diff --git a/.gitignore b/.gitignore
index 2628a539..18e73886 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 .idea/
 .vscode/
 tools/target/
diff --git a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
index f48b23cb..e675ddb9 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.min.schema.json
@@ -1 +1 @@ -{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 
The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. 
Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of 
labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative 
Analysis","description":"A quantitative analysis of the model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or 
process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of 
the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. 
For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the 
source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","description":"Data owners are concerned with risk and appropriate access to data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance 
role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","enum":["inbound","outbound","bi-directional","unknown"],"meta:enum":{"inbound":"Data that enters a service.","outbound":"Data that exits a service.","bi-directional":"Data flows in and out of the service.","unknown":"The directional flow of data is not known."},"title":"Data flow direction","description":"Specifies the flow direction of the data. Direction is relative to the service."}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. 
A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance 
score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. 
Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. 
Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}} \ No newline at end of file +{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json","type":"object","title":"CycloneDX Transparency Expression Language","$comment":"OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"$defs":{"cyclonedx-ai-modelcard-2.0":{"type":"null","title":"CycloneDX AI Model Card","$defs":{"modelCard":{"type":"object","title":"Model Card","description":"A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. 
This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"modelParameters":{"type":"object","title":"Model Parameters","description":"Hyper-parameters for construction of the model.","additionalProperties":false,"properties":{"approach":{"type":"object","title":"Approach","description":"The overall approach to learning used by the model for problem solving.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Learning Type","description":"Learning types describing the learning problem or hybrid learning problem.","enum":["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"],"meta:enum":{"supervised":"Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.","unsupervised":"Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.","reinforcement-learning":"Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.","semi-supervised":"Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning 
techniques.","self-supervised":"Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data."}}}},"task":{"type":"string","title":"Task","description":"Directly influences the input and/or output. Examples include classification, regression, clustering, etc."},"architectureFamily":{"type":"string","title":"Architecture Family","description":"The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc."},"modelArchitecture":{"type":"string","title":"Model Architecture","description":"The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc."},"datasets":{"type":"array","title":"Datasets","description":"The datasets used to train and evaluate the model.","items":{"oneOf":[{"title":"Inline Data Information","$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},{"type":"object","title":"Data Reference","additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","type":"string","description":"References a data component by the components bom-ref attribute"}}}]}},"inputs":{"type":"array","title":"Inputs","description":"The input format(s) of the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}},"outputs":{"type":"array","title":"Outputs","description":"The output format(s) from the model","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/inputOutputMLParameters"}}}},"quantitativeAnalysis":{"type":"object","title":"Quantitative Analysis","description":"A quantitative analysis of the 
model","additionalProperties":false,"properties":{"performanceMetrics":{"type":"array","title":"Performance Metrics","description":"The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/performanceMetric"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"}}},"considerations":{"type":"object","title":"Considerations","description":"What considerations should be taken into account regarding the model's construction, training, and application?","additionalProperties":false,"properties":{"users":{"type":"array","title":"Users","description":"Who are the intended users of the model?","items":{"type":"string"}},"useCases":{"type":"array","title":"Use Cases","description":"What are the intended use cases of the model?","items":{"type":"string"}},"technicalLimitations":{"type":"array","title":"Technical Limitations","description":"What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? 
What are the factors that might degrade model performance?","items":{"type":"string"}},"performanceTradeoffs":{"type":"array","title":"Performance Tradeoffs","description":"What are the known tradeoffs in accuracy/performance of the model?","items":{"type":"string"}},"ethicalConsiderations":{"type":"array","title":"Ethical Considerations","description":"What are the ethical risks involved in the application of this model?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/risk"}},"environmentalConsiderations":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/environmentalConsiderations","title":"Environmental Considerations","description":"What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?"},"fairnessAssessments":{"type":"array","title":"Fairness Assessments","description":"How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/fairnessAssessment"}}}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputOutputMLParameters":{"type":"object","title":"Input and Output Parameters","additionalProperties":false,"properties":{"format":{"title":"Input/Output Format","description":"The data format for input/output to the model.","type":"string","examples":["string","image","time-series"]}}},"environmentalConsiderations":{"type":"object","title":"Environmental Considerations","description":"Describes various environmental impact metrics.","additionalProperties":false,"properties":{"energyConsumptions":{"title":"Energy Consumptions","description":"Describes energy consumption information incurred for one or more component lifecycle activities.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyConsumption"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to 
document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyConsumption":{"title":"Energy consumption","description":"Describes energy consumption information incurred for the specified lifecycle activity.","type":"object","required":["activity","energyProviders","activityEnergyCost"],"additionalProperties":false,"properties":{"activity":{"type":"string","title":"Activity","description":"The type of activity that is part of a machine learning model development or operational lifecycle.","enum":["design","data-collection","data-preparation","training","fine-tuning","validation","deployment","inference","other"],"meta:enum":{"design":"A model design including problem framing, goal definition and algorithm selection.","data-collection":"Model data acquisition including search, selection and transfer.","data-preparation":"Model data preparation including data cleaning, labeling and conversion.","training":"Model building, training and generalized tuning.","fine-tuning":"Refining a trained model to produce desired outputs for a given problem space.","validation":"Model validation including model output evaluation and testing.","deployment":"Explicit model deployment to a target hosting infrastructure.","inference":"Generating an output response from a hosted model from a set of inputs.","other":"A lifecycle activity type whose description does not match currently defined values."}},"energyProviders":{"title":"Energy Providers","description":"The provider(s) of 
the energy consumed by the associated model development lifecycle activity.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyProvider"}},"activityEnergyCost":{"title":"Activity Energy Cost","description":"The total energy cost associated with the model lifecycle activity.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure"},"co2CostEquivalent":{"title":"CO2 Equivalent Cost","description":"The CO2 cost (debit) equivalent to the total energy cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"co2CostOffset":{"title":"CO2 Cost Offset","description":"The CO2 offset (credit) for the CO2 equivalent cost.","$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/co2Measure"},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"energyMeasure":{"type":"object","title":"Energy Measure","description":"A measure of energy.","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of energy."},"unit":{"type":"string","enum":["kWh"],"title":"Unit","description":"Unit of energy.","meta:enum":{"kWh":"Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)."}}}},"co2Measure":{"type":"object","title":"CO2 Measure","description":"A measure of carbon dioxide (CO2).","required":["value","unit"],"additionalProperties":false,"properties":{"value":{"type":"number","title":"Value","description":"Quantity of carbon dioxide (CO2)."},"unit":{"type":"string","enum":["tCO2eq"],"title":"Unit","description":"Unit of carbon dioxide (CO2).","meta:enum":{"tCO2eq":"Tonnes (t) of carbon dioxide (CO2) equivalent (eq)."}}}},"energyProvider":{"type":"object","title":"Energy Provider","description":"Describes the physical provider of energy used for model development or operations.","required":["organization","energySource","energyProvided"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the energy provider elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","description":"A description of the energy provider."},"organization":{"type":"object","title":"Organization","description":"The organization that provides energy.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"energySource":{"type":"string","enum":["coal","oil","natural-gas","nuclear","wind","solar","geothermal","hydropower","biofuel","unknown","other"],"meta:enum":{"coal":"Energy produced by types of coal.","oil":"Petroleum products (primarily crude oil and its derivative fuel oils).","natural-gas":"Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.","nuclear":"Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).","wind":"Energy produced from moving air.","solar":"Energy produced from the sun (i.e., solar radiation).","geothermal":"Energy produced from heat within the earth.","hydropower":"Energy produced from flowing water.","biofuel":"Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).","unknown":"The energy source is unknown.","other":"An energy source that is not listed."},"title":"Energy Source","description":"The energy source for the energy provider."},"energyProvided":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/energyMeasure","title":"Energy Provided","description":"The energy provided by the energy source for an associated activity."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may 
be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."}}},"graphicsCollection":{"type":"object","title":"Graphics Collection","description":"A collection of graphics that represent various measurements.","additionalProperties":false,"properties":{"description":{"title":"Description","description":"A description of this collection of graphics.","type":"string"},"collection":{"title":"Collection","description":"A collection of graphics.","type":"array","items":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphic"}}}},"graphic":{"type":"object","title":"Graphic","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the graphic.","type":"string"},"image":{"title":"Graphic Image","description":"The graphic (vector or raster). Base64 encoding must be specified for binary images.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}},"performanceMetric":{"type":"object","title":"Performance Metric","additionalProperties":false,"properties":{"type":{"title":"Type","description":"The type of performance metric.","type":"string"},"value":{"title":"Value","description":"The value of the performance metric.","type":"string"},"slice":{"title":"Slice","description":"The name of the slice this metric was computed on. 
By default, assume this metric is not sliced.","type":"string"},"confidenceInterval":{"title":"Confidence Interval","description":"The confidence interval of the metric.","type":"object","additionalProperties":false,"properties":{"lowerBound":{"title":"Lower Bound","description":"The lower bound of the confidence interval.","type":"string"},"upperBound":{"title":"Upper Bound","description":"The upper bound of the confidence interval.","type":"string"}}}}},"risk":{"type":"object","title":"Risk","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the risk.","type":"string"},"mitigationStrategy":{"title":"Mitigation Strategy","description":"Strategy used to address this risk.","type":"string"}}},"fairnessAssessment":{"type":"object","title":"Fairness Assessment","description":"Information about the benefits and harms of the model to an identified at risk group.","additionalProperties":false,"properties":{"groupAtRisk":{"type":"string","title":"Group at Risk","description":"The groups or individuals at risk of being systematically disadvantaged by the model."},"benefits":{"type":"string","title":"Benefits","description":"Expected benefits to the identified groups."},"harms":{"type":"string","title":"Harms","description":"Expected harms to the identified groups."},"mitigationStrategy":{"type":"string","title":"Mitigation Strategy","description":"With respect to the benefits and harms outlined, please describe any mitigation strategy implemented."}}}}},"cyclonedx-annotation-2.0":{"type":"null","title":"CycloneDX Annotation Model","$defs":{"annotations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotation"},"uniqueItems":true,"title":"Annotations","description":"Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. 
Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."},"annotation":{"type":"object","title":"Annotations","description":"A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.","required":["subjects","annotator","timestamp","text"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"subjects":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Subjects","description":"The object in the BOM identified by its bom-ref. 
This is often a component or service, but may be any object type supporting bom-refs."},"annotator":{"type":"object","title":"Annotator","description":"The organization, person, component, or service which created the textual content of the annotation.","oneOf":[{"required":["organization"]},{"required":["individual"]},{"required":["component"]},{"required":["service"]}],"additionalProperties":false,"properties":{"organization":{"description":"The organization that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"description":"The person that created the annotation","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},"component":{"description":"The tool or component that created the annotation","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"service":{"description":"The service that created the annotation","$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the annotation was created."},"text":{"type":"string","title":"Text","description":"The textual content of the annotation."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-behavior-2.0":{"type":"null","title":"CycloneDX Behavior Model","properties":{"behaviors":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"}},"$defs":{"trigger":{"type":"string","title":"Trigger","description":"The condition or event that initiates a behavior.","enum":["startup","shutdown","scheduled","event-driven","user-initiated","api-call","signal","condition-based","continuous","on-demand","unknown"],"meta:enum":{"startup":"Triggered during system or component initialisation.","shutdown":"Triggered during system or component 
termination.","scheduled":"Triggered at predetermined times or intervals.","event-driven":"Triggered in response to a specific event.","user-initiated":"Triggered by explicit user action.","api-call":"Triggered by an API invocation.","signal":"Triggered by a system or inter-process signal.","condition-based":"Triggered when specific conditions are met.","continuous":"Runs continuously during normal operation.","on-demand":"Triggered on demand as needed.","unknown":"The trigger mechanism is not known."}},"ordering":{"type":"string","title":"Ordering","description":"Execution semantics for steps within a flow.","default":"sequential","enum":["sequential","unordered","parallel","conditional"],"meta:enum":{"sequential":"Steps execute in ordinal order. Each completes before the next begins.","unordered":"All steps execute, but order is not guaranteed.","parallel":"Steps may execute concurrently.","conditional":"Step execution is determined by runtime conditions."}},"acknowledgment":{"type":"array","title":"Acknowledgment","description":"Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.","uniqueItems":true,"items":{"type":"string","enum":["declared","observed"],"meta:enum":{"declared":"The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.","observed":"The behavior was observed, detected, or measured during analysis or runtime. 
Typically used for anomaly detection, incident response, and behavioural analysis."}}},"behaviors":{"type":"object","title":"Behaviors","description":"Behaviors performed by objects within the BOM.","additionalProperties":false,"properties":{"instances":{"type":"array","title":"Instances","description":"Individual behavior instances.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"}},"flows":{"type":"array","title":"Flows","description":"Behavior flows that organise behaviors into operational patterns.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"}}}},"behaviorInstance":{"type":"object","title":"Behavior Instance","description":"A behavior performed by one or more objects within the BOM.","additionalProperties":false,"required":["bom-ref","behavior"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"behavior":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behavior","title":"Behavior","description":"The behavior from the taxonomy."},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this behavior.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}}},"behaviorFlow":{"type":"object","title":"Behavior Flow","description":"An organised collection of behaviors forming a coherent 
process.","additionalProperties":false,"required":["bom-ref","steps"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"acknowledgment":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"},"ordering":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/ordering"},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"steps":{"type":"array","title":"Steps","description":"The steps that comprise this flow.","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"}}},"allOf":[{"if":{"anyOf":[{"properties":{"ordering":{"const":"sequential"}},"required":["ordering"]},{"not":{"required":["ordering"]}}]},"then":{"properties":{"steps":{"items":{"required":["ordinal"]}}}}}]},"flowStep":{"type":"object","title":"Flow Step","description":"A single step within a behavior flow.","additionalProperties":false,"properties":{"ordinal":{"type":"integer","title":"Ordinal","description":"Position within the flow. Required when ordering is 'sequential' or omitted.","minimum":1},"behavior":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/behavior","title":"Behavior","description":"The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."},"trigger":{"$ref":"#/$defs/cyclonedx-behavior-2.0/$defs/trigger"},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Behavior Reference","description":"Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."},"flow":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Flow Reference","description":"Reference to a nested flow. 
Mutually exclusive with 'behavior' and 'ref'."},"actors":{"type":"array","title":"Actors","description":"References to objects that perform this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"targets":{"type":"array","title":"Targets","description":"References to objects affected by this step.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}}},"oneOf":[{"required":["behavior"]},{"required":["ref"]},{"required":["flow"]}]},"behavior":{"type":"string","title":"Behavior","description":"Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.","enum":["ai","ai:agent","ai:agent:actsOnBehalfOfUser","ai:agent:coordinatesAgents","ai:agent:delegatesTask","ai:agent:executesAction","ai:agent:invokesTool","ai:agent:observesResult","ai:agent:plansAction","ai:agent:receivesHumanDelegation","ai:agent:reflectsOnResult","ai:agent:reportsDelegatedAction","ai:agent:requestsUserApproval","ai:agent:returnsDelegation","ai:agent:revisesPlan","ai:explainability","ai:explainability:attributesFeatures","ai:explainability:documentsModel","ai:explainability:explainsDecision","ai:explainability:tracesPrediction","ai:explainability:visualizesModel","ai:fairness","ai:fairness:auditsModelFairness","ai:fairness:calculatesFairnessMetric","ai:fairness:detectsBias","ai:fairness:handlesProtectedAttribute","ai:fairness:mitigatesBias","ai:generative","ai:generative:citesSource","ai:generative:filtersOutput","ai:generative:generatesAudio","ai:generative:generatesCode","ai:generative:generatesEmbedding","ai:generative:generatesImage","ai:generative:generatesText","ai:generative:mitigatesHallucination","ai:generative:processesPrompt","ai:generative:streamsResponse","ai:inference","ai:inference:appliesThreshold","ai:inference:batchesInference","ai:inference:cachesPrediction","ai:
inference:ensemblesModels","ai:inference:generatesPrediction","ai:inference:infersInRealTime","ai:inference:ranksResults","ai:inference:scoresConfidence","ai:management","ai:management:comparesModels","ai:management:deploysModel","ai:management:loadsModel","ai:management:monitorsModel","ai:management:retiresModel","ai:management:rollsBackModel","ai:management:unloadsModel","ai:management:versionsModel","ai:quality","ai:quality:detectsConceptDrift","ai:quality:detectsDataDrift","ai:quality:detectsOutlier","ai:quality:engineersFeatures","ai:quality:selectsFeatures","ai:quality:validatesInputData","ai:robustness","ai:robustness:defendsAgainstAdversarial","ai:robustness:detectsAdversarialInput","ai:robustness:detectsOutOfDistribution","ai:robustness:estimatesUncertainty","ai:robustness:validatesRobustness","ai:training","ai:training:appliesTransferLearning","ai:training:checkpointsModel","ai:training:fineTunesModel","ai:training:ingestsTrainingData","ai:training:preprocessesTrainingData","ai:training:trainsFederatedly","ai:training:trainsModel","ai:training:tunesHyperparameters","ai:training:validatesModel","ai:training:validatesTrainingData","application","application:codeExecution","application:codeExecution:compilesCode","application:codeExecution:evaluatesExpression","application:codeExecution:executesNativeCommand","application:codeExecution:executesScript","application:codeExecution:interpretsCode","application:codeExecution:invokesViaReflection","application:codeExecution:loadsCodeDynamically","application:configuration","application:configuration:detectsEnvironment","application:configuration:evaluatesFeatureFlag","application:configuration:loadsConfiguration","application:configuration:reloadsConfiguration","application:controlFlow","application:controlFlow:awaitsAsyncResult","application:controlFlow:catchesException","application:controlFlow:emitsEvent","application:controlFlow:handlesEvent","application:controlFlow:invokesCallback","application:controlFlow:in
vokesHandler","application:controlFlow:invokesMiddleware","application:controlFlow:schedulesAsyncOperation","application:controlFlow:throwsException","application:dependencyManagement","application:dependencyManagement:closesCircuitBreaker","application:dependencyManagement:fallsBack","application:dependencyManagement:injectsDependency","application:dependencyManagement:opensCircuitBreaker","application:dependencyManagement:resolvesDependency","application:externalIntegration","application:externalIntegration:callsExternalService","application:externalIntegration:consumesEvent","application:externalIntegration:publishesEvent","application:externalIntegration:receivesWebhook","application:observability","application:observability:emitsTelemetry","application:observability:logsOperation","application:observability:recordsMetric","application:observability:reportsHealth","application:observability:tracesRequest","application:requestHandling","application:requestHandling:authenticatesRequest","application:requestHandling:authorizesRequest","application:requestHandling:bindsParameters","application:requestHandling:parsesRequest","application:requestHandling:receivesHttpRequest","application:requestHandling:rejectsRequest","application:requestHandling:routesRequest","application:requestHandling:validatesRequest","application:responseGeneration","application:responseGeneration:generatesResponse","application:responseGeneration:readsCookie","application:responseGeneration:redirectsRequest","application:responseGeneration:returnsError","application:responseGeneration:returnsSuccess","application:responseGeneration:sendsHttpResponse","application:responseGeneration:setsCookie","application:responseGeneration:setsHeader","application:stateManagement","application:stateManagement:acquiresLock","application:stateManagement:beginsTransaction","application:stateManagement:commitsTransaction","application:stateManagement:createsSessionState","application:stateManagement:destroysSes
sionState","application:stateManagement:readsSessionState","application:stateManagement:releasesLock","application:stateManagement:rollsBackTransaction","application:stateManagement:synchronizesState","application:stateManagement:updatesSessionState","data","data:encoding","data:encoding:appliesXor","data:encoding:decodesBaseSixtyFour","data:encoding:decodesUrl","data:encoding:encodesBaseSixtyFour","data:encoding:encodesUrl","data:ingestion","data:ingestion:pollsSource","data:ingestion:readsFile","data:ingestion:readsStream","data:ingestion:receivesInput","data:ingestion:receivesMessage","data:ingestion:receivesRequest","data:ingestion:subscribesToFeed","data:output","data:output:formatsResponse","data:output:producesOutput","data:output:publishesMessage","data:output:rendersTemplate","data:output:sendsResponse","data:output:serializesObject","data:output:streamsOutput","data:output:writesFile","data:parsing","data:parsing:decodesData","data:parsing:deserializesObject","data:parsing:extractsFields","data:parsing:parsesData","data:parsing:parsesHtml","data:parsing:parsesJson","data:parsing:parsesXml","data:query","data:query:executesLdapQuery","data:query:executesNoSqlQuery","data:query:executesSearch","data:query:executesSql","data:query:executesXPath","data:query:queriesData","data:storage","data:storage:cachesData","data:storage:deletesData","data:storage:flushesCache","data:storage:invalidatesCache","data:storage:retrievesData","data:storage:storesData","data:storage:updatesData","data:transformation","data:transformation:aggregatesData","data:transformation:compressesData","data:transformation:decompressesData","data:transformation:encodesData","data:transformation:enrichesData","data:transformation:filtersData","data:transformation:joinsData","data:transformation:mapsData","data:transformation:normalizesData","data:transformation:sortsData","data:transformation:transformsData","evasion","evasion:analysisResistance","evasion:analysisResistance:detectsAnalysisToo
l","evasion:analysisResistance:detectsDebugger","evasion:analysisResistance:detectsEmulator","evasion:analysisResistance:detectsSandbox","evasion:analysisResistance:detectsVirtualMachine","evasion:analysisResistance:evadesDebugger","evasion:analysisResistance:evadesEmulator","evasion:analysisResistance:evadesSandbox","evasion:analysisResistance:evadesVirtualMachine","evasion:analysisResistance:usesTimingEvasion","evasion:antiSecurity","evasion:antiSecurity:detectsAntivirus","evasion:antiSecurity:disablesSecuritySoftware","evasion:antiSecurity:evadesAntivirus","evasion:antiSecurity:terminatesSecurityProcess","evasion:indirection","evasion:indirection:resolvesApiDynamically","evasion:indirection:usesIndirectCalls","evasion:indirection:usesProxyExecution","evasion:obfuscation","evasion:obfuscation:obfuscatesCode","evasion:obfuscation:obfuscatesControlFlow","evasion:obfuscation:obfuscatesData","evasion:obfuscation:obfuscatesStrings","evasion:obfuscation:packsCode","evasion:obfuscation:unpacksAtRuntime","file","file:directory","file:directory:changesDirectory","file:directory:createsDirectory","file:directory:deletesDirectory","file:directory:listsDirectory","file:directory:traversesDirectory","file:disk","file:disk:decryptsVolume","file:disk:encryptsVolume","file:disk:formatsVolume","file:disk:mountsVolume","file:disk:unmountsVolume","file:disk:wipesDisk","file:operations","file:operations:appendsToFile","file:operations:checksFileExistence","file:operations:closesFile","file:operations:copiesFile","file:operations:createsFile","file:operations:deletesFile","file:operations:getsFileAttributes","file:operations:movesFile","file:operations:opensFile","file:operations:readsFile","file:operations:renamesFile","file:operations:setsFileAttributes","file:operations:setsFilePermissions","file:operations:writesFile","gui","gui:display","gui:display:displaysData","gui:display:monitorsDisplay","gui:display:updatesDisplay","gui:session","gui:session:displaysLogin","gui:session:inte
ractsWithSession","gui:session:switchesSession","gui:window","gui:window:capturesWindow","gui:window:createsWindow","gui:window:destroysWindow","gui:window:enumeratesWindows","gui:window:interactsWithTaskbar","gui:window:modifiesWindow","hardware","hardware:actuator","hardware:actuator:calibratesActuator","hardware:actuator:controlsBattery","hardware:actuator:controlsHeating","hardware:actuator:controlsLed","hardware:actuator:controlsMotor","hardware:actuator:controlsPower","hardware:actuator:controlsPump","hardware:actuator:controlsTemperature","hardware:boot","hardware:boot:entersRecoveryMode","hardware:boot:executesSecureBoot","hardware:boot:locksBootConfiguration","hardware:boot:modifiesBootConfiguration","hardware:boot:readsBootConfiguration","hardware:boot:recordsBootMeasurement","hardware:boot:verifiesBootLoader","hardware:firmware","hardware:firmware:monitorsFirmwareIntegrity","hardware:firmware:preventsFirmwareRollback","hardware:firmware:readsFirmwareVersion","hardware:firmware:updatesFirmware","hardware:firmware:verifiesFirmwareSignature","hardware:memory","hardware:memory:encryptsMemory","hardware:memory:isolatesMemory","hardware:memory:protectsStack","hardware:memory:randomizesAddressSpace","hardware:memory:readsProtectedMemory","hardware:memory:writesProtectedMemory","hardware:peripheral","hardware:peripheral:accessesCamera","hardware:peripheral:accessesDisplay","hardware:peripheral:accessesGpio","hardware:peripheral:accessesJtag","hardware:peripheral:accessesKeyboard","hardware:peripheral:accessesStorageDevice","hardware:peripheral:accessesUsbDevice","hardware:peripheral:configuresDma","hardware:peripheral:protectsDma","hardware:physicalSecurity","hardware:physicalSecurity:detectsPhysicalTamper","hardware:physicalSecurity:disablesDebugInterface","hardware:physicalSecurity:enablesDebugInterface","hardware:physicalSecurity:monitorsEnclosure","hardware:physicalSecurity:respondsToTamper","hardware:physicalSecurity:zeroizesKeys","hardware:security","hardwa
re:security:anchorsInHardwareRoot","hardware:security:executesInTee","hardware:security:generatesPufResponse","hardware:security:usesHsm","hardware:security:usesSecureElement","hardware:sensor","hardware:sensor:calibratesSensor","hardware:sensor:readsBatteryStatus","hardware:sensor:readsBloodOxygen","hardware:sensor:readsBloodPressure","hardware:sensor:readsCoTwoLevel","hardware:sensor:readsEcg","hardware:sensor:readsPowerStatus","hardware:sensor:readsTemperature","hardware:sideChannelDefense","hardware:sideChannelDefense:controlsEmEmissions","hardware:sideChannelDefense:resistsFaultInjection","hardware:sideChannelDefense:resistsPowerAnalysis","hardware:sideChannelDefense:resistsTimingAnalysis","network","network:connection","network:connection:acceptsConnection","network:connection:detectsConnectionLoss","network:connection:establishesConnection","network:connection:reconnects","network:connection:reusesConnection","network:connection:sendsHeartbeat","network:connection:terminatesConnection","network:discovery","network:discovery:advertisesService","network:discovery:discoversService","network:discovery:enumeratesInterfaces","network:discovery:probesPort","network:discovery:queriesDns","network:discovery:resolvesName","network:discovery:scansNetwork","network:protocol","network:protocol:downgradesProtocol","network:protocol:framesMessage","network:protocol:negotiatesProtocol","network:protocol:parsesMessage","network:protocol:retransmitsMessage","network:protocol:upgradesProtocol","network:protocol:validatesMessage","network:remoteInteraction","network:remoteInteraction:accessesRemoteDesktop","network:remoteInteraction:accessesRemoteShell","network:remoteInteraction:executesRemoteCommand","network:remoteInteraction:invokesRemoteProcedure","network:remoteInteraction:sendsEmail","network:remoteInteraction:sendsSms","network:remoteInteraction:transfersFile","network:routing","network:routing:configuresProxy","network:routing:forwardsPacket","network:routing:redirectsT
raffic","network:routing:routesTraffic","network:routing:tunnelsTraffic","network:trafficControl","network:trafficControl:balancesLoad","network:trafficControl:filtersTraffic","network:trafficControl:inspectsTraffic","network:trafficControl:interceptsTraffic","network:trafficControl:limitsRate","network:trafficControl:modifiesTraffic","network:trafficControl:shapesTraffic","network:transmission","network:transmission:broadcastsData","network:transmission:multicastsData","network:transmission:receivesData","network:transmission:sendsData","network:transmission:streamsData","privacy","privacy:collection","privacy:collection:capturesAudio","privacy:collection:capturesKeystrokes","privacy:collection:capturesScreen","privacy:collection:capturesVideo","privacy:collection:collectsBehavioralData","privacy:collection:collectsBiometricData","privacy:collection:collectsCommunicationContent","privacy:collection:collectsDeviceInformation","privacy:collection:collectsFinancialData","privacy:collection:collectsHealthData","privacy:collection:collectsInBackground","privacy:collection:collectsLocationData","privacy:collection:collectsPersonalData","privacy:collection:collectsSilently","privacy:collection:readsBrowserHistory","privacy:collection:readsClipboard","privacy:deletion","privacy:deletion:clearsCache","privacy:deletion:deletesPersonalData","privacy:deletion:erasesSecurely","privacy:deletion:purgesFromBackup","privacy:deletion:redactsData","privacy:inference","privacy:inference:correlatesData","privacy:inference:createsProfile","privacy:inference:fingerprintsDevice","privacy:inference:infersPersonalInformation","privacy:inference:linksIdentities","privacy:inference:tracksUser","privacy:minimization","privacy:minimization:aggregatesData","privacy:minimization:anonymizesData","privacy:minimization:filtersData","privacy:minimization:generalizesData","privacy:minimization:limitsCollection","privacy:minimization:limitsProcessing","privacy:minimization:pseudonymizesData","privacy:p
rivacyEnhancement","privacy:privacyEnhancement:addsDifferentialPrivacy","privacy:privacyEnhancement:computesMultiparty","privacy:privacyEnhancement:processesHomomorphically","privacy:privacyEnhancement:processesLocally","privacy:retention","privacy:retention:archivesData","privacy:retention:backsUpData","privacy:retention:enforcesRetentionPeriod","privacy:retention:retainsBeyondPurpose","privacy:retention:retainsInCache","privacy:retention:retainsInLog","privacy:retention:storesPersonalData","privacy:sharing","privacy:sharing:disclosesToThirdParty","privacy:sharing:exportsData","privacy:sharing:publishesData","privacy:sharing:sellsData","privacy:sharing:sharesWithAffiliate","privacy:sharing:transfersCrossBorder","privacy:subjectRights","privacy:subjectRights:correctsData","privacy:subjectRights:exportsDataPortably","privacy:subjectRights:honorsErasureRequest","privacy:subjectRights:honorsObjection","privacy:subjectRights:providesDataAccess","privacy:subjectRights:restrictsProcessing","privacy:transparency","privacy:transparency:disclosesProcessing","privacy:transparency:displaysPrivacyNotice","privacy:transparency:explainsAutomatedDecision","privacy:transparency:recordsConsent","privacy:transparency:requestsConsent","privacy:transparency:withdrawsConsent","safety","safety:autonomousBehavior","safety:autonomousBehavior:acceptsOverride","safety:autonomousBehavior:enforcesHumanInLoop","safety:autonomousBehavior:explainsDecision","safety:autonomousBehavior:requestsGuidance","safety:autonomousBehavior:respectsDecisionBoundary","safety:contentSafety","safety:contentSafety:detectsHarmfulContent","safety:contentSafety:detectsMisinformation","safety:contentSafety:enforcesAgeRestriction","safety:contentSafety:filtersContent","safety:contentSafety:labelsContent","safety:harmPrevention","safety:harmPrevention:preventsEnvironmentalHarm","safety:harmPrevention:preventsPropertyDamage","safety:harmPrevention:preventsUserHarm","safety:harmPrevention:protectsBystanders","safety:hazar
dManagement","safety:hazardManagement:assessesRisk","safety:hazardManagement:identifiesHazard","safety:hazardManagement:mitigatesHazard","safety:hazardManagement:reportsHazard","safety:humanInteraction","safety:humanInteraction:adaptsForAccessibility","safety:humanInteraction:managesCognitiveLoad","safety:humanInteraction:requestsConfirmation","safety:humanInteraction:warnsOperator","safety:operationalSafety","safety:operationalSafety:acceptsManualOverride","safety:operationalSafety:enforcesInterlock","safety:operationalSafety:enforcesOperatingLimits","safety:operationalSafety:executesEmergencyStop","safety:operationalSafety:monitorsWatchdog","safety:operationalSafety:validatesSafetyCondition","security","security:auditing","security:auditing:logsEvent","security:auditing:logsSecurityEvent","security:auditing:protectsAuditLog","security:auditing:purgesLog","security:auditing:rotatesLog","security:auditing:signsLogEntry","security:auditing:timestampsEvent","security:auditing:transmitsLog","security:authentication","security:authentication:authenticatesDevice","security:authentication:authenticatesService","security:authentication:authenticatesUser","security:authentication:bypassesAuthentication","security:authentication:capturesBiometric","security:authentication:delegatesAuthentication","security:authentication:failsAuthentication","security:authentication:locksAccount","security:authentication:performsMultiFactorAuthentication","security:authentication:promptsForCredentials","security:authentication:unlocksAccount","security:authentication:validatesBiometric","security:authentication:validatesCredentials","security:authorization","security:authorization:checksPermission","security:authorization:delegatesAuthority","security:authorization:deniesAccess","security:authorization:enforcesRole","security:authorization:escalatesPrivilege","security:authorization:evaluatesAttributes","security:authorization:evaluatesPolicy","security:authorization:grantsAccess","security:
authorization:grantsImpersonation","security:authorization:impersonatesUser","security:authorization:requestsImpersonation","security:authorization:revokesAccess","security:authorization:revokesImpersonation","security:cryptography","security:cryptography:authenticates","security:cryptography:checksRevocation","security:cryptography:decryptsData","security:cryptography:decryptsDataAtRest","security:cryptography:decryptsDataInTransit","security:cryptography:decryptsDisk","security:cryptography:decryptsSecret","security:cryptography:destroysKey","security:cryptography:encryptsData","security:cryptography:encryptsDataAtRest","security:cryptography:encryptsDataInTransit","security:cryptography:encryptsDisk","security:cryptography:encryptsSecret","security:cryptography:ensuresAccountability","security:cryptography:ensuresConfidentiality","security:cryptography:ensuresIntegrity","security:cryptography:ensuresNonRepudiation","security:cryptography:exchangesKey","security:cryptography:generatesKey","security:cryptography:generatesRandomValue","security:cryptography:hashesData","security:cryptography:hashesPassword","security:cryptography:identifies","security:cryptography:issuesCertificate","security:cryptography:preservesPrivacy","security:cryptography:presentsClientCertificate","security:cryptography:presentsServerCertificate","security:cryptography:retrievesKey","security:cryptography:revokesCertificate","security:cryptography:rotatesKey","security:cryptography:signsCode","security:cryptography:signsData","security:cryptography:signsDocument","security:cryptography:storesKey","security:cryptography:usesIdentity","security:cryptography:validatesCertificate","security:cryptography:validatesToken","security:cryptography:verifiesCodeSignature","security:cryptography:verifiesDataSignature","security:cryptography:verifiesDocumentSignature","security:cryptography:verifiesHash","security:cryptography:verifiesSignature","security:cryptography:wrapsKey","security:errorHandling","s
ecurity:errorHandling:catchesException","security:errorHandling:disclosesErrorDetails","security:errorHandling:failsClosed","security:errorHandling:failsOpen","security:errorHandling:generatesError","security:errorHandling:logsError","security:errorHandling:propagatesError","security:errorHandling:returnsGenericError","security:errorHandling:suppressesError","security:inputHandling","security:inputHandling:escapesInput","security:inputHandling:normalizesInput","security:inputHandling:rejectsInvalidInput","security:inputHandling:sanitizesInput","security:inputHandling:truncatesInput","security:inputHandling:validatesFormat","security:inputHandling:validatesRange","security:inputHandling:validatesSchema","security:integrity","security:integrity:attestsIntegrity","security:integrity:detectsTampering","security:integrity:respondsToTampering","security:integrity:validatesComponent","security:integrity:verifiesIntegrity","security:integrity:verifiesProvenance","security:outputHandling","security:outputHandling:encodesOutput","security:outputHandling:enforcesContentPolicy","security:outputHandling:escapesOutput","security:outputHandling:filtersOutput","security:outputHandling:masksOutput","security:outputHandling:setsSecurityHeader","security:session","security:session:createsSession","security:session:detectsSessionHijacking","security:session:invalidatesSession","security:session:refreshesSession","security:session:regeneratesSessionId","security:session:terminatesSession","security:session:validatesSession","security:threatResponse","security:threatResponse:blocksRequest","security:threatResponse:blocksSource","security:threatResponse:collectsForensicData","security:threatResponse:detectsAnomaly","security:threatResponse:detectsIntrusion","security:threatResponse:initiatesIncidentResponse","security:threatResponse:quarantinesElement","security:threatResponse:raisesAlert","system","system:configuration","system:configuration:deletesRegistryKey","system:configuration:modi
fiesGroupPolicy","system:configuration:readsConfigurationFile","system:configuration:readsEnvironmentVariable","system:configuration:readsGroupPolicy","system:configuration:readsRegistry","system:configuration:setsEnvironmentVariable","system:configuration:writesConfigurationFile","system:configuration:writesRegistry","system:informationGathering","system:informationGathering:detectsOsVersion","system:informationGathering:gathersSystemInformation","system:informationGathering:queriesHardwareInformation","system:informationGathering:retrievesHostname","system:kernelInteraction","system:kernelInteraction:hooksKernelFunction","system:kernelInteraction:installsDriver","system:kernelInteraction:readsKernelMemory","system:kernelInteraction:writesKernelMemory","system:lifecycle","system:lifecycle:appliesUpdate","system:lifecycle:decommissions","system:lifecycle:initializes","system:lifecycle:performsSelfTest","system:lifecycle:provisions","system:lifecycle:rollsBack","system:lifecycle:shutsDown","system:operationalState","system:operationalState:entersFailSafeState","system:operationalState:entersFailSecureState","system:operationalState:operatesInDegradedMode","system:operationalState:operatesNormally","system:operationalState:performsEmergencyShutdown","system:persistence","system:persistence:createsScheduledTask","system:persistence:installsAsService","system:persistence:loadsAsKernelModule","system:persistence:registersForStartup","system:persistence:removesPersistence","system:processControl","system:processControl:createsProcess","system:processControl:dumpsProcessMemory","system:processControl:enumeratesProcesses","system:processControl:hooksFunction","system:processControl:injectsCodeIntoProcess","system:processControl:modifiesProcess","system:processControl:resumesProcess","system:processControl:suspendsProcess","system:processControl:terminatesProcess","system:resilience","system:resilience:activatesRedundancy","system:resilience:degradesGracefully","system:resil
ience:detectsFault","system:resilience:recoversFromFailure","system:resilience:toleratesFault","system:resourceManagement","system:resourceManagement:allocatesMemory","system:resourceManagement:deallocatesMemory","system:resourceManagement:handlesResourceExhaustion","system:resourceManagement:managesPowerState","system:resourceManagement:readsFromStorage","system:resourceManagement:resumesThread","system:resourceManagement:spawnsThread","system:resourceManagement:suspendsThread","system:resourceManagement:terminatesThread","system:resourceManagement:writesToStorage","system:serviceControl","system:serviceControl:createsService","system:serviceControl:deletesService","system:serviceControl:enumeratesServices","system:serviceControl:modifiesService","system:serviceControl:startsService","system:serviceControl:stopsService","system:synchronization","system:synchronization:acquiresMutex","system:synchronization:releasesMutex","system:synchronization:signalsEvent","system:synchronization:signalsSemaphore","system:synchronization:waitsOnEvent","system:synchronization:waitsOnSemaphore","system:timing","system:timing:delaysExecution","system:timing:enforcesDeadline","system:timing:executesScheduledTask","system:timing:resetsWatchdog","system:timing:synchronizesClock","system:timing:triggersTimeout","system:timing:waits","system:userManagement","system:userManagement:createsUserAccount","system:userManagement:deletesUserAccount","system:userManagement:elevatesPrivileges","system:userManagement:enumeratesUsers","system:userManagement:impersonatesUser","system:userManagement:modifiesUserAccount"],"meta:enum":{"ai":"Behaviours relating to artificial intelligence and machine learning operations.","ai:agent":"Behaviours that enable autonomous agents to plan and execute tasks.","ai:agent:actsOnBehalfOfUser":"The entity performs actions within a delegated user context.","ai:agent:coordinatesAgents":"The entity orchestrates multiple agents.","ai:agent:delegatesTask":"The entity 
assigns work to another agent.","ai:agent:executesAction":"The entity performs planned step.","ai:agent:invokesTool":"The entity calls external capability.","ai:agent:observesResult":"The entity captures action outcome.","ai:agent:plansAction":"The entity determines steps to achieve goal.","ai:agent:receivesHumanDelegation":"The entity accepts authority delegated by a human user.","ai:agent:reflectsOnResult":"The entity evaluates action effectiveness.","ai:agent:reportsDelegatedAction":"The entity notifies the delegating user of actions taken.","ai:agent:requestsUserApproval":"The entity seeks explicit user authorisation before acting.","ai:agent:returnsDelegation":"The entity relinquishes delegated authority.","ai:agent:revisesPlan":"The entity modifies approach based on results.","ai:explainability":"Behaviours that provide interpretable explanations for model decisions.","ai:explainability:attributesFeatures":"The entity identifies influential inputs.","ai:explainability:documentsModel":"The entity records model design and behaviour.","ai:explainability:explainsDecision":"The entity provides human-readable rationale.","ai:explainability:tracesPrediction":"The entity records basis for output.","ai:explainability:visualizesModel":"The entity renders model behaviour graphically.","ai:fairness":"Behaviours that detect and mitigate bias in machine learning models.","ai:fairness:auditsModelFairness":"The entity evaluates model for bias.","ai:fairness:calculatesFairnessMetric":"The entity measures outcome equality.","ai:fairness:detectsBias":"The entity identifies unfair model behaviour.","ai:fairness:handlesProtectedAttribute":"The entity manages sensitive attributes.","ai:fairness:mitigatesBias":"The entity reduces unfair treatment.","ai:generative":"Behaviours that produce content using generative models.","ai:generative:citesSource":"The entity attributes generated content.","ai:generative:filtersOutput":"The entity screens generated 
content.","ai:generative:generatesAudio":"The entity produces sound content.","ai:generative:generatesCode":"The entity produces executable code.","ai:generative:generatesEmbedding":"The entity produces vector representation.","ai:generative:generatesImage":"The entity produces visual content.","ai:generative:generatesText":"The entity produces natural language.","ai:generative:mitigatesHallucination":"The entity reduces false content generation.","ai:generative:processesPrompt":"The entity interprets user instruction.","ai:generative:streamsResponse":"The entity delivers output incrementally.","ai:inference":"Behaviours that generate predictions using trained models.","ai:inference:appliesThreshold":"The entity uses decision boundary.","ai:inference:batchesInference":"The entity processes multiple inputs together.","ai:inference:cachesPrediction":"The entity stores prediction for reuse.","ai:inference:ensemblesModels":"The entity combines multiple model outputs.","ai:inference:generatesPrediction":"The entity produces model output.","ai:inference:infersInRealTime":"The entity generates prediction with low latency.","ai:inference:ranksResults":"The entity orders predictions by relevance.","ai:inference:scoresConfidence":"The entity assigns certainty to prediction.","ai:management":"Behaviours that deploy and manage machine learning models throughout their lifecycle.","ai:management:comparesModels":"The entity evaluates relative model performance.","ai:management:deploysModel":"The entity places model into service.","ai:management:loadsModel":"The entity retrieves model for use.","ai:management:monitorsModel":"The entity observes model performance.","ai:management:retiresModel":"The entity removes model from service.","ai:management:rollsBackModel":"The entity reverts to previous version.","ai:management:unloadsModel":"The entity removes model from memory.","ai:management:versionsModel":"The entity tracks model versions.","ai:quality":"Behaviours that monitor and 
maintain model and data quality.","ai:quality:detectsConceptDrift":"The entity identifies input-output relationship change.","ai:quality:detectsDataDrift":"The entity identifies input distribution change.","ai:quality:detectsOutlier":"The entity identifies anomalous input.","ai:quality:engineersFeatures":"The entity transforms raw data for model.","ai:quality:selectsFeatures":"The entity chooses relevant input features.","ai:quality:validatesInputData":"The entity checks inference input quality.","ai:robustness":"Behaviours that defend against adversarial attacks and handle uncertain inputs.","ai:robustness:defendsAgainstAdversarial":"The entity resists adversarial manipulation.","ai:robustness:detectsAdversarialInput":"The entity identifies crafted malicious input.","ai:robustness:detectsOutOfDistribution":"The entity identifies unfamiliar input.","ai:robustness:estimatesUncertainty":"The entity quantifies prediction confidence.","ai:robustness:validatesRobustness":"The entity tests model resilience.","ai:training":"Behaviours that prepare data and train machine learning models.","ai:training:appliesTransferLearning":"The entity adapts pre-trained model.","ai:training:checkpointsModel":"The entity saves model state during training.","ai:training:fineTunesModel":"The entity refines model for specific task.","ai:training:ingestsTrainingData":"The entity acquires data for training.","ai:training:preprocessesTrainingData":"The entity prepares data for training.","ai:training:trainsFederatedly":"The entity trains on distributed data.","ai:training:trainsModel":"The entity adjusts model parameters.","ai:training:tunesHyperparameters":"The entity optimises configuration parameters.","ai:training:validatesModel":"The entity evaluates model during training.","ai:training:validatesTrainingData":"The entity checks training data quality.","application":"Behaviours relating to application-level request processing and business logic.","application:codeExecution":"Behaviours 
that dynamically load and execute code at runtime.","application:codeExecution:compilesCode":"The entity transforms source to executable form.","application:codeExecution:evaluatesExpression":"The entity interprets and executes an expression.","application:codeExecution:executesNativeCommand":"The entity runs an operating system command.","application:codeExecution:executesScript":"The entity runs script code.","application:codeExecution:interpretsCode":"The entity executes code without compilation.","application:codeExecution:invokesViaReflection":"The entity calls method through reflection.","application:codeExecution:loadsCodeDynamically":"The entity loads executable code at runtime.","application:configuration":"Behaviours that load and manage application configuration settings.","application:configuration:detectsEnvironment":"The entity determines deployment context.","application:configuration:evaluatesFeatureFlag":"The entity checks feature toggle state.","application:configuration:loadsConfiguration":"The entity reads configuration settings.","application:configuration:reloadsConfiguration":"The entity refreshes configuration dynamically.","application:controlFlow":"Behaviours that manage the execution sequence and event handling within an application.","application:controlFlow:awaitsAsyncResult":"The entity waits for asynchronous completion.","application:controlFlow:catchesException":"The entity handles an error condition.","application:controlFlow:emitsEvent":"The entity triggers an event.","application:controlFlow:handlesEvent":"The entity responds to an event.","application:controlFlow:invokesCallback":"The entity executes a callback function.","application:controlFlow:invokesHandler":"The entity calls a request handler.","application:controlFlow:invokesMiddleware":"The entity executes middleware component.","application:controlFlow:schedulesAsyncOperation":"The entity queues work for later execution.","application:controlFlow:throwsException":"The 
entity raises an error condition.","application:dependencyManagement":"Behaviours that resolve and manage dependencies on other components.","application:dependencyManagement:closesCircuitBreaker":"The entity resumes calls to recovered dependency.","application:dependencyManagement:fallsBack":"The entity uses alternative when primary fails.","application:dependencyManagement:injectsDependency":"The entity provides component to dependent.","application:dependencyManagement:opensCircuitBreaker":"The entity stops calls to failing dependency.","application:dependencyManagement:resolvesDependency":"The entity locates required component.","application:externalIntegration":"Behaviours that communicate with external services and systems.","application:externalIntegration:callsExternalService":"The entity invokes an external API.","application:externalIntegration:consumesEvent":"The entity receives event from external system.","application:externalIntegration:publishesEvent":"The entity sends event to external system.","application:externalIntegration:receivesWebhook":"The entity accepts callback from external service.","application:observability":"Behaviours that emit telemetry for monitoring and debugging purposes.","application:observability:emitsTelemetry":"The entity transmits operational data.","application:observability:logsOperation":"The entity records an operational event.","application:observability:recordsMetric":"The entity captures a quantitative measurement.","application:observability:reportsHealth":"The entity communicates operational status.","application:observability:tracesRequest":"The entity tracks request across services.","application:requestHandling":"Behaviours that receive and process incoming requests.","application:requestHandling:authenticatesRequest":"The entity verifies requestor identity.","application:requestHandling:authorizesRequest":"The entity verifies requestor permissions.","application:requestHandling:bindsParameters":"The entity 
maps request data to parameters.","application:requestHandling:parsesRequest":"The entity interprets incoming request.","application:requestHandling:receivesHttpRequest":"The entity accepts an HTTP request.","application:requestHandling:rejectsRequest":"The entity refuses to process request.","application:requestHandling:routesRequest":"The entity directs request to appropriate handler.","application:requestHandling:validatesRequest":"The entity verifies request validity.","application:responseGeneration":"Behaviours that construct and transmit responses to requests.","application:responseGeneration:generatesResponse":"The entity creates a response.","application:responseGeneration:readsCookie":"The entity retrieves cookie value.","application:responseGeneration:redirectsRequest":"The entity sends client to different location.","application:responseGeneration:returnsError":"The entity indicates failure.","application:responseGeneration:returnsSuccess":"The entity indicates successful completion.","application:responseGeneration:sendsHttpResponse":"The entity transmits an HTTP response.","application:responseGeneration:setsCookie":"The entity creates or modifies a cookie.","application:responseGeneration:setsHeader":"The entity adds HTTP header to response.","application:stateManagement":"Behaviours that maintain and synchronise application state across requests.","application:stateManagement:acquiresLock":"The entity obtains exclusive access to resource.","application:stateManagement:beginsTransaction":"The entity starts an atomic operation group.","application:stateManagement:commitsTransaction":"The entity finalises transaction changes.","application:stateManagement:createsSessionState":"The entity initialises session data.","application:stateManagement:destroysSessionState":"The entity removes session data.","application:stateManagement:readsSessionState":"The entity retrieves session data.","application:stateManagement:releasesLock":"The entity relinquishes 
exclusive access.","application:stateManagement:rollsBackTransaction":"The entity undoes transaction changes.","application:stateManagement:synchronizesState":"The entity maintains consistency across replicas.","application:stateManagement:updatesSessionState":"The entity modifies session data.","data":"Behaviours relating to the ingestion and transformation of structured and unstructured data.","data:encoding":"Behaviours that apply specific encoding schemes to data.","data:encoding:appliesXor":"The entity transforms data using XOR operation.","data:encoding:decodesBaseSixtyFour":"The entity converts Base64 to original form.","data:encoding:decodesUrl":"The entity converts URL-encoded data.","data:encoding:encodesBaseSixtyFour":"The entity converts data to Base64.","data:encoding:encodesUrl":"The entity converts data for URL inclusion.","data:ingestion":"Behaviours that acquire data from external sources.","data:ingestion:pollsSource":"The entity periodically checks for new data.","data:ingestion:readsFile":"The entity retrieves data from a file.","data:ingestion:readsStream":"The entity consumes data from a continuous source.","data:ingestion:receivesInput":"The entity accepts data from an external source.","data:ingestion:receivesMessage":"The entity accepts a message from a queue.","data:ingestion:receivesRequest":"The entity accepts an incoming request.","data:ingestion:subscribesToFeed":"The entity registers to receive updates.","data:output":"Behaviours that produce and transmit data to external consumers.","data:output:formatsResponse":"The entity structures data for delivery.","data:output:producesOutput":"The entity generates data for consumption.","data:output:publishesMessage":"The entity sends a message to a queue.","data:output:rendersTemplate":"The entity generates output from a template.","data:output:sendsResponse":"The entity transmits a reply.","data:output:serializesObject":"The entity converts object to transmittable 
form.","data:output:streamsOutput":"The entity continuously produces data.","data:output:writesFile":"The entity saves data to a file.","data:parsing":"Behaviours that interpret and extract information from structured data formats.","data:parsing:decodesData":"The entity converts encoded data to original form.","data:parsing:deserializesObject":"The entity reconstructs object from serialised form.","data:parsing:extractsFields":"The entity isolates specific data elements.","data:parsing:parsesData":"The entity interprets structured data.","data:parsing:parsesHtml":"The entity interprets HTML content.","data:parsing:parsesJson":"The entity interprets JSON-formatted data.","data:parsing:parsesXml":"The entity interprets XML-formatted data.","data:query":"Behaviours that retrieve data based on specified criteria.","data:query:executesLdapQuery":"The entity queries an LDAP directory.","data:query:executesNoSqlQuery":"The entity queries a NoSQL database.","data:query:executesSearch":"The entity performs full-text or indexed search.","data:query:executesSql":"The entity runs a SQL statement.","data:query:executesXPath":"The entity evaluates an XPath expression.","data:query:queriesData":"The entity retrieves data matching criteria.","data:storage":"Behaviours that persist and retrieve data from storage systems.","data:storage:cachesData":"The entity stores data for quick retrieval.","data:storage:deletesData":"The entity removes stored data.","data:storage:flushesCache":"The entity writes cached data to persistent storage.","data:storage:invalidatesCache":"The entity marks cached data as stale.","data:storage:retrievesData":"The entity fetches stored data.","data:storage:storesData":"The entity saves data persistently.","data:storage:updatesData":"The entity modifies stored data.","data:transformation":"Behaviours that convert data from one form or structure to another.","data:transformation:aggregatesData":"The entity combines multiple 
values.","data:transformation:compressesData":"The entity reduces data size.","data:transformation:decompressesData":"The entity restores compressed data.","data:transformation:encodesData":"The entity converts data to encoded form.","data:transformation:enrichesData":"The entity adds information from external sources.","data:transformation:filtersData":"The entity removes unwanted elements.","data:transformation:joinsData":"The entity combines data from multiple sources.","data:transformation:mapsData":"The entity converts between data structures.","data:transformation:normalizesData":"The entity converts to standard form.","data:transformation:sortsData":"The entity orders data elements.","data:transformation:transformsData":"The entity converts data from one form to another.","evasion":"Behaviours relating to techniques that avoid detection and analysis.","evasion:analysisResistance":"Behaviours that detect and evade analysis environments.","evasion:analysisResistance:detectsAnalysisTool":"The entity identifies analysis software.","evasion:analysisResistance:detectsDebugger":"The entity identifies debugger presence.","evasion:analysisResistance:detectsEmulator":"The entity identifies emulation environment.","evasion:analysisResistance:detectsSandbox":"The entity identifies sandbox environment.","evasion:analysisResistance:detectsVirtualMachine":"The entity identifies VM environment.","evasion:analysisResistance:evadesDebugger":"The entity modifies behaviour under debugging.","evasion:analysisResistance:evadesEmulator":"The entity modifies behaviour under emulation.","evasion:analysisResistance:evadesSandbox":"The entity modifies behaviour in sandbox.","evasion:analysisResistance:evadesVirtualMachine":"The entity modifies behaviour in VM.","evasion:analysisResistance:usesTimingEvasion":"The entity uses delays to evade analysis.","evasion:antiSecurity":"Behaviours that detect and disable security software.","evasion:antiSecurity:detectsAntivirus":"The entity 
identifies AV software.","evasion:antiSecurity:disablesSecuritySoftware":"The entity deactivates security tools.","evasion:antiSecurity:evadesAntivirus":"The entity avoids AV detection.","evasion:antiSecurity:terminatesSecurityProcess":"The entity kills security software processes.","evasion:indirection":"Behaviours that use indirect methods to execute code.","evasion:indirection:resolvesApiDynamically":"The entity finds API addresses at runtime.","evasion:indirection:usesIndirectCalls":"The entity invokes functions indirectly.","evasion:indirection:usesProxyExecution":"The entity executes through intermediary.","evasion:obfuscation":"Behaviours that obscure code and data to hinder analysis.","evasion:obfuscation:obfuscatesCode":"The entity makes code difficult to analyse.","evasion:obfuscation:obfuscatesControlFlow":"The entity obscures execution paths.","evasion:obfuscation:obfuscatesData":"The entity hides data structures.","evasion:obfuscation:obfuscatesStrings":"The entity hides string contents.","evasion:obfuscation:packsCode":"The entity compresses or encrypts executable.","evasion:obfuscation:unpacksAtRuntime":"The entity decompresses code during execution.","file":"Behaviours relating to file system operations and disk management.","file:directory":"Behaviours that create and navigate directory structures.","file:directory:changesDirectory":"The entity sets current working directory.","file:directory:createsDirectory":"The entity creates a new directory.","file:directory:deletesDirectory":"The entity removes a directory.","file:directory:listsDirectory":"The entity enumerates directory contents.","file:directory:traversesDirectory":"The entity recursively explores directories.","file:disk":"Behaviours that manage storage volumes and disk-level operations.","file:disk:decryptsVolume":"The entity decrypts a storage volume.","file:disk:encryptsVolume":"The entity encrypts a storage volume.","file:disk:formatsVolume":"The entity prepares storage for 
use.","file:disk:mountsVolume":"The entity attaches a storage volume.","file:disk:unmountsVolume":"The entity detaches a storage volume.","file:disk:wipesDisk":"The entity securely erases disk contents.","file:operations":"Behaviours that create and manipulate files.","file:operations:appendsToFile":"The entity adds data to end of file.","file:operations:checksFileExistence":"The entity verifies whether a file exists.","file:operations:closesFile":"The entity releases file access.","file:operations:copiesFile":"The entity duplicates a file.","file:operations:createsFile":"The entity creates a new file.","file:operations:deletesFile":"The entity removes a file.","file:operations:getsFileAttributes":"The entity retrieves file metadata.","file:operations:movesFile":"The entity relocates a file.","file:operations:opensFile":"The entity prepares a file for access.","file:operations:readsFile":"The entity retrieves file contents.","file:operations:renamesFile":"The entity changes a file name.","file:operations:setsFileAttributes":"The entity modifies file metadata.","file:operations:setsFilePermissions":"The entity modifies file access permissions.","file:operations:writesFile":"The entity modifies file contents.","gui":"Behaviours relating to graphical user interface interactions.","gui:display":"Behaviours that render and monitor visual output.","gui:display:displaysData":"The entity renders information visually.","gui:display:monitorsDisplay":"The entity observes displayed content.","gui:display:updatesDisplay":"The entity refreshes visual presentation.","gui:session":"Behaviours that interact with user login sessions.","gui:session:displaysLogin":"The entity presents login interface.","gui:session:interactsWithSession":"The entity operates within user session.","gui:session:switchesSession":"The entity changes active user session.","gui:window":"Behaviours that create and manipulate graphical windows.","gui:window:capturesWindow":"The entity captures window 
contents.","gui:window:createsWindow":"The entity creates a graphical window.","gui:window:destroysWindow":"The entity closes a window.","gui:window:enumeratesWindows":"The entity lists open windows.","gui:window:interactsWithTaskbar":"The entity modifies taskbar elements.","gui:window:modifiesWindow":"The entity changes window properties.","hardware":"Behaviours relating to hardware components and physical device interactions.","hardware:actuator":"Behaviours that control physical actuators and output devices.","hardware:actuator:calibratesActuator":"The entity adjusts actuator accuracy.","hardware:actuator:controlsBattery":"The entity manages battery charging.","hardware:actuator:controlsHeating":"The entity manages heating element.","hardware:actuator:controlsLed":"The entity manages LED indicator.","hardware:actuator:controlsMotor":"The entity manages motor operation.","hardware:actuator:controlsPower":"The entity manages power distribution.","hardware:actuator:controlsPump":"The entity manages fluid pump.","hardware:actuator:controlsTemperature":"The entity regulates temperature.","hardware:boot":"Behaviours that verify and configure system startup processes.","hardware:boot:entersRecoveryMode":"The entity boots via alternative path.","hardware:boot:executesSecureBoot":"The entity verifies code integrity at startup.","hardware:boot:locksBootConfiguration":"The entity prevents boot setting changes.","hardware:boot:modifiesBootConfiguration":"The entity changes boot settings.","hardware:boot:readsBootConfiguration":"The entity retrieves boot settings.","hardware:boot:recordsBootMeasurement":"The entity logs boot component hashes.","hardware:boot:verifiesBootLoader":"The entity validates boot loader authenticity.","hardware:firmware":"Behaviours that manage and verify firmware integrity.","hardware:firmware:monitorsFirmwareIntegrity":"The entity checks for firmware tampering.","hardware:firmware:preventsFirmwareRollback":"The entity blocks reversion to old 
firmware.","hardware:firmware:readsFirmwareVersion":"The entity retrieves firmware version.","hardware:firmware:updatesFirmware":"The entity applies firmware changes.","hardware:firmware:verifiesFirmwareSignature":"The entity validates firmware authenticity.","hardware:memory":"Behaviours that protect and isolate memory regions.","hardware:memory:encryptsMemory":"The entity protects memory contents.","hardware:memory:isolatesMemory":"The entity separates memory regions.","hardware:memory:protectsStack":"The entity defends against stack attacks.","hardware:memory:randomizesAddressSpace":"The entity applies ASLR.","hardware:memory:readsProtectedMemory":"The entity accesses protected memory region.","hardware:memory:writesProtectedMemory":"The entity modifies protected memory region.","hardware:peripheral":"Behaviours that interact with peripheral devices and interfaces.","hardware:peripheral:accessesCamera":"The entity interacts with camera hardware.","hardware:peripheral:accessesDisplay":"The entity interacts with display hardware.","hardware:peripheral:accessesGpio":"The entity reads or writes GPIO pins.","hardware:peripheral:accessesJtag":"The entity uses JTAG debug interface.","hardware:peripheral:accessesKeyboard":"The entity interacts with keyboard hardware.","hardware:peripheral:accessesStorageDevice":"The entity interacts with storage hardware.","hardware:peripheral:accessesUsbDevice":"The entity interacts with USB peripheral.","hardware:peripheral:configuresDma":"The entity sets up direct memory access.","hardware:peripheral:protectsDma":"The entity prevents unauthorised DMA.","hardware:physicalSecurity":"Behaviours that detect and respond to physical tampering.","hardware:physicalSecurity:detectsPhysicalTamper":"The entity identifies physical interference.","hardware:physicalSecurity:disablesDebugInterface":"The entity prevents debug access.","hardware:physicalSecurity:enablesDebugInterface":"The entity permits debug 
access.","hardware:physicalSecurity:monitorsEnclosure":"The entity detects housing penetration.","hardware:physicalSecurity:respondsToTamper":"The entity reacts to physical attack.","hardware:physicalSecurity:zeroizesKeys":"The entity destroys keys on tamper detection.","hardware:security":"Behaviours that utilise hardware security features and trusted execution environments.","hardware:security:anchorsInHardwareRoot":"The entity uses tamper-resistant hardware for trust.","hardware:security:executesInTee":"The entity runs in trusted execution environment.","hardware:security:generatesPufResponse":"The entity uses physical unclonable function.","hardware:security:usesHsm":"The entity employs hardware security module.","hardware:security:usesSecureElement":"The entity employs dedicated security hardware.","hardware:sensor":"Behaviours that read measurements from hardware sensors.","hardware:sensor:calibratesSensor":"The entity adjusts sensor accuracy.","hardware:sensor:readsBatteryStatus":"The entity obtains battery state.","hardware:sensor:readsBloodOxygen":"The entity obtains SpO2 measurement.","hardware:sensor:readsBloodPressure":"The entity obtains blood pressure measurement.","hardware:sensor:readsCoTwoLevel":"The entity obtains CO2 measurement.","hardware:sensor:readsEcg":"The entity obtains electrocardiogram data.","hardware:sensor:readsPowerStatus":"The entity obtains power state.","hardware:sensor:readsTemperature":"The entity obtains temperature measurement.","hardware:sideChannelDefense":"Behaviours that protect against side-channel attacks.","hardware:sideChannelDefense:controlsEmEmissions":"The entity limits electromagnetic leakage.","hardware:sideChannelDefense:resistsFaultInjection":"The entity protects against induced faults.","hardware:sideChannelDefense:resistsPowerAnalysis":"The entity protects against power-based attacks.","hardware:sideChannelDefense:resistsTimingAnalysis":"The entity protects against timing-based attacks.","network":"Behaviours 
relating to network communication and data transmission between systems.","network:connection":"Behaviours that establish and manage network connections.","network:connection:acceptsConnection":"The entity receives an incoming connection.","network:connection:detectsConnectionLoss":"The entity identifies a dropped connection.","network:connection:establishesConnection":"The entity initiates a network connection.","network:connection:reconnects":"The entity re-establishes a dropped connection.","network:connection:reusesConnection":"The entity uses a pooled connection.","network:connection:sendsHeartbeat":"The entity transmits a keep-alive signal.","network:connection:terminatesConnection":"The entity closes a network connection.","network:discovery":"Behaviours that locate and advertise network services and resources.","network:discovery:advertisesService":"The entity announces its availability.","network:discovery:discoversService":"The entity locates an available service.","network:discovery:enumeratesInterfaces":"The entity lists network interfaces.","network:discovery:probesPort":"The entity checks if a port is open.","network:discovery:queriesDns":"The entity requests DNS resolution.","network:discovery:resolvesName":"The entity translates a name to an address.","network:discovery:scansNetwork":"The entity probes for active hosts or services.","network:protocol":"Behaviours that negotiate and implement communication protocols.","network:protocol:downgradesProtocol":"The entity falls back to a less secure protocol version.","network:protocol:framesMessage":"The entity structures data for transmission.","network:protocol:negotiatesProtocol":"The entity agrees on communication protocol with peer.","network:protocol:parsesMessage":"The entity interprets received network data.","network:protocol:retransmitsMessage":"The entity resends data after transmission failure.","network:protocol:upgradesProtocol":"The entity transitions to a more secure protocol 
version.","network:protocol:validatesMessage":"The entity verifies message format and integrity.","network:remoteInteraction":"Behaviours that execute operations on remote systems.","network:remoteInteraction:accessesRemoteDesktop":"The entity controls a remote graphical interface.","network:remoteInteraction:accessesRemoteShell":"The entity interacts with a remote command line.","network:remoteInteraction:executesRemoteCommand":"The entity runs a command on a remote system.","network:remoteInteraction:invokesRemoteProcedure":"The entity calls a function on a remote system.","network:remoteInteraction:sendsEmail":"The entity transmits an email message.","network:remoteInteraction:sendsSms":"The entity transmits a text message.","network:remoteInteraction:transfersFile":"The entity sends or receives a file remotely.","network:routing":"Behaviours that direct network traffic to its destination.","network:routing:configuresProxy":"The entity sets up traffic to route through a proxy.","network:routing:forwardsPacket":"The entity passes a packet toward its destination.","network:routing:redirectsTraffic":"The entity diverts traffic to a different destination.","network:routing:routesTraffic":"The entity directs network traffic to destinations.","network:routing:tunnelsTraffic":"The entity encapsulates traffic within another protocol.","network:trafficControl":"Behaviours that manage and manipulate network traffic flow.","network:trafficControl:balancesLoad":"The entity distributes requests across destinations.","network:trafficControl:filtersTraffic":"The entity blocks or allows traffic based on rules.","network:trafficControl:inspectsTraffic":"The entity examines traffic contents.","network:trafficControl:interceptsTraffic":"The entity captures traffic in transit.","network:trafficControl:limitsRate":"The entity restricts traffic volume.","network:trafficControl:modifiesTraffic":"The entity alters traffic in transit.","network:trafficControl:shapesTraffic":"The entity 
manages traffic timing and priority.","network:transmission":"Behaviours that send and receive data over network connections.","network:transmission:broadcastsData":"The entity sends data to multiple recipients.","network:transmission:multicastsData":"The entity sends data to a group of recipients.","network:transmission:receivesData":"The entity accepts data from the network.","network:transmission:sendsData":"The entity transmits data over the network.","network:transmission:streamsData":"The entity continuously transmits or receives data.","privacy":"Behaviours relating to the collection and processing of personal and sensitive data.","privacy:collection":"Behaviours that gather personal or sensitive information from individuals or systems.","privacy:collection:capturesAudio":"The entity records sound via microphone.","privacy:collection:capturesKeystrokes":"The entity records keyboard input.","privacy:collection:capturesScreen":"The entity records display contents.","privacy:collection:capturesVideo":"The entity records images via camera.","privacy:collection:collectsBehavioralData":"The entity records user actions and patterns.","privacy:collection:collectsBiometricData":"The entity captures biometric information.","privacy:collection:collectsCommunicationContent":"The entity captures message or call contents.","privacy:collection:collectsDeviceInformation":"The entity gathers device identifiers or characteristics.","privacy:collection:collectsFinancialData":"The entity gathers payment or financial information.","privacy:collection:collectsHealthData":"The entity gathers protected health information.","privacy:collection:collectsInBackground":"The entity gathers data without active user engagement.","privacy:collection:collectsLocationData":"The entity gathers geographical position information.","privacy:collection:collectsPersonalData":"The entity gathers personally identifiable information.","privacy:collection:collectsSilently":"The entity gathers data 
without user awareness.","privacy:collection:readsBrowserHistory":"The entity accesses web browsing history.","privacy:collection:readsClipboard":"The entity accesses clipboard contents.","privacy:deletion":"Behaviours that remove or destroy personal data.","privacy:deletion:clearsCache":"The entity removes data from temporary storage.","privacy:deletion:deletesPersonalData":"The entity removes personal data.","privacy:deletion:erasesSecurely":"The entity irreversibly destroys data.","privacy:deletion:purgesFromBackup":"The entity removes data from backup systems.","privacy:deletion:redactsData":"The entity removes specific content from records.","privacy:inference":"Behaviours that derive personal information through analysis and correlation of data.","privacy:inference:correlatesData":"The entity combines data from multiple sources.","privacy:inference:createsProfile":"The entity builds a profile from collected data.","privacy:inference:fingerprintsDevice":"The entity identifies device via characteristics.","privacy:inference:infersPersonalInformation":"The entity derives personal data from other data.","privacy:inference:linksIdentities":"The entity associates data across contexts.","privacy:inference:tracksUser":"The entity follows user activity across sessions.","privacy:minimization":"Behaviours that reduce the amount or sensitivity of personal data processed.","privacy:minimization:aggregatesData":"The entity combines records into summaries.","privacy:minimization:anonymizesData":"The entity removes identifying information.","privacy:minimization:filtersData":"The entity removes unnecessary data elements.","privacy:minimization:generalizesData":"The entity reduces data precision.","privacy:minimization:limitsCollection":"The entity gathers only necessary data.","privacy:minimization:limitsProcessing":"The entity restricts data use to stated purposes.","privacy:minimization:pseudonymizesData":"The entity replaces identifiers with 
pseudonyms.","privacy:privacyEnhancement":"Behaviours that employ technical measures to protect privacy during processing.","privacy:privacyEnhancement:addsDifferentialPrivacy":"The entity injects noise to protect individuals.","privacy:privacyEnhancement:computesMultiparty":"The entity performs joint computation privately.","privacy:privacyEnhancement:processesHomomorphically":"The entity computes on encrypted data.","privacy:privacyEnhancement:processesLocally":"The entity handles data on-device.","privacy:retention":"Behaviours that store personal data over time.","privacy:retention:archivesData":"The entity moves data to long-term storage.","privacy:retention:backsUpData":"The entity creates copies for recovery.","privacy:retention:enforcesRetentionPeriod":"The entity deletes data after specified time.","privacy:retention:retainsBeyondPurpose":"The entity keeps data longer than necessary.","privacy:retention:retainsInCache":"The entity keeps data in temporary storage.","privacy:retention:retainsInLog":"The entity keeps data in log files.","privacy:retention:storesPersonalData":"The entity saves personal data persistently.","privacy:sharing":"Behaviours that disclose personal data to third parties or across boundaries.","privacy:sharing:disclosesToThirdParty":"The entity transmits personal data externally.","privacy:sharing:exportsData":"The entity outputs data in portable format.","privacy:sharing:publishesData":"The entity makes data publicly available.","privacy:sharing:sellsData":"The entity provides data in exchange for value.","privacy:sharing:sharesWithAffiliate":"The entity provides data to related entities.","privacy:sharing:transfersCrossBorder":"The entity sends data across jurisdictions.","privacy:subjectRights":"Behaviours that fulfil data subject rights under privacy regulations.","privacy:subjectRights:correctsData":"The entity modifies inaccurate personal data.","privacy:subjectRights:exportsDataPortably":"The entity provides data in portable 
format.","privacy:subjectRights:honorsErasureRequest":"The entity deletes data upon request.","privacy:subjectRights:honorsObjection":"The entity ceases processing upon objection.","privacy:subjectRights:providesDataAccess":"The entity gives individuals their data.","privacy:subjectRights:restrictsProcessing":"The entity limits data use upon request.","privacy:transparency":"Behaviours that inform individuals about data processing activities.","privacy:transparency:disclosesProcessing":"The entity reveals data processing activities.","privacy:transparency:displaysPrivacyNotice":"The entity presents privacy information.","privacy:transparency:explainsAutomatedDecision":"The entity describes automated decision logic.","privacy:transparency:recordsConsent":"The entity stores consent decisions.","privacy:transparency:requestsConsent":"The entity asks for processing permission.","privacy:transparency:withdrawsConsent":"The entity processes consent revocation.","safety":"Behaviours relating to the prevention of harm to users and the environment.","safety:autonomousBehavior":"Behaviours that govern decision-making boundaries and human oversight of autonomous systems.","safety:autonomousBehavior:acceptsOverride":"The entity yields to human command.","safety:autonomousBehavior:enforcesHumanInLoop":"The entity requires human involvement.","safety:autonomousBehavior:explainsDecision":"The entity provides rationale for its action.","safety:autonomousBehavior:requestsGuidance":"The entity asks for human direction.","safety:autonomousBehavior:respectsDecisionBoundary":"The entity stays within authorised decision scope.","safety:contentSafety":"Behaviours that detect and filter harmful or inappropriate content.","safety:contentSafety:detectsHarmfulContent":"The entity identifies potentially harmful content.","safety:contentSafety:detectsMisinformation":"The entity identifies false or misleading content.","safety:contentSafety:enforcesAgeRestriction":"The entity limits access by 
user age.","safety:contentSafety:filtersContent":"The entity blocks or restricts content.","safety:contentSafety:labelsContent":"The entity marks content with warnings or ratings.","safety:harmPrevention":"Behaviours that actively protect users and bystanders from physical or psychological harm.","safety:harmPrevention:preventsEnvironmentalHarm":"The entity acts to protect the environment.","safety:harmPrevention:preventsPropertyDamage":"The entity acts to protect physical property.","safety:harmPrevention:preventsUserHarm":"The entity acts to protect users from injury.","safety:harmPrevention:protectsBystanders":"The entity considers safety of non-users.","safety:hazardManagement":"Behaviours that identify and mitigate potentially dangerous conditions.","safety:hazardManagement:assessesRisk":"The entity evaluates severity and likelihood of harm.","safety:hazardManagement:identifiesHazard":"The entity detects a potentially harmful condition.","safety:hazardManagement:mitigatesHazard":"The entity reduces hazard severity or likelihood.","safety:hazardManagement:reportsHazard":"The entity communicates a hazardous condition.","safety:humanInteraction":"Behaviours that manage communication and interaction with human operators.","safety:humanInteraction:adaptsForAccessibility":"The entity adjusts for users with disabilities.","safety:humanInteraction:managesCognitiveLoad":"The entity limits information to prevent overwhelm.","safety:humanInteraction:requestsConfirmation":"The entity requires human approval for action.","safety:humanInteraction:warnsOperator":"The entity alerts human to abnormal condition.","safety:operationalSafety":"Behaviours that enforce safe operating limits and conditions.","safety:operationalSafety:acceptsManualOverride":"The entity yields control to human operator.","safety:operationalSafety:enforcesInterlock":"The entity prevents unsafe operation combinations.","safety:operationalSafety:enforcesOperatingLimits":"The entity prevents operation 
outside safe bounds.","safety:operationalSafety:executesEmergencyStop":"The entity immediately halts dangerous operation.","safety:operationalSafety:monitorsWatchdog":"The entity checks for uncontrolled operation.","safety:operationalSafety:validatesSafetyCondition":"The entity confirms safe operating state.","security":"Behaviours relating to the protection of systems and data from unauthorised access and threats.","security:auditing":"Behaviours that record security-relevant events for accountability and forensic analysis.","security:auditing:logsEvent":"The entity records an occurrence.","security:auditing:logsSecurityEvent":"The entity records a security-relevant occurrence.","security:auditing:protectsAuditLog":"The entity prevents tampering with log records.","security:auditing:purgesLog":"The entity deletes old log records.","security:auditing:rotatesLog":"The entity archives and starts new log files.","security:auditing:signsLogEntry":"The entity cryptographically signs audit records.","security:auditing:timestampsEvent":"The entity records when an event occurred.","security:auditing:transmitsLog":"The entity sends log data to a remote destination.","security:authentication":"Behaviours that verify the identity of users and entities.","security:authentication:authenticatesDevice":"The entity confirms device identity.","security:authentication:authenticatesService":"The entity confirms service identity.","security:authentication:authenticatesUser":"The entity confirms user identity.","security:authentication:bypassesAuthentication":"The entity permits access without authentication.","security:authentication:capturesBiometric":"The entity collects biometric data for authentication.","security:authentication:delegatesAuthentication":"The entity relies on external identity provider.","security:authentication:failsAuthentication":"The entity rejects invalid credentials.","security:authentication:locksAccount":"The entity prevents further authentication 
attempts.","security:authentication:performsMultiFactorAuthentication":"The entity requires multiple authentication factors.","security:authentication:promptsForCredentials":"The entity requests authentication information.","security:authentication:unlocksAccount":"The entity restores authentication capability.","security:authentication:validatesBiometric":"The entity verifies biometric data.","security:authentication:validatesCredentials":"The entity verifies supplied credentials.","security:authorization":"Behaviours that determine and enforce access permissions.","security:authorization:checksPermission":"The entity verifies access rights.","security:authorization:delegatesAuthority":"The entity transfers access rights to another.","security:authorization:deniesAccess":"The entity refuses a requested action.","security:authorization:enforcesRole":"The entity restricts actions based on assigned role.","security:authorization:escalatesPrivilege":"The entity gains elevated permissions.","security:authorization:evaluatesAttributes":"The entity uses attributes for access decisions.","security:authorization:evaluatesPolicy":"The entity applies rules to make access decisions.","security:authorization:grantsAccess":"The entity permits a requested action.","security:authorization:grantsImpersonation":"The entity permits another to act within its security context.","security:authorization:impersonatesUser":"The entity performs actions within another user's security context.","security:authorization:requestsImpersonation":"The entity initiates a request to act as another user.","security:authorization:revokesAccess":"The entity withdraws previously granted permissions.","security:authorization:revokesImpersonation":"The entity terminates another's permission to act on its behalf.","security:cryptography":"Behaviours that employ cryptographic operations to protect data confidentiality and integrity.","security:cryptography:authenticates":"The entity verifies the identity of 
a user, process, or device.","security:cryptography:checksRevocation":"The entity queries certificate revocation status.","security:cryptography:decryptsData":"The entity restores encrypted data to readable form.","security:cryptography:decryptsDataAtRest":"The entity restores stored encrypted data to readable form.","security:cryptography:decryptsDataInTransit":"The entity restores data received over a network to readable form.","security:cryptography:decryptsDisk":"The entity unlocks and decrypts contents of an encrypted disk.","security:cryptography:decryptsSecret":"The entity retrieves and decrypts a secured credential or metadata.","security:cryptography:destroysKey":"The entity securely erases a key.","security:cryptography:encryptsData":"The entity transforms data to prevent unauthorised reading.","security:cryptography:encryptsDataAtRest":"The entity protects stored data by converting it to unreadable form.","security:cryptography:encryptsDataInTransit":"The entity protects data moving across a network.","security:cryptography:encryptsDisk":"The entity applies full-disk encryption to protect all data on a drive.","security:cryptography:encryptsSecret":"The entity secures sensitive credentials or metadata.","security:cryptography:ensuresAccountability":"The entity ensures actions can be traced to a specific individual or process.","security:cryptography:ensuresConfidentiality":"The entity protects sensitive information from unauthorised access.","security:cryptography:ensuresIntegrity":"The entity guarantees that data has not been altered or tampered with.","security:cryptography:ensuresNonRepudiation":"The entity provides proof of origin and integrity to prevent denial.","security:cryptography:exchangesKey":"The entity shares a key with another party.","security:cryptography:generatesKey":"The entity creates a cryptographic key.","security:cryptography:generatesRandomValue":"The entity produces a cryptographically secure random 
value.","security:cryptography:hashesData":"The entity generates a cryptographic hash.","security:cryptography:hashesPassword":"The entity applies a cryptographic hash function to a password.","security:cryptography:identifies":"The entity establishes a unique identity for an actor within the system.","security:cryptography:issuesCertificate":"The entity creates and signs a digital certificate.","security:cryptography:preservesPrivacy":"The entity protects personally identifiable information and user data.","security:cryptography:presentsClientCertificate":"The entity provides a client certificate for authentication.","security:cryptography:presentsServerCertificate":"The entity provides a server certificate for authentication.","security:cryptography:retrievesKey":"The entity obtains a stored key.","security:cryptography:revokesCertificate":"The entity invalidates a certificate.","security:cryptography:rotatesKey":"The entity replaces a key with a new one.","security:cryptography:signsCode":"The entity applies a digital signature to executable code.","security:cryptography:signsData":"The entity creates a digital signature.","security:cryptography:signsDocument":"The entity applies a digital signature to a document.","security:cryptography:storesKey":"The entity saves a key securely.","security:cryptography:usesIdentity":"The entity utilises established identity credentials for operations.","security:cryptography:validatesCertificate":"The entity verifies certificate authenticity.","security:cryptography:validatesToken":"The entity verifies the authenticity and expiration of a security token.","security:cryptography:verifiesCodeSignature":"The entity validates a digital signature on executable code.","security:cryptography:verifiesDataSignature":"The entity validates a digital signature on data.","security:cryptography:verifiesDocumentSignature":"The entity validates a digital signature on a document.","security:cryptography:verifiesHash":"The entity validates 
data against a hash.","security:cryptography:verifiesSignature":"The entity validates a digital signature.","security:cryptography:wrapsKey":"The entity encrypts a key for secure storage or transport.","security:errorHandling":"Behaviours that manage error conditions to prevent information disclosure.","security:errorHandling:catchesException":"The entity intercepts an error condition.","security:errorHandling:disclosesErrorDetails":"The entity reveals internal information in error messages.","security:errorHandling:failsClosed":"The entity denies access when controls fail.","security:errorHandling:failsOpen":"The entity permits access when controls fail.","security:errorHandling:generatesError":"The entity produces an error condition.","security:errorHandling:logsError":"The entity records an error condition.","security:errorHandling:propagatesError":"The entity passes an error to caller.","security:errorHandling:returnsGenericError":"The entity provides minimal error information.","security:errorHandling:suppressesError":"The entity hides an error condition.","security:inputHandling":"Behaviours that validate and sanitise input data to prevent injection attacks.","security:inputHandling:escapesInput":"The entity encodes special characters in input.","security:inputHandling:normalizesInput":"The entity converts input to standard form.","security:inputHandling:rejectsInvalidInput":"The entity refuses malformed or dangerous input.","security:inputHandling:sanitizesInput":"The entity removes potentially harmful content from input.","security:inputHandling:truncatesInput":"The entity shortens input to acceptable length.","security:inputHandling:validatesFormat":"The entity verifies input conforms to expected format.","security:inputHandling:validatesRange":"The entity ensures values fall within acceptable bounds.","security:inputHandling:validatesSchema":"The entity checks input against a defined schema.","security:integrity":"Behaviours that verify and protect the 
integrity of data and code.","security:integrity:attestsIntegrity":"The entity provides evidence of its own integrity.","security:integrity:detectsTampering":"The entity identifies modification attempts.","security:integrity:respondsToTampering":"The entity reacts to detected tampering.","security:integrity:validatesComponent":"The entity verifies authenticity of a dependency.","security:integrity:verifiesIntegrity":"The entity confirms data or code has not been altered.","security:integrity:verifiesProvenance":"The entity confirms origin and history.","security:outputHandling":"Behaviours that encode and filter output data to prevent information leakage.","security:outputHandling:encodesOutput":"The entity transforms output to prevent injection.","security:outputHandling:enforcesContentPolicy":"The entity restricts content sources.","security:outputHandling:escapesOutput":"The entity encodes special characters in output.","security:outputHandling:filtersOutput":"The entity removes sensitive content from output.","security:outputHandling:masksOutput":"The entity obscures sensitive data in output.","security:outputHandling:setsSecurityHeader":"The entity adds security-related HTTP headers.","security:session":"Behaviours that manage authenticated user sessions.","security:session:createsSession":"The entity establishes an authenticated session.","security:session:detectsSessionHijacking":"The entity identifies unauthorised session use.","security:session:invalidatesSession":"The entity revokes session validity.","security:session:refreshesSession":"The entity extends session lifetime.","security:session:regeneratesSessionId":"The entity creates a new session identifier.","security:session:terminatesSession":"The entity ends an authenticated session.","security:session:validatesSession":"The entity verifies session validity.","security:threatResponse":"Behaviours that detect and respond to security threats and incidents.","security:threatResponse:blocksRequest":"The 
entity refuses a suspicious request.","security:threatResponse:blocksSource":"The entity prevents further requests from a source.","security:threatResponse:collectsForensicData":"The entity gathers evidence for investigation.","security:threatResponse:detectsAnomaly":"The entity recognises deviation from normal patterns.","security:threatResponse:detectsIntrusion":"The entity identifies a potential security breach.","security:threatResponse:initiatesIncidentResponse":"The entity triggers security response procedures.","security:threatResponse:quarantinesElement":"The entity isolates a suspicious item.","security:threatResponse:raisesAlert":"The entity notifies of a security event.","system":"Behaviours relating to operating system interactions and the management of computational resources.","system:configuration":"Behaviours that read and modify system configuration settings.","system:configuration:deletesRegistryKey":"The entity removes entries from the registry.","system:configuration:modifiesGroupPolicy":"The entity changes group policy settings.","system:configuration:readsConfigurationFile":"The entity loads settings from a configuration file.","system:configuration:readsEnvironmentVariable":"The entity retrieves an environment variable value.","system:configuration:readsGroupPolicy":"The entity retrieves group policy settings.","system:configuration:readsRegistry":"The entity retrieves values from the system registry.","system:configuration:setsEnvironmentVariable":"The entity modifies an environment variable.","system:configuration:writesConfigurationFile":"The entity saves settings to a configuration file.","system:configuration:writesRegistry":"The entity stores values in the system registry.","system:informationGathering":"Behaviours that collect information about the host system and its configuration.","system:informationGathering:detectsOsVersion":"The entity determines the operating system 
version.","system:informationGathering:gathersSystemInformation":"The entity collects system configuration details.","system:informationGathering:queriesHardwareInformation":"The entity retrieves hardware specifications.","system:informationGathering:retrievesHostname":"The entity obtains the system hostname.","system:kernelInteraction":"Behaviours that interact directly with the operating system kernel.","system:kernelInteraction:hooksKernelFunction":"The entity intercepts kernel-level calls.","system:kernelInteraction:installsDriver":"The entity loads a kernel-mode driver.","system:kernelInteraction:readsKernelMemory":"The entity accesses kernel memory space.","system:kernelInteraction:writesKernelMemory":"The entity modifies kernel memory space.","system:lifecycle":"Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.","system:lifecycle:appliesUpdate":"The entity installs software or firmware updates.","system:lifecycle:decommissions":"The entity securely retires from service.","system:lifecycle:initializes":"The entity performs start-up routines and loads configuration.","system:lifecycle:performsSelfTest":"The entity verifies its own operational readiness.","system:lifecycle:provisions":"The entity configures itself for deployment.","system:lifecycle:rollsBack":"The entity reverts to a previous known-good state.","system:lifecycle:shutsDown":"The entity executes orderly cessation of operations.","system:operationalState":"Behaviours that govern an entity's functional status and mode of operation.","system:operationalState:entersFailSafeState":"The entity transitions to a known safe state upon detecting a fault.","system:operationalState:entersFailSecureState":"The entity denies access or ceases sensitive operations upon detecting a security fault.","system:operationalState:operatesInDegradedMode":"The entity continues operation with reduced functionality.","system:operationalState:operatesNormally":"The entity performs 
its intended functions within designed parameters.","system:operationalState:performsEmergencyShutdown":"The entity immediately halts to prevent harm or damage.","system:persistence":"Behaviours that establish mechanisms for an entity to survive system restarts.","system:persistence:createsScheduledTask":"The entity schedules itself for recurring execution.","system:persistence:installsAsService":"The entity registers itself as a system service.","system:persistence:loadsAsKernelModule":"The entity loads itself into the kernel.","system:persistence:registersForStartup":"The entity configures itself to execute at system boot.","system:persistence:removesPersistence":"The entity removes its persistence mechanism.","system:processControl":"Behaviours that create and manipulate operating system processes.","system:processControl:createsProcess":"The entity starts a new process.","system:processControl:dumpsProcessMemory":"The entity extracts memory contents from a process.","system:processControl:enumeratesProcesses":"The entity lists running processes.","system:processControl:hooksFunction":"The entity intercepts and redirects function calls.","system:processControl:injectsCodeIntoProcess":"The entity inserts executable code into another process.","system:processControl:modifiesProcess":"The entity changes attributes of a running process.","system:processControl:resumesProcess":"The entity continues paused process execution.","system:processControl:suspendsProcess":"The entity pauses process execution.","system:processControl:terminatesProcess":"The entity ends a running process.","system:resilience":"Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.","system:resilience:activatesRedundancy":"The entity activates backup systems or alternative processing paths.","system:resilience:degradesGracefully":"The entity progressively reduces functionality rather than failing abruptly.","system:resilience:detectsFault":"The 
entity identifies an internal fault or anomalous condition.","system:resilience:recoversFromFailure":"The entity restores normal operation following a failure.","system:resilience:toleratesFault":"The entity continues operation despite the presence of a fault.","system:resourceManagement":"Behaviours that allocate and deallocate computational resources such as memory and threads.","system:resourceManagement:allocatesMemory":"The entity reserves memory for use.","system:resourceManagement:deallocatesMemory":"The entity releases previously allocated memory.","system:resourceManagement:handlesResourceExhaustion":"The entity responds to depleted resources.","system:resourceManagement:managesPowerState":"The entity transitions between power consumption states.","system:resourceManagement:readsFromStorage":"The entity retrieves data from persistent storage.","system:resourceManagement:resumesThread":"The entity continues paused thread execution.","system:resourceManagement:spawnsThread":"The entity creates a new execution thread.","system:resourceManagement:suspendsThread":"The entity pauses thread execution.","system:resourceManagement:terminatesThread":"The entity ends an execution thread.","system:resourceManagement:writesToStorage":"The entity saves data to persistent storage.","system:serviceControl":"Behaviours that manage system services and daemons.","system:serviceControl:createsService":"The entity installs a system service or daemon.","system:serviceControl:deletesService":"The entity removes a system service.","system:serviceControl:enumeratesServices":"The entity lists installed services.","system:serviceControl:modifiesService":"The entity changes service configuration.","system:serviceControl:startsService":"The entity initiates service execution.","system:serviceControl:stopsService":"The entity halts service execution.","system:synchronization":"Behaviours that coordinate access to shared resources across concurrent execution 
contexts.","system:synchronization:acquiresMutex":"The entity obtains exclusive access via mutex.","system:synchronization:releasesMutex":"The entity relinquishes mutex ownership.","system:synchronization:signalsEvent":"The entity triggers a synchronisation event.","system:synchronization:signalsSemaphore":"The entity releases a semaphore.","system:synchronization:waitsOnEvent":"The entity blocks until an event is signalled.","system:synchronization:waitsOnSemaphore":"The entity blocks until semaphore is available.","system:timing":"Behaviours that govern temporal aspects of execution including scheduling and synchronisation.","system:timing:delaysExecution":"The entity postpones an operation.","system:timing:enforcesDeadline":"The entity ensures completion within a timing constraint.","system:timing:executesScheduledTask":"The entity performs a task at a predetermined time.","system:timing:resetsWatchdog":"The entity signals continued operation to a watchdog monitor.","system:timing:synchronizesClock":"The entity aligns its internal clock with an external source.","system:timing:triggersTimeout":"The entity acts upon detecting an unresponsive condition.","system:timing:waits":"The entity pauses execution for a specified duration.","system:userManagement":"Behaviours that create and manipulate user accounts and privileges.","system:userManagement:createsUserAccount":"The entity adds a new user account.","system:userManagement:deletesUserAccount":"The entity removes a user account.","system:userManagement:elevatesPrivileges":"The entity gains higher access permissions.","system:userManagement:enumeratesUsers":"The entity lists user accounts.","system:userManagement:impersonatesUser":"The entity assumes another user's identity.","system:userManagement:modifiesUserAccount":"The entity changes user account properties."}}}},"cyclonedx-blueprint-2.0":{"type":"null","title":"CycloneDX Blueprint 
Model","$defs":{"blueprints":{"type":"array","title":"Blueprints","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint"},"description":"A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis."},"blueprint":{"type":"object","title":"Blueprint","description":"A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.","required":["modelTypes","methodologies"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"metadata":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"},"modelTypes":{"type":"array","title":"Model Types","minItems":1,"uniqueItems":true,"description":"The types of models being represented","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"}},"methodologies":{"type":"array","title":"Methodologies","minItems":1,"uniqueItems":true,"description":"The modeling methodologies used","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"}},"scope":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/scope"},"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/asset"},"description":"The assets (components, services, data, actors) included in the model"},"dataStores":{"type":"array","title":"Data Stores","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"},"description":"Structured description of data stores used in the model"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"},"description":"Datasets handled by the system, including placements and 
sensitivity"},"zones":{"type":"array","title":"Zones","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/zone"},"description":"Logical, physical, or trust zones that group assets with similar characteristics"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},"description":"Boundaries between zones"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/flow"},"description":"Data, control, or process flows between assets"},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/actor"},"description":"Human or system actors involved in the model, distinct from assets"},"assumptions":{"type":"array","title":"Assumptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"},"description":"Assumptions made during the modeling process"},"visualizations":{"type":"array","title":"Visualizations","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"},"description":"Visual representations of the model"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},{"properties":{"assets":{"type":"array","title":"Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint assets that are involved in or exercised by this use case"},"flows":{"type":"array","title":"Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the blueprint flows that are triggered or traversed during the execution of this use 
case"},"requirements":{"type":"array","title":"Requirements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the requirements that are implemented, validated, or addressed by this use case"}}}]},"description":"Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."},"requirements":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirement"},"description":"Requirements derived from or related to the model"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"modelType":{"type":"object","title":"Model Type","description":"The type of model being represented, either a predefined type or a custom named type.","oneOf":[{"title":"Predefined Model Type","description":"A model type selected from a predefined set of well-known modelling categories.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Model Type","enum":["architecture","behavioral","conceptual","dataFlow","deployment","logical","network","operational","physical","privacy","process","risk","structural","threat"],"meta:enum":{"architecture":"System or software architecture model","behavioral":"System behavior model","conceptual":"High-level conceptual model","dataFlow":"Data flow model showing how data moves through the system","deployment":"Deployment or infrastructure model","logical":"Logical system model","network":"Network topology or connectivity model","operational":"Operational model","physical":"Physical infrastructure model","privacy":"Privacy impact assessment model","process":"Business or system process model","risk":"Risk assessment model","structural":"System structure model","threat":"Security threat model"}}}},{"title":"Custom Model Type","description":"A custom model type not 
covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom model type name"},"description":{"type":"string","title":"Description","description":"Description of the custom model type"}}}]},"methodology":{"type":"object","title":"Methodology","description":"The modelling methodology used, either a predefined type or a custom named methodology.","oneOf":[{"title":"Predefined Methodology","description":"A modelling methodology selected from a predefined set of well-known frameworks and standards.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Pre-Defined Type","enum":["4+1","Archimate","ATFAA","BPMN","C4","DFD","DODAF","ERD","IDEF","LINDDUN","MAESTRO","MITRE-ATTACK","MODAF","NAF","OWASP","PASTA","SABSA","STRIDE","SysML","TOGAF","TRIKE","UML","VAST","Zachman","attackTree"],"meta:enum":{"4+1":"4+1 Architectural View Model","Archimate":"Enterprise architecture modeling language","ATFAA":"Advanced Threat Framework for Autonomous AI Agents","BPMN":"Business Process Model and Notation","C4":"C4 Model for software architecture","DFD":"Data Flow Diagrams","DODAF":"Department of Defense Architecture Framework","ERD":"Entity Relationship Diagrams","IDEF":"Integration Definition Methods","LINDDUN":"Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance","MAESTRO":"Multi-Agent Environment, Security, Threat, Risk, and Outcome","MITRE-ATTACK":"MITRE ATT&CK adversarial tactics, techniques, and procedures framework","MODAF":"Ministry of Defence Architecture Framework","NAF":"NATO Architecture Framework","OWASP":"OWASP threat modelling methodology","PASTA":"Process for Attack Simulation and Threat Analysis","SABSA":"Sherwood Applied Business Security 
Architecture","STRIDE":"Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege","SysML":"Systems Modeling Language","TOGAF":"The Open Group Architecture Framework","TRIKE":"Risk-based threat modelling methodology","UML":"Unified Modeling Language","VAST":"Visual, Agile, and Simple Threat modelling","Zachman":"Zachman Framework","attackTree":"Attack tree methodology for structured threat analysis"}},"version":{"type":"string","title":"Version","description":"Version of the methodology"}}},{"title":"Custom Methodology","description":"A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"Custom methodology name"},"version":{"type":"string","title":"Version","description":"Version of the methodology"},"description":{"type":"string","title":"Description","description":"Description of the custom methodology"},"externalReferences":{"type":"array","title":"External References","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}}]},"blueprintMetadata":{"type":"object","title":"Blueprint Metadata","description":"Metadata about the creation, review, and approval of the blueprint.","additionalProperties":false,"properties":{"timestamp":{"type":"string","title":"Timestamp","format":"date-time","description":"When the blueprint was created or last updated"},"authors":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who created the blueprint"},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who reviewed the blueprint"},"reviewDate":{"type":"string","title":"Review Date","format":"date-time","description":"When the 
blueprint was reviewed"},"approver":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The person(s) or organization(s) who approved the blueprint"},"approvalDate":{"type":"string","title":"Approval Date","format":"date-time","description":"When the blueprint was approved"},"ordinalVersion":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion"},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"validityPeriod":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod"}}},"validityPeriod":{"type":"object","title":"Validity Period","description":"The period during which the blueprint is considered valid.","additionalProperties":false,"properties":{"start":{"type":"string","title":"Start","format":"date-time","description":"When the blueprint becomes valid"},"end":{"type":"string","title":"End","format":"date-time","description":"When the blueprint expires"},"reviewFrequency":{"type":"string","title":"Review Frequency","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$","description":"ISO 8601 duration for review frequency (e.g., P3M for quarterly)"}}},"scope":{"type":"object","title":"Scope","description":"Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the scope"},"description":{"type":"string","title":"Description","description":"Description of what is included and excluded from the model"},"boundaries":{"type":"array","title":"Boundaries","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Explicit boundaries of the model"},"includedComponents":{"type":"array","title":"Included 
Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly included"},"excludedComponents":{"type":"array","title":"Excluded Components","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to components explicitly excluded"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"asset":{"type":"object","title":"Asset","description":"A component, service, data store, or other element included in the blueprint model.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for the asset"},"componentRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the component this asset represents"},"serviceRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the service this asset represents"},"type":{"type":"string","title":"Asset Type","enum":["actor","agent","api","broker","cache","component","container","data","dataStore","device","endpoint","function","gateway","infrastructure","interface","model","module","network","other","process","queue","resource","service","stream","subsystem","system"],"meta:enum":{"actor":"User, system, or external entity","agent":"Autonomous AI or software agent","api":"API endpoint or interface","broker":"Message broker or event bus infrastructure","cache":"Caching layer or in-memory data store","component":"Software component or application","container":"Container or orchestration unit","data":"Dataset","dataStore":"Database, file system, or data repository","device":"Physical or IoT device","endpoint":"Service endpoint or URL","function":"Serverless function or lambda","gateway":"API gateway, load balancer, or proxy","infrastructure":"Infrastructure component","interface":"System interface or contract","model":"AI or machine learning 
model","module":"Software module or package","network":"Network segment or resource","other":"Asset type not covered by predefined values","process":"Business or system process","queue":"Message queue or task queue","resource":"Generic resource or artifact","service":"Service or microservice","stream":"Data stream or event stream","subsystem":"Part of a larger system","system":"Complete system or application"}},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the asset"},"description":{"type":"string","title":"Description","description":"Description of the asset's role and purpose"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone containing this asset"},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent asset if this is a sub-component"},"classification":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags"},"responsibilities":{"type":"array","title":"Responsibilities","uniqueItems":true,"items":{"type":"string","minLength":1},"description":"Responsibilities or functions of this asset"},"interfaces":{"type":"array","title":"Interfaces","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/interface"},"description":"Interfaces exposed by this asset"},"dependencies":{"type":"array","title":"Dependencies","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets this asset depends on"},"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its 
usage."},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication methods supported/required"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"ownership":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/ownership"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}},"oneOf":[{"title":"Component Reference Asset","description":"An asset defined by reference to a component declared elsewhere in the BOM.","required":["bom-ref","componentRef"]},{"title":"Service Reference Asset","description":"An asset defined by reference to a service declared elsewhere in the BOM.","required":["bom-ref","serviceRef"]},{"title":"Inline Asset","description":"An asset defined inline within the blueprint with an explicit type and name.","required":["bom-ref","type","name"]}]},"dataStore":{"type":"object","title":"Data Store","description":"A persistent storage system used within the modelled system to hold, retrieve, or manage data.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the data store"},"description":{"type":"string","title":"Description","description":"Purpose and contents of the store"},"type":{"type":"string","title":"Type","enum":["blob","blockchain","cache","columnFamily","custom","dataLake","dataWarehouse","document","eventLog","file","graph","inMemory","keyValue","messageQueue","object","other","registry","search","spatial","sql","timeSeries","vector"],"meta:enum":{"blob":"Binary/blob storage","blockchain":"Distributed 
ledger or blockchain storage","cache":"Caching tier","columnFamily":"Wide-column or column-family store (e.g., Cassandra, HBase)","custom":"Custom or mixed storage technology","dataLake":"Data lake or lakehouse for raw and semi-structured data","dataWarehouse":"Analytical data warehouse optimised for OLAP workloads","document":"Document database (e.g., MongoDB)","eventLog":"Event log or append-only streaming store (e.g., Kafka)","file":"File system or NAS","graph":"Graph database","inMemory":"In-memory data store used as a primary store","keyValue":"Key-value store","messageQueue":"Message queue or broker with persistent storage","object":"Object storage","other":"Other storage technology not listed","registry":"Configuration or service registry (e.g., etcd, Consul)","search":"Search index or full-text search engine (e.g., Elasticsearch)","spatial":"Spatial or geospatial database","sql":"Relational database","timeSeries":"Time-series database","vector":"Vector database for embeddings and similarity search"}},"vendor":{"type":"string","title":"Vendor","description":"The vendor or publisher of the data store product"},"product":{"type":"string","title":"Product","description":"The name of the data store product"},"version":{"type":"string","title":"Version","description":"The version of the data store product"},"environment":{"type":"string","title":"Environment","description":"Deployment environment (prod, test, etc.)"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the asset resides"},"location":{"type":"string","title":"Location","description":"Physical or logical hosting location"},"technologies":{"type":"array","title":"Technologies","uniqueItems":true,"items":{"type":"string"},"description":"Supporting technologies or services"},"dataSets":{"type":"array","title":"Data Sets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to data sets stored 
here"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataSet":{"type":"object","title":"Data Set","description":"A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.","required":["bom-ref","name","description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the dataset"},"description":{"type":"string","title":"Description","minLength":1,"description":"What information is contained and why it exists"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"recordCount":{"type":"integer","title":"Record Count","description":"Approximate number of records"},"owners":{"type":"array","title":"Owners","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Individuals or organizational entities that own the dataset"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models supported/required"},"placements":{"type":"array","title":"Placements","uniqueItems":true,"items":{"type":"object","title":"Placement","description":"Describes where a dataset physically or logically resides and the storage characteristics at that location.","required":["dataStore"],"additionalProperties":false,"properties":{"dataStore":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the store holding this dataset"},"encrypted":{"type":"boolean","title":"Encrypted","description":"Whether the dataset is encrypted at this 
location"},"retention":{"type":"string","title":"Retention","description":"Retention policy for this placement"},"replicated":{"type":"boolean","title":"Replicated","description":"Indicates if this placement is a replica"}}},"description":"Where the dataset resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"interface":{"type":"object","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the interface"},"type":{"type":"string","enum":["rest","graphql","grpc","soap","messaging","file","database","cli","gui","api","event","stream"],"description":"Type of interface"},"description":{"type":"string","description":"Description of the interface"},"specification":{"type":"string","description":"Link or reference to interface specification"},"protocol":{"type":"string","description":"Communication protocol used"},"dataFormat":{"type":"string","description":"Data format (e.g., JSON, XML, Protocol Buffers)"},"authentication":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"}},"operations":{"type":"array","items":{"type":"string"},"description":"Operations or methods exposed"}}},"zone":{"type":"object","title":"Zone","description":"A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the zone"},"description":{"type":"string","title":"Description","description":"Description of the zone's characteristics"},"type":{"type":"string","title":"Type","enum":["deployment","functional","logical","network","organizational","other","physical","trust"],"meta:enum":{"deployment":"Deployment environment (e.g., dev, staging, 
prod)","functional":"Functional grouping","logical":"Logical grouping or boundary","network":"Network segmentation zone","organizational":"Organizational or administrative boundary","other":"Other zone type not listed","physical":"Physical location or boundary","trust":"Security trust zone"}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to parent zone if this is a sub-zone"},"characteristics":{"type":"array","title":"Characteristics","uniqueItems":true,"items":{"type":"string"},"description":"Key characteristics of this zone"},"constraints":{"type":"array","title":"Constraints","uniqueItems":true,"items":{"type":"string"},"description":"Constraints or limitations of this zone"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"boundary":{"type":"object","title":"Boundary","description":"Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.","required":["bom-ref","zones"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name of the boundary"},"type":{"type":"string","title":"Type","enum":["data","functional","network","organizational","other","physical","process","trust"],"meta:enum":{"data":"Data classification boundary","functional":"Functional boundary","network":"Network boundary or firewall","organizational":"Organizational boundary","other":"A boundary type not covered by the predefined enumeration","physical":"Physical security boundary","process":"Process or execution boundary","trust":"Trust boundary between different security zones"}},"zones":{"type":"array","title":"Zones","uniqueItems":true,"minItems":2,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"The zones this boundary connects or 
separates"},"crossingRequirements":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"crossingRequirements":{"type":"object","title":"Crossing Requirements","description":"Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.","additionalProperties":false,"properties":{"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required to cross this boundary"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced at this boundary"},"dataValidation":{"type":"boolean","title":"Data Validation","description":"Whether data is validated when crossing this boundary"},"dataTransformation":{"type":"boolean","title":"Data Transformation","description":"Whether data is transformed when crossing this boundary"},"logging":{"type":"boolean","title":"Logging","description":"Whether crossings are logged"},"monitoring":{"type":"boolean","title":"Monitoring","description":"Whether crossings are monitored"},"rateLimit":{"type":"string","title":"Rate Limit","description":"Rate limiting policy"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Allowed protocols for crossing"}}},"flow":{"type":"object","title":"Flow","description":"Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the 
exchange.","required":["bom-ref","name","source","destination","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or description of the flow"},"description":{"type":"string","title":"Description","description":"Detailed description of what flows and why"},"type":{"type":"string","title":"Type","enum":["control","data","dependency","event","interaction","message","other","physical","process","signal"],"meta:enum":{"control":"Control or command flow","data":"Data or information flow","dependency":"Dependency relationship","event":"Event or notification flow","interaction":"User or system interaction","message":"Message or communication flow","other":"A flow type not covered by the predefined enumeration","physical":"Physical movement of goods or materials","process":"Business process flow","signal":"Hardware or system signal"}},"source":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the source asset"},"destination":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the destination asset"},"bidirectional":{"type":"boolean","title":"Bidirectional","default":false,"description":"Whether flow occurs in both directions"},"synchronous":{"type":"boolean","title":"Synchronous","description":"Whether the flow is synchronous or asynchronous"},"volume":{"type":"string","title":"Volume","description":"Expected volume or frequency of flow"},"timing":{"type":"string","title":"Timing","description":"Timing characteristics (real-time, batch, scheduled)"},"protocols":{"type":"array","title":"Protocols","uniqueItems":true,"items":{"type":"string"},"description":"Communication protocols used by this 
flow"},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"authentication":{"type":"array","title":"Authentication","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType"},"description":"Authentication required for this flow"},"authorization":{"type":"array","title":"Authorization","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType"},"description":"Authorization models enforced on this flow"},"sequence":{"type":"integer","title":"Sequence","minimum":0,"description":"Ordering hint so flows can be assembled into sequence diagrams"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"actor":{"type":"object","title":"Actor","description":"Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the actor"},"description":{"type":"string","title":"Description","description":"Narrative describing the actor's role and context"},"type":{"type":"string","title":"Type","enum":["administrator","agent","engineer","external","operator","other","system","user"],"meta:enum":{"administrator":"Administrative or privileged operator","agent":"Autonomous AI agent or intelligent software agent","engineer":"Developer or platform/DevOps engineer","external":"Third-party or external entity","operator":"Operational staff running the system","other":"An actor type not covered by the predefined enumeration","system":"Automated system actor or service account","user":"End user of a client application or service"}},"permissions":{"type":"array","title":"Permissions","uniqueItems":true,"items":{"type":"string"},"description":"Permissions, capabilities, or duties the actor 
holds"},"delegatedBy":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity"},"zone":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the zone where the actor resides"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"assumption":{"type":"object","title":"Assumption","description":"A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.","required":["description"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies"},"topic":{"type":"string","title":"Topic","enum":["availability","business","compliance","operational","other","performance","security","technical"],"meta:enum":{"availability":"Assumption about system uptime, redundancy, or failover capabilities","business":"Assumption about business requirements, constraints, or organizational context","compliance":"Assumption about regulatory, legal, or policy compliance obligations","operational":"Assumption about operational procedures, staffing, or maintenance practices","other":"An assumption topic not covered by the predefined enumeration","performance":"Assumption about throughput, latency, capacity, or scalability characteristics","security":"Assumption about threat landscape, trust boundaries, or security controls","technical":"Assumption about technology choices, capabilities, or technical constraints"}},"relatedAssets":{"type":"array","title":"Related 
Assets","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes"},"validity":{"type":"string","title":"Validity","enum":["invalid","unknown","unverified","verified"],"meta:enum":{"invalid":"The assumption has been disproven or is no longer applicable","unknown":"The validity of the assumption has not yet been assessed","unverified":"The assumption has been identified but not yet validated","verified":"The assumption has been confirmed as true through validation"},"default":"unknown","description":"The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound"},"impact":{"type":"string","title":"Impact","description":"A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components"},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model"},"validationMethod":{"type":"string","title":"Validation Method","description":"The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement"},"validationDate":{"type":"string","title":"Validation Date","format":"date-time","description":"The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation"}}},"visualization":{"type":"object","title":"Visualization","description":"A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements 
depicted.","required":["name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"Name or title of the visualization"},"description":{"type":"string","title":"Description","description":"Description of what the visualization shows"},"type":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationType"},"format":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/visualizationFormat"},"content":{"type":"string","title":"Content","description":"The diagram content (source code or base64 encoded image)"},"url":{"type":"string","title":"URL","format":"iri-reference","description":"URL to the diagram if stored externally"},"level":{"type":"string","title":"Level","enum":["detailed","high","medium","overview"],"meta:enum":{"detailed":"Fine-grained view showing implementation-level specifics","high":"High-level view showing major components and relationships","medium":"Intermediate view balancing breadth and depth","overview":"Top-level summary providing a broad perspective of the system"},"description":"Level of detail in the visualization"},"elements":{"type":"array","title":"Elements","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to elements shown in this visualization"},"interactive":{"type":"boolean","title":"Interactive","description":"Whether the visualization is interactive"},"layers":{"type":"array","title":"Layers","uniqueItems":true,"items":{"type":"string"},"description":"Layers or views available in the visualization"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"visualizationType":{"type":"object","title":"Visualization Type","description":"The type of diagram or visual representation.","oneOf":[{"title":"Predefined Visualization Type","description":"A visualization type selected from a predefined set of well-known diagram 
types.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","enum":["activity","architecture","class","code","collaboration","component","container","context","dataFlow","deployment","entity","network","process","sequence","state","useCase"],"meta:enum":{"activity":"Activity or workflow diagram","architecture":"System architecture diagram","class":"Class or object diagram","code":"Code structure diagram","collaboration":"Collaboration diagram","component":"Component diagram","container":"Container diagram (C4)","context":"Context diagram","dataFlow":"Data flow diagram (DFD)","deployment":"Deployment or infrastructure diagram","entity":"Entity relationship diagram","network":"Network topology diagram","process":"Business process diagram","sequence":"Sequence or interaction diagram","state":"State machine diagram","useCase":"Use case diagram"}}}},{"title":"Custom Visualization Type","description":"A custom visualization type not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization type"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization type"}}}]},"visualizationFormat":{"type":"object","title":"Visualization Format","description":"The rendering format or toolchain used to produce the visualization.","oneOf":[{"title":"Predefined Visualization Format","description":"A visualization format selected from a predefined set of well-known diagram formats and tools.","required":["format"],"additionalProperties":false,"properties":{"format":{"type":"string","title":"Format","enum":["archimate","cytoscape","d3","drawio","graphviz","jpeg","mermaid","plantuml","png","svg","visio"],"meta:enum":{"archimate":"ArchiMate model format","cytoscape":"Cytoscape graph format","d3":"D3.js 
visualization","drawio":"Draw.io/diagrams.net format","graphviz":"GraphViz DOT language","jpeg":"JPEG image format","mermaid":"Mermaid diagram language","plantuml":"PlantUML diagram language","png":"Portable Network Graphics","svg":"Scalable Vector Graphics","visio":"Microsoft Visio format"}}}},{"title":"Custom Visualization Format","description":"A custom visualization format not covered by the predefined enumeration.","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of the custom visualization format"},"description":{"type":"string","title":"Description","description":"A description of the custom visualization format"}}}]},"assetClassification":{"type":"object","additionalProperties":false,"properties":{"criticality":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/criticality"},"sensitivity":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity"},"dataClassification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"tier":{"type":"string","enum":["tier0","tier1","tier2","tier3","tier4"],"meta:enum":{"tier0":"Mission critical - highest priority","tier1":"Business critical - high priority","tier2":"Business important - medium priority","tier3":"Business supporting - low priority","tier4":"Non-critical - minimal priority"}},"categories":{"type":"array","items":{"type":"string"},"description":"Business or technical categories"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags for classification and search"}}},"dataProfile":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataProfile"},"ownership":{"type":"object","title":"Ownership","description":"Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.","additionalProperties":false,"properties":{"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Primary owner of the 
asset"},"steward":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Steward responsible for the asset"},"custodian":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Custodian responsible for protecting the asset"},"users":{"type":"array","title":"Users","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact"},"description":"Primary users of the asset"}}},"authenticationType":{"type":"string","title":"Authentication Type","description":"The authentication method or protocol used to verify identity.","enum":["apiKey","basic","bearer","certificate","custom","digest","fido2","jwt","kerberos","ldap","mfa","mTLS","none","ntlm","oauth1","oauth2","oidc","saml","ssh"],"meta:enum":{"apiKey":"API key authentication","basic":"Basic authentication (username/password)","bearer":"Bearer token authentication","certificate":"Certificate-based authentication","custom":"Custom authentication method","digest":"Digest authentication","fido2":"FIDO2/WebAuthn passwordless authentication","jwt":"JSON Web Token authentication","kerberos":"Kerberos authentication","ldap":"LDAP directory authentication","mfa":"Multi-factor authentication","mTLS":"Mutual TLS authentication","none":"No authentication required","ntlm":"NTLM authentication","oauth1":"OAuth 1.0 authentication","oauth2":"OAuth 2.0 authentication","oidc":"OpenID Connect authentication","saml":"SAML authentication","ssh":"SSH key authentication"}},"authorizationType":{"type":"string","title":"Authorization Type","description":"The authorization model used to determine and enforce access permissions.","enum":["abac","acl","cbac","custom","dac","mac","none","other","pbac","rbac","rebac"],"meta:enum":{"abac":"Attribute-Based Access Control","acl":"Access Control Lists","cbac":"Claims-Based Access Control","custom":"Custom authorization model","dac":"Discretionary Access Control","mac":"Mandatory Access 
Control","none":"No authorization controls","other":"Other authorization model not listed","pbac":"Policy-Based Access Control","rbac":"Role-Based Access Control","rebac":"Relationship-Based Access Control"}}}},"cyclonedx-citation-2.0":{"type":"null","title":"CycloneDX Citation Model","$defs":{"citations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citation"},"uniqueItems":true,"title":"Citations","description":"A collection of attributions indicating which entity supplied information for specific fields within the BOM."},"citation":{"type":"object","title":"Citation","description":"Details a specific attribution of data within the BOM to a contributing entity or process.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference"},"pointers":{"type":"array","items":{"type":"string","title":"Field Reference","description":"A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."},"minItems":1,"title":"Field References","description":"One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"expressions":{"type":"array","items":{"type":"string","title":"Path Expression","description":"Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."},"minItems":1,"title":"Path Expressions","description":"One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time when the attribution was made or the information was 
supplied."},"attributedTo":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Attributed To","description":"The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"process":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Process Reference","description":"The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."},"note":{"type":"string","title":"Note","description":"A description or comment about the context or quality of the data attribution."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"A digital signature verifying the authenticity or integrity of the attribution."}},"required":["timestamp"],"anyOf":[{"required":["attributedTo"]},{"required":["process"]}],"oneOf":[{"required":["pointers"]},{"required":["expressions"]}]}}},"cyclonedx-common-2.0":{"type":"null","title":"CycloneDX Common Model","$defs":{"refType":{"description":"Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","type":"string","minLength":1},"refLinkType":{"description":"Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"bomLinkDocumentType":{"title":"BOM-Link Document","description":"Descriptor for another BOM document. 
See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$"},"bomLinkElementType":{"title":"BOM-Link Element","description":"Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/","type":"string","format":"iri-reference","pattern":"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$"},"bomLink":{"title":"BOM-Link","anyOf":[{"title":"BOM-Link Document","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"hash":{"type":"object","title":"Hash","required":["alg","content"],"additionalProperties":false,"properties":{"alg":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm"},"content":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hashValue"}}},"hashAlgorithm":{"type":"string","title":"Hash Algorithm","description":"The algorithm that generated the hash value.","enum":["MD5","SHA-1","SHA-256","SHA-384","SHA-512","SHA3-256","SHA3-384","SHA3-512","BLAKE2b-256","BLAKE2b-384","BLAKE2b-512","BLAKE3","Streebog-256","Streebog-512"]},"hashValue":{"type":"string","title":"Hash Value","description":"The value of the hash.","examples":["3942447fac867ae5cdb3229b658f4d48"],"pattern":"^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"},"mediaType":{"type":"string","title":"Media Type","description":"The media type of the object. 
The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.","examples":["text/plain","application/json","image/png"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"attachment":{"type":"object","title":"Attachment","description":"Specifies the metadata and content for an attachment.","required":["content"],"additionalProperties":false,"properties":{"mediaType":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/mediaType"},"encoding":{"type":"string","title":"Encoding","description":"Specifies the optional encoding the text is represented in.","enum":["base64"],"meta:enum":{"base64":"Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."}},"content":{"type":"string","title":"Attachment Text","description":"The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."}}},"base64":{"type":"string","pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$","description":"A Base64-encoded string."},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"},"title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."},"externalReference":{"type":"object","title":"External Reference","description":"External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. 
They may also establish specific relationships within or external to the BOM.","required":["url","type"],"additionalProperties":false,"properties":{"url":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLink"}],"title":"URL","description":"The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."},"comment":{"type":"string","title":"Comment","description":"A comment describing the external reference"},"type":{"type":"string","title":"Type","description":"Specifies the type of external reference.","enum":["vcs","issue-tracker","website","advisories","bom","mailing-list","social","chat","documentation","support","source-distribution","distribution","distribution-intake","license","build-meta","build-system","release-notes","security-contact","model-card","log","configuration","evidence","formulation","attestation","threat-model","adversary-model","risk-assessment","vulnerability-assertion","exploitability-statement","pentest-report","static-analysis-report","dynamic-analysis-report","runtime-analysis-report","component-analysis-report","maturity-report","certification-report","codified-infrastructure","quality-metrics","poam","electronic-signature","digital-signature","rfc-9116","patent","patent-family","patent-assertion","citation","other"],"meta:enum":{"vcs":"Version Control 
System","issue-tracker":"Issue or defect tracking system, or an Application Lifecycle Management (ALM) system","website":"Website","advisories":"Security advisories","bom":"Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)","mailing-list":"Mailing list or discussion group","social":"Social media account","chat":"Real-time chat platform","documentation":"Documentation, guides, or how-to instructions","support":"Community or commercial support","source-distribution":"The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.","distribution":"Direct or repository download location","distribution-intake":"The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.","license":"The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.","build-meta":"Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)","build-system":"Reference to an automated build system","release-notes":"Reference to release notes","security-contact":"Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.","model-card":"A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.","log":"A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.","configuration":"Parameters or settings that may be used by other components or services.","evidence":"Information used to substantiate a claim.","formulation":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.","attestation":"Human or machine-readable statements containing facts, evidence, or testimony.","threat-model":"An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.","adversary-model":"The defined assumptions, goals, and capabilities of an adversary.","risk-assessment":"Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.","vulnerability-assertion":"A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.","exploitability-statement":"A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.","pentest-report":"Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.","static-analysis-report":"SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.","dynamic-analysis-report":"Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.","runtime-analysis-report":"Report generated by analyzing the call stack of a running application.","component-analysis-report":"Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.","maturity-report":"Report containing a formal assessment of an organization, business unit, or team against a maturity model.","certification-report":"Industry, regulatory, or other certification from an accredited (if applicable) certification body.","codified-infrastructure":"Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).","quality-metrics":"Report or system in which quality metrics can be obtained.","poam":"Plans of 
Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".","electronic-signature":"An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.","digital-signature":"A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.","rfc-9116":"Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)","patent":"References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-family":"References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).","patent-assertion":"References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","citation":"A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.","other":"Use this if no other types accurately describe the purpose of the external reference."}},"hashes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash"},"title":"Hashes","description":"The hashes of the external reference (if applicable)."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"postalAddress":{"type":"object","title":"Postal address","description":"An address used to identify a contactable location.","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"country":{"type":"string","title":"Country","description":"The country name or the two-letter ISO 3166-1 country code."},"region":{"type":"string","title":"Region","description":"The region or state in the country.","examples":["Texas"]},"locality":{"type":"string","title":"Locality","description":"The locality or city within the country.","examples":["Austin"]},"postOfficeBoxNumber":{"type":"string","title":"Post Office Box Number","description":"The post office box number.","examples":["901"]},"postalCode":{"type":"string","title":"Postal Code","description":"The postal code.","examples":["78758"]},"streetAddress":{"type":"string","title":"Street Address","description":"The street address.","examples":["100 Main Street"]}}},"organizationalEntity":{"type":"object","title":"Organizational 
Entity","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Organization Name","description":"The name of the organization","examples":["Example Inc."]},"address":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/postalAddress","title":"Organization Address","description":"The physical address (location) of the organization"},"url":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Organization URL(s)","description":"The URL of the organization. Multiple URLs are allowed.","examples":["https://example.com"]},"contact":{"type":"array","title":"Organizational Contact","description":"A contact at the organization. Multiple contacts are allowed.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"organizationalContact":{"type":"object","title":"Organizational Contact","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An optional identifier which can be used to reference the object elsewhere in the BOM. 
Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"name":{"type":"string","title":"Name","description":"The name of a contact","examples":["Contact name"]},"email":{"type":"string","format":"idn-email","title":"Email Address","description":"The email address of the contact.","examples":["firstname.lastname@example.com"]},"phone":{"type":"string","title":"Phone","description":"The phone number of the contact.","examples":["800-555-1212"]}}},"organizationalEntityOrContact":{},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"property":{"type":"object","title":"Lightweight name-value pair","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","required":["name"],"properties":{"name":{"type":"string","title":"Name","description":"The name of the property. 
Duplicate names are allowed, each potentially having a different value."},"value":{"type":"string","title":"Value","description":"The value of the property."}},"additionalProperties":false},"extensibleProperties":{"type":"object","title":"Extensible Properties","patternProperties":{"^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$":{"description":"CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).","examples":["ext::","ext:example.org:myExtension"],"if":{"type":["object","array"]},"then":{"type":"object","required":["$schema"],"properties":{"$schema":{"type":"string","format":"uri"}}},"else":{"type":["string","number","boolean","null"]}}}},"baseObject":{"description":"Base object for all CycloneDX entities. Automatically includes support for extensible properties.","allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}],"properties":{"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","pattern":"^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$","description":"An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. 
Offsets such as '+00:00' are not allowed."},"ordinalVersion":{"title":"Ordinal Version","description":"An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.","type":"string","pattern":"^\\d+(\\.\\d+)*$","examples":["1","1.2","1.2.3","2025.09.02","10.4.7.3"]},"lifecycle":{"type":"object","title":"Lifecycle","description":"The product lifecycle(s) that this BOM represents.","oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase"},{"title":"Custom Lifecycle Phase","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the lifecycle phase"},"description":{"type":"string","title":"Description","description":"The description of the lifecycle phase"}}}]},"lifecycles":{"type":"array","title":"Lifecycles","description":"Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycle"}},"preDefinedLifecyclePhase":{"title":"Pre-Defined Phase","required":["phase"],"additionalProperties":false,"properties":{"phase":{"type":"string","title":"Phase","description":"A pre-defined phase in the product lifecycle.","enum":["design","pre-build","build","post-build","operations","discovery","decommission"],"meta:enum":{"design":"BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.","pre-build":"BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.","build":"BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.","post-build":"BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.","operations":"BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.","discovery":"BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.","decommission":"BOM containing inventory that will be, or has been retired from operations."}}}},"tags":{"type":"array","items":{"type":"string"},"title":"Tags","description":"Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.","examples":["json-parser","object-persistence","text-to-image","translation","object-detection"]},"commit":{"type":"object","title":"Commit","description":"Specifies an individual commit","additionalProperties":false,"properties":{"uid":{"type":"string","title":"UID","description":"A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."},"url":{"type":"string","title":"URL","description":"The URL to the commit. This URL will typically point to a commit in a version control system.","format":"iri-reference"},"author":{"title":"Author","description":"The author who created the changes in the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"committer":{"title":"Committer","description":"The person who committed or pushed the commit","$ref":"#/$defs/cyclonedx-common-2.0/$defs/identifiableAction"},"message":{"type":"string","title":"Message","description":"The text description of the contents of the commit"}}},"patch":{"type":"object","title":"Patch","description":"Specifies an individual patch","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["unofficial","monkey","backport","cherry-pick"],"meta:enum":{"unofficial":"A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).","monkey":"A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).","backport":"A patch which takes code from a newer version of the software and applies it to older versions of the same software. 
Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).","cherry-pick":"A patch created by selectively applying commits from other versions or branches of the same software."},"title":"Patch Type","description":"Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."},"diff":{"title":"Diff","description":"The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)","$ref":"#/$defs/cyclonedx-common-2.0/$defs/diff"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues the patch resolves"}}},"diff":{"type":"object","title":"Diff","description":"The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff","additionalProperties":false,"properties":{"text":{"title":"Diff text","description":"Specifies the optional text of the diff","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"Specifies the URL to the diff","format":"iri-reference"}}},"issue":{"type":"object","title":"Issue","description":"An individual issue that has been resolved.","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["defect","enhancement","security"],"meta:enum":{"defect":"A fault, flaw, or bug in software.","enhancement":"A new feature or behavior in software.","security":"A special type of defect which impacts security."},"title":"Issue Type","description":"Specifies the type of issue"},"id":{"type":"string","title":"Issue ID","description":"The identifier of the issue assigned by the source of the issue"},"name":{"type":"string","title":"Issue Name","description":"The name of the issue"},"description":{"type":"string","title":"Issue Description","description":"A description of the 
issue"},"source":{"type":"object","title":"Source","description":"The source of the issue where it is documented","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["National Vulnerability Database","NVD","Apache"]},"url":{"type":"string","title":"URL","description":"The url of the issue documentation as provided by the source","format":"iri-reference"}}},"references":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"References","description":"A collection of URL's for reference. Multiple URLs are allowed.","examples":["https://example.com"]}}},"identifiableAction":{"type":"object","title":"Identifiable Action","description":"Specifies an individual commit","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The timestamp in which the action occurred"},"name":{"type":"string","title":"Name","description":"The name of the individual who performed the action"},"email":{"type":"string","format":"idn-email","title":"E-mail","description":"The email address of the individual who performed the action"}}},"locale":{"type":"string","pattern":"^([a-z]{2})(-[A-Z]{2})?$","title":"Locale","description":"Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. 
Examples: en, en-US, fr, fr-CA"},"signature":{"$ref":"../jsf-0.82.schema.json#/definitions/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"cyclonedx-component-2.0":{"type":"null","title":"CycloneDX Component Model","$defs":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components"},"component":{"type":"object","title":"Component","required":["type","name"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["application","framework","library","container","platform","operating-system","device","device-driver","firmware","file","machine-learning-model","data","cryptographic-asset"],"meta:enum":{"application":"A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.","framework":"A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.","library":"A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.","container":"A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).","platform":"A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.","operating-system":"A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).","device":"A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).","device-driver":"A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).","firmware":"A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).","file":"A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.","machine-learning-model":"A model based on training data that can make predictions or decisions without being explicitly programmed to do so.","data":"A collection of discrete values that convey information.","cryptographic-asset":"A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."},"title":"Component Type","description":"Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.","examples":["library"]},"mime-type":{"type":"string","title":"Mime-Type","description":"The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.","examples":["image/jpeg"],"pattern":"^[-+a-z0-9.]+/[-+a-z0-9.]+$"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"supplier":{"title":"Component Supplier","description":" The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"manufacturer":{"title":"Component Manufacturer","description":"The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"Component Authors","description":"The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"publisher":{"type":"string","title":"Component Publisher","description":"The person(s) or organization(s) that published the component","examples":["Acme Inc"]},"group":{"type":"string","title":"Component Group","description":"The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.","examples":["com.acme"]},"name":{"type":"string","title":"Component Name","description":"The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery","examples":["tomcat-catalina"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Component Version","description":"The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both."},"versionRange":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange","title":"Component Version Range","description":"For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/patch"}},"notes":{"type":"string","title":"Notes","description":"Notes, observations, and other non-structured commentary describing the components pedigree."}}},"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."},"evidence":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentEvidence","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"modelCard":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard","title":"AI/ML Model Card"},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentData"},"title":"Data","description":"This object SHOULD be specified for any component of type `data` and must not be specified for other component types."},"cryptoProperties":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties","title":"Cryptographic Properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format 
(JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}},"allOf":[{"description":"Requirement: ensure that `version` and `versionRange` are not present simultaneously.","not":{"required":["version","versionRange"]}},{"description":"Requirement: 'versionRange' must not be present when 'isExternal' is `false`.","if":{"properties":{"isExternal":{"const":false}}},"then":{"not":{"required":["versionRange"]}},"else":true}]},"version":{"description":"A single disjunctive version identifier, for a component or service.","type":"string","maxLength":1024,"examples":["9.0.14","v1.33.7","7.0.0-M1","2.0pre1","1.0.0-beta1","0.8.15"]},"versionRange":{"description":"A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec","type":"string","minLength":1,"maxLength":4096,"examples":["vers:cargo/9.0.14","vers:npm/1.2.3|>=2.0.0|<5.0.0","vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1","vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1","vers:gem/>=2.2.0|!= 2.2.1|<2.3.0"]},"copyrightText":{"type":"string","title":"Component Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","examples":["Acme Inc"]},"copyright":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyrightObject"},"title":"Copyright","description":"Captures intellectual property assertions, providing evidence of possible ownership and legal protection."},"copyrightObject":{"type":"object","title":"Copyright","description":"A copyright notice informing users of the underlying claims to copyright ownership in a published work.","required":["text"],"additionalProperties":false,"properties":{"text":{"type":"string","title":"Copyright Text","description":"The textual content of the copyright."}}},"swid":{"type":"object","title":"SWID Tag","description":"Specifies metadata and content for ISO-IEC 19770-2 Software 
Identification (SWID) Tags.","required":["tagId","name"],"additionalProperties":false,"properties":{"tagId":{"type":"string","title":"Tag ID","description":"Maps to the tagId of a SoftwareIdentity."},"name":{"type":"string","title":"Name","description":"Maps to the name of a SoftwareIdentity."},"version":{"type":"string","title":"Version","default":"0.0","description":"Maps to the version of a SoftwareIdentity."},"tagVersion":{"type":"integer","title":"Tag Version","default":0,"description":"Maps to the tagVersion of a SoftwareIdentity."},"patch":{"type":"boolean","title":"Patch","default":false,"description":"Maps to the patch of a SoftwareIdentity."},"text":{"title":"Attachment text","description":"Specifies the metadata and content of the SWID tag.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"URL","description":"The URL to the SWID file.","format":"iri-reference"}}},"componentEvidence":{"type":"object","title":"Evidence","description":"Provides the ability to document evidence collected through various forms of extraction or analysis.","additionalProperties":false,"properties":{"identity":{"type":"array","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence"}},"occurrences":{"type":"array","title":"Occurrences","description":"Evidence of individual instances of a component spread across multiple locations.","items":{"type":"object","required":["location"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"location":{"type":"string","title":"Location","description":"The location or path to where the component was found."},"line":{"type":"integer","minimum":0,"title":"Line Number","description":"The line number where the component was found."},"offset":{"type":"integer","minimum":0,"title":"Offset","description":"The offset where the component was found."},"symbol":{"type":"string","title":"Symbol","description":"The symbol name that was found associated with the component."},"additionalContext":{"type":"string","title":"Additional Context","description":"Any additional context of the detected component (e.g. a code snippet)."}}}},"callstack":{"type":"object","title":"Call Stack","description":"Evidence of the components use through the callstack.","additionalProperties":false,"properties":{"frames":{"type":"array","title":"Frames","description":"Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. 
As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.","items":{"type":"object","required":["module"],"additionalProperties":false,"properties":{"package":{"title":"Package","description":"A package organizes modules into namespaces, providing a unique namespace for each type it contains.","type":"string"},"module":{"title":"Module","description":"A module or class that encloses functions/methods and other code.","type":"string"},"function":{"title":"Function","description":"A block of code designed to perform a particular task.","type":"string"},"parameters":{"title":"Parameters","description":"Arguments that are passed to the module or function.","type":"array","items":{"type":"string"}},"line":{"title":"Line","description":"The line number the code that is called resides on.","type":"integer"},"column":{"title":"Column","description":"The column the code that is called resides.","type":"integer"},"fullFilename":{"title":"Full Filename","description":"The full path and filename of the module.","type":"string"}}}}}},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"License Evidence"},"copyright":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/copyright"}}},"componentIdentityEvidence":{"type":"object","title":"Identity Evidence","description":"Evidence that substantiates the identity of a component.","required":["field"],"additionalProperties":false,"properties":{"field":{"type":"string","enum":["group","name","version","purl","cpe","omniborId","swhid","swid","hash"],"title":"Field","description":"The identity field of the component which the evidence describes."},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."},"concludedValue":{"type":"string","title":"Concluded 
Value","description":"The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."},"methods":{"type":"array","title":"Methods","description":"The methods used to extract and/or analyze the evidence.","items":{"type":"object","required":["technique","confidence"],"additionalProperties":false,"properties":{"technique":{"title":"Technique","description":"The technique used in this method of analysis.","type":"string","enum":["source-code-analysis","binary-analysis","manifest-analysis","ast-fingerprint","hash-comparison","instrumentation","dynamic-analysis","filename","attestation","other"]},"confidence":{"type":"number","minimum":0,"maximum":1,"title":"Confidence","description":"The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."},"value":{"type":"string","title":"Value","description":"The value or contents of the evidence."}}}},"tools":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM References","description":"The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."}}},"componentData":{"type":"object","additionalProperties":false,"required":["type"],"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"type":{"type":"string","title":"Type of Data","description":"The general theme or subject matter of the data being specified.","enum":["source-code","configuration","dataset","definition","other"],"meta:enum":{"source-code":"Any type of code, code snippet, or data-as-code.","configuration":"Parameters or settings that may be used by other components.","dataset":"A collection of data.","definition":"Data that can be used to create new instances of what the definition defines.","other":"Any other type of data that does not fit into existing definitions."}},"name":{"title":"Dataset Name","description":"The name of the dataset.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"},"properties":{"type":"array","title":"Configuration Properties","description":"Provides the ability to document name-value parameters used for configuration.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data in a dataset.","items":{"type":"string"}},"graphics":{"$ref":"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection"},"description":{"title":"Dataset Description","description":"A description of the dataset. 
Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.","type":"string"},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}}},"cyclonedx-composition-2.0":{"type":"null","title":"CycloneDX Composition Model","$defs":{"compositions":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/composition"},"uniqueItems":true,"title":"Compositions","description":"Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described."},"composition":{"type":"object","title":"Compositions","required":["aggregate"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"aggregate":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/aggregateType","title":"Aggregate","description":"Specifies an aggregate type that describes how complete a relationship is."},"assemblies":{"type":"array","uniqueItems":true,"items":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. 
References are explicit for the specified constituent part only."},"dependencies":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only."},"vulnerabilities":{"type":"array","uniqueItems":true,"items":{"type":"string"},"title":"BOM references","description":"The bom-ref identifiers of the vulnerabilities being described."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"aggregateType":{"type":"string","default":"not_specified","enum":["complete","incomplete","incomplete_first_party_only","incomplete_first_party_proprietary_only","incomplete_first_party_opensource_only","incomplete_third_party_only","incomplete_third_party_proprietary_only","incomplete_third_party_opensource_only","unknown","not_specified"],"meta:enum":{"complete":"The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.","incomplete":"The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.","incomplete_first_party_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.","incomplete_first_party_proprietary_only":"The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_first_party_opensource_only":"The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","incomplete_third_party_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.","incomplete_third_party_proprietary_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.","incomplete_third_party_opensource_only":"The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.","unknown":"The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.","not_specified":"The relationship completeness is not specified."}}}},"cyclonedx-cryptography-2.0":{"type":"null","title":"CycloneDX Cryptography Model","$defs":{"cryptoProperties":{"type":"object","title":"Cryptographic Properties","description":"Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.","additionalProperties":false,"required":["assetType"],"properties":{"assetType":{"type":"string","title":"Asset Type","description":"Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. 
They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.","enum":["algorithm","certificate","protocol","related-crypto-material"],"meta:enum":{"algorithm":"Mathematical function commonly used for data encryption, authentication, and digital signatures.","certificate":"An electronic document that is used to provide the identity or validate a public key.","protocol":"A set of rules and guidelines that govern the behavior and communication with each other.","related-crypto-material":"Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."}},"algorithmProperties":{"type":"object","title":"Algorithm Properties","description":"Additional properties specific to a cryptographic algorithm.","additionalProperties":false,"properties":{"primitive":{"type":"string","title":"primitive","description":"Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. 
SP800-56Cr2).","enum":["drbg","mac","block-cipher","stream-cipher","signature","hash","pke","xof","kdf","key-agree","kem","ae","combiner","key-wrap","other","unknown"],"meta:enum":{"drbg":"Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.","mac":"In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.","block-cipher":"A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.","stream-cipher":"A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).","signature":"In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.","hash":"A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.","pke":"Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. 
PKE is a fundamental component of public-key cryptography.","xof":"An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.","kdf":"A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.","key-agree":"In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.","kem":"A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.","ae":"Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.","combiner":"A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.","key-wrap":"Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.","other":"Another primitive type.","unknown":"The primitive is not known."}},"algorithmFamily":{"$ref":"../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum","title":"Algorithm Family","description":"A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.","examples":["3DES","Blowfish","ECDH"]},"parameterSetIdentifier":{"type":"string","title":"Parameter Set Identifier","description":"An identifier for the parameter set of the cryptographic algorithm. 
Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."},"ellipticCurve":{"$ref":"../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum","title":"Elliptic Curve","description":"The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema."},"executionEnvironment":{"type":"string","title":"Execution Environment","description":"The target and execution environment in which the algorithm is implemented in.","enum":["software-plain-ram","software-encrypted-ram","software-tee","hardware","other","unknown"],"meta:enum":{"software-plain-ram":"A software implementation running in plain unencrypted RAM.","software-encrypted-ram":"A software implementation running in encrypted RAM.","software-tee":"A software implementation running in a trusted execution environment.","hardware":"A hardware implementation.","other":"Another implementation environment.","unknown":"The execution environment is not known."}},"implementationPlatform":{"type":"string","title":"Implementation platform","description":"The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.","enum":["generic","x86_32","x86_64","armv7-a","armv7-m","armv8-a","armv8-m","armv9-a","armv9-m","s390x","ppc64","ppc64le","other","unknown"]},"certificationLevel":{"type":"array","title":"Certification Level","description":"The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).","items":{"type":"string","enum":["none","fips140-1-l1","fips140-1-l2","fips140-1-l3","fips140-1-l4","fips140-2-l1","fips140-2-l2","fips140-2-l3","fips140-2-l4","fips140-3-l1","fips140-3-l2","fips140-3-l3","fips140-3-l4","cc-eal1","cc-eal1+","cc-eal2","cc-eal2+","cc-eal3","cc-eal3+","cc-eal4","cc-eal4+","cc-eal5","cc-eal5+","cc-eal6","cc-eal6+","cc-eal7","cc-eal7+","other","unknown"],"meta:enum":{"none":"No certification obtained","fips140-1-l1":"FIPS 140-1 Level 1","fips140-1-l2":"FIPS 140-1 Level 2","fips140-1-l3":"FIPS 140-1 Level 3","fips140-1-l4":"FIPS 140-1 Level 4","fips140-2-l1":"FIPS 140-2 Level 1","fips140-2-l2":"FIPS 140-2 Level 2","fips140-2-l3":"FIPS 140-2 Level 3","fips140-2-l4":"FIPS 140-2 Level 4","fips140-3-l1":"FIPS 140-3 Level 1","fips140-3-l2":"FIPS 140-3 Level 2","fips140-3-l3":"FIPS 140-3 Level 3","fips140-3-l4":"FIPS 140-3 Level 4","cc-eal1":"Common Criteria - Evaluation Assurance Level 1","cc-eal1+":"Common Criteria - Evaluation Assurance Level 1 (Augmented)","cc-eal2":"Common Criteria - Evaluation Assurance Level 2","cc-eal2+":"Common Criteria - Evaluation Assurance Level 2 (Augmented)","cc-eal3":"Common Criteria - Evaluation Assurance Level 3","cc-eal3+":"Common Criteria - Evaluation Assurance Level 3 (Augmented)","cc-eal4":"Common Criteria - Evaluation Assurance Level 4","cc-eal4+":"Common Criteria - Evaluation Assurance Level 4 (Augmented)","cc-eal5":"Common Criteria - Evaluation Assurance Level 5","cc-eal5+":"Common Criteria - Evaluation Assurance Level 5 (Augmented)","cc-eal6":"Common Criteria - Evaluation Assurance Level 6","cc-eal6+":"Common Criteria - Evaluation Assurance Level 6 (Augmented)","cc-eal7":"Common Criteria - Evaluation Assurance Level 7","cc-eal7+":"Common Criteria - Evaluation Assurance Level 7 (Augmented)","other":"Another certification","unknown":"The certification level is not 
known"}}},"mode":{"type":"string","title":"Mode","description":"The mode of operation in which the cryptographic algorithm (block cipher) is used.","enum":["cbc","ecb","ccm","gcm","cfb","ofb","ctr","other","unknown"],"meta:enum":{"cbc":"Cipher block chaining","ecb":"Electronic codebook","ccm":"Counter with cipher block chaining message authentication code","gcm":"Galois/counter","cfb":"Cipher feedback","ofb":"Output feedback","ctr":"Counter","other":"Another mode of operation","unknown":"The mode of operation is not known"}},"padding":{"type":"string","title":"Padding","description":"The padding scheme that is used for the cryptographic algorithm.","enum":["pkcs5","pkcs7","pkcs1v15","oaep","raw","other","unknown"],"meta:enum":{"pkcs5":"Public Key Cryptography Standard: Password-Based Cryptography","pkcs7":"Public Key Cryptography Standard: Cryptographic Message Syntax","pkcs1v15":"Public Key Cryptography Standard: RSA Cryptography v1.5","oaep":"Optimal asymmetric encryption padding","raw":"Raw","other":"Another padding scheme","unknown":"The padding scheme is not known"}},"cryptoFunctions":{"type":"array","title":"Cryptographic functions","description":"The cryptographic functions implemented by the cryptographic algorithm.","items":{"type":"string","enum":["generate","keygen","encrypt","decrypt","digest","tag","keyderive","sign","verify","encapsulate","decapsulate","other","unknown"]}},"classicalSecurityLevel":{"type":"integer","title":"classical security level","description":"The classical security level that a cryptographic algorithm provides (in bits).","minimum":0},"nistQuantumSecurityLevel":{"type":"integer","title":"NIST security strength category","description":"The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). 
A value of 0 indicates that none of the categories are met.","minimum":0,"maximum":6}}},"certificateProperties":{"type":"object","title":"Certificate Properties","description":"Properties for cryptographic assets of asset type 'certificate'.","additionalProperties":false,"properties":{"serialNumber":{"type":"string","title":"Serial Number","description":"The serial number is a unique identifier for the certificate issued by a CA."},"subjectName":{"type":"string","title":"Subject Name","description":"The subject name for the certificate."},"issuerName":{"type":"string","title":"Issuer Name","description":"The issuer name for the certificate."},"notValidBefore":{"type":"string","format":"date-time","title":"Not Valid Before","description":"The date and time according to ISO-8601 standard from which the certificate is valid."},"notValidAfter":{"type":"string","format":"date-time","title":"Not Valid After","description":"The date and time according to ISO-8601 standard from which the certificate is not valid anymore."},"certificateFormat":{"type":"string","title":"Certificate Format","description":"The format of the certificate.","examples":["X.509","PEM","DER","CVC"]},"certificateFileExtension":{"type":"string","title":"Certificate File Extension","description":"The file extension of the certificate.","examples":["crt","pem","cer","der","p12"]},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Certificate Fingerprint","description":"The fingerprint is a cryptographic hash of the certificate excluding it's signature."},"certificateState":{"type":"array","title":"Certificate Lifecycle State","description":"The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.","items":{"type":"object","title":"State","description":"The state of the certificate.","oneOf":[{"title":"Pre-Defined State","required":["state"],"additionalProperties":false,"properties":{"state":{"type":"string","title":"State","description":"A pre-defined state in the certificate lifecycle.","enum":["pre-activation","active","suspended","deactivated","revoked","destroyed"],"meta:enum":{"pre-activation":"The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.","active":"The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.","deactivated":"Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.","suspended":"The use of a certificate may be suspended for several possible reasons.","revoked":"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.","destroyed":"The certificate has been destroyed."}},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}},{"title":"Custom State","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"State","description":"The name of the certificate lifecycle state."},"description":{"type":"string","title":"Description","description":"The description of the certificate lifecycle state."},"reason":{"type":"string","title":"Reason","description":"A reason for the certificate being in this state."}}}]}},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the certificate was created or pre-activated."},"activationDate":{"type":"string","format":"date-time","title":"Activation 
Date","description":"The date and time (timestamp) when the certificate was activated."},"deactivationDate":{"type":"string","format":"date-time","title":"Deactivation Date","description":"The date and time (timestamp) when the related certificate was deactivated."},"revocationDate":{"type":"string","format":"date-time","title":"Revocation Date","description":"The date and time (timestamp) when the certificate was revoked."},"destructionDate":{"type":"string","format":"date-time","title":"Destruction Date","description":"The date and time (timestamp) when the certificate was destroyed."},"certificateExtensions":{"type":"array","title":"Certificate Extensions","description":"A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.","items":{"type":"object","title":"Extension","description":"","oneOf":[{"title":"Common Extensions","required":["commonExtensionName","commonExtensionValue"],"additionalProperties":false,"properties":{"commonExtensionName":{"type":"string","title":"name","description":"The name of the extension.","enum":["basicConstraints","keyUsage","extendedKeyUsage","subjectAlternativeName","authorityKeyIdentifier","subjectKeyIdentifier","authorityInformationAccess","certificatePolicies","crlDistributionPoints","signedCertificateTimestamp"],"meta:enum":{"basicConstraints":"Specifies whether a certificate can be used as a CA certificate or not.","keyUsage":"Specifies the allowed uses of the public key in the certificate.","extendedKeyUsage":"Specifies additional purposes for which the public key can be used.","subjectAlternativeName":"Allows inclusion of additional names to identify the entity associated with the certificate.","authorityKeyIdentifier":"Identifies the public key of the CA that issued the certificate.","subjectKeyIdentifier":"Identifies the public key associated with the entity the certificate was issued 
to.","authorityInformationAccess":"Contains CA issuers and OCSP information.","certificatePolicies":"Defines the policies under which the certificate was issued and can be used.","crlDistributionPoints":"Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.","signedCertificateTimestamp":"Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."}},"commonExtensionValue":{"type":"string","title":"Value","description":"The value of the certificate extension."}}},{"title":"Custom Extensions","description":"Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.","required":["customExtensionName"],"additionalProperties":false,"properties":{"customExtensionName":{"type":"string","title":"Name","description":"The name for the custom certificate extension."},"customExtensionValue":{"type":"string","title":"Value","description":"The description of the custom certificate extension."}}}]}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"relatedCryptoMaterialProperties":{"type":"object","title":"Related Cryptographic Material Properties","description":"Properties for cryptographic assets of asset type: `related-crypto-material`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"relatedCryptoMaterialType","description":"The type for the related cryptographic material.","enum":["private-key","public-key","secret-key","key","ciphertext","signature","digest","initialization-vector","nonce","seed","salt","shared-secret","tag","additional-data","password","credential","token","other","unknown"],"meta:enum":{"private-key":"The confidential key of a key 
pair used in asymmetric cryptography.","public-key":"The non-confidential key of a key pair used in asymmetric cryptography.","secret-key":"A key used to encrypt and decrypt messages in symmetric cryptography.","key":"A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.","ciphertext":"The result of encryption performed on plaintext using an algorithm (or cipher).","signature":"A cryptographic value that is calculated from the data and a key known only by the signer.","digest":"The output of the hash function.","initialization-vector":"A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.","nonce":"A random or pseudo-random number that can only be used once in a cryptographic communication.","seed":"The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.","salt":"A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.","shared-secret":"A piece of data known only to the parties involved, in a secure communication.","tag":"A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.","additional-data":"An unspecified collection of data with relevance to cryptographic activity.","password":"A secret word, phrase, or sequence of characters used during authentication or authorization.","credential":"Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.","token":"An object encapsulating a security identity.","other":"Another type of cryptographic asset.","unknown":"The type of cryptographic asset is not known."}},"id":{"type":"string","title":"ID","description":"The unique identifier for the related cryptographic 
material."},"state":{"type":"string","title":"State","description":"The key state as defined by NIST SP 800-57.","enum":["pre-activation","active","suspended","deactivated","compromised","destroyed"]},"creationDate":{"type":"string","format":"date-time","title":"Creation Date","description":"The date and time (timestamp) when the related cryptographic material was created."},"activationDate":{"type":"string","format":"date-time","title":"Activation Date","description":"The date and time (timestamp) when the related cryptographic material was activated."},"updateDate":{"type":"string","format":"date-time","title":"Update Date","description":"The date and time (timestamp) when the related cryptographic material was updated."},"expirationDate":{"type":"string","format":"date-time","title":"Expiration Date","description":"The date and time (timestamp) when the related cryptographic material expires."},"value":{"type":"string","title":"Value","description":"The associated value of the cryptographic material."},"size":{"type":"integer","title":"Size","description":"The size of the cryptographic asset (in bits)."},"format":{"type":"string","title":"Format","description":"The format of the related cryptographic material (e.g. 
P8, PEM, DER)."},"securedBy":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy","title":"Secured By","description":"The mechanism by which the cryptographic asset is secured by."},"fingerprint":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/hash","title":"Fingerprint","description":"The fingerprint is a cryptographic hash of the asset."},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"protocolProperties":{"type":"object","title":"Protocol Properties","description":"Properties specific to cryptographic assets of type: `protocol`.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"The concrete protocol type.","enum":["tls","ssh","ipsec","ike","sstp","wpa","dtls","quic","eap-aka","eap-aka-prime","prins","5g-aka","other","unknown"],"meta:enum":{"tls":"Transport Layer Security","ssh":"Secure Shell","ipsec":"Internet Protocol Security","ike":"Internet Key Exchange","sstp":"Secure Socket Tunneling Protocol","wpa":"Wi-Fi Protected Access","dtls":"Datagram Transport Layer Security","quic":"Quick UDP Internet Connections","eap-aka":"Extensible Authentication Protocol variant","eap-aka-prime":"Enhanced version of EAP-AKA","prins":"Protection of Inter-Network Signaling","5g-aka":"Authentication and Key Agreement for 5G","other":"Another protocol type","unknown":"The protocol type is not known"}},"version":{"type":"string","title":"Protocol Version","description":"The version of the protocol.","examples":["1.0","1.2","1.99"]},"cipherSuites":{"type":"array","title":"Cipher Suites","description":"A list of cipher suites related to the protocol.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite","title":"Cipher Suite"}},"ikev2TransformTypes":{"type":"object","title":"IKEv2 Transform Types","description":"The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and 
additional properties.","additionalProperties":false,"properties":{"encr":{"type":"array","title":"Encryption Algorithms (ENCR)","description":"Transform Type 1: encryption algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc","title":"Encryption Algorithm (ENCR)"}},"prf":{"type":"array","title":"Pseudorandom Functions (PRF)","description":"Transform Type 2: pseudorandom functions.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf","title":"Pseudorandom Function (PRF)"}},"integ":{"type":"array","title":"Integrity Algorithms (INTEG)","description":"Transform Type 3: integrity algorithms.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ","title":"Integrity Algorithm (INTEG)"}},"ke":{"type":"array","title":"Key Exchange Methods (KE)","description":"Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke"}},"esn":{"type":"boolean","title":"Extended Sequence Number (ESN)","description":"Specifies if an Extended Sequence Number (ESN) is used."},"auth":{"type":"array","title":"IKEv2 Authentication methods","description":"IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth","title":"IKEv2 Authentication Method"}}}},"relatedCryptographicAssets":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets"}}},"oid":{"type":"string","title":"OID","description":"The object identifier (OID) of the cryptographic asset."}}},"cipherSuite":{"type":"object","title":"Cipher Suite","description":"Object representing a cipher suite.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Common Name","description":"A common name for the cipher 
suite.","examples":["TLS_DHE_RSA_WITH_AES_128_CCM"]},"algorithms":{"type":"array","title":"Related Algorithms","description":"A list of algorithms related to the cipher suite.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}},"identifiers":{"type":"array","title":"Cipher Suite Identifiers","description":"A list of common identifiers for the cipher suite.","items":{"type":"string","title":"identifier","description":"Cipher suite identifier.","examples":["0xC0","0x9E"]}},"tlsGroups":{"type":"array","title":"TLS Groups","description":"A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.","items":{"type":"string","title":"Group Name","description":"The name of the TLS group.","examples":["x25519","ffdhe2048"]}},"tlsSignatureSchemes":{"type":"array","title":"TLS Signature Schemes","description":"A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.","items":{"type":"string","title":"Signature Scheme","description":"The name of the TLS signature scheme.","examples":["ecdsa_secp256r1_sha256","rsa_pss_rsae_sha256","ed25519"]}}}},"ikeV2Enc":{"type":"object","title":"Encryption Algorithm (ENCR)","description":"Object representing an encryption algorithm (ENCR).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the encryption method.","examples":["ENCR_AES_GCM_16"]},"keyLength":{"type":"integer","title":"Encryption algorithm key length","description":"The key length of the encryption algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Prf":{"type":"object","title":"Pseudorandom Function (PRF)","description":"Object representing a pseudorandom function (PRF).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the pseudorandom function.","examples":["PRF_HMAC_SHA2_256"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Integ":{"type":"object","title":"Integrity Algorithm (INTEG)","description":"Object representing an integrity algorithm (INTEG).","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the integrity algorithm.","examples":["AUTH_HMAC_SHA2_256_128"]},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Ke":{"type":"object","title":"Key Exchange Method (KE)","description":"Object representing a key exchange method 
(KE).","additionalProperties":false,"properties":{"group":{"type":"integer","title":"Group Identifier","description":"A group identifier for the key exchange algorithm."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"ikeV2Auth":{"type":"object","title":"IKEv2 Authentication method","description":"Object representing a IKEv2 Authentication method.","additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"A name for the authentication method."},"algorithm":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm reference","description":"The bom-ref to algorithm cryptographic asset."}}},"relatedCryptographicAssets":{"type":"array","title":"Related Cryptographic Assets","description":"A list of cryptographic assets related to this component.","items":{"$ref":"#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset"}},"relatedCryptographicAsset":{"type":"object","title":"Related Cryptographic Asset","description":"A cryptographic assets related to this component.","additionalProperties":false,"properties":{"type":{"type":"string","title":"Type","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["publicKey","privateKey","algorithm"]},"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Reference to cryptographic asset","description":"The bom-ref to cryptographic asset."}}},"securedBy":{"type":"object","title":"Secured By","description":"Specifies the mechanism by which the cryptographic asset is secured by.","additionalProperties":false,"properties":{"mechanism":{"type":"string","title":"Mechanism","description":"Specifies the mechanism by which the cryptographic asset is secured by.","examples":["HSM","TPM","SGX","Software","None"]},"algorithmRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"Algorithm 
Reference","description":"The bom-ref to the algorithm."}}}}},"cyclonedx-data-2.0":{"type":"null","title":"CycloneDX Data Model","$defs":{"dataProfile":{"type":"object","title":"Data Profile","description":"Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this data profile"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes."},"description":{"type":"string","title":"Description","description":"A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system."},"sensitivity":{"type":"string","title":"Sensitivity","enum":["confidential","internal","public","restricted"],"description":"Data sensitivity classification","meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access and special protection measures"}},"classification":{"title":"Classification","description":"Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.","oneOf":[{"title":"Predefined Classification","description":"A predefined data classification from the 
enumeration.","type":"object","additionalProperties":false,"required":["type"],"properties":{"type":{"type":"string","title":"Type","enum":["credentials","financial","intellectualProperty","logs","operational","other","pci","phi","pii","safety","telemetry"],"meta:enum":{"credentials":"Secrets, tokens, or credentials","financial":"Financial statements or transaction data","intellectualProperty":"Intellectual property or trade secrets","logs":"Operational or security log data","operational":"Operational or process data","other":"Other data classification not listed","pci":"Payment card industry data","phi":"Protected health information","pii":"Personally identifiable information","safety":"Safety critical data or signals","telemetry":"System or product telemetry data"}}}},{"title":"Custom Classification","description":"A custom data classification not covered by the predefined enumeration.","type":"object","additionalProperties":false,"required":["name"],"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"The name of a custom data classification not covered by the predefined enumeration"},"description":{"type":"string","title":"Description","description":"A description of the custom data classification"}}}]},"dataFormats":{"type":"array","title":"Data Formats","uniqueItems":true,"items":{"type":"string"},"description":"Format of data"},"dataTypes":{"type":"array","title":"Data Types","uniqueItems":true,"items":{"type":"string"},"description":"Specific types of data"},"schema":{"type":"array","title":"Schema","uniqueItems":true,"items":{"type":"string","format":"uri"},"description":"Reference to schema contracts or documents describing the data structure."},"access":{"type":"array","title":"Access","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance 
levels, audit logging, and break-glass procedures."},"collection":{"type":"array","title":"Collection","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations."},"disposal":{"type":"array","title":"Disposal","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction."},"handling":{"type":"array","title":"Handling","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations."},"processing":{"type":"array","title":"Processing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions."},"retention":{"type":"array","title":"Retention","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation."},"sharing":{"type":"array","title":"Sharing","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to requirement objects that 
govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"dataClassification":{"type":"string","title":"Data Classification","description":"Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."},"dataSensitivity":{"type":"string","title":"Data Sensitivity","description":"Classifies the sensitivity of data to indicate the level of protection required.","enum":["confidential","internal","public","restricted"],"meta:enum":{"confidential":"Confidential information requiring protection","internal":"Internal use only within the organization","public":"Public information that can be freely shared","restricted":"Highly restricted information with limited access"}},"dataGovernance":{"type":"object","title":"Data Governance","description":"Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.","additionalProperties":false,"properties":{"custodians":{"type":"array","title":"Data Custodians","uniqueItems":true,"description":"Data custodians are responsible for the safe custody, transport, and storage of data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"stewards":{"type":"array","title":"Data Stewards","uniqueItems":true,"description":"Data stewards are responsible for data content, context, and associated business rules.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}},"owners":{"type":"array","title":"Data Owners","uniqueItems":true,"description":"Data owners are concerned with risk and appropriate access to 
data.","items":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"}}}},"dataGovernanceResponsibleParty":{"type":"object","title":"Data Governance Responsible Party","description":"An organizational entity or individual responsible for a specific data governance role.","additionalProperties":false,"properties":{"organization":{"title":"Organization","description":"The organization that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"contact":{"title":"Individual","description":"The individual that is responsible for specific data governance role(s).","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["contact"]}]},"dataFlowDirection":{"type":"string","title":"Data Flow Direction","description":"Specifies the flow direction of the data. Direction is relative to the service.","enum":["bi-directional","inbound","outbound","unknown"],"meta:enum":{"bi-directional":"Data flows in and out of the service.","inbound":"Data that enters a service.","outbound":"Data that exits a service.","unknown":"The directional flow of data is not known."}}}},"cyclonedx-declaration-2.0":{"type":"null","title":"CycloneDX Declaration Model","$defs":{"declarations":{"type":"object","title":"Declarations","description":"The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.","additionalProperties":false,"properties":{"assessors":{"type":"array","title":"Assessors","description":"The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.","items":{"type":"object","title":"Assessor","description":"The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"thirdParty":{"type":"boolean","title":"Third Party","description":"The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The entity issuing the assessment."}}}},"attestations":{"type":"array","title":"Attestations","description":"The list of attestations asserted by an assessor that maps requirements to claims.","items":{"type":"object","title":"Attestation","additionalProperties":false,"properties":{"summary":{"type":"string","title":"Summary","description":"The short description explaining the main points of the attestation."},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Assessor","description":"The `bom-ref` to the assessor asserting the attestation."},"map":{"type":"array","title":"Map","description":"The grouping of requirements to claims and the attestors declared conformance and confidence thereof.","items":{"type":"object","title":"Map","additionalProperties":false,"properties":{"requirement":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Requirement","description":"The `bom-ref` to the 
requirement being attested to."},"claims":{"type":"array","title":"Claims","description":"The list of `bom-ref` to the claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterClaims":{"type":"array","title":"Counter Claims","description":"The list of `bom-ref` to the counter claims being attested to.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"conformance":{"type":"object","title":"Conformance","description":"The conformance of the claim meeting a requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the conformance score."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}},"confidence":{"type":"object","title":"Confidence","description":"The confidence of the claim meeting the requirement.","additionalProperties":false,"properties":{"score":{"type":"number","minimum":0,"maximum":1,"title":"Score","description":"The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."},"rationale":{"type":"string","title":"Rationale","description":"The rationale for the confidence score."}}}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"claims":{"type":"array","title":"Claims","description":"The list of claims.","items":{"type":"object","title":"Claim","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"target":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Target","description":"The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."},"predicate":{"type":"string","title":"Predicate","description":"The specific statement or assertion about the target."},"mitigationStrategies":{"type":"array","title":"Mitigation Strategies","description":"The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"reasoning":{"type":"string","title":"Reasoning","description":"The written explanation of why the evidence provided substantiates the claim."},"evidence":{"type":"array","title":"Evidence","description":"The list of `bom-ref` to evidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"counterEvidence":{"type":"array","title":"Counter Evidence","description":"The list of `bom-ref` to counterEvidence that supports this claim.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"evidence":{"type":"array","title":"Evidence","description":"The list of evidence","items":{"type":"object","title":"Evidence","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM 
Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"propertyName":{"type":"string","title":"Property Name","description":"The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."},"description":{"type":"string","title":"Description","description":"The written description of what this evidence is and how it was created."},"data":{"type":"array","title":"Data","description":"The output or analysis that supports claims.","items":{"type":"object","title":"Data","additionalProperties":false,"properties":{"name":{"title":"Data Name","description":"The name of the data.","type":"string"},"contents":{"type":"object","title":"Data Contents","description":"The contents or references to the contents of the data being described.","additionalProperties":false,"properties":{"attachment":{"title":"Data Attachment","description":"A way to include textual or encoded data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"Data URL","description":"The URL to where the data can be retrieved.","format":"iri-reference"}}},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"sensitiveData":{"type":"array","title":"Sensitive Data","description":"A description of any sensitive data included.","items":{"type":"string"}},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"}}}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the evidence was created."},"expires":{"type":"string","format":"date-time","title":"Expires","description":"The date and time (timestamp) when the evidence is no longer valid."},"author":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Author","description":"The author of the 
evidence."},"reviewer":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Reviewer","description":"The reviewer of the evidence."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}},"targets":{"type":"object","title":"Targets","description":"The list of targets which claims are made against.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The list of organizations which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"components":{"type":"array","title":"Components","description":"The list of components which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"}},"services":{"type":"array","title":"Services","description":"The list of services which claims are made against.","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"}}}},"affirmation":{"type":"object","title":"Affirmation","description":"A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.","additionalProperties":false,"properties":{"statement":{"type":"string","title":"Statement","description":"The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.","examples":["I certify, to the best of my knowledge, that all information is correct."]},"signatories":{"type":"array","title":"Signatories","description":"The list of signatories authorized on behalf of an organization to assert validity of this document.","items":{"type":"object","title":"Signatory","additionalProperties":false,"oneOf":[{"required":["signature"]},{"required":["externalReference","organization"]}],"properties":{"name":{"type":"string","title":"Name","description":"The signatory's name."},"role":{"type":"string","title":"Role","description":"The signatory's role within an organization."},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."},"organization":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organization","description":"The signatory's organization."},"externalReference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}}}},"cyclonedx-definition-2.0":{"type":"null","title":"CycloneDX Definition 
Model","$defs":{"definitions":{"type":"object","title":"Definitions","description":"A collection of reusable objects that are defined and may be used elsewhere in the BOM.","additionalProperties":false,"properties":{"standards":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standards"},"patents":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patents"}}}}},"cyclonedx-dependency-2.0":{"type":"null","title":"CycloneDX Dependency Model","$defs":{"dependencies":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true,"title":"Dependencies","description":"Provides the ability to document dependency relationships including provided & implemented components."},"dependency":{"type":"object","title":"Dependency","description":"Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.","required":["ref"],"additionalProperties":false,"properties":{"ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"References a component or service by its bom-ref attribute"},"dependsOn":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Depends On","description":"The bom-ref identifiers of the components or services that are dependencies of this dependency object."},"provides":{"type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},"title":"Provides","description":"The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."}}}}},"cyclonedx-formulation-2.0":{"type":"null","title":"CycloneDX Formulation Model","$defs":{"formulation":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formula"},"uniqueItems":true,"title":"Formulation","description":"Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."},"formula":{"title":"Formula","description":"Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.","type":"object","additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"components":{"title":"Components","description":"Transient components that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true},"services":{"title":"Services","description":"Transient services that are used in tasks that constitute one or more of this formula's workflows","type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true},"workflows":{"title":"Workflows","description":"List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workflow"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workflow":{"title":"Workflow","description":"A specialized orchestration task.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"tasks":{"title":"Tasks","description":"The tasks that comprise the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/task"}},"taskDependencies":{"title":"Task dependency graph","description":"The graph of dependencies between tasks within the workflow.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or 
`externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"}},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for workflow's instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"task":{"title":"Task","description":"Describes the inputs, sequence of steps and resources used to accomplish a task and its output.","type":"object","required":["bom-ref","uid","taskTypes"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"taskTypes":{"title":"Task types","description":"Indicates the types of activities performed by the set of workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/taskType"}},"trigger":{"title":"Trigger","description":"The trigger that initiated the task.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/trigger"},"steps":{"title":"Steps","description":"The sequence of steps for the task.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/step"},"uniqueItems":true},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the 
task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"timeStart":{"title":"Time start","description":"The date and time (timestamp) when the task started.","type":"string","format":"date-time"},"timeEnd":{"title":"Time end","description":"The date and time (timestamp) when the task ended.","type":"string","format":"date-time"},"workspaces":{"title":"Workspaces","description":"A set of named filesystem or data resource shareable by workflow tasks.","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/workspace"},"uniqueItems":true},"runtimeTopology":{"title":"Runtime topology","description":"A graph of the component runtime topology for task's instance.","type":"array","items":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependency"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","description":"Executes specific commands or tools in order to accomplish its owning task as part of a sequence.","additionalProperties":false,"properties":{"name":{"title":"Name","description":"A name for the step.","type":"string"},"description":{"title":"Description","description":"A description of the step.","type":"string"},"commands":{"title":"Commands","description":"Ordered list of commands or directives for the step","type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/command"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"command":{"type":"object","additionalProperties":false,"properties":{"executed":{"title":"Executed","description":"A text representation of the executed command.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"workspace":{"title":"Workspace","description":"A named filesystem or data resource shareable by workflow 
tasks.","type":"object","required":["bom-ref","uid"],"additionalProperties":false,"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"aliases":{"title":"Aliases","description":"The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.","type":"array","items":{"type":"string"}},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"accessMode":{"title":"Access mode","description":"Describes the read-write access control for the workspace relative to the owning resource instance.","type":"string","enum":["read-only","read-write","read-write-once","write-once","write-only"]},"mountPath":{"title":"Mount path","description":"A path to a location on disk where the workspace will be available to the associated task's steps.","type":"string"},"managedDataType":{"title":"Managed data type","description":"The name of a domain-specific data type the workspace represents.","examples":["ConfigMap","Secret"],"type":"string"},"volumeRequest":{"title":"Volume request","description":"Identifies the reference to the request for a 
specific volume type and parameters.","examples":["a kubernetes Persistent Volume Claim (PVC) name"],"type":"string"},"volume":{"title":"Volume","description":"Information about the actual volume instance allocated to the workspace.","examples":["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/volume"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"volume":{"title":"Volume","description":"An identifiable, logical unit of data storage tied to a physical device.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the volume instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the volume instance","type":"string"},"mode":{"title":"Mode","description":"The mode for the volume instance.","type":"string","enum":["filesystem","block"],"default":"filesystem"},"path":{"title":"Path","description":"The underlying path created from the actual volume.","type":"string"},"sizeAllocated":{"title":"Size allocated","description":"The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.","examples":["10GB","2Ti","1Pi"],"type":"string"},"persistent":{"title":"Persistent","description":"Indicates if the volume persists beyond the life of the resource it is associated with.","type":"boolean"},"remote":{"title":"Remote","description":"Indicates if the volume is remotely (i.e., network) attached.","type":"boolean"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"trigger":{"title":"Trigger","description":"Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.","type":"object","additionalProperties":false,"required":["type","bom-ref","uid"],"properties":{"bom-ref":{"title":"BOM Reference","description":"An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier for the resource instance within its deployment context.","type":"string"},"name":{"title":"Name","description":"The name of the resource instance.","type":"string"},"description":{"title":"Description","description":"A description of the resource instance.","type":"string"},"resourceReferences":{"title":"Resource references","description":"References to component or service resources that are used to realize the resource instance.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"}},"type":{"title":"Type","description":"The source type of event which caused the trigger to fire.","type":"string","enum":["manual","api","webhook","scheduled"]},"event":{"title":"Event","description":"The event data that caused the associated trigger to 
activate.","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/event"},"conditions":{"type":"array","title":"Conditions","description":"A list of conditions used to determine if a trigger should be activated.","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/condition"}},"timeActivated":{"title":"Time activated","description":"The date and time (timestamp) when the trigger was activated.","type":"string","format":"date-time"},"inputs":{"title":"Inputs","description":"Represents resources and data brought into a task at runtime by executor or task commands","examples":["a `configuration` file which was declared as a local `component` or `externalReference`"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/inputType"},"uniqueItems":true},"outputs":{"title":"Outputs","description":"Represents resources and data output from a task at runtime by executor or task commands","examples":["a log file or metrics data produced by the task"],"type":"array","items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/outputType"},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"event":{"title":"Event","description":"Represents something that happened that may trigger a response.","type":"object","additionalProperties":false,"properties":{"uid":{"title":"Unique Identifier (UID)","description":"The unique identifier of the event.","type":"string"},"description":{"title":"Description","description":"A description of the event.","type":"string"},"timeReceived":{"title":"Time Received","description":"The date and time (timestamp) when the event was received.","type":"string","format":"date-time"},"data":{"title":"Data","description":"Encoding of the raw event data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"source":{"title":"Source","description":"References the component or service that was the source of the 
event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"References the component or service that was the target of the event","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"inputType":{"title":"Input type","description":"Type that represents various input data types and formats.","type":"object","oneOf":[{"required":["resource"]},{"required":["parameters"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"source":{"title":"Source","description":"A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)","examples":["source code repository","database"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)","examples":["workspace","directory"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource provided as an input to a task by the workflow runtime.","examples":["a reference to a configuration file in a repository (i.e., a bom-ref)","a reference to a scanning service used in a task (i.e., a bom-ref)"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"parameters":{"title":"Parameters","description":"Inputs that have the form of parameters with names and values.","type":"array","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/parameter"}},"environmentVars":{"title":"Environment variables","description":"Inputs that have the form of parameters with names and 
values.","type":"array","uniqueItems":true,"items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]}},"data":{"title":"Data","description":"Inputs that have the form of data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"outputType":{"type":"object","oneOf":[{"required":["resource"]},{"required":["environmentVars"]},{"required":["data"]}],"additionalProperties":false,"properties":{"type":{"title":"Type","description":"Describes the type of data output.","type":"string","enum":["artifact","attestation","log","evidence","metrics","other"]},"source":{"title":"Source","description":"Component or service that generated or provided the output from the task (e.g., a build tool)","$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"target":{"title":"Target","description":"Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)","examples":["a log file described as an `externalReference` within its target domain."],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"resource":{"title":"Resource","description":"A reference to an independent resource generated as output by the task.","examples":["configuration file","source code","scanning service"],"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice"},"data":{"title":"Data","description":"Outputs that have the form of 
data.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"environmentVars":{"title":"Environment variables","description":"Outputs that have the form of environment variables.","type":"array","items":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"},{"type":"string","title":"String-Based Environment Variables","description":"In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning."}]},"uniqueItems":true},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"resourceReferenceChoice":{"title":"Resource reference choice","description":"A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.","type":"object","additionalProperties":false,"properties":{"ref":{"title":"BOM Reference","description":"References an object by its bom-ref attribute","anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"externalReference":{"title":"External reference","description":"Reference to an externally accessible resource.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"oneOf":[{"required":["ref"]},{"required":["externalReference"]}]},"condition":{"title":"Condition","description":"A condition that was used to determine a trigger should be activated.","type":"object","additionalProperties":false,"properties":{"description":{"title":"Description","description":"Describes the set of conditions which cause the trigger to activate.","type":"string"},"expression":{"title":"Expression","description":"The logical expression that was evaluated that 
determined the trigger should be fired.","type":"string"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"taskType":{"type":"string","enum":["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"],"meta:enum":{"copy":"A task that copies software or data used to accomplish other tasks in the workflow.","clone":"A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.","lint":"A task that checks source code for programmatic and stylistic errors.","scan":"A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.","merge":"A task that merges changes or fixes into source code prior to a build step in the workflow.","build":"A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.","test":"A task that verifies the functionality of a component or service.","deliver":"A task that delivers a built artifact to one or more target repositories or storage systems.","deploy":"A task that deploys a built artifact for execution on one or more target systems.","release":"A task that releases a built, versioned artifact to a target repository or distribution system.","clean":"A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.","other":"A workflow task that does not match current task type definitions."}},"parameter":{"title":"Parameter","description":"A representation of a functional parameter.","type":"object","additionalProperties":false,"properties":{"name":{"title":"Name","description":"The name of the parameter.","type":"string"},"value":{"title":"Value","description":"The value of the parameter.","type":"string"},"dataType":{"title":"Data type","description":"The data type of the 
parameter.","type":"string"}}}}},"cyclonedx-license-2.0":{"type":"null","title":"CycloneDX License Model","$defs":{"licenseChoice":{"title":"License Choice","description":"A list of SPDX licenses and/or named licenses and/or SPDX License Expression.","type":"array","items":{"oneOf":[{"type":"object","title":"License","required":["license"],"additionalProperties":false,"properties":{"license":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/license"}}},{"title":"License Expression","description":"Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.","type":"object","additionalProperties":false,"required":["expression"],"properties":{"expression":{"type":"string","title":"SPDX License Expression","description":"A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.","examples":["Apache-2.0 AND (MIT OR GPL-2.0-only)","GPL-3.0-only WITH Classpath-exception-2.0"]},"expressionDetails":{"title":"Expression Details","description":"Details for parts of the `expression`.","type":"array","items":{"type":"object","description":"This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.","required":["licenseIdentifier"],"properties":{"licenseIdentifier":{"title":"License Identifier","description":"The valid SPDX license identifier. 
Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.","type":"string","examples":["Apache-2.0","GPL-3.0-only WITH Classpath-exception-2.0","LicenseRef-my-custom-license"]},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"text":{"title":"License texts","description":"A way to include the textual content of the license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"}},"additionalProperties":false}},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}}]}},"license":{"type":"object","title":"License","description":"Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.","oneOf":[{"required":["id"]},{"required":["name"]}],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"$ref":"../spdx.schema.json","title":"License ID (SPDX)","description":"A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.","examples":["Apache-2.0"]},"name":{"type":"string","title":"License Name","description":"The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.","examples":["Acme Software License"]},"acknowledgement":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"},"text":{"title":"License text","description":"A way to include the textual content of a license.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"},"url":{"type":"string","title":"License URL","description":"The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness","examples":["https://www.apache.org/licenses/LICENSE-2.0.txt"],"format":"iri-reference"},"licensing":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licensing"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"licenseAcknowledgementEnumeration":{"title":"License Acknowledgement","description":"Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. 
Observed licenses form the evidence necessary to substantiate a concluded license.","type":"string","enum":["declared","concluded"],"meta:enum":{"declared":"Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.","concluded":"Concluded licenses are verified and confirmed."}},"licensing":{"type":"object","title":"Licensing information","description":"Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata","additionalProperties":false,"properties":{"altIds":{"type":"array","title":"Alternate License Identifiers","description":"License identifiers that may be used to manage licenses and their lifecycle","items":{"type":"string"}},"licensor":{"title":"Licensor","description":"The individual or organization that grants a license to another individual or organization","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensor (Organization)","description":"The organization that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensor (Individual)","description":"The individual, not associated with an organization, that granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"licensee":{"title":"Licensee","description":"The individual or organization for which a license was granted to","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Licensee (Organization)","description":"The organization that was granted the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Licensee (Individual)","description":"The individual, not associated with an organization, that was granted the 
license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaser":{"title":"Purchaser","description":"The individual or organization that purchased the license","type":"object","additionalProperties":false,"properties":{"organization":{"title":"Purchaser (Organization)","description":"The organization that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"individual":{"title":"Purchaser (Individual)","description":"The individual, not associated with an organization, that purchased the license","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"oneOf":[{"required":["organization"]},{"required":["individual"]}]},"purchaseOrder":{"type":"string","title":"Purchase Order","description":"The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"},"licenseTypes":{"type":"array","title":"License Type","description":"The type of license(s) that was granted to the licensee.","items":{"type":"string","enum":["academic","appliance","client-access","concurrent-user","core-points","custom-metric","device","evaluation","named-user","node-locked","oem","perpetual","processor-points","subscription","user","other"],"meta:enum":{"academic":"A license that grants use of software solely for the purpose of education or research.","appliance":"A license covering use of software embedded in a specific piece of hardware.","client-access":"A Client Access License (CAL) allows client computers to access services provided by server software.","concurrent-user":"A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.","core-points":"A license where the core of a computer's processor is assigned a specific number of points.","custom-metric":"A license for which consumption is measured by non-standard 
metrics.","device":"A license that covers a defined number of installations on computers and other types of devices.","evaluation":"A license that grants permission to install and use software for trial purposes.","named-user":"A license that grants access to the software to one or more pre-defined users.","node-locked":"A license that grants access to the software on one or more pre-defined computers or devices.","oem":"An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.","perpetual":"A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.","processor-points":"A license where each installation consumes points per processor.","subscription":"A license where the licensee pays a fee to use the software or service.","user":"A license that grants access to the software or service by a specified number of users.","other":"Another license type."}}},"lastRenewal":{"type":"string","format":"date-time","title":"Last Renewal","description":"The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. 
For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."},"expiration":{"type":"string","format":"date-time","title":"Expiration","description":"The timestamp indicating when the current license expires (if applicable)."}}}}},"cyclonedx-metadata-2.0":{"type":"null","title":"CycloneDX Metadata Model","$defs":{"metadata":{"type":"object","title":"BOM Metadata","description":"Provides additional information about a BOM.","additionalProperties":false,"properties":{"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the BOM was created."},"lifecycles":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/lifecycles"},"tools":{"type":"object","title":"Tools","description":"The tool(s) used in the creation, enrichment, and validation of the BOM.","additionalProperties":false,"properties":{"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A list of software and hardware components used as tools."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"manufacturer":{"title":"BOM Manufacturer","description":"The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"authors":{"type":"array","title":"BOM Authors","description":"The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}},"component":{"description":"The component that the BOM describes.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"supplier":{"title":"Supplier","description":" The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"licenses":{"title":"BOM License(s)","description":"The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.","$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"},"distributionConstraints":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"distributionConstraints":{"title":"Distribution Constraints","description":"Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.","type":"object","properties":{"tlp":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification","description":"The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."}}},"tlpClassification":{"title":"Traffic Light Protocol (TLP) Classification","description":"Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"","type":"string","default":"CLEAR","enum":["CLEAR","GREEN","AMBER","AMBER_AND_STRICT","RED"],"meta:enum":{"CLEAR":"The information is not subject to any restrictions as regards the sharing.","GREEN":"The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.","AMBER":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.","AMBER_AND_STRICT":"The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.","RED":"The information is subject to restricted distribution to individual recipients only and must not be shared."}}}},"cyclonedx-patent-2.0":{"type":"null","title":"CycloneDX Patent Model","$defs":{"patents":{"type":"array","title":"Patents","description":"The list of either individual patents or patent families.","items":{"anyOf":[{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patent"},{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"}]}},"patent":{"type":"object","title":"Patent","description":"A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.","required":["patentNumber","jurisdiction","patentLegalStatus"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"patentNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Number","description":"The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).","examples":["US987654321","EP1234567B1"]},"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"publicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Publication Number","description":"This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"},"title":{"type":"string","title":"Patent Title","description":"The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. 
Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."},"abstract":{"type":"string","title":"Patent Abstract","description":"A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)."},"filingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"grantDate":{"type":"string","format":"date","title":"Grant Date","description":"The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."},"patentExpirationDate":{"type":"string","format":"date","title":"Expiration Date","description":"The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."},"patentLegalStatus":{"type":"string","title":"Legal Status","description":"Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.","enum":["pending","granted","revoked","expired","lapsed","withdrawn","abandoned","suspended","reinstated","opposed","terminated","invalidated","in-force"],"meta:enum":{"pending":"The patent application has been filed but not yet examined or granted.","granted":"The patent application has been examined and a patent has been issued.","revoked":"The patent has been declared invalid through a legal or administrative process.","expired":"The patent has reached the end of its enforceable term.","lapsed":"The patent is no longer in force due to non-payment of maintenance fees or other requirements.","withdrawn":"The patent application was voluntarily withdrawn by the applicant.","abandoned":"The patent application was abandoned, often due to lack of action or response.","suspended":"Processing of the patent application has been temporarily halted.","reinstated":"A previously abandoned or lapsed patent has been reinstated.","opposed":"The patent application or granted patent is under formal opposition proceedings.","terminated":"The patent or application has been officially terminated.","invalidated":"The patent has been invalidated, either in part or in full.","in-force":"The granted patent is active and enforceable."}},"patentAssignee":{"type":"array","title":"Patent Assignees","description":"A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.","items":{"oneOf":[{"title":"Person","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"},{"title":"Organizational Entity","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}]}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentFamily":{"type":"object","title":"Patent Family","description":"A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.","required":["familyId"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID."},"familyId":{"type":"string","title":"Patent Family ID","description":"The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. 
Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)."},"priorityApplication":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"},"members":{"type":"array","title":"Family Members","description":"A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"BOM Reference","description":"A `bom-ref` linking to a patent or application object within the BOM."}},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"patentAssertions":{"type":"array","title":"Patent Assertions","description":"A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.","items":{"type":"object","title":"Patent Assertion","description":"An assertion linking a patent or patent family to this component or service.","required":["assertionType","asserter"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object."},"assertionType":{"type":"string","title":"Assertion Type","description":"The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.","enum":["ownership","license","third-party-claim","standards-inclusion","prior-art","exclusive-rights","non-assertion","research-or-evaluation"],"meta:enum":{"ownership":"The manufacturer asserts ownership of the patent or patent family.","license":"The manufacturer asserts they have a license to use the patent or patent family.","third-party-claim":"A third party has asserted a claim or potential infringement against the manufacturer’s component or service.","standards-inclusion":"The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.","prior-art":"The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.","exclusive-rights":"The manufacturer asserts exclusive rights granted through a licensing agreement.","non-assertion":"The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.","research-or-evaluation":"The patent or patent family is being used under a research or evaluation license."}},"patentRefs":{"type":"array","title":"Patent References","description":"A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"}},"asserter":{"oneOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity","title":"Organizational Entity"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact","title":"Person"},{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Reference","description":"A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects."}]},"notes":{"type":"string","title":"Notes","description":"Additional notes or clarifications regarding the assertion, if necessary. 
For example, geographical restrictions, duration, or limitations of a license."}}}},"patentApplicationNumber":{"type":"string","pattern":"^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$","title":"Patent Application Number","description":"The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).","examples":["US20240000123","EP23123456"]},"patentJurisdiction":{"type":"string","title":"Jurisdiction","description":"The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).","pattern":"^[A-Z]{2}$","examples":["US","EP","JP"]},"patentFilingDate":{"type":"string","format":"date","title":"Filing Date","description":"The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."},"priorityApplication":{"type":"object","title":"Priority Application","description":"The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.","required":["applicationNumber","jurisdiction","filingDate"],"additionalProperties":false,"properties":{"applicationNumber":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"},"jurisdiction":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"},"filingDate":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate"}}}}},"cyclonedx-release-notes-2.0":{"type":"null","title":"CycloneDX Release Notes Model","$defs":{"releaseNotes":{"type":"object","title":"Release notes","required":["type"],"additionalProperties":false,"properties":{"type":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType","title":"Type","description":"The software versioning type the release note describes."},"title":{"type":"string","title":"Title","description":"The title of the release."},"featuredImage":{"type":"string","format":"iri-reference","title":"Featured image","description":"The URL to an image that may be prominently displayed with the release note."},"socialImage":{"type":"string","format":"iri-reference","title":"Social image","description":"The URL to an image that may be used in messaging on social media platforms."},"description":{"type":"string","title":"Description","description":"A short description of the release."},"timestamp":{"type":"string","format":"date-time","title":"Timestamp","description":"The date and time (timestamp) when the release note was created."},"aliases":{"type":"array","items":{"type":"string"},"title":"Aliases","description":"One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. 
code names)."},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"resolves":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/issue"},"title":"Resolves","description":"A collection of issues that have been resolved."},"notes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/note"},"title":"Notes","description":"Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages."},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}}}},"releaseType":{"type":"string","examples":["major","minor","patch","pre-release","internal"],"description":"The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it."},"note":{"type":"object","title":"Note","description":"A note containing the locale and content.","required":["text"],"additionalProperties":false,"properties":{"locale":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/locale","title":"Locale","description":"The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\""},"text":{"title":"Release note content","description":"Specifies the full content of the release note.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}}},"cyclonedx-requirement-2.0":{"type":"null","title":"CycloneDX Engineering Requirement Model","$defs":{"requirement":{"type":"object","title":"Requirement","description":"A requirement represents a specific need, constraint, or capability that must be met.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"id":{"type":"string","title":"Identifier","description":"A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."},"name":{"type":"string","title":"Name","description":"A short name or title for the requirement."},"description":{"type":"string","title":"Description","description":"A detailed description of the requirement."},"type":{"type":"array","title":"Requirement Types","description":"The categories or classifications applicable to the requirement.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementType"},"uniqueItems":true},"priority":{"type":"string","title":"Priority","description":"The priority level of the requirement.","enum":["critical","high","medium","low"]},"status":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus"},"version":{"type":"string","title":"Version","description":"The version of the requirement."},"stakeholders":{"type":"array","title":"Stakeholders","description":"The individuals or groups who have an interest in the requirement.","items":{"type":"string"}},"acceptanceCriteria":{"type":"array","title":"Acceptance Criteria","description":"Criteria that must be met for the requirement to be considered satisfied.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion"}},"dependencies":{"type":"array","title":"Dependencies","description":"Other requirements that 
this requirement depends on.","items":{"$ref":"#/$defs/cyclonedx-requirement-2.0/$defs/dependency"}},"parent":{"type":"string","title":"Parent BOM Reference","description":"The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."},"rationale":{"type":"string","title":"Rationale","description":"The reasoning or justification for the requirement."},"fitCriterion":{"type":"string","title":"Fit Criterion","description":"A measurable test that the solution must pass to be acceptable to the stakeholders."},"effort":{"type":"string","title":"Effort Estimation","description":"An estimation of the effort required to implement the requirement."},"risk":{"type":"string","title":"Risk","description":"The risk level associated with implementing or not implementing the requirement.","enum":["critical","high","medium","low"]},"attachments":{"type":"array","title":"Attachments","description":"Files or documents attached to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}},"properties":{"type":"array","title":"Properties","description":"Provides the ability to document properties in a name-value store. 
This provides flexibility to include data not officially supported in the standard.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/property"}},"externalReferences":{"type":"array","title":"External References","description":"External references provide a way to document systems, sites, and information that may be relevant to the requirement.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"requirementType":{"type":"string","title":"Requirement Type","description":"The category or classification applicable to the requirement.","enum":["accessibility","auditability","availability","business","compatibility","compliance","deployment","functional","interoperability","localization","maintainability","non-functional","other","performance","portability","privacy","regulatory","reliability","scalability","security","system","testability","usability","user"],"meta:enum":{"accessibility":"Requirements ensuring inclusive access for people with disabilities or impairments.","auditability":"Requirements defining the capability of a system to record activities for review and compliance purposes.","availability":"Requirements describing the uptime and operational availability of systems or services.","business":"Requirements derived from organizational goals, strategies, or business processes.","compatibility":"Requirements ensuring the software or system functions correctly with other systems or legacy components.","compliance":"Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.","deployment":"Requirements related to deploying, configuring, and operating the system in production environments.","functional":"Requirements specifying the fundamental behaviors and capabilities of the system or application.","interoperability":"Requirements addressing the ability of the system to interact seamlessly with external systems or products.","localization":"Requirements specifying 
adaptations for specific languages, cultures, or regional needs.","maintainability":"Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.","non-functional":"Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.","other":"Requirements that do not clearly fit into other specified categories.","performance":"Requirements specifying response times, throughput, or other efficiency-related aspects.","portability":"Requirements enabling the system or components to be transferred easily across various environments or platforms.","privacy":"Requirements specifically addressing the handling and protection of personal and sensitive data.","regulatory":"Requirements necessary for legal compliance, dictated by laws, regulations, or standards.","reliability":"Requirements ensuring the system consistently performs under specified conditions and duration.","scalability":"Requirements focused on the ability of the system to grow and manage increased demand effectively.","security":"Requirements intended to protect systems, data, and users from malicious actions or threats.","system":"Technical requirements defining infrastructure, architecture, or underlying technologies.","testability":"Requirements ensuring the system can be effectively validated and tested.","usability":"Requirements addressing the ease of use, intuitiveness, and overall user experience.","user":"Requirements captured directly from user needs, tasks, and expectations."}},"requirementStatus":{"type":"string","title":"Status","description":"The current status of the requirement in the development lifecycle.","enum":["draft","proposed","approved","implemented","verified","deferred","rejected","replaced","obsolete"]},"acceptanceCriterion":{"type":"object","title":"Acceptance Criterion","description":"A specific condition that must be met for the requirement to be considered 
satisfied.","additionalProperties":false,"properties":{"id":{"type":"string","title":"Identifier","description":"A unique identifier for the acceptance criterion."},"description":{"type":"string","title":"Description","description":"A description of the acceptance criterion."},"status":{"type":"string","title":"Status","description":"The current status of the acceptance criterion.","enum":["pending","passed","failed"]}}},"dependency":{"type":"object","title":"Dependency","description":"A dependency on another requirement.","additionalProperties":false,"properties":{"ref":{"oneOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"type":{"type":"string","title":"Dependency Type","description":"The type of dependency relationship.","enum":["requires","conflicts-with","enhances","implements","other"]},"description":{"type":"string","title":"Description","description":"A description of the dependency relationship."}}}}},"cyclonedx-risk-2.0":{"type":"null","title":"CycloneDX Risk Model","properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"An optional identifier which can be used to reference the risk assessment elsewhere in the BOM"},"domains":{"type":"array","description":"Risk domains covered by this assessment","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"}},"scenarios":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},"description":"Risk scenarios identified"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/risk"},"description":"Documented risks derived from scenarios"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Controls, countermeasures, or mitigations to address identified 
risks"},"assessments":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/assessment"},"description":"Risk assessments and evaluations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}},"$defs":{"riskDomain":{"type":"object","required":["type"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["security","privacy","operational","financial","compliance","strategic","reputational","safety","environmental","supply_chain","technical","project"],"meta:enum":{"security":"Information security and cybersecurity risks","privacy":"Data protection and privacy risks","operational":"Business operations and continuity risks","financial":"Financial loss and economic impact risks","compliance":"Regulatory and legal compliance risks","strategic":"Strategic business and market risks","reputational":"Brand and reputation damage risks","safety":"Human safety and physical security risks","environmental":"Environmental impact and sustainability risks","supply_chain":"Supply chain and third-party risks","technical":"Technical and technology risks","project":"Project delivery and execution risks"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"description":{"type":"string","description":"Additional context for this risk domain"}}},"riskAttribute":{"type":"string","description":"A classification of security and privacy attributes that represent potential impact areas when a risk is realized","enum":["accountability","authentication","authorization","authenticity","availability","compliance","confidentiality","connectivity","control","data_subject_rights","integrity","minimisation","non-repudiation","possession","privacy","purpose_limitation","transparency","utility"],"meta:enum":{"accountability":"Assigning responsibility for actions and decisions to individuals or entities","authentication":"Verifying the identity of users, devices, or systems before granting access","authorization":"Granting permissions based 
on identity and roles to perform specific actions or access resources","authenticity":"Ensuring that data, communications, or entities are genuine and can be verified","availability":"Ensuring systems, data, and services are accessible and operational when needed","compliance":"Adherence to applicable laws, regulations, policies, and standards","confidentiality":"Preventing unauthorised access to or disclosure of information","connectivity":"Maintaining secure and reliable communication between systems or components","control":"Enabling individuals to manage how their personal data is used and shared","data_subject_rights":"Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data","integrity":"Ensuring information is accurate, complete, and unaltered by unauthorised actors","minimisation":"Limiting data collection and retention to what is strictly necessary for the intended purpose","non-repudiation":"Providing proof of origin and delivery to prevent denial of actions or communications","possession":"Ensuring control or custody over data or assets, regardless of ownership","privacy":"Protecting individuals' personal information in accordance with legal and ethical standards","purpose_limitation":"Ensuring that personal data is only used for the purpose explicitly specified at collection","transparency":"Ensuring individuals are informed about data practices, including collection, use, and sharing","utility":"Ensuring data is usable and in a format suitable for the intended purpose"}},"scenario":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the risk scenario"},"description":{"type":"string","description":"Detailed description of the 
scenario"},"type":{"type":"string","enum":["threat","vulnerability","weakness","risk","incident","opportunity","hazard"],"meta:enum":{"threat":"Threat scenario","vulnerability":"Exploitable vulnerability","weakness":"System or design weakness","risk":"General risk scenario","incident":"Potential incident scenario","opportunity":"Positive risk (opportunity)","hazard":"Safety hazard scenario"}},"domain":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected by this scenario"},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to affected assets"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations that address this scenario"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"compliance":{"type":"array","items":{"type":"object","required":["framework","controlId"],"additionalProperties":false,"properties":{"framework":{"type":"string","description":"Name of the compliance program or framework"},"controlId":{"type":"string","description":"Identifier of the control within the framework"},"reference":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference","description":"Link or citation to the requirement or control documentation"},"description":{"type":"string","description":"Optional notes describing the mapping"}}},"description":"Compliance frameworks and control references this mitigation 
supports"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"risk":{"type":"object","required":["bom-ref","name","statement"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier for the risk"},"statement":{"type":"string","description":"Structured risk statement describing source, event, and impact"},"description":{"type":"string","description":"Additional narrative about the risk"},"domains":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskDomain"},"description":"Risk domains impacted"},"scenarios":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this risk addresses"},"likelihood":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihood"},"impact":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impact"},"riskScore":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"}},"responses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskResponse"},"description":"Risk responses or mitigation plans applied to this risk"},"relatedThreats":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatScenario"},"description":"Related threat scenarios informing this risk"},"status":{"type":"string","enum":["identified","assessed","mitigated","accepted","transferred","retired"],"meta:enum":{"identified":"Risk has been identified but not yet evaluated","assessed":"Risk has been assessed and prioritized","mitigated":"Mitigations are in place reducing this risk","accepted":"Risk has been formally accepted","transferred":"Risk has been transferred to another party","retired":"Risk no longer applies"}},"owner":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Owner or accountable party for 
this risk"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"likelihood":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","title":"Level","description":"The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"Almost certain to occur (> 90% probability).","high":"Likely to occur (60-90% probability).","low":"Unlikely to occur (10-30% probability).","medium":"Possible to occur (30-60% probability).","veryHigh":"Very likely to occur (75-90% probability).","veryLow":"Very unlikely to occur (< 10% probability)."}},"score":{"type":"number","minimum":0,"maximum":5,"description":"Numeric likelihood score"},"probability":{"type":"number","minimum":0,"maximum":1,"description":"Probability as a decimal (0-1)"},"factors":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor"},"description":"Factors considered when determining the likelihood level"},"rationale":{"type":"string","description":"Justification for the likelihood rating"}}},"likelihoodFactor":{"type":"object","title":"Likelihood Factor","description":"An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.","required":["name","type"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the likelihood factor being evaluated. 
Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.","minLength":1},"type":{"title":"Type","description":"The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.","oneOf":[{"title":"Predefined Likelihood Factor Type","description":"A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.","type":"string","additionalProperties":false,"enum":["attackVector","controlEffectiveness","exploitMaturity","exposure","motivation","opportunity","other","threatCapability","vulnerability"],"meta:enum":{"attackVector":"Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.","controlEffectiveness":"Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.","exploitMaturity":"Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.","exposure":"Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.","motivation":"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.","opportunity":"Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.","other":"A likelihood factor type not defined by the CycloneDX standard. 
Use the custom type option for factors specific to an organization's risk methodology.","threatCapability":"Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.","vulnerability":"Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor."}},{"title":"Custom Likelihood Factor Type","description":"A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.","type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","description":"The name of the custom likelihood factor type.","minLength":1},"description":{"type":"string","title":"Description","description":"A description of the custom likelihood factor type and how it contributes to likelihood assessment."}}}]},"level":{"type":"string","title":"Level","description":"The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.","enum":["certain","high","low","medium","veryHigh","veryLow"],"meta:enum":{"certain":"This factor almost certainly contributes to risk realization (> 90% influence).","high":"This factor strongly contributes to risk realization (60-90% influence).","low":"This factor has limited contribution to risk realization (10-30% influence).","medium":"This factor moderately contributes to risk realization (30-60% influence).","veryHigh":"This factor very strongly contributes to risk realization (75-90% influence).","veryLow":"This factor has minimal contribution to risk realization (< 10% influence)."}},"score":{"type":"number","title":"Score","description":"A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates 
maximum contribution.","minimum":0,"maximum":5},"weight":{"type":"number","title":"Weight","description":"The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.","minimum":0,"maximum":1},"description":{"type":"string","title":"Description","description":"A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"impact":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["negligible","low","moderate","major","catastrophic"],"description":"Impact severity level","meta:enum":{"negligible":"Minimal impact with no significant consequences","low":"Minor impact with limited consequences","moderate":"Moderate impact affecting some operations","major":"Significant impact with serious consequences","catastrophic":"Catastrophic impact with existential consequences"}},"score":{"type":"number","minimum":0,"maximum":10,"description":"Numeric impact score"},"categories":{"type":"array","items":{"type":"string","enum":["confidentiality","integrity","availability","financial","reputation","regulatory","safety","privacy","operational","strategic"],"meta:enum":{"confidentiality":"Impact on data confidentiality","integrity":"Impact on data or system integrity","availability":"Impact on service availability","financial":"Financial loss or impact","reputation":"Reputational damage","regulatory":"Regulatory compliance impact","safety":"Human safety impact","privacy":"Privacy violation impact","operational":"Operational disruption","strategic":"Strategic business 
impact"}},"description":"Categories of impact"},"riskAttributes":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute"},"description":"Risk attributes affected"},"quantification":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification"},"description":{"type":"string","description":"Description of the potential impact"}}},"impactQuantification":{"type":"object","additionalProperties":false,"properties":{"financialLoss":{"type":"number","description":"Estimated financial loss in currency units"},"currency":{"type":"string","pattern":"^[A-Z]{3}$","description":"ISO 4217 currency code"},"affectedUsers":{"type":"integer","description":"Number of affected users"},"downtime":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Expected downtime as ISO 8601 duration"},"dataRecords":{"type":"integer","description":"Number of data records affected"},"recovery":{"type":"string","pattern":"^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$","description":"Recovery time as ISO 8601 duration"}}},"riskScore":{"type":"object","required":["level"],"additionalProperties":false,"properties":{"level":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Overall risk level","meta:enum":{"info":"Informational - no immediate action required","low":"Low risk - monitor and address in normal cycle","medium":"Medium risk - plan mitigation activities","high":"High risk - prioritize mitigation efforts","critical":"Critical risk - immediate action required"}},"score":{"type":"number","minimum":1,"description":"Numeric risk score"},"vector":{"type":"string","description":"Risk scoring vector (e.g., L:H/I:M)"},"methodology":{"type":"string","description":"Risk scoring methodology 
used"}}},"riskResponse":{"type":"object","required":["bom-ref","mitigations","mitigationPlan"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigation"},"description":"Mitigations applied to this risk response"},"mitigationPlan":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan"}}},"mitigation":{"type":"object","required":["bom-ref","reference"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Unique identifier for this mitigation entry so it can be referenced by a plan"},"reference":{"description":"Reference to a mitigation/control implementing the response.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"strategy":{"type":"string","enum":["prevent","detect","respond","recover"],"meta:enum":{"prevent":"Prevents the risk from occurring","detect":"Detects when the risk occurs","respond":"Responds to the risk when detected","recover":"Recovers from the impact"}},"type":{"type":"string","enum":["control","countermeasure","procedure","removal"],"meta:enum":{"control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","procedure":"Documented procedure","removal":"Removing a risky component or asset"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been 
verified"}},"priority":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/priority"},"effectiveness":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/effectiveness"},"cost":{"type":"string","enum":["trivial","low","medium","high","extreme"],"meta:enum":{"trivial":"Minimal cost and effort","low":"Low cost and effort","medium":"Moderate cost and effort","high":"High cost and significant effort","extreme":"Extreme cost and major effort"}},"addresses":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to scenarios this plan addresses"},"implementedBy":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to assets that implement this plan"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"mitigationPlan":{"type":"object","required":["name","type","status","mitigations"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Name of the mitigation plan"},"description":{"type":"string","description":"Description of what the plan covers"},"type":{"type":"string","enum":["avoid","reduce","transfer","accept","control","countermeasure","safeguard","practice","procedure"],"meta:enum":{"avoid":"Avoid the risk entirely","reduce":"Reduce likelihood or impact","transfer":"Transfer risk to another party","accept":"Accept the risk","control":"Protective, preventive or detective control","countermeasure":"Reactive measure to counter risks","safeguard":"Safeguards mitigating adverse events","practice":"Operational or governance practice","procedure":"Documented procedure"}},"status":{"type":"string","enum":["proposed","approved","planned","inProgress","implemented","verified"],"meta:enum":{"proposed":"Mitigation has been proposed","approved":"Mitigation has been approved","planned":"Implementation is planned","inProgress":"Implementation is 
in progress","implemented":"Mitigation has been implemented","verified":"Effectiveness has been verified"}},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"mitigations":{"type":"array","minItems":1,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"List of mitigation bom-refs chosen for this plan"}}},"effectiveness":{"type":"object","additionalProperties":false,"properties":{"percentage":{"type":"number","minimum":0,"maximum":1,"description":"Effectiveness as decimal"},"rating":{"type":"string","enum":["ineffective","marginal","adequate","good","excellent"],"meta:enum":{"ineffective":"Does not meaningfully reduce risk","marginal":"Slightly reduces risk","adequate":"Adequately reduces risk","good":"Significantly reduces risk","excellent":"Nearly eliminates risk"}}}},"assessment":{"type":"object","required":["bom-ref","type","timestamp"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"type":{"type":"string","enum":["initial","periodic","continuous","triggered"],"meta:enum":{"initial":"Initial risk assessment","periodic":"Scheduled periodic assessment","continuous":"Continuous monitoring assessment","triggered":"Event-triggered assessment"}},"timestamp":{"type":"string","format":"date-time","description":"When the assessment was performed"},"assessor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact","description":"Who performed the assessment"},"summary":{"type":"string","description":"Executive summary of the assessment"},"risks":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to risk entries evaluated in this 
assessment"},"overallRisk":{"type":"object","required":["method","score"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["sum","average","custom"],"description":"Aggregation method used to derive the overall risk"},"score":{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/riskScore"},"description":{"type":"string","description":"Optional explanation for custom aggregation approaches"}},"description":"Aggregated risk result for this assessment"},"recommendations":{"type":"array","items":{"type":"string"},"description":"Recommendations from the assessment"},"nextReview":{"type":"string","format":"date-time","description":"When the next review should occur"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"priority":{"type":"string","enum":["none","low","medium","high","critical"],"description":"Priority level","meta:enum":{"none":"No priority assigned","low":"Low priority - address when convenient","medium":"Medium priority - address in normal cycle","high":"High priority - address soon","critical":"Critical priority - address immediately"}},"severity":{"type":"string","enum":["info","low","medium","high","critical"],"description":"Severity level","meta:enum":{"info":"Informational finding","low":"Low severity issue","medium":"Medium severity issue","high":"High severity issue","critical":"Critical severity issue"}},"criticality":{"type":"string","enum":["minimal","low","moderate","high","critical"],"description":"Business criticality level","meta:enum":{"minimal":"Minimal impact on business operations","low":"Low impact with minor inconvenience","moderate":"Moderate impact affecting some operations","high":"High impact affecting critical operations","critical":"Critical impact with severe business consequences"}}}},"cyclonedx-service-2.0":{"type":"null","title":"CycloneDX Service 
Model","$defs":{"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services"},"service":{"type":"object","title":"Service","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"provider":{"title":"Provider","description":"The organization that provides the service.","$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"},"group":{"type":"string","title":"Service Group","description":"The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.","examples":["com.acme"]},"name":{"type":"string","title":"Service Name","description":"The name of the service. This will often be a shortened, single name of the service.","examples":["ticker-service"]},"version":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/version","title":"Service Version","description":"The service version."},"description":{"type":"string","title":"Service Description","description":"Specifies a description for the service"},"endpoints":{"type":"array","items":{"type":"string","format":"iri-reference"},"title":"Endpoints","description":"The endpoint URIs of the service. Multiple endpoints are allowed.","examples":["https://example.com/api/v1/ticker"]},"authenticated":{"type":"boolean","title":"Authentication Required","description":"A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. 
A value of false indicates the service does not require authentication."},"x-trust-boundary":{"type":"boolean","title":"Crosses Trust Boundary","description":"A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."},"trustZone":{"type":"string","title":"Trust Zone","description":"The name of the trust zone the service resides in."},"data":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/serviceData"},"title":"Data","description":"Specifies information about the data including the directional flow of data and the data classification."},"licenses":{"$ref":"#/$defs/cyclonedx-license-2.0/$defs/licenseChoice","title":"Service License(s)"},"patentAssertions":{"$ref":"#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions","title":"Service Patent(s)"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services included or deployed behind the parent service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies."},"releaseNotes":{"$ref":"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes","title":"Release notes","description":"Specifies release notes."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"tags":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/tags","title":"Tags"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"serviceData":{"type":"object","title":"Hash Objects","required":["flow","classification"],"additionalProperties":false,"properties":{"flow":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection","title":"Directional Flow","description":"Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. 
Bi-directional states that data flows both ways and unknown states that the direction is not known."},"classification":{"$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataClassification"},"name":{"type":"string","title":"Name","description":"Name for the defined data","examples":["Credit card reporting"]},"description":{"type":"string","title":"Description","description":"Short description of the data content and usage","examples":["Credit card information being exchanged in between the web app and the database"]},"governance":{"title":"Data Governance","$ref":"#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"},"source":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Source","description":"The URI, URL, or BOM-Link of the components or services the data came in from"},"destination":{"type":"array","items":{"anyOf":[{"title":"URL","type":"string","format":"iri-reference"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}]},"title":"Destination","description":"The URI, URL, or BOM-Link of the components or services the data is sent to"}}}}},"cyclonedx-standard-2.0":{"type":"null","title":"CycloneDX Standard Model","$defs":{"standards":{"type":"array","title":"Standards","description":"The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/standard"}},"standard":{"type":"object","title":"Standard","description":"A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested 
to.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"name":{"type":"string","title":"Name","description":"The name of the standard. This will often be a shortened, single name of the standard."},"version":{"type":"string","title":"Version","description":"The version of the standard."},"description":{"type":"string","title":"Description","description":"The description of the standard."},"owner":{"type":"string","title":"Owner","description":"The owner of the standard, often the entity responsible for its release."},"requirements":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirements"},"levels":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/levels"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature","title":"Signature","description":"Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."}}},"requirements":{"type":"array","title":"Requirements","description":"The list of requirements comprising the standard.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/requirement"}},"requirement":{"type":"object","title":"Requirement","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The unique identifier used in the standard to identify a specific requirement. 
This should match what is in the standard and should not be the requirements bom-ref."},"title":{"type":"string","title":"Title","description":"The title of the requirement."},"text":{"type":"string","title":"Text","description":"The textual content of the requirement."},"descriptions":{"type":"array","title":"Descriptions","description":"The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.","items":{"type":"string"}},"openCre":{"type":"array","title":"OWASP OpenCRE Identifier(s)","description":"The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.","items":{"type":"string","pattern":"^CRE:[0-9]+-[0-9]+$","examples":["CRE:764-507"]}},"parent":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType","title":"Parent BOM Reference","description":"The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"}}},"levels":{"type":"array","title":"Levels","description":"The list of levels associated with the standard. Some standards have different levels of compliance.","items":{"$ref":"#/$defs/cyclonedx-standard-2.0/$defs/level"}},"level":{"type":"object","title":"Level","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM."},"identifier":{"type":"string","title":"Identifier","description":"The identifier used in the standard to identify a specific level."},"title":{"type":"string","title":"Title","description":"The title of the level."},"description":{"type":"string","title":"Description","description":"The description of the level."},"requirements":{"type":"array","title":"Requirements","description":"The list of requirement `bom-ref`s that comprise the level.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"}}}}}},"cyclonedx-threat-2.0":{"type":"null","title":"CycloneDX Threat Model","$defs":{"threatScenario":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-risk-2.0/$defs/scenario"},{"properties":{"threatCategory":{"type":"string","description":"Threat category based on methodology (e.g., STRIDE category)"},"threatActor":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"attackVector":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackVector"},"attackPattern":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference"},"abuseCases":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/abuseCase"},"description":"Abuse or misuse cases that illustrate how this threat can be exercised"},"weakness":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference"},"exploitability":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/exploitability"},"indicators":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/indicators"},"killChainPhase":{"type":"string","enum":["reconnaissance","weaponization","delivery","exploitation","installation","command-and-control","actions-on-objectives"],"meta:enum":{"reconnaissance":"Gathering information about the target","weaponization":"Creating malicious payloads","delivery":"Transmitting weapon to target","exploitation":"Exploiting vulnerabilities","installation":"Installing malware or backdoors","command-and-control":"Establishing C2 
channel","actions-on-objectives":"Achieving attack goals"}},"technicalImpact":{"type":"array","items":{"type":"string","enum":["unauthorized-access","data-breach","data-corruption","service-disruption","privilege-escalation","code-execution","information-disclosure","denial-of-service"]}}}}]},"threatActor":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name or identifier of the threat actor"},"description":{"type":"string","description":"Description of the threat actor"},"type":{"type":"string","enum":["individual","group","organization","nation-state","unknown"],"meta:enum":{"individual":"Individual threat actor","group":"Organized group or collective","organization":"Corporate or criminal organization","nation-state":"Nation-state sponsored actor","unknown":"Unknown threat actor type"}},"aliases":{"type":"array","items":{"type":"string"},"description":"Known aliases or alternative names"},"profile":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile"},"observedTTPs":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/ttp"},"description":"Observed tactics, techniques, and procedures"},"attributedAttacks":{"type":"array","items":{"type":"string"},"description":"Attacks attributed to this actor"},"targeting":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/targeting"},"externalReferences":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReference"}}}},"threatActorProfile":{"type":"object","additionalProperties":false,"properties":{"sophistication":{"type":"string","enum":["none","minimal","intermediate","advanced","expert"],"meta:enum":{"none":"No technical sophistication","minimal":"Script kiddie level","intermediate":"Intermediate technical skills","advanced":"Advanced persistent threat","expert":"Nation-state level 
capabilities"}},"motivation":{"type":"array","items":{"type":"string","enum":["financial","political","personal","ideological","espionage","destruction","disruption","reputation","curiosity","competitive","revenge","activism"]},"description":"Primary motivations"},"intent":{"type":"string","enum":["accidental","opportunistic","targeted","persistent"],"description":"Intent level"},"resources":{"type":"string","enum":["minimal","limited","moderate","substantial","unlimited"],"description":"Resource availability"},"accessLevel":{"type":"string","enum":["none","external","internal","privileged","physical"],"description":"Level of access to target systems"},"skillSet":{"type":"array","items":{"type":"string"},"description":"Specific skills possessed"}}},"attackVector":{"type":"object","additionalProperties":false,"properties":{"type":{"type":"string","enum":["network","adjacent","local","physical"],"meta:enum":{"network":"Remotely exploitable via network","adjacent":"Exploitable from adjacent network","local":"Requires local access","physical":"Requires physical access"}},"complexity":{"type":"string","enum":["low","high"],"description":"Attack complexity"},"privileges":{"type":"string","enum":["none","low","high"],"description":"Privileges required"},"userInteraction":{"type":"string","enum":["none","required"],"description":"User interaction requirement"},"scope":{"type":"string","enum":["unchanged","changed"],"description":"Scope impact"}}},"abuseCase":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Name of the abuse case"},"description":{"type":"string","description":"Narrative describing how the system can be misused or abused"},"abuser":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference (bom-ref) to a threat actor involved in the abuse 
case"},"targets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References (bom-refs) to assets or flows targeted in this abuse case"},"steps":{"type":"array","items":{"type":"string"},"description":"Ordered steps the abuser follows"}}},"attackPattern":{"type":"object","required":["bom-ref","name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"capecId":{"type":"integer","description":"CAPEC (Common Attack Pattern Enumeration and Classification) ID"},"name":{"type":"string","description":"Name of the attack pattern"},"description":{"type":"string","description":"Description of the attack pattern"},"prerequisites":{"type":"array","items":{"type":"string"},"description":"Prerequisites for the attack"},"techniques":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"description":"Techniques used in the attack"},"mitigations":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to mitigations"},"examples":{"type":"array","items":{"type":"string"},"description":"Real-world examples"}}},"attackPatternReference":{"type":"object","additionalProperties":false,"properties":{"patternRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to attack pattern"},"capecId":{"type":"integer","description":"CAPEC ID if not referencing internal pattern"},"customization":{"type":"string","description":"How this pattern is customized for the specific scenario"}}},"technique":{"type":"object","additionalProperties":false,"properties":{"id":{"type":"string","description":"Technique ID (e.g., MITRE ATT&CK ID)"},"name":{"type":"string","description":"Name of the technique"},"tactic":{"type":"string","description":"Associated tactic"},"procedure":{"type":"string","description":"Specific procedure"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools used with 
this technique"}}},"weakness":{"type":"object","required":["bom-ref"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"cweId":{"type":"integer","description":"CWE (Common Weakness Enumeration) ID"},"name":{"type":"string","description":"Name of the weakness"},"description":{"type":"string","description":"Description of the weakness"},"abstraction":{"type":"string","enum":["pillar","class","base","variant","compound"],"meta:enum":{"pillar":"Most abstract type of weakness","class":"Weakness described in generic terms","base":"Weakness described in abstract terms","variant":"Weakness specific to a resource/technology","compound":"Combination of two or more weaknesses"}},"ordinality":{"type":"string","enum":["primary","resultant","indirect"],"meta:enum":{"primary":"Weakness exists independent of other weaknesses","resultant":"Weakness is caused by another weakness","indirect":"Weakness is indirectly caused by another weakness"}},"affectedAssets":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets affected by this weakness"},"exploitationDifficulty":{"type":"string","enum":["trivial","easy","moderate","difficult","impractical"],"description":"Difficulty of exploiting this weakness"},"detectionMethods":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod"},"description":"Methods for detecting this weakness"}}},"weaknessReference":{"type":"object","additionalProperties":false,"properties":{"weaknessRef":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to weakness"},"cweId":{"type":"integer","description":"CWE ID if not referencing internal weakness"},"instance":{"type":"string","description":"Specific instance or manifestation of the 
weakness"}}},"exploitability":{"type":"object","additionalProperties":false,"properties":{"level":{"type":"string","enum":["theoretical","proof-of-concept","functional","weaponized"],"meta:enum":{"theoretical":"Theoretically possible but not demonstrated","proof-of-concept":"Proof of concept exists","functional":"Functional exploit exists","weaponized":"Weaponized exploit in the wild"}},"complexity":{"type":"string","enum":["trivial","low","medium","high","very-high"],"description":"Complexity to exploit"},"skillRequired":{"type":"string","enum":["none","basic","intermediate","advanced","expert"],"description":"Skill level required"},"toolsRequired":{"type":"array","items":{"type":"string"},"description":"Tools required for exploitation"},"timeRequired":{"type":"string","description":"Estimated time to develop exploit"},"reliability":{"type":"string","enum":["unreliable","occasional","reliable","highly-reliable"],"description":"Reliability of exploitation"},"automatable":{"type":"boolean","description":"Whether exploitation can be automated"}}},"indicators":{"type":"object","additionalProperties":false,"properties":{"compromise":{"type":"array","items":{"type":"string"},"description":"Indicators of compromise"},"attack":{"type":"array","items":{"type":"string"},"description":"Indicators of attack"},"behavioral":{"type":"array","items":{"type":"string"},"description":"Behavioral indicators"},"signatures":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/signature"},"description":"Detection signatures"}}},"signature":{"type":"object","required":["type","value"],"additionalProperties":false,"properties":{"type":{"type":"string","enum":["yara","snort","regex","hash","behavior"],"description":"Type of signature"},"value":{"type":"string","description":"Signature value or pattern"},"description":{"type":"string","description":"Description of what the signature 
detects"},"confidence":{"type":"string","enum":["low","medium","high"],"description":"Confidence level of detection"}}},"ttp":{"type":"object","additionalProperties":false,"properties":{"tactic":{"type":"string","description":"High-level tactic"},"technique":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/technique"},"procedure":{"type":"string","description":"Specific implementation"},"tools":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/tool"},"description":"Tools used"},"infrastructure":{"type":"array","items":{"type":"string"},"description":"Infrastructure used"}}},"tool":{"type":"object","required":["name"],"additionalProperties":false,"properties":{"name":{"type":"string","description":"Tool name"},"type":{"type":"string","enum":["exploit","scanner","fuzzer","proxy","framework","custom"],"description":"Type of tool"},"version":{"type":"string","description":"Tool version"},"capabilities":{"type":"array","items":{"type":"string"},"description":"Tool capabilities"}}},"targeting":{"type":"object","additionalProperties":false,"properties":{"sectors":{"type":"array","items":{"type":"string"},"description":"Targeted sectors or industries"},"regions":{"type":"array","items":{"type":"string"},"description":"Targeted geographic regions"},"technologies":{"type":"array","items":{"type":"string"},"description":"Targeted technologies or platforms"},"dataTypes":{"type":"array","items":{"type":"string"},"description":"Types of data targeted"}}},"detectionMethod":{"type":"object","required":["method"],"additionalProperties":false,"properties":{"method":{"type":"string","enum":["static-analysis","dynamic-analysis","penetration-test","code-review","architecture-review","automated-scan"],"description":"Detection method type"},"description":{"type":"string","description":"Description of the detection method"},"effectiveness":{"type":"string","enum":["low","medium","high"],"description":"Effectiveness of the 
method"},"tools":{"type":"array","items":{"type":"string"},"description":"Tools that implement this method"}}},"securityPolicy":{"type":"object","required":["bom-ref","name","type"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","description":"Policy name"},"type":{"type":"string","enum":["access-control","data-protection","network-security","application-security","operational-security","compliance"],"description":"Type of security policy"},"description":{"type":"string","description":"Policy description"},"requirements":{"type":"array","items":{"type":"string"},"description":"Policy requirements"},"enforcement":{"type":"string","enum":["mandatory","recommended","optional"],"description":"Enforcement level"},"appliesTo":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Assets this policy applies to"},"exceptions":{"type":"array","items":{"type":"string"},"description":"Policy exceptions"}}},"trustBoundary":{"type":"object","allOf":[{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"},{"properties":{"trustLevel":{"type":"string","enum":["untrusted","semi-trusted","trusted","highly-trusted"],"description":"Trust level differential"},"securityRequirements":{"$ref":"#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements"},"threatsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Threats that could exploit this boundary"},"controlsAtBoundary":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"Controls implemented at this boundary"}}}]},"boundarySecurityRequirements":{"type":"object","additionalProperties":false,"properties":{"authenticationStrength":{"type":"string","enum":["none","weak","moderate","strong","very-strong"],"description":"Required authentication 
strength"},"authorizationGranularity":{"type":"string","enum":["coarse","medium","fine","very-fine"],"description":"Authorization granularity required"},"integrityVerification":{"type":"boolean","description":"Whether integrity verification is required"},"confidentialityProtection":{"type":"boolean","description":"Whether confidentiality protection is required"},"auditingLevel":{"type":"string","enum":["none","basic","detailed","comprehensive"],"description":"Level of auditing required"},"dataValidationRules":{"type":"array","items":{"type":"string"},"description":"Data validation rules at boundary"}}}}},"cyclonedx-usecase-2.0":{"type":"null","title":"CycloneDX Use Case Model","$defs":{"useCases":{"type":"array","title":"Use Cases","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/useCase"},"description":"A collection of use cases that describe how actors interact with the system to achieve specific goals."},"useCase":{"type":"object","title":"Use Case","description":"A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.","required":["name"],"additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"name":{"type":"string","title":"Name","minLength":1,"description":"The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')."},"description":{"type":"string","title":"Description","description":"A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution."},"actors":{"type":"array","title":"Actors","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType"},"description":"References to the actors that participate in this use case, representing 
anyone or anything that initiates or interacts with the described flow."},"preconditions":{"type":"array","title":"Preconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases."},"postconditions":{"type":"array","title":"Postconditions","uniqueItems":true,"items":{"type":"string"},"description":"Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced."},"mainFlow":{"type":"array","title":"Main Flow","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome."},"alternativeFlows":{"type":"array","title":"Alternative Flows","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/flow"},"description":"Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome."},"exceptions":{"type":"array","title":"Exceptions","uniqueItems":true,"items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/exception"},"description":"Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully."},"successCriteria":{"type":"array","title":"Success Criteria","uniqueItems":true,"items":{"type":"string"},"description":"Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off."},"notes":{"type":"array","title":"Notes","uniqueItems":true,"items":{"type":"string"},"description":"Supplementary 
information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"step":{"type":"object","title":"Step","description":"A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.","required":["number","description"],"additionalProperties":false,"properties":{"number":{"type":"integer","title":"Number","minimum":1,"description":"The sequence number indicating the ordinal position of this step within its flow, starting at 1."},"description":{"type":"string","title":"Description","minLength":1,"description":"A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'."},"actor":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","description":"Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design."}}},"flow":{"type":"object","title":"Flow","description":"An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')."},"description":{"type":"string","title":"Description","description":"A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this 
alternative path."},"steps":{"type":"array","title":"Steps","items":{"$ref":"#/$defs/cyclonedx-usecase-2.0/$defs/step"},"description":"The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps."}}},"exception":{"type":"object","title":"Exception","description":"An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.","required":["name","condition"],"additionalProperties":false,"properties":{"name":{"type":"string","title":"Name","minLength":1,"description":"A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')."},"description":{"type":"string","title":"Description","description":"A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved."},"condition":{"type":"string","title":"Condition","minLength":1,"description":"The specific error condition, system state, or external event that triggers this exception during the execution of the use case."},"handling":{"type":"string","title":"Handling","description":"The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support."}}}}},"cyclonedx-vulnerability-2.0":{"type":"null","title":"CycloneDX Vulnerability Model","$defs":{"vulnerabilities":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerability"},"uniqueItems":true,"title":"Vulnerabilities","description":"Vulnerabilities identified in components or services."},"vulnerability":{"type":"object","title":"Vulnerability","description":"Defines a weakness in a component or service that could be exploited or triggered by a threat 
source.","additionalProperties":false,"properties":{"bom-ref":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/refType","title":"BOM Reference","description":"An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."},"id":{"type":"string","title":"ID","description":"The identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."},"references":{"type":"array","title":"References","description":"Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. 
References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.","items":{"type":"object","required":["id","source"],"additionalProperties":false,"properties":{"id":{"type":"string","title":"ID","description":"An identifier that uniquely identifies the vulnerability.","examples":["CVE-2021-39182","GHSA-35m5-8cvj-8783","SNYK-PYTHON-ENROCRYPT-1912876"]},"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that published the vulnerability."}}}},"ratings":{"type":"array","title":"Ratings","description":"List of vulnerability ratings","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/rating"}},"cwes":{"type":"array","title":"CWEs","description":"List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.","examples":[399],"items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/cwe"}},"description":{"type":"string","title":"Description","description":"A description of the vulnerability as provided by the source."},"detail":{"type":"string","title":"Details","description":"If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause."},"recommendation":{"type":"string","title":"Recommendation","description":"Recommendations of how the vulnerability can be remediated or mitigated."},"workaround":{"type":"string","title":"Workarounds","description":"A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. 
Workarounds often involve changes to configuration or deployments."},"proofOfConcept":{"type":"object","title":"Proof of Concept","description":"Evidence used to reproduce the vulnerability.","properties":{"reproductionSteps":{"type":"string","title":"Steps to Reproduce","description":"Precise steps to reproduce the vulnerability."},"environment":{"type":"string","title":"Environment","description":"A description of the environment in which reproduction was possible."},"supportingMaterial":{"type":"array","title":"Supporting Material","description":"Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/attachment"}}}},"advisories":{"type":"array","title":"Advisories","description":"Published advisories of the vulnerability if provided.","items":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/advisory"}},"created":{"type":"string","format":"date-time","title":"Created","description":"The date and time (timestamp) when the vulnerability record was created in the vulnerability database."},"published":{"type":"string","format":"date-time","title":"Published","description":"The date and time (timestamp) when the vulnerability record was first published."},"updated":{"type":"string","format":"date-time","title":"Updated","description":"The date and time (timestamp) when the vulnerability record was last updated."},"rejected":{"type":"string","format":"date-time","title":"Rejected","description":"The date and time (timestamp) when the vulnerability record was rejected (if applicable)."},"credits":{"type":"object","title":"Credits","description":"Individuals or organizations credited with the discovery of the vulnerability.","additionalProperties":false,"properties":{"organizations":{"type":"array","title":"Organizations","description":"The organizations credited with vulnerability 
discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"}},"individuals":{"type":"array","title":"Individuals","description":"The individuals, not associated with organizations, that are credited with vulnerability discovery.","items":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"}}}},"tools":{"type":"object","title":"Tools","description":"The tool(s) used to identify, confirm, or score the vulnerability.","additionalProperties":false,"properties":{"components":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/component"},"uniqueItems":true,"title":"Components","description":"A list of software and hardware components used as tools."},"services":{"type":"array","items":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/service"},"uniqueItems":true,"title":"Services","description":"A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."}}},"analysis":{"type":"object","title":"Impact Analysis","description":"An assessment of the impact and exploitability of the vulnerability.","additionalProperties":false,"properties":{"state":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisState"},"justification":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/impactAnalysisJustification"},"response":{"type":"array","title":"Response","description":"A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. 
Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.","items":{"type":"string","enum":["can_not_fix","will_not_fix","update","rollback","workaround_available"],"meta:enum":{"can_not_fix":"Can not fix","will_not_fix":"Will not fix","update":"Update to a different revision or release","rollback":"Revert to a previous revision or release","workaround_available":"There is a workaround available"}}},"detail":{"type":"string","title":"Detail","description":"Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability."},"firstIssued":{"type":"string","format":"date-time","title":"First Issued","description":"The date and time (timestamp) when the analysis was first issued."},"lastUpdated":{"type":"string","format":"date-time","title":"Last Updated","description":"The date and time (timestamp) when the analysis was last updated."}}},"affects":{"type":"array","uniqueItems":true,"items":{"type":"object","required":["ref"],"additionalProperties":false,"properties":{"ref":{"anyOf":[{"title":"Ref","$ref":"#/$defs/cyclonedx-common-2.0/$defs/refLinkType"},{"title":"BOM-Link Element","$ref":"#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType"}],"title":"Reference","description":"References a component or service by the objects bom-ref"},"versions":{"type":"array","title":"Versions","description":"Zero or more individual versions or range of versions.","items":{"type":"object","oneOf":[{"required":["version"]},{"required":["range"]}],"additionalProperties":false,"properties":{"version":{"title":"Version","description":"A single version of a component or service.","$ref":"#/$defs/cyclonedx-component-2.0/$defs/version"},"range":{"title":"Version Range","description":"A version range specified in Package URL Version Range syntax (vers) which is defined at 
https://github.com/package-url/vers-spec","$ref":"#/$defs/cyclonedx-component-2.0/$defs/versionRange"},"status":{"title":"Status","description":"The vulnerability status for the version or range of versions.","$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/affectedStatus","default":"affected"}}}}}},"title":"Affects","description":"The components or services that are affected by the vulnerability."},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"}}},"advisory":{"type":"object","title":"Advisory","description":"Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.","required":["url"],"additionalProperties":false,"properties":{"title":{"type":"string","title":"Title","description":"A name of the advisory."},"url":{"type":"string","title":"URL","format":"iri-reference","description":"Location where the advisory can be obtained."}}},"cwe":{"type":"integer","minimum":1,"title":"CWE","description":"Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)"},"severity":{"type":"string","title":"Severity","description":"Textual representation of the severity of the vulnerability adopted by the analysis method. 
If the analysis method uses values other than what is provided, the user is expected to translate appropriately.","enum":["critical","high","medium","low","info","none","unknown"],"meta:enum":{"critical":"Critical severity","high":"High severity","medium":"Medium severity","low":"Low severity","info":"Informational warning.","none":"None","unknown":"The severity is not known"}},"scoreMethod":{"type":"string","title":"Method","description":"Specifies the severity or risk scoring methodology or standard used.","enum":["CVSSv2","CVSSv3","CVSSv31","CVSSv4","OWASP","SSVC","other"],"meta:enum":{"CVSSv2":"Common Vulnerability Scoring System v2.0","CVSSv3":"Common Vulnerability Scoring System v3.0","CVSSv31":"Common Vulnerability Scoring System v3.1","CVSSv4":"Common Vulnerability Scoring System v4.0","OWASP":"OWASP Risk Rating Methodology","SSVC":"Stakeholder Specific Vulnerability Categorization","other":"Another severity or risk scoring methodology"}},"impactAnalysisState":{"type":"string","title":"Impact Analysis State","description":"Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.","enum":["resolved","resolved_with_pedigree","exploitable","in_triage","false_positive","not_affected"],"meta:enum":{"resolved":"The vulnerability has been remediated.","resolved_with_pedigree":"The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).","exploitable":"The vulnerability may be directly or indirectly exploitable.","in_triage":"The vulnerability is being investigated.","false_positive":"The vulnerability is not specific to the component or service and was falsely identified or associated.","not_affected":"The component or service is not affected by the vulnerability. 
Justification should be specified for all not_affected cases."}},"impactAnalysisJustification":{"type":"string","title":"Impact Analysis Justification","description":"The rationale of why the impact analysis state was asserted.","enum":["code_not_present","code_not_reachable","requires_configuration","requires_dependency","requires_environment","protected_by_compiler","protected_at_runtime","protected_at_perimeter","protected_by_mitigating_control"],"meta:enum":{"code_not_present":"The code has been removed or tree-shaked.","code_not_reachable":"The vulnerable code is not invoked at runtime.","requires_configuration":"Exploitability requires a configurable option to be set/unset.","requires_dependency":"Exploitability requires a dependency that is not present.","requires_environment":"Exploitability requires a certain environment which is not present.","protected_by_compiler":"Exploitability requires a compiler flag to be set/unset.","protected_at_runtime":"Exploits are prevented at runtime.","protected_at_perimeter":"Attacks are blocked at physical, logical, or network perimeter.","protected_by_mitigating_control":"Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability."}},"rating":{"type":"object","title":"Rating","description":"Defines the severity or risk ratings of a vulnerability.","additionalProperties":false,"properties":{"source":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilitySource","description":"The source that calculated the severity or risk rating of the vulnerability."},"score":{"type":"number","title":"Score","description":"The numerical score of the rating."},"severity":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/severity","description":"Textual representation of the severity that corresponds to the numerical score of the rating."},"method":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/scoreMethod"},"vector":{"type":"string","title":"Vector","description":"Textual 
representation of the metric values used to score the vulnerability"},"justification":{"type":"string","title":"Justification","description":"A reason for rating the vulnerability as it was"}}},"vulnerabilitySource":{"type":"object","title":"Source","description":"The source of vulnerability information. This is often the organization that published the vulnerability.","additionalProperties":false,"properties":{"url":{"type":"string","title":"URL","description":"The url of the vulnerability documentation as provided by the source.","examples":["https://nvd.nist.gov/vuln/detail/CVE-2021-39182"]},"name":{"type":"string","title":"Name","description":"The name of the source.","examples":["NVD","National Vulnerability Database","OSS Index","VulnDB","GitHub Advisories"]}}},"affectedStatus":{"description":"The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.","type":"string","enum":["affected","unaffected","unknown"],"meta:enum":{"affected":"The version is affected by the vulnerability.","unaffected":"The version is not affected by the vulnerability.","unknown":"It is unknown (or unspecified) whether the given version is affected."}}}},"cyclonedx-2.0":{"type":"object","title":"CycloneDX Transparency Expression Language","required":["specFormat","specVersion"],"additionalProperties":false,"properties":{"$schema":{"type":"string"},"specFormat":{"type":"string","title":"Specification Format","description":"Specifies the format. 
This value must be \"CycloneDX\".","enum":["CycloneDX"]},"specVersion":{"type":"string","title":"Specification Version","description":"The version of the CycloneDX specification the BOM conforms to.","examples":["2.0"]},"serialNumber":{"type":"string","title":"BOM Serial Number","description":"Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.","examples":["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"],"pattern":"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"},"version":{"type":"integer","title":"BOM Version","description":"Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.","minimum":1,"default":1},"metadata":{"$ref":"#/$defs/cyclonedx-metadata-2.0/$defs/metadata"},"components":{"$ref":"#/$defs/cyclonedx-component-2.0/$defs/components","description":"A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. 
When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."},"services":{"$ref":"#/$defs/cyclonedx-service-2.0/$defs/services"},"dependencies":{"$ref":"#/$defs/cyclonedx-dependency-2.0/$defs/dependencies"},"compositions":{"$ref":"#/$defs/cyclonedx-composition-2.0/$defs/compositions"},"vulnerabilities":{"$ref":"#/$defs/cyclonedx-vulnerability-2.0/$defs/vulnerabilities"},"annotations":{"$ref":"#/$defs/cyclonedx-annotation-2.0/$defs/annotations"},"formulation":{"$ref":"#/$defs/cyclonedx-formulation-2.0/$defs/formulation"},"declarations":{"$ref":"#/$defs/cyclonedx-declaration-2.0/$defs/declarations"},"definitions":{"$ref":"#/$defs/cyclonedx-definition-2.0/$defs/definitions"},"blueprints":{"$ref":"#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"},"citations":{"$ref":"#/$defs/cyclonedx-citation-2.0/$defs/citations"},"properties":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/properties"},"externalReferences":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/externalReferences"},"signature":{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/signature"}},"allOf":[{"$ref":"#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties"}]}}}
\ No newline at end of file
diff --git a/schema/2.0/cyclonedx-2.0-bundled.schema.json b/schema/2.0/cyclonedx-2.0-bundled.schema.json
index e9f8174f..2c8c0698 100644
--- a/schema/2.0/cyclonedx-2.0-bundled.schema.json
+++ b/schema/2.0/cyclonedx-2.0-bundled.schema.json
@@ -76,6 +76,9 @@
 "definitions": {
 "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
 },
+ "blueprints": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints"
+ },
 "citations": {
 "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
 },
@@ -777,2383 +780,6040 @@
 }
 }
 },
- "cyclonedx-citation-2.0": {
+ "cyclonedx-behavior-2.0": {
 "type": "null",
- "title": "CycloneDX Citation Model",
+ "title": "CycloneDX Behavior Model",
+ "properties": {
+ "behaviors": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviors"
+ }
+ },
 "$defs": {
- "citations": {
+ "trigger": {
+ "type": "string",
+ "title": "Trigger",
+ "description": "The condition or event that initiates a behavior.",
+ "enum": [
+ "startup",
+ "shutdown",
+ "scheduled",
+ "event-driven",
+ "user-initiated",
+ "api-call",
+ "signal",
+ "condition-based",
+ "continuous",
+ "on-demand",
+ "unknown"
+ ],
+ "meta:enum": {
+ "startup": "Triggered during system or component initialisation.",
+ "shutdown": "Triggered during system or component termination.",
+ "scheduled": "Triggered at predetermined times or intervals.",
+ "event-driven": "Triggered in response to a specific event.",
+ "user-initiated": "Triggered by explicit user action.",
+ "api-call": "Triggered by an API invocation.",
+ "signal": "Triggered by a system or inter-process signal.",
+ "condition-based": "Triggered when specific conditions are met.",
+ "continuous": "Runs continuously during normal operation.",
+ "on-demand": "Triggered on demand as needed.",
+ "unknown": "The trigger mechanism is not known."
+ }
+ },
+ "ordering": {
+ "type": "string",
+ "title": "Ordering",
+ "description": "Execution semantics for steps within a flow.",
+ "default": "sequential",
+ "enum": [
+ "sequential",
+ "unordered",
+ "parallel",
+ "conditional"
+ ],
+ "meta:enum": {
+ "sequential": "Steps execute in ordinal order. Each completes before the next begins.",
+ "unordered": "All steps execute, but order is not guaranteed.",
+ "parallel": "Steps may execute concurrently.",
+ "conditional": "Step execution is determined by runtime conditions."
+ }
+ },
+ "acknowledgment": {
 "type": "array",
- "items": {
- "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation"
- },
+ "title": "Acknowledgment",
+ "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
 "uniqueItems": true,
- "title": "Citations",
- "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM."
+ "items": {
+ "type": "string",
+ "enum": [
+ "declared",
+ "observed"
+ ],
+ "meta:enum": {
+ "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.",
+ "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."
+ }
+ }
 },
- "citation": {
+ "behaviors": {
 "type": "object",
- "title": "Citation",
- "description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
+ "title": "Behaviors",
+ "description": "Behaviors performed by objects within the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "instances": {
+ "type": "array",
+ "title": "Instances",
+ "description": "Individual behavior instances.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorInstance"
+ }
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "description": "Behavior flows that organise behaviors into operational patterns.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behaviorFlow"
+ }
+ }
+ }
+ },
+ "behaviorInstance": {
+ "type": "object",
+ "title": "Behavior Instance",
+ "description": "A behavior performed by one or more objects within the BOM.",
 "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "behavior"
+ ],
 "properties": {
 "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
 },
- "pointers": {
+ "behavior": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior from the taxonomy."
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"
+ },
+ "trigger": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger"
+ },
+ "actors": {
 "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this behavior.",
+ "uniqueItems": true,
 "items": {
- "type": "string",
- "title": "Field Reference",
- "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."
- },
- "minItems": 1,
- "title": "Field References",
- "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
 },
- "expressions": {
+ "targets": {
 "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this behavior.",
+ "uniqueItems": true,
 "items": {
- "type": "string",
- "title": "Path Expression",
- "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."
- },
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
+ }
+ }
+ },
+ "behaviorFlow": {
+ "type": "object",
+ "title": "Behavior Flow",
+ "description": "An organised collection of behaviors forming a coherent process.",
+ "additionalProperties": false,
+ "required": [
+ "bom-ref",
+ "steps"
+ ],
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/acknowledgment"
+ },
+ "ordering": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/ordering"
+ },
+ "trigger": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger"
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "description": "The steps that comprise this flow.",
 "minItems": 1,
- "title": "Path Expressions",
- "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+ "items": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/flowStep"
+ }
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "anyOf": [
+ {
+ "properties": {
+ "ordering": {
+ "const": "sequential"
+ }
+ },
+ "required": [
+ "ordering"
+ ]
+ },
+ {
+ "not": {
+ "required": [
+ "ordering"
+ ]
+ }
+ }
+ ]
+ },
+ "then": {
+ "properties": {
+ "steps": {
+ "items": {
+ "required": [
+ "ordinal"
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "flowStep": {
+ "type": "object",
+ "title": "Flow Step",
+ "description": "A single step within a behavior flow.",
+ "additionalProperties": false,
+ "properties": {
+ "ordinal": {
+ "type": "integer",
+ "title": "Ordinal",
+ "description": "Position within the flow. Required when ordering is 'sequential' or omitted.",
+ "minimum": 1
 },
- "timestamp": {
- "type": "string",
- "format": "date-time",
- "title": "Timestamp",
- "description": "The date and time when the attribution was made or the information was supplied."
+ "behavior": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."
 },
- "attributedTo": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Attributed To",
- "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ "trigger": {
+ "$ref": "#/$defs/cyclonedx-behavior-2.0/$defs/trigger"
 },
- "process": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Process Reference",
- "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+ "ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Behavior Reference",
+ "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."
 },
- "note": {
- "type": "string",
- "title": "Note",
- "description": "A description or comment about the context or quality of the data attribution."
+ "flow": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "Flow Reference",
+ "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."
 },
- "signature": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
- "title": "Signature",
- "description": "A digital signature verifying the authenticity or integrity of the attribution."
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ }
 }
 },
- "required": [
- "timestamp"
- ],
- "anyOf": [
+ "oneOf": [
 {
 "required": [
- "attributedTo"
+ "behavior"
 ]
 },
 {
 "required": [
- "process"
- ]
- }
- ],
- "oneOf": [
- {
- "required": [
- "pointers"
+ "ref"
 ]
 },
 {
 "required": [
- "expressions"
+ "flow"
 ]
 }
 ]
+ },
+ "behavior": {
+ "type": "string",
+ "title": "Behavior",
+ "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. Values may represent a domain, a category within a domain, or a specific behavior within a category.",
+ "enum": [
+ "ai",
+ "ai:agent",
+ "ai:agent:actsOnBehalfOfUser",
+ "ai:agent:coordinatesAgents",
+ "ai:agent:delegatesTask",
+ "ai:agent:executesAction",
+ "ai:agent:invokesTool",
+ "ai:agent:observesResult",
+ "ai:agent:plansAction",
+ "ai:agent:receivesHumanDelegation",
+ "ai:agent:reflectsOnResult",
+ "ai:agent:reportsDelegatedAction",
+ "ai:agent:requestsUserApproval",
+ "ai:agent:returnsDelegation",
+ "ai:agent:revisesPlan",
+ "ai:explainability",
+ "ai:explainability:attributesFeatures",
+ "ai:explainability:documentsModel",
+ "ai:explainability:explainsDecision",
+ "ai:explainability:tracesPrediction",
+ "ai:explainability:visualizesModel",
+ "ai:fairness",
+ "ai:fairness:auditsModelFairness",
+ "ai:fairness:calculatesFairnessMetric",
+ "ai:fairness:detectsBias",
+ "ai:fairness:handlesProtectedAttribute",
+ "ai:fairness:mitigatesBias",
+ "ai:generative",
+ "ai:generative:citesSource",
+ "ai:generative:filtersOutput",
+ "ai:generative:generatesAudio",
+ "ai:generative:generatesCode",
+ "ai:generative:generatesEmbedding",
+ "ai:generative:generatesImage",
+ "ai:generative:generatesText",
+ "ai:generative:mitigatesHallucination",
+ "ai:generative:processesPrompt",
+ "ai:generative:streamsResponse",
+ "ai:inference",
+ "ai:inference:appliesThreshold",
+ "ai:inference:batchesInference",
+ "ai:inference:cachesPrediction",
+ "ai:inference:ensemblesModels",
+ "ai:inference:generatesPrediction",
+ "ai:inference:infersInRealTime",
+ "ai:inference:ranksResults",
+ "ai:inference:scoresConfidence",
+ "ai:management",
+ "ai:management:comparesModels",
+ "ai:management:deploysModel",
+ "ai:management:loadsModel",
+ "ai:management:monitorsModel",
+ "ai:management:retiresModel",
+ "ai:management:rollsBackModel",
+ "ai:management:unloadsModel",
+ "ai:management:versionsModel",
+ "ai:quality",
+ "ai:quality:detectsConceptDrift",
+ "ai:quality:detectsDataDrift",
+ "ai:quality:detectsOutlier",
+ "ai:quality:engineersFeatures",
+ "ai:quality:selectsFeatures",
+ "ai:quality:validatesInputData",
+ "ai:robustness",
+ "ai:robustness:defendsAgainstAdversarial",
+ "ai:robustness:detectsAdversarialInput",
+ "ai:robustness:detectsOutOfDistribution",
+ "ai:robustness:estimatesUncertainty",
+ "ai:robustness:validatesRobustness",
+ "ai:training",
+ "ai:training:appliesTransferLearning",
+ "ai:training:checkpointsModel",
+ "ai:training:fineTunesModel",
+ "ai:training:ingestsTrainingData",
+ "ai:training:preprocessesTrainingData",
+ "ai:training:trainsFederatedly",
+ "ai:training:trainsModel",
+ "ai:training:tunesHyperparameters",
+ "ai:training:validatesModel",
+ "ai:training:validatesTrainingData",
+ "application",
+ "application:codeExecution",
+ "application:codeExecution:compilesCode",
+ "application:codeExecution:evaluatesExpression",
+ "application:codeExecution:executesNativeCommand",
+ "application:codeExecution:executesScript",
+ "application:codeExecution:interpretsCode",
+ "application:codeExecution:invokesViaReflection",
+ "application:codeExecution:loadsCodeDynamically",
+ "application:configuration",
+ "application:configuration:detectsEnvironment",
+ "application:configuration:evaluatesFeatureFlag",
+ "application:configuration:loadsConfiguration",
+ "application:configuration:reloadsConfiguration",
+ "application:controlFlow",
+ "application:controlFlow:awaitsAsyncResult",
+ "application:controlFlow:catchesException",
+ "application:controlFlow:emitsEvent",
+ "application:controlFlow:handlesEvent",
+ "application:controlFlow:invokesCallback",
+ "application:controlFlow:invokesHandler",
+ "application:controlFlow:invokesMiddleware",
+ "application:controlFlow:schedulesAsyncOperation",
+ "application:controlFlow:throwsException",
+ "application:dependencyManagement",
+ "application:dependencyManagement:closesCircuitBreaker",
+ "application:dependencyManagement:fallsBack",
+ "application:dependencyManagement:injectsDependency",
+ "application:dependencyManagement:opensCircuitBreaker",
+ "application:dependencyManagement:resolvesDependency",
+ "application:externalIntegration",
+ "application:externalIntegration:callsExternalService",
+ "application:externalIntegration:consumesEvent",
+ "application:externalIntegration:publishesEvent",
+ "application:externalIntegration:receivesWebhook",
+ "application:observability",
+ "application:observability:emitsTelemetry",
+ "application:observability:logsOperation",
+ "application:observability:recordsMetric",
+ "application:observability:reportsHealth",
+ "application:observability:tracesRequest",
+ "application:requestHandling",
+ "application:requestHandling:authenticatesRequest",
+ "application:requestHandling:authorizesRequest",
+ "application:requestHandling:bindsParameters",
+ "application:requestHandling:parsesRequest",
+ "application:requestHandling:receivesHttpRequest",
+ "application:requestHandling:rejectsRequest",
+ "application:requestHandling:routesRequest",
+ "application:requestHandling:validatesRequest",
+ "application:responseGeneration",
+ "application:responseGeneration:generatesResponse",
+ "application:responseGeneration:readsCookie",
+ "application:responseGeneration:redirectsRequest",
+ "application:responseGeneration:returnsError",
+ "application:responseGeneration:returnsSuccess",
+ "application:responseGeneration:sendsHttpResponse",
+ "application:responseGeneration:setsCookie",
+ "application:responseGeneration:setsHeader",
+ "application:stateManagement",
+ "application:stateManagement:acquiresLock",
+ "application:stateManagement:beginsTransaction",
+ "application:stateManagement:commitsTransaction",
+ "application:stateManagement:createsSessionState",
+ "application:stateManagement:destroysSessionState",
+ "application:stateManagement:readsSessionState",
+ "application:stateManagement:releasesLock",
+ "application:stateManagement:rollsBackTransaction",
+ "application:stateManagement:synchronizesState",
+ "application:stateManagement:updatesSessionState",
+ "data",
+ "data:encoding",
+ "data:encoding:appliesXor",
+ "data:encoding:decodesBaseSixtyFour",
+ "data:encoding:decodesUrl",
+ "data:encoding:encodesBaseSixtyFour",
+ "data:encoding:encodesUrl",
+ "data:ingestion",
+ "data:ingestion:pollsSource",
+ "data:ingestion:readsFile",
+ "data:ingestion:readsStream",
+ "data:ingestion:receivesInput",
+ "data:ingestion:receivesMessage",
+ "data:ingestion:receivesRequest",
+ "data:ingestion:subscribesToFeed",
+ "data:output",
+ "data:output:formatsResponse",
+ "data:output:producesOutput",
+ "data:output:publishesMessage",
+ "data:output:rendersTemplate",
+ "data:output:sendsResponse",
+ "data:output:serializesObject",
+ "data:output:streamsOutput",
+ "data:output:writesFile",
+ "data:parsing",
+ "data:parsing:decodesData",
+ "data:parsing:deserializesObject",
+ "data:parsing:extractsFields",
+ "data:parsing:parsesData",
+ "data:parsing:parsesHtml",
+ "data:parsing:parsesJson",
+ "data:parsing:parsesXml",
+ "data:query",
+ "data:query:executesLdapQuery",
+ "data:query:executesNoSqlQuery",
+ "data:query:executesSearch",
+ "data:query:executesSql",
+ "data:query:executesXPath",
+ "data:query:queriesData",
+ "data:storage",
+ "data:storage:cachesData",
+ "data:storage:deletesData",
+ "data:storage:flushesCache",
+ "data:storage:invalidatesCache",
+ "data:storage:retrievesData",
+ "data:storage:storesData",
+ "data:storage:updatesData",
+ "data:transformation",
+ "data:transformation:aggregatesData",
+ "data:transformation:compressesData",
+ "data:transformation:decompressesData",
+ "data:transformation:encodesData",
+ "data:transformation:enrichesData",
+ "data:transformation:filtersData",
+ "data:transformation:joinsData",
+ "data:transformation:mapsData",
+ "data:transformation:normalizesData",
+ "data:transformation:sortsData",
+ "data:transformation:transformsData",
+ "evasion",
+ "evasion:analysisResistance",
+ "evasion:analysisResistance:detectsAnalysisTool",
+ "evasion:analysisResistance:detectsDebugger",
+ "evasion:analysisResistance:detectsEmulator",
+ "evasion:analysisResistance:detectsSandbox",
+ "evasion:analysisResistance:detectsVirtualMachine",
+ "evasion:analysisResistance:evadesDebugger",
+ "evasion:analysisResistance:evadesEmulator",
+ "evasion:analysisResistance:evadesSandbox",
+ "evasion:analysisResistance:evadesVirtualMachine",
+ "evasion:analysisResistance:usesTimingEvasion",
+ "evasion:antiSecurity",
+ "evasion:antiSecurity:detectsAntivirus",
+ "evasion:antiSecurity:disablesSecuritySoftware",
+ "evasion:antiSecurity:evadesAntivirus",
+ "evasion:antiSecurity:terminatesSecurityProcess",
+ "evasion:indirection",
+ "evasion:indirection:resolvesApiDynamically",
+ "evasion:indirection:usesIndirectCalls",
+ "evasion:indirection:usesProxyExecution",
+ "evasion:obfuscation",
+ "evasion:obfuscation:obfuscatesCode",
+ "evasion:obfuscation:obfuscatesControlFlow",
+ "evasion:obfuscation:obfuscatesData",
+ "evasion:obfuscation:obfuscatesStrings",
+ "evasion:obfuscation:packsCode",
+ "evasion:obfuscation:unpacksAtRuntime",
+ "file",
+ "file:directory",
+ "file:directory:changesDirectory",
+ "file:directory:createsDirectory",
+ "file:directory:deletesDirectory",
+ "file:directory:listsDirectory",
+ "file:directory:traversesDirectory",
+ "file:disk",
+ "file:disk:decryptsVolume",
+ "file:disk:encryptsVolume",
+ "file:disk:formatsVolume",
+ "file:disk:mountsVolume",
+ "file:disk:unmountsVolume",
+ "file:disk:wipesDisk",
+ "file:operations",
+ "file:operations:appendsToFile",
+ "file:operations:checksFileExistence",
+ "file:operations:closesFile",
+ "file:operations:copiesFile",
+ "file:operations:createsFile",
+ "file:operations:deletesFile",
+ "file:operations:getsFileAttributes",
+ "file:operations:movesFile",
+ "file:operations:opensFile",
+ "file:operations:readsFile",
+ "file:operations:renamesFile",
+ "file:operations:setsFileAttributes",
+ "file:operations:setsFilePermissions",
+ "file:operations:writesFile",
+ "gui",
+ "gui:display",
+ "gui:display:displaysData",
+ "gui:display:monitorsDisplay",
+ "gui:display:updatesDisplay",
+ "gui:session",
+ "gui:session:displaysLogin",
+ "gui:session:interactsWithSession",
+ "gui:session:switchesSession",
+ "gui:window",
+ "gui:window:capturesWindow",
+ "gui:window:createsWindow",
+ "gui:window:destroysWindow",
+ "gui:window:enumeratesWindows",
+ "gui:window:interactsWithTaskbar",
+ "gui:window:modifiesWindow",
+ "hardware",
+ "hardware:actuator",
+ "hardware:actuator:calibratesActuator",
+ "hardware:actuator:controlsBattery",
+ "hardware:actuator:controlsHeating",
+ "hardware:actuator:controlsLed",
+ "hardware:actuator:controlsMotor",
+ "hardware:actuator:controlsPower",
+ "hardware:actuator:controlsPump",
+ "hardware:actuator:controlsTemperature",
+ "hardware:boot",
+ "hardware:boot:entersRecoveryMode",
+ "hardware:boot:executesSecureBoot",
+ "hardware:boot:locksBootConfiguration",
+ "hardware:boot:modifiesBootConfiguration",
+ "hardware:boot:readsBootConfiguration",
+ "hardware:boot:recordsBootMeasurement",
+ "hardware:boot:verifiesBootLoader",
+ "hardware:firmware",
+ "hardware:firmware:monitorsFirmwareIntegrity",
+ "hardware:firmware:preventsFirmwareRollback",
+ "hardware:firmware:readsFirmwareVersion",
+ "hardware:firmware:updatesFirmware",
+ "hardware:firmware:verifiesFirmwareSignature",
+ "hardware:memory",
+ "hardware:memory:encryptsMemory",
+ "hardware:memory:isolatesMemory",
+ "hardware:memory:protectsStack",
+ "hardware:memory:randomizesAddressSpace",
+ "hardware:memory:readsProtectedMemory",
+ "hardware:memory:writesProtectedMemory",
+ "hardware:peripheral",
+ "hardware:peripheral:accessesCamera",
+ "hardware:peripheral:accessesDisplay",
+ "hardware:peripheral:accessesGpio",
+ "hardware:peripheral:accessesJtag",
+ "hardware:peripheral:accessesKeyboard",
+ "hardware:peripheral:accessesStorageDevice",
+ "hardware:peripheral:accessesUsbDevice",
+ "hardware:peripheral:configuresDma",
+ "hardware:peripheral:protectsDma",
+ "hardware:physicalSecurity",
+ "hardware:physicalSecurity:detectsPhysicalTamper",
+ "hardware:physicalSecurity:disablesDebugInterface",
+ "hardware:physicalSecurity:enablesDebugInterface",
+ "hardware:physicalSecurity:monitorsEnclosure",
+ "hardware:physicalSecurity:respondsToTamper",
+ "hardware:physicalSecurity:zeroizesKeys",
+ "hardware:security",
+ "hardware:security:anchorsInHardwareRoot",
+ "hardware:security:executesInTee",
+ "hardware:security:generatesPufResponse",
+ "hardware:security:usesHsm",
+ "hardware:security:usesSecureElement",
+ "hardware:sensor",
+ "hardware:sensor:calibratesSensor",
+ "hardware:sensor:readsBatteryStatus",
+ "hardware:sensor:readsBloodOxygen",
+ "hardware:sensor:readsBloodPressure",
+ "hardware:sensor:readsCoTwoLevel",
+ "hardware:sensor:readsEcg",
+ "hardware:sensor:readsPowerStatus",
+ "hardware:sensor:readsTemperature",
+ "hardware:sideChannelDefense",
+ "hardware:sideChannelDefense:controlsEmEmissions",
+ "hardware:sideChannelDefense:resistsFaultInjection",
+ "hardware:sideChannelDefense:resistsPowerAnalysis",
+ "hardware:sideChannelDefense:resistsTimingAnalysis",
+ "network",
+ "network:connection",
+ "network:connection:acceptsConnection",
+ "network:connection:detectsConnectionLoss",
+ "network:connection:establishesConnection",
+ "network:connection:reconnects",
+ "network:connection:reusesConnection",
+ "network:connection:sendsHeartbeat",
+ "network:connection:terminatesConnection",
+ "network:discovery",
+ "network:discovery:advertisesService",
+ "network:discovery:discoversService",
+ "network:discovery:enumeratesInterfaces",
+ "network:discovery:probesPort",
+ "network:discovery:queriesDns",
+ "network:discovery:resolvesName",
+ "network:discovery:scansNetwork",
+ "network:protocol",
+ "network:protocol:downgradesProtocol",
+ "network:protocol:framesMessage",
+ "network:protocol:negotiatesProtocol",
+ "network:protocol:parsesMessage",
+ "network:protocol:retransmitsMessage",
+ "network:protocol:upgradesProtocol",
+ "network:protocol:validatesMessage",
+ "network:remoteInteraction",
+ "network:remoteInteraction:accessesRemoteDesktop",
+ "network:remoteInteraction:accessesRemoteShell",
+ "network:remoteInteraction:executesRemoteCommand",
+ "network:remoteInteraction:invokesRemoteProcedure",
+ "network:remoteInteraction:sendsEmail",
+ "network:remoteInteraction:sendsSms",
+ "network:remoteInteraction:transfersFile",
+ "network:routing",
+ "network:routing:configuresProxy",
+ "network:routing:forwardsPacket",
+ "network:routing:redirectsTraffic",
+ "network:routing:routesTraffic",
+ "network:routing:tunnelsTraffic",
+ "network:trafficControl",
+ "network:trafficControl:balancesLoad",
+ "network:trafficControl:filtersTraffic",
+ "network:trafficControl:inspectsTraffic",
+ "network:trafficControl:interceptsTraffic",
+ "network:trafficControl:limitsRate",
+ "network:trafficControl:modifiesTraffic",
+ "network:trafficControl:shapesTraffic",
+ "network:transmission",
+ "network:transmission:broadcastsData",
+ "network:transmission:multicastsData",
+ "network:transmission:receivesData",
+ "network:transmission:sendsData",
+ "network:transmission:streamsData",
+ "privacy",
+ "privacy:collection",
+ "privacy:collection:capturesAudio",
+ "privacy:collection:capturesKeystrokes",
+ "privacy:collection:capturesScreen",
+ "privacy:collection:capturesVideo",
+ "privacy:collection:collectsBehavioralData",
+ "privacy:collection:collectsBiometricData",
+ "privacy:collection:collectsCommunicationContent",
+ "privacy:collection:collectsDeviceInformation",
+ "privacy:collection:collectsFinancialData",
+ "privacy:collection:collectsHealthData",
+ "privacy:collection:collectsInBackground",
+ "privacy:collection:collectsLocationData",
+ "privacy:collection:collectsPersonalData",
+ "privacy:collection:collectsSilently",
+ "privacy:collection:readsBrowserHistory",
+ "privacy:collection:readsClipboard",
+ "privacy:deletion",
+ "privacy:deletion:clearsCache",
+ "privacy:deletion:deletesPersonalData",
+ "privacy:deletion:erasesSecurely",
+ "privacy:deletion:purgesFromBackup",
+ "privacy:deletion:redactsData",
+ "privacy:inference",
+ "privacy:inference:correlatesData",
+ "privacy:inference:createsProfile",
+ "privacy:inference:fingerprintsDevice",
+ "privacy:inference:infersPersonalInformation",
+ "privacy:inference:linksIdentities",
+ "privacy:inference:tracksUser",
+ "privacy:minimization",
+ "privacy:minimization:aggregatesData",
+ "privacy:minimization:anonymizesData",
+ "privacy:minimization:filtersData",
+ "privacy:minimization:generalizesData",
+ "privacy:minimization:limitsCollection",
+ "privacy:minimization:limitsProcessing",
+ "privacy:minimization:pseudonymizesData",
+ "privacy:privacyEnhancement",
+ "privacy:privacyEnhancement:addsDifferentialPrivacy",
+ "privacy:privacyEnhancement:computesMultiparty",
+ "privacy:privacyEnhancement:processesHomomorphically",
+ "privacy:privacyEnhancement:processesLocally",
+ "privacy:retention",
+ "privacy:retention:archivesData",
+ "privacy:retention:backsUpData",
+ "privacy:retention:enforcesRetentionPeriod",
+ "privacy:retention:retainsBeyondPurpose",
+ "privacy:retention:retainsInCache",
+ "privacy:retention:retainsInLog",
+ "privacy:retention:storesPersonalData",
+ "privacy:sharing",
+ "privacy:sharing:disclosesToThirdParty",
+ "privacy:sharing:exportsData",
+ "privacy:sharing:publishesData",
+ "privacy:sharing:sellsData",
+ "privacy:sharing:sharesWithAffiliate",
+ "privacy:sharing:transfersCrossBorder",
+ "privacy:subjectRights",
+ "privacy:subjectRights:correctsData",
+ "privacy:subjectRights:exportsDataPortably",
+ "privacy:subjectRights:honorsErasureRequest",
+ "privacy:subjectRights:honorsObjection",
+ "privacy:subjectRights:providesDataAccess",
+ "privacy:subjectRights:restrictsProcessing",
+ "privacy:transparency",
+ "privacy:transparency:disclosesProcessing",
+ "privacy:transparency:displaysPrivacyNotice",
+ "privacy:transparency:explainsAutomatedDecision",
+ "privacy:transparency:recordsConsent",
+ "privacy:transparency:requestsConsent",
+ "privacy:transparency:withdrawsConsent",
+ "safety",
+ "safety:autonomousBehavior",
+ "safety:autonomousBehavior:acceptsOverride",
+ "safety:autonomousBehavior:enforcesHumanInLoop",
+ "safety:autonomousBehavior:explainsDecision",
+ "safety:autonomousBehavior:requestsGuidance",
+ "safety:autonomousBehavior:respectsDecisionBoundary",
+ "safety:contentSafety",
+ "safety:contentSafety:detectsHarmfulContent",
+ "safety:contentSafety:detectsMisinformation",
+ "safety:contentSafety:enforcesAgeRestriction",
+ "safety:contentSafety:filtersContent",
+ "safety:contentSafety:labelsContent",
+ "safety:harmPrevention",
+ "safety:harmPrevention:preventsEnvironmentalHarm",
+ "safety:harmPrevention:preventsPropertyDamage",
+ "safety:harmPrevention:preventsUserHarm",
+ "safety:harmPrevention:protectsBystanders",
+ "safety:hazardManagement",
+ "safety:hazardManagement:assessesRisk",
+ "safety:hazardManagement:identifiesHazard",
+ "safety:hazardManagement:mitigatesHazard",
+ "safety:hazardManagement:reportsHazard",
+ "safety:humanInteraction",
+ "safety:humanInteraction:adaptsForAccessibility",
+ "safety:humanInteraction:managesCognitiveLoad",
+ "safety:humanInteraction:requestsConfirmation",
+ "safety:humanInteraction:warnsOperator",
+ "safety:operationalSafety",
+ "safety:operationalSafety:acceptsManualOverride",
+ "safety:operationalSafety:enforcesInterlock",
+ "safety:operationalSafety:enforcesOperatingLimits",
+ "safety:operationalSafety:executesEmergencyStop",
+ "safety:operationalSafety:monitorsWatchdog",
+ "safety:operationalSafety:validatesSafetyCondition",
+ "security",
+ "security:auditing",
+ "security:auditing:logsEvent",
+ "security:auditing:logsSecurityEvent",
+ "security:auditing:protectsAuditLog",
+ "security:auditing:purgesLog",
+ "security:auditing:rotatesLog",
+ "security:auditing:signsLogEntry",
+ "security:auditing:timestampsEvent",
+ "security:auditing:transmitsLog",
+ "security:authentication",
+ "security:authentication:authenticatesDevice",
+ "security:authentication:authenticatesService",
+ "security:authentication:authenticatesUser",
+ "security:authentication:bypassesAuthentication",
+ "security:authentication:capturesBiometric",
+ "security:authentication:delegatesAuthentication",
+ "security:authentication:failsAuthentication",
+ "security:authentication:locksAccount",
+ "security:authentication:performsMultiFactorAuthentication",
+ "security:authentication:promptsForCredentials",
+ "security:authentication:unlocksAccount",
+ "security:authentication:validatesBiometric",
+ "security:authentication:validatesCredentials",
+ "security:authorization",
+ "security:authorization:checksPermission",
+ "security:authorization:delegatesAuthority",
+ "security:authorization:deniesAccess",
+ "security:authorization:enforcesRole",
+ "security:authorization:escalatesPrivilege",
+ "security:authorization:evaluatesAttributes",
+ "security:authorization:evaluatesPolicy",
+ "security:authorization:grantsAccess",
+ "security:authorization:grantsImpersonation",
+ "security:authorization:impersonatesUser",
+ "security:authorization:requestsImpersonation",
+ "security:authorization:revokesAccess",
+ "security:authorization:revokesImpersonation",
+ "security:cryptography",
+ "security:cryptography:authenticates",
+ "security:cryptography:checksRevocation",
+ "security:cryptography:decryptsData",
+ "security:cryptography:decryptsDataAtRest",
+ "security:cryptography:decryptsDataInTransit",
+ "security:cryptography:decryptsDisk",
+ "security:cryptography:decryptsSecret",
+ "security:cryptography:destroysKey",
+ "security:cryptography:encryptsData",
+ "security:cryptography:encryptsDataAtRest",
+ "security:cryptography:encryptsDataInTransit",
+ "security:cryptography:encryptsDisk",
+ "security:cryptography:encryptsSecret",
+ "security:cryptography:ensuresAccountability",
+ "security:cryptography:ensuresConfidentiality",
+ "security:cryptography:ensuresIntegrity",
+ "security:cryptography:ensuresNonRepudiation",
+ "security:cryptography:exchangesKey",
+ "security:cryptography:generatesKey",
+ "security:cryptography:generatesRandomValue",
+ "security:cryptography:hashesData",
+ "security:cryptography:hashesPassword",
+ "security:cryptography:identifies",
+ "security:cryptography:issuesCertificate",
+ "security:cryptography:preservesPrivacy",
+ "security:cryptography:presentsClientCertificate",
+ "security:cryptography:presentsServerCertificate",
+ "security:cryptography:retrievesKey",
+ "security:cryptography:revokesCertificate",
+ "security:cryptography:rotatesKey",
+ "security:cryptography:signsCode",
+ "security:cryptography:signsData",
+ "security:cryptography:signsDocument",
+ "security:cryptography:storesKey",
+ "security:cryptography:usesIdentity",
+ "security:cryptography:validatesCertificate",
+ "security:cryptography:validatesToken",
+ "security:cryptography:verifiesCodeSignature",
+ "security:cryptography:verifiesDataSignature",
+ "security:cryptography:verifiesDocumentSignature",
+ "security:cryptography:verifiesHash",
+ "security:cryptography:verifiesSignature",
+ "security:cryptography:wrapsKey",
+ "security:errorHandling",
+ "security:errorHandling:catchesException",
+ "security:errorHandling:disclosesErrorDetails",
+ "security:errorHandling:failsClosed",
+ "security:errorHandling:failsOpen",
+ "security:errorHandling:generatesError",
+ "security:errorHandling:logsError",
+ "security:errorHandling:propagatesError",
+ "security:errorHandling:returnsGenericError",
+ "security:errorHandling:suppressesError",
+ "security:inputHandling",
+ "security:inputHandling:escapesInput",
+ "security:inputHandling:normalizesInput",
+ "security:inputHandling:rejectsInvalidInput",
+ "security:inputHandling:sanitizesInput",
+ "security:inputHandling:truncatesInput",
+ "security:inputHandling:validatesFormat",
+ "security:inputHandling:validatesRange",
+ "security:inputHandling:validatesSchema",
+ "security:integrity",
+ "security:integrity:attestsIntegrity",
+ "security:integrity:detectsTampering",
+ "security:integrity:respondsToTampering",
+ "security:integrity:validatesComponent",
+ "security:integrity:verifiesIntegrity",
+ "security:integrity:verifiesProvenance",
+ "security:outputHandling",
+ "security:outputHandling:encodesOutput",
+ "security:outputHandling:enforcesContentPolicy",
+ "security:outputHandling:escapesOutput",
+ "security:outputHandling:filtersOutput",
+ "security:outputHandling:masksOutput",
+ "security:outputHandling:setsSecurityHeader",
+ "security:session",
+ "security:session:createsSession",
+ "security:session:detectsSessionHijacking",
+ "security:session:invalidatesSession",
+ "security:session:refreshesSession",
+ "security:session:regeneratesSessionId",
+ "security:session:terminatesSession",
+ "security:session:validatesSession",
+ "security:threatResponse",
+ "security:threatResponse:blocksRequest",
+ "security:threatResponse:blocksSource",
+ "security:threatResponse:collectsForensicData",
+ "security:threatResponse:detectsAnomaly",
+ "security:threatResponse:detectsIntrusion",
+ "security:threatResponse:initiatesIncidentResponse",
+ "security:threatResponse:quarantinesElement",
+ "security:threatResponse:raisesAlert",
+ "system",
+ "system:configuration",
+ "system:configuration:deletesRegistryKey",
+ "system:configuration:modifiesGroupPolicy",
+ "system:configuration:readsConfigurationFile",
+ "system:configuration:readsEnvironmentVariable",
+ "system:configuration:readsGroupPolicy",
+ "system:configuration:readsRegistry",
+ "system:configuration:setsEnvironmentVariable",
+ "system:configuration:writesConfigurationFile",
+ "system:configuration:writesRegistry",
+ "system:informationGathering",
+ "system:informationGathering:detectsOsVersion",
+ "system:informationGathering:gathersSystemInformation",
+ "system:informationGathering:queriesHardwareInformation",
+ "system:informationGathering:retrievesHostname",
+ "system:kernelInteraction",
+ "system:kernelInteraction:hooksKernelFunction",
+ "system:kernelInteraction:installsDriver",
+ "system:kernelInteraction:readsKernelMemory",
+ "system:kernelInteraction:writesKernelMemory",
+ "system:lifecycle",
+ "system:lifecycle:appliesUpdate",
+ "system:lifecycle:decommissions",
+ "system:lifecycle:initializes",
+ "system:lifecycle:performsSelfTest",
+ "system:lifecycle:provisions",
+ "system:lifecycle:rollsBack",
+ "system:lifecycle:shutsDown",
+ "system:operationalState",
+ "system:operationalState:entersFailSafeState",
+ "system:operationalState:entersFailSecureState",
+ "system:operationalState:operatesInDegradedMode",
+ "system:operationalState:operatesNormally",
+ "system:operationalState:performsEmergencyShutdown",
+ "system:persistence",
+ "system:persistence:createsScheduledTask",
+ "system:persistence:installsAsService",
+ "system:persistence:loadsAsKernelModule",
+ "system:persistence:registersForStartup",
+ "system:persistence:removesPersistence",
+ 
"system:processControl", + "system:processControl:createsProcess", + "system:processControl:dumpsProcessMemory", + "system:processControl:enumeratesProcesses", + "system:processControl:hooksFunction", + "system:processControl:injectsCodeIntoProcess", + "system:processControl:modifiesProcess", + "system:processControl:resumesProcess", + "system:processControl:suspendsProcess", + "system:processControl:terminatesProcess", + "system:resilience", + "system:resilience:activatesRedundancy", + "system:resilience:degradesGracefully", + "system:resilience:detectsFault", + "system:resilience:recoversFromFailure", + "system:resilience:toleratesFault", + "system:resourceManagement", + "system:resourceManagement:allocatesMemory", + "system:resourceManagement:deallocatesMemory", + "system:resourceManagement:handlesResourceExhaustion", + "system:resourceManagement:managesPowerState", + "system:resourceManagement:readsFromStorage", + "system:resourceManagement:resumesThread", + "system:resourceManagement:spawnsThread", + "system:resourceManagement:suspendsThread", + "system:resourceManagement:terminatesThread", + "system:resourceManagement:writesToStorage", + "system:serviceControl", + "system:serviceControl:createsService", + "system:serviceControl:deletesService", + "system:serviceControl:enumeratesServices", + "system:serviceControl:modifiesService", + "system:serviceControl:startsService", + "system:serviceControl:stopsService", + "system:synchronization", + "system:synchronization:acquiresMutex", + "system:synchronization:releasesMutex", + "system:synchronization:signalsEvent", + "system:synchronization:signalsSemaphore", + "system:synchronization:waitsOnEvent", + "system:synchronization:waitsOnSemaphore", + "system:timing", + "system:timing:delaysExecution", + "system:timing:enforcesDeadline", + "system:timing:executesScheduledTask", + "system:timing:resetsWatchdog", + "system:timing:synchronizesClock", + "system:timing:triggersTimeout", + "system:timing:waits", + 
"system:userManagement", + "system:userManagement:createsUserAccount", + "system:userManagement:deletesUserAccount", + "system:userManagement:elevatesPrivileges", + "system:userManagement:enumeratesUsers", + "system:userManagement:impersonatesUser", + "system:userManagement:modifiesUserAccount" + ], + "meta:enum": { + "ai": "Behaviours relating to artificial intelligence and machine learning operations.", + "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.", + "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.", + "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.", + "ai:agent:delegatesTask": "The entity assigns work to another agent.", + "ai:agent:executesAction": "The entity performs planned step.", + "ai:agent:invokesTool": "The entity calls external capability.", + "ai:agent:observesResult": "The entity captures action outcome.", + "ai:agent:plansAction": "The entity determines steps to achieve goal.", + "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.", + "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.", + "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.", + "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.", + "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.", + "ai:agent:revisesPlan": "The entity modifies approach based on results.", + "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.", + "ai:explainability:attributesFeatures": "The entity identifies influential inputs.", + "ai:explainability:documentsModel": "The entity records model design and behaviour.", + "ai:explainability:explainsDecision": "The entity provides human-readable rationale.", + "ai:explainability:tracesPrediction": "The entity records basis for output.", + 
"ai:explainability:visualizesModel": "The entity renders model behaviour graphically.", + "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.", + "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.", + "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.", + "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.", + "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.", + "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.", + "ai:generative": "Behaviours that produce content using generative models.", + "ai:generative:citesSource": "The entity attributes generated content.", + "ai:generative:filtersOutput": "The entity screens generated content.", + "ai:generative:generatesAudio": "The entity produces sound content.", + "ai:generative:generatesCode": "The entity produces executable code.", + "ai:generative:generatesEmbedding": "The entity produces vector representation.", + "ai:generative:generatesImage": "The entity produces visual content.", + "ai:generative:generatesText": "The entity produces natural language.", + "ai:generative:mitigatesHallucination": "The entity reduces false content generation.", + "ai:generative:processesPrompt": "The entity interprets user instruction.", + "ai:generative:streamsResponse": "The entity delivers output incrementally.", + "ai:inference": "Behaviours that generate predictions using trained models.", + "ai:inference:appliesThreshold": "The entity uses decision boundary.", + "ai:inference:batchesInference": "The entity processes multiple inputs together.", + "ai:inference:cachesPrediction": "The entity stores prediction for reuse.", + "ai:inference:ensemblesModels": "The entity combines multiple model outputs.", + "ai:inference:generatesPrediction": "The entity produces model output.", + "ai:inference:infersInRealTime": "The entity generates prediction with low latency.", + 
"ai:inference:ranksResults": "The entity orders predictions by relevance.", + "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.", + "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.", + "ai:management:comparesModels": "The entity evaluates relative model performance.", + "ai:management:deploysModel": "The entity places model into service.", + "ai:management:loadsModel": "The entity retrieves model for use.", + "ai:management:monitorsModel": "The entity observes model performance.", + "ai:management:retiresModel": "The entity removes model from service.", + "ai:management:rollsBackModel": "The entity reverts to previous version.", + "ai:management:unloadsModel": "The entity removes model from memory.", + "ai:management:versionsModel": "The entity tracks model versions.", + "ai:quality": "Behaviours that monitor and maintain model and data quality.", + "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.", + "ai:quality:detectsDataDrift": "The entity identifies input distribution change.", + "ai:quality:detectsOutlier": "The entity identifies anomalous input.", + "ai:quality:engineersFeatures": "The entity transforms raw data for model.", + "ai:quality:selectsFeatures": "The entity chooses relevant input features.", + "ai:quality:validatesInputData": "The entity checks inference input quality.", + "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.", + "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.", + "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.", + "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.", + "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.", + "ai:robustness:validatesRobustness": "The entity tests model resilience.", + "ai:training": 
"Behaviours that prepare data and train machine learning models.", + "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.", + "ai:training:checkpointsModel": "The entity saves model state during training.", + "ai:training:fineTunesModel": "The entity refines model for specific task.", + "ai:training:ingestsTrainingData": "The entity acquires data for training.", + "ai:training:preprocessesTrainingData": "The entity prepares data for training.", + "ai:training:trainsFederatedly": "The entity trains on distributed data.", + "ai:training:trainsModel": "The entity adjusts model parameters.", + "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.", + "ai:training:validatesModel": "The entity evaluates model during training.", + "ai:training:validatesTrainingData": "The entity checks training data quality.", + "application": "Behaviours relating to application-level request processing and business logic.", + "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.", + "application:codeExecution:compilesCode": "The entity transforms source to executable form.", + "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.", + "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.", + "application:codeExecution:executesScript": "The entity runs script code.", + "application:codeExecution:interpretsCode": "The entity executes code without compilation.", + "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.", + "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.", + "application:configuration": "Behaviours that load and manage application configuration settings.", + "application:configuration:detectsEnvironment": "The entity determines deployment context.", + "application:configuration:evaluatesFeatureFlag": "The entity 
checks feature toggle state.", + "application:configuration:loadsConfiguration": "The entity reads configuration settings.", + "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.", + "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.", + "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.", + "application:controlFlow:catchesException": "The entity handles an error condition.", + "application:controlFlow:emitsEvent": "The entity triggers an event.", + "application:controlFlow:handlesEvent": "The entity responds to an event.", + "application:controlFlow:invokesCallback": "The entity executes a callback function.", + "application:controlFlow:invokesHandler": "The entity calls a request handler.", + "application:controlFlow:invokesMiddleware": "The entity executes middleware component.", + "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.", + "application:controlFlow:throwsException": "The entity raises an error condition.", + "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.", + "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.", + "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.", + "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.", + "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.", + "application:dependencyManagement:resolvesDependency": "The entity locates required component.", + "application:externalIntegration": "Behaviours that communicate with external services and systems.", + "application:externalIntegration:callsExternalService": "The entity invokes an external API.", + 
"application:externalIntegration:consumesEvent": "The entity receives event from external system.", + "application:externalIntegration:publishesEvent": "The entity sends event to external system.", + "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.", + "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.", + "application:observability:emitsTelemetry": "The entity transmits operational data.", + "application:observability:logsOperation": "The entity records an operational event.", + "application:observability:recordsMetric": "The entity captures a quantitative measurement.", + "application:observability:reportsHealth": "The entity communicates operational status.", + "application:observability:tracesRequest": "The entity tracks request across services.", + "application:requestHandling": "Behaviours that receive and process incoming requests.", + "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.", + "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.", + "application:requestHandling:bindsParameters": "The entity maps request data to parameters.", + "application:requestHandling:parsesRequest": "The entity interprets incoming request.", + "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.", + "application:requestHandling:rejectsRequest": "The entity refuses to process request.", + "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.", + "application:requestHandling:validatesRequest": "The entity verifies request validity.", + "application:responseGeneration": "Behaviours that construct and transmit responses to requests.", + "application:responseGeneration:generatesResponse": "The entity creates a response.", + "application:responseGeneration:readsCookie": "The entity retrieves cookie value.", + 
"application:responseGeneration:redirectsRequest": "The entity sends client to different location.", + "application:responseGeneration:returnsError": "The entity indicates failure.", + "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.", + "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.", + "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.", + "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.", + "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.", + "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.", + "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.", + "application:stateManagement:commitsTransaction": "The entity finalises transaction changes.", + "application:stateManagement:createsSessionState": "The entity initialises session data.", + "application:stateManagement:destroysSessionState": "The entity removes session data.", + "application:stateManagement:readsSessionState": "The entity retrieves session data.", + "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.", + "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.", + "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.", + "application:stateManagement:updatesSessionState": "The entity modifies session data.", + "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.", + "data:encoding": "Behaviours that apply specific encoding schemes to data.", + "data:encoding:appliesXor": "The entity transforms data using XOR operation.", + "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.", + 
"data:encoding:decodesUrl": "The entity converts URL-encoded data.", + "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.", + "data:encoding:encodesUrl": "The entity converts data for URL inclusion.", + "data:ingestion": "Behaviours that acquire data from external sources.", + "data:ingestion:pollsSource": "The entity periodically checks for new data.", + "data:ingestion:readsFile": "The entity retrieves data from a file.", + "data:ingestion:readsStream": "The entity consumes data from a continuous source.", + "data:ingestion:receivesInput": "The entity accepts data from an external source.", + "data:ingestion:receivesMessage": "The entity accepts a message from a queue.", + "data:ingestion:receivesRequest": "The entity accepts an incoming request.", + "data:ingestion:subscribesToFeed": "The entity registers to receive updates.", + "data:output": "Behaviours that produce and transmit data to external consumers.", + "data:output:formatsResponse": "The entity structures data for delivery.", + "data:output:producesOutput": "The entity generates data for consumption.", + "data:output:publishesMessage": "The entity sends a message to a queue.", + "data:output:rendersTemplate": "The entity generates output from a template.", + "data:output:sendsResponse": "The entity transmits a reply.", + "data:output:serializesObject": "The entity converts object to transmittable form.", + "data:output:streamsOutput": "The entity continuously produces data.", + "data:output:writesFile": "The entity saves data to a file.", + "data:parsing": "Behaviours that interpret and extract information from structured data formats.", + "data:parsing:decodesData": "The entity converts encoded data to original form.", + "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.", + "data:parsing:extractsFields": "The entity isolates specific data elements.", + "data:parsing:parsesData": "The entity interprets structured data.", + 
"data:parsing:parsesHtml": "The entity interprets HTML content.", + "data:parsing:parsesJson": "The entity interprets JSON-formatted data.", + "data:parsing:parsesXml": "The entity interprets XML-formatted data.", + "data:query": "Behaviours that retrieve data based on specified criteria.", + "data:query:executesLdapQuery": "The entity queries an LDAP directory.", + "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.", + "data:query:executesSearch": "The entity performs full-text or indexed search.", + "data:query:executesSql": "The entity runs a SQL statement.", + "data:query:executesXPath": "The entity evaluates an XPath expression.", + "data:query:queriesData": "The entity retrieves data matching criteria.", + "data:storage": "Behaviours that persist and retrieve data from storage systems.", + "data:storage:cachesData": "The entity stores data for quick retrieval.", + "data:storage:deletesData": "The entity removes stored data.", + "data:storage:flushesCache": "The entity writes cached data to persistent storage.", + "data:storage:invalidatesCache": "The entity marks cached data as stale.", + "data:storage:retrievesData": "The entity fetches stored data.", + "data:storage:storesData": "The entity saves data persistently.", + "data:storage:updatesData": "The entity modifies stored data.", + "data:transformation": "Behaviours that convert data from one form or structure to another.", + "data:transformation:aggregatesData": "The entity combines multiple values.", + "data:transformation:compressesData": "The entity reduces data size.", + "data:transformation:decompressesData": "The entity restores compressed data.", + "data:transformation:encodesData": "The entity converts data to encoded form.", + "data:transformation:enrichesData": "The entity adds information from external sources.", + "data:transformation:filtersData": "The entity removes unwanted elements.", + "data:transformation:joinsData": "The entity combines data from multiple sources.", 
+ "data:transformation:mapsData": "The entity converts between data structures.", + "data:transformation:normalizesData": "The entity converts to standard form.", + "data:transformation:sortsData": "The entity orders data elements.", + "data:transformation:transformsData": "The entity converts data from one form to another.", + "evasion": "Behaviours relating to techniques that avoid detection and analysis.", + "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.", + "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.", + "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.", + "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.", + "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.", + "evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.", + "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.", + "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.", + "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.", + "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.", + "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.", + "evasion:antiSecurity": "Behaviours that detect and disable security software.", + "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.", + "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.", + "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.", + "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.", + "evasion:indirection": "Behaviours that use indirect methods to execute code.", + 
"evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.", + "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.", + "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.", + "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.", + "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.", + "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.", + "evasion:obfuscation:obfuscatesData": "The entity hides data structures.", + "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.", + "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.", + "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.", + "file": "Behaviours relating to file system operations and disk management.", + "file:directory": "Behaviours that create and navigate directory structures.", + "file:directory:changesDirectory": "The entity sets current working directory.", + "file:directory:createsDirectory": "The entity creates a new directory.", + "file:directory:deletesDirectory": "The entity removes a directory.", + "file:directory:listsDirectory": "The entity enumerates directory contents.", + "file:directory:traversesDirectory": "The entity recursively explores directories.", + "file:disk": "Behaviours that manage storage volumes and disk-level operations.", + "file:disk:decryptsVolume": "The entity decrypts a storage volume.", + "file:disk:encryptsVolume": "The entity encrypts a storage volume.", + "file:disk:formatsVolume": "The entity prepares storage for use.", + "file:disk:mountsVolume": "The entity attaches a storage volume.", + "file:disk:unmountsVolume": "The entity detaches a storage volume.", + "file:disk:wipesDisk": "The entity securely erases disk contents.", + "file:operations": "Behaviours that create and manipulate files.", + 
"file:operations:appendsToFile": "The entity adds data to end of file.", + "file:operations:checksFileExistence": "The entity verifies whether a file exists.", + "file:operations:closesFile": "The entity releases file access.", + "file:operations:copiesFile": "The entity duplicates a file.", + "file:operations:createsFile": "The entity creates a new file.", + "file:operations:deletesFile": "The entity removes a file.", + "file:operations:getsFileAttributes": "The entity retrieves file metadata.", + "file:operations:movesFile": "The entity relocates a file.", + "file:operations:opensFile": "The entity prepares a file for access.", + "file:operations:readsFile": "The entity retrieves file contents.", + "file:operations:renamesFile": "The entity changes a file name.", + "file:operations:setsFileAttributes": "The entity modifies file metadata.", + "file:operations:setsFilePermissions": "The entity modifies file access permissions.", + "file:operations:writesFile": "The entity modifies file contents.", + "gui": "Behaviours relating to graphical user interface interactions.", + "gui:display": "Behaviours that render and monitor visual output.", + "gui:display:displaysData": "The entity renders information visually.", + "gui:display:monitorsDisplay": "The entity observes displayed content.", + "gui:display:updatesDisplay": "The entity refreshes visual presentation.", + "gui:session": "Behaviours that interact with user login sessions.", + "gui:session:displaysLogin": "The entity presents login interface.", + "gui:session:interactsWithSession": "The entity operates within user session.", + "gui:session:switchesSession": "The entity changes active user session.", + "gui:window": "Behaviours that create and manipulate graphical windows.", + "gui:window:capturesWindow": "The entity captures window contents.", + "gui:window:createsWindow": "The entity creates a graphical window.", + "gui:window:destroysWindow": "The entity closes a window.", + "gui:window:enumeratesWindows": 
"The entity lists open windows.",
+ "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.",
+ "gui:window:modifiesWindow": "The entity changes window properties.",
+ "hardware": "Behaviours relating to hardware components and physical device interactions.",
+ "hardware:actuator": "Behaviours that control physical actuators and output devices.",
+ "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.",
+ "hardware:actuator:controlsBattery": "The entity manages battery charging.",
+ "hardware:actuator:controlsHeating": "The entity manages heating element.",
+ "hardware:actuator:controlsLed": "The entity manages LED indicator.",
+ "hardware:actuator:controlsMotor": "The entity manages motor operation.",
+ "hardware:actuator:controlsPower": "The entity manages power distribution.",
+ "hardware:actuator:controlsPump": "The entity manages fluid pump.",
+ "hardware:actuator:controlsTemperature": "The entity regulates temperature.",
+ "hardware:boot": "Behaviours that verify and configure system startup processes.",
+ "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.",
+ "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.",
+ "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.",
+ "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.",
+ "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.",
+ "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.",
+ "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.",
+ "hardware:firmware": "Behaviours that manage and verify firmware integrity.",
+ "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.",
+ "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.",
+ "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.",
+ "hardware:firmware:updatesFirmware": "The entity applies firmware changes.",
+ "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.",
+ "hardware:memory": "Behaviours that protect and isolate memory regions.",
+ "hardware:memory:encryptsMemory": "The entity protects memory contents.",
+ "hardware:memory:isolatesMemory": "The entity separates memory regions.",
+ "hardware:memory:protectsStack": "The entity defends against stack attacks.",
+ "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.",
+ "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.",
+ "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.",
+ "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.",
+ "hardware:peripheral:accessesCamera": "The entity interacts with camera hardware.",
+ "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.",
+ "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.",
+ "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.",
+ "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.",
+ "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.",
+ "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.",
+ "hardware:peripheral:configuresDma": "The entity sets up direct memory access.",
+ "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.",
+ "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.",
+ "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.",
+ "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.",
+ "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.",
+ "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.",
+ "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.",
+ "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.",
+ "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.",
+ "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.",
+ "hardware:security:executesInTee": "The entity runs in trusted execution environment.",
+ "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.",
+ "hardware:security:usesHsm": "The entity employs hardware security module.",
+ "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.",
+ "hardware:sensor": "Behaviours that read measurements from hardware sensors.",
+ "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.",
+ "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.",
+ "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.",
+ "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.",
+ "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.",
+ "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.",
+ "hardware:sensor:readsPowerStatus": "The entity obtains power state.",
+ "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.",
+ "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.",
+ "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.",
+ "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.",
+ "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.",
+ "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.",
+ "network": "Behaviours relating to network communication and data transmission between systems.",
+ "network:connection": "Behaviours that establish and manage network connections.",
+ "network:connection:acceptsConnection": "The entity receives an incoming connection.",
+ "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.",
+ "network:connection:establishesConnection": "The entity initiates a network connection.",
+ "network:connection:reconnects": "The entity re-establishes a dropped connection.",
+ "network:connection:reusesConnection": "The entity uses a pooled connection.",
+ "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.",
+ "network:connection:terminatesConnection": "The entity closes a network connection.",
+ "network:discovery": "Behaviours that locate and advertise network services and resources.",
+ "network:discovery:advertisesService": "The entity announces its availability.",
+ "network:discovery:discoversService": "The entity locates an available service.",
+ "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.",
+ "network:discovery:probesPort": "The entity checks if a port is open.",
+ "network:discovery:queriesDns": "The entity requests DNS resolution.",
+ "network:discovery:resolvesName": "The entity translates a name to an address.",
+ "network:discovery:scansNetwork": "The entity probes for active hosts or services.",
+ "network:protocol": "Behaviours that negotiate and implement communication protocols.",
+ "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.",
+ "network:protocol:framesMessage": "The entity structures data for transmission.",
+ "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.",
+ "network:protocol:parsesMessage": "The entity interprets received network data.",
+ "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.",
+ "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.",
+ "network:protocol:validatesMessage": "The entity verifies message format and integrity.",
+ "network:remoteInteraction": "Behaviours that execute operations on remote systems.",
+ "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.",
+ "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.",
+ "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.",
+ "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.",
+ "network:remoteInteraction:sendsEmail": "The entity transmits an email message.",
+ "network:remoteInteraction:sendsSms": "The entity transmits a text message.",
+ "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.",
+ "network:routing": "Behaviours that direct network traffic to its destination.",
+ "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.",
+ "network:routing:forwardsPacket": "The entity passes a packet toward its destination.",
+ "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.",
+ "network:routing:routesTraffic": "The entity directs network traffic to destinations.",
+ "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.",
+ "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.",
+ "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.",
+ "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.",
+ "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.",
+ "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.",
+ "network:trafficControl:limitsRate": "The entity restricts traffic volume.",
+ "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.",
+ "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.",
+ "network:transmission": "Behaviours that send and receive data over network connections.",
+ "network:transmission:broadcastsData": "The entity sends data to multiple recipients.",
+ "network:transmission:multicastsData": "The entity sends data to a group of recipients.",
+ "network:transmission:receivesData": "The entity accepts data from the network.",
+ "network:transmission:sendsData": "The entity transmits data over the network.",
+ "network:transmission:streamsData": "The entity continuously transmits or receives data.",
+ "privacy": "Behaviours relating to the collection and processing of personal and sensitive data.",
+ "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.",
+ "privacy:collection:capturesAudio": "The entity records sound via microphone.",
+ "privacy:collection:capturesKeystrokes": "The entity records keyboard input.",
+ "privacy:collection:capturesScreen": "The entity records display contents.",
+ "privacy:collection:capturesVideo": "The entity records images via camera.",
+ "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.",
+ "privacy:collection:collectsBiometricData": "The entity captures biometric information.",
+ "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.",
+ "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.",
+ "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.",
+ "privacy:collection:collectsHealthData": "The entity gathers protected health information.",
+ "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.",
+ "privacy:collection:collectsLocationData": "The entity gathers geographical position information.",
+ "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.",
+ "privacy:collection:collectsSilently": "The entity gathers data without user awareness.",
+ "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.",
+ "privacy:collection:readsClipboard": "The entity accesses clipboard contents.",
+ "privacy:deletion": "Behaviours that remove or destroy personal data.",
+ "privacy:deletion:clearsCache": "The entity removes data from temporary storage.",
+ "privacy:deletion:deletesPersonalData": "The entity removes personal data.",
+ "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.",
+ "privacy:deletion:purgesFromBackup": "The entity removes data from backup systems.",
+ "privacy:deletion:redactsData": "The entity removes specific content from records.",
+ "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.",
+ "privacy:inference:correlatesData": "The entity combines data from multiple sources.",
+ "privacy:inference:createsProfile": "The entity builds a profile from collected data.",
+ "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.",
+ "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.",
+ "privacy:inference:linksIdentities": "The entity associates data across contexts.",
+ "privacy:inference:tracksUser": "The entity follows user activity across sessions.",
+ "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.",
+ "privacy:minimization:aggregatesData": "The entity combines records into summaries.",
+ "privacy:minimization:anonymizesData": "The entity removes identifying information.",
+ "privacy:minimization:filtersData": "The entity removes unnecessary data elements.",
+ "privacy:minimization:generalizesData": "The entity reduces data precision.",
+ "privacy:minimization:limitsCollection": "The entity gathers only necessary data.",
+ "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.",
+ "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.",
+ "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.",
+ "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.",
+ "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.",
+ "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.",
+ "privacy:privacyEnhancement:processesLocally": "The entity handles data on-device.",
+ "privacy:retention": "Behaviours that store personal data over time.",
+ "privacy:retention:archivesData": "The entity moves data to long-term storage.",
+ "privacy:retention:backsUpData": "The entity creates copies for recovery.",
+ "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.",
+ "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.",
+ "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.",
+ "privacy:retention:retainsInLog": "The entity keeps data in log files.",
+ "privacy:retention:storesPersonalData": "The entity saves personal data persistently.",
+ "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.",
+ "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.",
+ "privacy:sharing:exportsData": "The entity outputs data in portable format.",
+ "privacy:sharing:publishesData": "The entity makes data publicly available.",
+ "privacy:sharing:sellsData": "The entity provides data in exchange for value.",
+ "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.",
+ "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.",
+ "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.",
+ "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.",
+ "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.",
+ "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.",
+ "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.",
+ "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.",
+ "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.",
+ "privacy:transparency": "Behaviours that inform individuals about data processing activities.",
+ "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.",
+ "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.",
+ "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.",
+ "privacy:transparency:recordsConsent": "The entity stores consent decisions.",
+ "privacy:transparency:requestsConsent": "The entity asks for processing permission.",
+ "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.",
+ "safety": "Behaviours relating to the prevention of harm to users and the environment.",
+ "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.",
+ "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.",
+ "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.",
+ "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.",
+ "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.",
+ "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.",
+ "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.",
+ "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.",
+ "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.",
+ "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.",
+ "safety:contentSafety:filtersContent": "The entity blocks or restricts content.",
+ "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.",
+ "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.",
+ "safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.",
+ "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.",
+ "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.",
+ "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.",
+ "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.",
+ "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.",
+ "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.",
+ "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.",
+ "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.",
+ "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.",
+ "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.",
+ "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.",
+ "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.",
+ "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.",
+ "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.",
+ "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.",
+ "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.",
+ "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.",
+ "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.",
+ "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.",
+ "safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.",
+ "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.",
+ "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.",
+ "security:auditing:logsEvent": "The entity records an occurrence.",
+ "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.",
+ "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.",
+ "security:auditing:purgesLog": "The entity deletes old log records.",
+ "security:auditing:rotatesLog": "The entity archives and starts new log files.",
+ "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.",
+ "security:auditing:timestampsEvent": "The entity records when an event occurred.",
+ "security:auditing:transmitsLog": "The entity sends log data to a remote destination.",
+ "security:authentication": "Behaviours that verify the identity of users and entities.",
+ "security:authentication:authenticatesDevice": "The entity confirms device identity.",
+ "security:authentication:authenticatesService": "The entity confirms service identity.",
+ "security:authentication:authenticatesUser": "The entity confirms user identity.",
+ "security:authentication:bypassesAuthentication": "The entity permits access without authentication.",
+ "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.",
+ "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.",
+ "security:authentication:failsAuthentication": "The entity rejects invalid credentials.",
+ "security:authentication:locksAccount": "The entity prevents further authentication attempts.",
+ "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.",
+ "security:authentication:promptsForCredentials": "The entity requests authentication information.",
+ "security:authentication:unlocksAccount": "The entity restores authentication capability.",
+ "security:authentication:validatesBiometric": "The entity verifies biometric data.",
+ "security:authentication:validatesCredentials": "The entity verifies supplied credentials.",
+ "security:authorization": "Behaviours that determine and enforce access permissions.",
+ "security:authorization:checksPermission": "The entity verifies access rights.",
+ "security:authorization:delegatesAuthority": "The entity transfers access rights to another.",
+ "security:authorization:deniesAccess": "The entity refuses a requested action.",
+ "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.",
+ "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.",
+ "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.",
+ "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.",
+ "security:authorization:grantsAccess": "The entity permits a requested action.",
+ "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.",
+ "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.",
+ "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.",
+ "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.",
+ "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.",
+ "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.",
+ "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.",
+ "security:cryptography:checksRevocation": "The entity queries certificate revocation status.",
+ "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.",
+ "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.",
+ "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.",
+ "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.",
+ "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.",
+ "security:cryptography:destroysKey": "The entity securely erases a key.",
+ "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.",
+ "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable form.",
+ "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.",
+ "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.",
+ "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.",
+ "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.",
+ "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.",
+ "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.",
+ "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.",
+ "security:cryptography:exchangesKey": "The entity shares a key with another party.",
+ "security:cryptography:generatesKey": "The entity creates a cryptographic key.",
+ "security:cryptography:generatesRandomValue": "The entity produces a cryptographically secure random value.",
+ "security:cryptography:hashesData": "The entity generates a cryptographic hash.",
+ "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.",
+ "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.",
+ "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.",
+ "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.",
+ "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.",
+ "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.",
+ "security:cryptography:retrievesKey": "The entity obtains a stored key.",
+ "security:cryptography:revokesCertificate": "The entity invalidates a certificate.",
+ "security:cryptography:rotatesKey": "The entity replaces a key with a new one.",
+ "security:cryptography:signsCode": "The entity applies a digital signature to executable code.",
+ "security:cryptography:signsData": "The entity creates a digital signature.",
+ "security:cryptography:signsDocument": "The entity applies a digital signature to a document.",
+ "security:cryptography:storesKey": "The entity saves a key securely.",
+ "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.",
+ "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.",
+ "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.",
+ "security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.",
+ "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.",
+ "security:cryptography:verifiesDocumentSignature": "The entity validates a digital signature on a document.",
+ "security:cryptography:verifiesHash": "The entity validates data against a hash.",
+ "security:cryptography:verifiesSignature": "The entity validates a digital signature.",
+ "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.",
+ "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.",
+ "security:errorHandling:catchesException": "The entity intercepts an error condition.",
+ "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.",
+ "security:errorHandling:failsClosed": "The entity denies access when controls fail.",
+ "security:errorHandling:failsOpen": "The entity permits access when controls fail.",
+ "security:errorHandling:generatesError": "The entity produces an error condition.",
+ "security:errorHandling:logsError": "The entity records an error condition.",
+ "security:errorHandling:propagatesError": "The entity passes an error to caller.",
+ "security:errorHandling:returnsGenericError": "The entity provides minimal error information.",
+ "security:errorHandling:suppressesError": "The entity hides an error condition.",
+ "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.",
+ "security:inputHandling:escapesInput": "The entity encodes special characters in input.",
+ "security:inputHandling:normalizesInput": "The entity converts input to standard form.",
+ "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.",
+ "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.",
+ "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.",
+ "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.",
+ "security:inputHandling:validatesRange": "The entity ensures values fall within acceptable bounds.",
+ "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.",
+ "security:integrity": "Behaviours that verify and protect the integrity of data and code.",
+ "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.",
+ "security:integrity:detectsTampering": "The entity identifies modification attempts.",
+ "security:integrity:respondsToTampering": "The entity reacts to detected tampering.",
+ "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.",
+ "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.",
+ "security:integrity:verifiesProvenance": "The entity confirms origin and history.",
+ "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.",
+ "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.",
+ "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.",
+ "security:outputHandling:escapesOutput": "The entity encodes special characters in output.",
+ "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.",
+ "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.",
+ "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.",
+ "security:session": "Behaviours that manage authenticated user sessions.",
+ "security:session:createsSession": "The entity establishes an authenticated session.",
+ "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.",
+ "security:session:invalidatesSession": "The entity revokes session validity.",
+ "security:session:refreshesSession": "The entity extends session lifetime.",
+ "security:session:regeneratesSessionId": "The entity creates a new session identifier.",
+ "security:session:terminatesSession": "The entity ends an authenticated session.",
+ "security:session:validatesSession": "The entity verifies session validity.",
+ "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.",
+ "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.",
+ "security:threatResponse:blocksSource": "The entity prevents further requests from a source.",
+ "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.",
+ "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.",
+ "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.",
+ "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.",
+ "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.",
+ "security:threatResponse:raisesAlert": "The entity notifies of a security event.",
+ "system": "Behaviours relating to operating system interactions and the management of computational resources.",
+ "system:configuration": "Behaviours that read and modify system configuration settings.",
+ "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.",
+ "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.",
+ "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.",
+ "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.",
+ "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.",
+ "system:configuration:readsRegistry": "The entity retrieves values from the system registry.",
+ "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.",
+ "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.",
+ "system:configuration:writesRegistry": "The entity stores values in the system registry.",
+ "system:informationGathering": "Behaviours that collect information about the host system and its configuration.",
+ "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.",
+ "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.",
+ "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.",
+ "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.",
+ "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.",
+ "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.",
+ "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.",
+ "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.",
+ "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.",
+ "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.",
+ "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.",
+ "system:lifecycle:decommissions": "The entity securely retires from service.",
+ "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.",
+ "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.",
+ "system:lifecycle:provisions": "The entity configures itself for deployment.",
+ "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.",
+ "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.",
+ "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.",
+ "system:operationalState:entersFailSafeState": "The entity transitions to a known safe state upon detecting a fault.",
+ "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.",
+ "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.",
+ "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.",
+ "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.",
+ "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.",
+ "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.",
+ "system:persistence:installsAsService": "The entity registers itself as a system service.",
+ "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.",
+ "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.",
+ "system:persistence:removesPersistence": "The entity removes its persistence mechanism.",
+ "system:processControl": "Behaviours that create and manipulate operating system processes.",
+ "system:processControl:createsProcess": "The entity starts a new process.",
+ "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.",
+ "system:processControl:enumeratesProcesses": "The entity lists running processes.",
+ "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.",
+ "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.",
+ "system:processControl:modifiesProcess": "The entity changes attributes of a running process.",
+ "system:processControl:resumesProcess": "The entity continues paused process execution.",
+ "system:processControl:suspendsProcess": "The entity pauses process execution.",
+ "system:processControl:terminatesProcess": "The entity ends a running process.",
+ "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.",
+ "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.",
+ "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.",
+ "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.",
+ "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.",
+ "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.",
+ "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.",
+ "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.",
+ "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.",
+ "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.",
+ "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.",
+ "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.",
+ "system:resourceManagement:resumesThread": "The entity continues paused thread execution.",
+ "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.",
+ "system:resourceManagement:suspendsThread": "The entity pauses thread execution.",
+ "system:resourceManagement:terminatesThread": "The entity ends an execution thread.",
+ "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.",
+ "system:serviceControl": "Behaviours that manage system services and daemons.",
+ "system:serviceControl:createsService": "The entity installs a system service or daemon.",
+ "system:serviceControl:deletesService": "The entity removes a system service.",
+ "system:serviceControl:enumeratesServices": "The entity lists installed services.",
+ "system:serviceControl:modifiesService": "The entity changes service configuration.",
+ "system:serviceControl:startsService": "The entity initiates service execution.",
+ "system:serviceControl:stopsService": "The entity halts service execution.",
+ "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.",
+ "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.",
+ "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.",
+ "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.",
+ "system:synchronization:signalsSemaphore": "The entity releases a semaphore.",
+ "system:synchronization:waitsOnEvent": "The entity blocks until an
event is signalled.", + "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.", + "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.", + "system:timing:delaysExecution": "The entity postpones an operation.", + "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.", + "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.", + "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.", + "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.", + "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.", + "system:timing:waits": "The entity pauses execution for a specified duration.", + "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.", + "system:userManagement:createsUserAccount": "The entity adds a new user account.", + "system:userManagement:deletesUserAccount": "The entity removes a user account.", + "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.", + "system:userManagement:enumeratesUsers": "The entity lists user accounts.", + "system:userManagement:impersonatesUser": "The entity assumes another user's identity.", + "system:userManagement:modifiesUserAccount": "The entity changes user account properties." 
+ } } } }, - "cyclonedx-common-2.0": { + "cyclonedx-blueprint-2.0": { "type": "null", - "title": "CycloneDX Common Model", + "title": "CycloneDX Blueprint Model", "$defs": { - "refType": { - "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "type": "string", - "minLength": 1, - "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" - }, - "refLinkType": { - "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "bomLinkDocumentType": { - "title": "BOM-Link Document", - "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" - }, - "bomLinkElementType": { - "title": "BOM-Link Element", - "description": "Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/", - "type": "string", - "format": "iri-reference", - "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", - "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" - }, - "bomLink": { - "title": "BOM-Link", - "anyOf": [ - { - "title": "BOM-Link Document", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "blueprints": { + "type": "array", + "title": "Blueprints", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprint" + }, + "description": "A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis." }, - "hash": { + "blueprint": { "type": "object", - "title": "Hash", + "title": "Blueprint", + "description": "A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.", "required": [ - "alg", - "content" + "modelTypes", + "methodologies" ], "additionalProperties": false, "properties": { - "alg": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "content": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashValue" - } - } - }, - "hashAlgorithm": { - "type": "string", - "title": "Hash Algorithm", - "description": "The algorithm that generated the hash value.", - "enum": [ - "MD5", - "SHA-1", - "SHA-256", - "SHA-384", - "SHA-512", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "BLAKE2b-256", - "BLAKE2b-384", - "BLAKE2b-512", - "BLAKE3", - "Streebog-256", - "Streebog-512" - ] + "metadata": { + 
"$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprintMetadata"
+ },
+ "modelTypes": {
+ "type": "array",
+ "title": "Model Types",
+ "minItems": 1,
+ "uniqueItems": true,
+ "description": "The types of models being represented",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/modelType"
+ }
+ },
+ "methodologies": {
+ "type": "array",
+ "title": "Methodologies",
+ "minItems": 1,
+ "uniqueItems": true,
+ "description": "The modeling methodologies used",
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/methodology"
+ }
+ },
+ "scope": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/scope"
+ },
+ "assets": {
+ "type": "array",
+ "title": "Assets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/asset"
+ },
+ "description": "The assets (components, services, data, actors) included in the model"
+ },
+ "dataStores": {
+ "type": "array",
+ "title": "Data Stores",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataStore"
+ },
+ "description": "Structured description of data stores used in the model"
+ },
+ "dataSets": {
+ "type": "array",
+ "title": "Data Sets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/dataSet"
+ },
+ "description": "Datasets handled by the system, including placements and sensitivity"
+ },
+ "zones": {
+ "type": "array",
+ "title": "Zones",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/zone"
+ },
+ "description": "Logical, physical, or trust zones that group assets with similar characteristics"
+ },
+ "boundaries": {
+ "type": "array",
+ "title": "Boundaries",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary"
+ },
+ "description": "Boundaries between zones"
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/flow"
+ },
+ "description": "Data, control, or process flows between assets"
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/actor"
+ },
+ "description": "Human or system actors involved in the model, distinct from assets"
+ },
+ "assumptions": {
+ "type": "array",
+ "title": "Assumptions",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assumption"
+ },
+ "description": "Assumptions made during the modeling process"
+ },
+ "visualizations": {
+ "type": "array",
+ "title": "Visualizations",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/visualization"
+ },
+ "description": "Visual representations of the model"
+ },
+ "useCases": {
+ "type": "array",
+ "title": "Use Cases",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCase"
+ },
+ {
+ "properties": {
+ "assets": {
+ "type": "array",
+ "title": "Assets",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to the blueprint assets that are involved in or exercised by this use case"
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to the blueprint flows that are triggered or traversed during the execution of this use case"
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType"
+ },
+ "description": "References to the requirements that are implemented, validated, or addressed by this use case"
+ }
+ }
+ }
+ ]
+ },
+ "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements."
+ }, + "requirements": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } }, - "hashValue": { - "type": "string", - "title": "Hash Value", - "description": "The value of the hash.", - "examples": [ - "3942447fac867ae5cdb3229b658f4d48" - ], - "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + "modelType": { + "type": "object", + "title": "Model Type", + "description": "The type of model being represented, either a predefined type or a custom named type.", + "oneOf": [ + { + "title": "Predefined Model Type", + "description": "A model type selected from a predefined set of well-known modelling categories.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Pre-Defined Model Type", + "enum": [ + "architecture", + "behavioral", + "conceptual", + "dataFlow", + "deployment", + "logical", + "network", + "operational", + "physical", + "privacy", + "process", + "risk", + "structural", + "threat" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "behavioral": "System behavior model", + "conceptual": "High-level conceptual model", + "dataFlow": "Data flow model showing how data moves through the system", + "deployment": "Deployment or infrastructure model", + "logical": "Logical system model", + "network": "Network topology or connectivity model", + "operational": "Operational model", + "physical": "Physical infrastructure model", + "privacy": "Privacy impact assessment model", + "process": "Business or system process model", + "risk": "Risk assessment model", + "structural": "System structure model", + "threat": 
"Security threat model" + } + } + } + }, + { + "title": "Custom Model Type", + "description": "A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Custom model type name" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the custom model type" + } + } + } + ] }, - "mediaType": { - "type": "string", - "title": "Media Type", - "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.", - "examples": [ - "text/plain", - "application/json", - "image/png" - ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + "methodology": { + "type": "object", + "title": "Methodology", + "description": "The modelling methodology used, either a predefined type or a custom named methodology.", + "oneOf": [ + { + "title": "Predefined Methodology", + "description": "A modelling methodology selected from a predefined set of well-known frameworks and standards.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Pre-Defined Type", + "enum": [ + "4+1", + "Archimate", + "ATFAA", + "BPMN", + "C4", + "DFD", + "DODAF", + "ERD", + "IDEF", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK", + "MODAF", + "NAF", + "OWASP", + "PASTA", + "SABSA", + "STRIDE", + "SysML", + "TOGAF", + "TRIKE", + "UML", + "VAST", + "Zachman", + "attackTree" + ], + "meta:enum": { + "4+1": "4+1 Architectural View Model", + "Archimate": "Enterprise architecture modeling language", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents", + "BPMN": "Business Process Model and Notation", + "C4": "C4 Model for software 
architecture",
+ "DFD": "Data Flow Diagrams",
+ "DODAF": "Department of Defense Architecture Framework",
+ "ERD": "Entity Relationship Diagrams",
+ "IDEF": "Integration Definition Methods",
+ "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance",
+ "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome",
+ "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework",
+ "MODAF": "Ministry of Defence Architecture Framework",
+ "NAF": "NATO Architecture Framework",
+ "OWASP": "OWASP threat modelling methodology",
+ "PASTA": "Process for Attack Simulation and Threat Analysis",
+ "SABSA": "Sherwood Applied Business Security Architecture",
+ "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege",
+ "SysML": "Systems Modeling Language",
+ "TOGAF": "The Open Group Architecture Framework",
+ "TRIKE": "Risk-based threat modelling methodology",
+ "UML": "Unified Modeling Language",
+ "VAST": "Visual, Agile, and Simple Threat modelling",
+ "Zachman": "Zachman Framework",
+ "attackTree": "Attack tree methodology for structured threat analysis"
+ }
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "Version of the methodology"
+ }
+ }
+ },
+ {
+ "title": "Custom Methodology",
+ "description": "A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "minLength": 1,
+ "description": "Custom methodology name"
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "Version of the methodology"
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Description of the custom methodology"
+ },
+ 
"externalReferences": { + "type": "array", + "title": "External References", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } + } + ] }, - "attachment": { + "blueprintMetadata": { "type": "object", - "title": "Attachment", - "description": "Specifies the metadata and content for an attachment.", - "required": [ - "content" - ], + "title": "Blueprint Metadata", + "description": "Metadata about the creation, review, and approval of the blueprint.", "additionalProperties": false, "properties": { - "mediaType": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + "timestamp": { + "type": "string", + "title": "Timestamp", + "format": "date-time", + "description": "When the blueprint was created or last updated" }, - "encoding": { + "authors": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" + }, + "reviewer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who reviewed the blueprint" + }, + "reviewDate": { "type": "string", - "title": "Encoding", - "description": "Specifies the optional encoding the text is represented in.", - "enum": [ - "base64" - ], - "meta:enum": { - "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." - } + "title": "Review Date", + "format": "date-time", + "description": "When the blueprint was reviewed" }, - "content": { + "approver": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" + }, + "approvalDate": { "type": "string", - "title": "Attachment Text", - "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." 
+ "title": "Approval Date", + "format": "date-time", + "description": "When the blueprint was approved" + }, + "ordinalVersion": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/validityPeriod" } } }, - "base64": { - "type": "string", - "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", - "description": "A Base64-encoded string." - }, - "externalReferences": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - }, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "externalReference": { + "validityPeriod": { "type": "object", - "title": "External Reference", - "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", - "required": [ - "url", - "type" - ], + "title": "Validity Period", + "description": "The period during which the blueprint is considered valid.", "additionalProperties": false, "properties": { - "url": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink" - } - ], - "title": "URL", - "description": "The URI (URL or URN) to the external reference. 
External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." - }, - "comment": { + "start": { "type": "string", - "title": "Comment", - "description": "A comment describing the external reference" + "title": "Start", + "format": "date-time", + "description": "When the blueprint becomes valid" }, - "type": { + "end": { "type": "string", - "title": "Type", - "description": "Specifies the type of external reference.", - "enum": [ - "vcs", - "issue-tracker", - "website", - "advisories", - "bom", - "mailing-list", - "social", - "chat", - "documentation", - "support", - "source-distribution", - "distribution", - "distribution-intake", - "license", - "build-meta", - "build-system", - "release-notes", - "security-contact", - "model-card", - "log", - "configuration", - "evidence", - "formulation", - "attestation", - "threat-model", - "adversary-model", - "risk-assessment", - "vulnerability-assertion", - "exploitability-statement", - "pentest-report", - "static-analysis-report", - "dynamic-analysis-report", - "runtime-analysis-report", - "component-analysis-report", - "maturity-report", - "certification-report", - "codified-infrastructure", - "quality-metrics", - "poam", - "electronic-signature", - "digital-signature", - "rfc-9116", - "patent", - "patent-family", - "patent-assertion", - "citation", - "other" - ], - "meta:enum": { - "vcs": "Version Control System", - "issue-tracker": "Issue or defect tracking system, or an 
Application Lifecycle Management (ALM) system", - "website": "Website", - "advisories": "Security advisories", - "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", - "mailing-list": "Mailing list or discussion group", - "social": "Social media account", - "chat": "Real-time chat platform", - "documentation": "Documentation, guides, or how-to instructions", - "support": "Community or commercial support", - "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.", - "distribution": "Direct or repository download location", - "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", - "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", - "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", - "build-system": "Reference to an automated build system", - "release-notes": "Reference to release notes", - "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", - "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", - "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", - "configuration": "Parameters or settings that may be used by other components or services.", - "evidence": "Information used to substantiate a claim.", - "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", - "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", - "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", - "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", - "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. 
Risk assessments may also include judgments on the tolerability of each risk.", - "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", - "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", - "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", - "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", - "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", - "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", - "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", - "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", - "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", - "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", - "quality-metrics": "Report or system in which 
quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", - "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", - "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", - "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", - "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", - "patent-assertion": "References assertions made regarding patents associated with a component or service. 
Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", - "other": "Use this if no other types accurately describe the purpose of the external reference." - } - }, - "hashes": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash" - }, - "title": "Hashes", - "description": "The hashes of the external reference (if applicable)." + "title": "End", + "format": "date-time", + "description": "When the blueprint expires" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "reviewFrequency": { + "type": "string", + "title": "Review Frequency", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" } } }, - "postalAddress": { + "scope": { "type": "object", - "title": "Postal address", - "description": "An address used to identify a contactable location.", + "title": "Scope", + "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.", + "required": [ + "name" + ], "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "country": { + "name": { "type": "string", - "title": "Country", - "description": "The country name or the two-letter ISO 3166-1 country code." 
+ "title": "Name", + "minLength": 1, + "description": "Name of the scope" }, - "region": { + "description": { "type": "string", - "title": "Region", - "description": "The region or state in the country.", - "examples": [ - "Texas" - ] + "title": "Description", + "description": "Description of what is included and excluded from the model" }, - "locality": { - "type": "string", - "title": "Locality", - "description": "The locality or city within the country.", - "examples": [ - "Austin" - ] + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 1 + }, + "description": "Explicit boundaries of the model" }, - "postOfficeBoxNumber": { - "type": "string", - "title": "Post Office Box Number", - "description": "The post office box number.", - "examples": [ - "901" - ] + "includedComponents": { + "type": "array", + "title": "Included Components", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to components explicitly included" }, - "postalCode": { - "type": "string", - "title": "Postal Code", - "description": "The postal code.", - "examples": [ - "78758" - ] + "excludedComponents": { + "type": "array", + "title": "Excluded Components", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to components explicitly excluded" }, - "streetAddress": { - "type": "string", - "title": "Street Address", - "description": "The street address.", - "examples": [ - "100 Main Street" - ] + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "organizationalEntity": { + "asset": { "type": "object", - "title": "Organizational Entity", + "title": "Asset", + "description": "A component, service, data store, or other element included in the blueprint model.", "additionalProperties": false, "properties": { "bom-ref": { "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "Unique identifier for the asset" + }, + "componentRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { + "type": "string", + "title": "Asset Type", + "enum": [ + "actor", + "agent", + "api", + "broker", + "cache", + "component", + "container", + "data", + "dataStore", + "device", + "endpoint", + "function", + "gateway", + "infrastructure", + "interface", + "model", + "module", + "network", + "other", + "process", + "queue", + "resource", + "service", + "stream", + "subsystem", + "system" + ], + "meta:enum": { + "actor": "User, system, or external entity", + "agent": "Autonomous AI or software agent", + "api": "API endpoint or interface", + "broker": "Message broker or event bus infrastructure", + "cache": "Caching layer or in-memory data store", + "component": "Software component or application", + "container": "Container or orchestration unit", + "data": "Dataset", + "dataStore": "Database, file system, or data repository", + "device": "Physical or IoT device", + "endpoint": "Service endpoint or URL", + "function": "Serverless function or lambda", + "gateway": "API gateway, load balancer, or proxy", + "infrastructure": "Infrastructure component", + "interface": "System interface or contract", + "model": "AI or machine learning model", + "module": "Software module or package", + "network": "Network segment or resource", + "other": "Asset type not covered by predefined values", + "process": 
"Business or system process", + "queue": "Message queue or task queue", + "resource": "Generic resource or artifact", + "service": "Service or microservice", + "stream": "Data stream or event stream", + "subsystem": "Part of a larger system", + "system": "Complete system or application" + } }, "name": { "type": "string", - "title": "Organization Name", - "description": "The name of the organization", - "examples": [ - "Example Inc." - ] + "title": "Name", + "minLength": 1, + "description": "Name of the asset" }, - "address": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", - "title": "Organization Address", - "description": "The physical address (location) of the organization" + "description": { + "type": "string", + "title": "Description", + "description": "Description of the asset's role and purpose" }, - "url": { + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + "classification": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/assetClassification" + }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags" + }, + "responsibilities": { "type": "array", + "title": "Responsibilities", + "uniqueItems": true, "items": { "type": "string", - "format": "iri-reference" + "minLength": 1 }, - "title": "Organization URL(s)", - "description": "The URL of the organization. Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "description": "Responsibilities or functions of this asset" }, - "contact": { + "interfaces": { "type": "array", - "title": "Organizational Contact", - "description": "A contact at the organization. 
Multiple contacts are allowed.", + "title": "Interfaces", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "title": "Dependencies", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage." + }, + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "ownership": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/ownership" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" } - } + }, + "oneOf": [ + { + "title": "Component Reference Asset", + "description": "An asset defined by reference to a component declared elsewhere in the BOM.", + "required": [ + "bom-ref", + "componentRef" + ] + }, + { + "title": "Service Reference Asset", + "description": "An asset defined by reference to a service declared elsewhere in the 
BOM.", + "required": [ + "bom-ref", + "serviceRef" + ] + }, + { + "title": "Inline Asset", + "description": "An asset defined inline within the blueprint with an explicit type and name.", + "required": [ + "bom-ref", + "type", + "name" + ] + } + ] }, - "organizationalContact": { + "dataStore": { "type": "object", - "title": "Organizational Contact", + "title": "Data Store", + "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", "title": "Name", - "description": "The name of a contact", - "examples": [ - "Contact name" - ] + "minLength": 1, + "description": "Name of the data store" }, - "email": { + "description": { "type": "string", - "format": "idn-email", - "title": "Email Address", - "description": "The email address of the contact.", - "examples": [ - "firstname.lastname@example.com" - ] + "title": "Description", + "description": "Purpose and contents of the store" }, - "phone": { + "type": { "type": "string", - "title": "Phone", - "description": "The phone number of the contact.", - "examples": [ - "800-555-1212" - ] + "title": "Type", + "enum": [ + "blob", + "blockchain", + "cache", + "columnFamily", + "custom", + "dataLake", + "dataWarehouse", + "document", + "eventLog", + "file", + "graph", + "inMemory", + "keyValue", + "messageQueue", + "object", + "other", + "registry", + "search", + "spatial", + "sql", + "timeSeries", + "vector" + ], + "meta:enum": { + "blob": "Binary/blob 
storage", + "blockchain": "Distributed ledger or blockchain storage", + "cache": "Caching tier", + "columnFamily": "Wide-column or column-family store (e.g., Cassandra, HBase)", + "custom": "Custom or mixed storage technology", + "dataLake": "Data lake or lakehouse for raw and semi-structured data", + "dataWarehouse": "Analytical data warehouse optimised for OLAP workloads", + "document": "Document database (e.g., MongoDB)", + "eventLog": "Event log or append-only streaming store (e.g., Kafka)", + "file": "File system or NAS", + "graph": "Graph database", + "inMemory": "In-memory data store used as a primary store", + "keyValue": "Key-value store", + "messageQueue": "Message queue or broker with persistent storage", + "object": "Object storage", + "other": "Other storage technology not listed", + "registry": "Configuration or service registry (e.g., etcd, Consul)", + "search": "Search index or full-text search engine (e.g., Elasticsearch)", + "spatial": "Spatial or geospatial database", + "sql": "Relational database", + "timeSeries": "Time-series database", + "vector": "Vector database for embeddings and similarity search" + } + }, + "vendor": { + "type": "string", + "title": "Vendor", + "description": "The vendor or publisher of the data store product" + }, + "product": { + "type": "string", + "title": "Product", + "description": "The name of the data store product" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the data store product" + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "Deployment environment (prod, test, etc.)" + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone where the asset resides" + }, + "location": { + "type": "string", + "title": "Location", + "description": "Physical or logical hosting location" + }, + "technologies": { + "type": "array", + "title": "Technologies", + "uniqueItems": true, + 
"items": { + "type": "string" + }, + "description": "Supporting technologies or services" + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to data sets stored here" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "organizationalEntityOrContact": {}, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } - }, - "property": { + "dataSet": { "type": "object", - "title": "Lightweight name-value pair", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). 
Formal registration is optional.", + "title": "Data Set", + "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.", "required": [ - "name" + "bom-ref", + "name", + "description" ], + "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, "name": { "type": "string", "title": "Name", - "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + "minLength": 1, + "description": "Name of the dataset" }, - "value": { + "description": { "type": "string", - "title": "Value", - "description": "The value of the property." - } - }, - "additionalProperties": false - }, - "extensibleProperties": { - "type": "object", - "title": "Extensible Properties", - "patternProperties": { - "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { - "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. 
This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", - "examples": [ - "ext::", - "ext:example.org:myExtension" - ], - "if": { - "type": [ - "object", - "array" - ] + "title": "Description", + "minLength": 1, + "description": "What information is contained and why it exists" + }, + "dataProfile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + }, + "recordCount": { + "type": "integer", + "title": "Record Count", + "description": "Approximate number of records" + }, + "owners": { + "type": "array", + "title": "Owners", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact" }, - "then": { + "description": "Individuals or organizational entities that own the dataset" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "placements": { + "type": "array", + "title": "Placements", + "uniqueItems": true, + "items": { "type": "object", + "title": "Placement", + "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.", "required": [ - "$schema" + "dataStore" ], + "additionalProperties": false, "properties": { - "$schema": { + "dataStore": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the store holding this dataset" + }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the dataset is encrypted at this location" + }, + "retention": { "type": "string", - "format": "uri" + "title": "Retention", + "description": "Retention policy for this placement" + }, + "replicated": { + "type": "boolean", + "title": "Replicated", + "description": "Indicates if this placement is a replica" } } 
}, - "else": { - "type": [ - "string", - "number", - "boolean", - "null" - ] - } + "description": "Where the dataset resides" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "baseObject": { - "description": "Base object for all CycloneDX entities. Automatically includes support for extensible properties.", - "allOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" - } + "interface": { + "type": "object", + "required": [ + "name", + "type" ], + "additionalProperties": false, "properties": { - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "name": { + "type": "string", + "description": "Name of the interface" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "type": { + "type": "string", + "enum": [ + "rest", + "graphql", + "grpc", + "soap", + "messaging", + "file", + "database", + "cli", + "gui", + "api", + "event", + "stream" + ], + "description": "Type of interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + } + }, + "operations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Operations or methods exposed" } } }, - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", - "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). 
The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." - }, - "lifecycle": { + "zone": { "type": "object", - "title": "Lifecycle", - "description": "The product lifecycle(s) that this BOM represents.", - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" - }, - { - "title": "Custom Lifecycle Phase", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the lifecycle phase" - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the lifecycle phase" - } - } - } - ] - }, - "lifecycles": { - "type": "array", - "title": "Lifecycles", - "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). 
Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" - } - }, - "preDefinedLifecyclePhase": { - "title": "Pre-Defined Phase", + "title": "Zone", + "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.", "required": [ - "phase" + "bom-ref", + "name", + "type" ], "additionalProperties": false, "properties": { - "phase": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { "type": "string", - "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.", + "title": "Name", + "minLength": 1, + "description": "Name of the zone" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the zone's characteristics" + }, + "type": { + "type": "string", + "title": "Type", "enum": [ - "design", - "pre-build", - "build", - "post-build", - "operations", - "discovery", - "decommission" + "deployment", + "functional", + "logical", + "network", + "organizational", + "other", + "physical", + "trust" ], "meta:enum": { - "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", - "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", - "build": "BOM consisting of information obtained during a build process where component inventory is available for use. 
The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", - "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", - "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", - "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", - "decommission": "BOM containing inventory that will be, or has been retired from operations." + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "functional": "Functional grouping", + "logical": "Logical grouping or boundary", + "network": "Network segmentation zone", + "organizational": "Organizational or administrative boundary", + "other": "Other zone type not listed", + "physical": "Physical location or boundary", + "trust": "Security trust zone" } - } - } - }, - "tags": { - "type": "array", - "items": { - "type": "string" - }, - "title": "Tags", - "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.", - "examples": [ - "json-parser", - "object-persistence", - "text-to-image", - "translation", - "object-detection" - ] - }, - "commit": { - "type": "object", - "title": "Commit", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "uid": { - "type": "string", - "title": "UID", - "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." }, - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", - "format": "iri-reference" + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" }, - "author": { - "title": "Author", - "description": "The author who created the changes in the commit", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + "characteristics": { + "type": "array", + "title": "Characteristics", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" }, - "committer": { - "title": "Committer", - "description": "The person who committed or pushed the commit", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + "constraints": { + "type": "array", + "title": "Constraints", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Constraints or limitations of this zone" }, - "message": { - "type": "string", - "title": "Message", - "description": "The text description of the contents of the commit" + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "patch": { + "boundary": { "type": "object", - "title": "Patch", - "description": "Specifies an individual patch", + "title": "Boundary", 
+ "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.", "required": [ - "type" + "bom-ref", + "zones" ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the boundary" + }, "type": { "type": "string", + "title": "Type", "enum": [ - "unofficial", - "monkey", - "backport", - "cherry-pick" + "data", + "functional", + "network", + "organizational", + "other", + "physical", + "process", + "trust" ], "meta:enum": { - "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", - "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", - "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", - "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." - }, - "title": "Patch Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." - }, - "diff": { - "title": "Diff", - "description": "The patch file (or diff) that shows changes. 
Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" + "data": "Data classification boundary", + "functional": "Functional boundary", + "network": "Network boundary or firewall", + "organizational": "Organizational boundary", + "other": "A boundary type not covered by the predefined enumeration", + "physical": "Physical security boundary", + "process": "Process or execution boundary", + "trust": "Trust boundary between different security zones" + } }, - "resolves": { + "zones": { "type": "array", + "title": "Zones", + "uniqueItems": true, + "minItems": 2, "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Resolves", - "description": "A collection of issues the patch resolves" + "description": "The zones this boundary connects or separates" + }, + "crossingRequirements": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/crossingRequirements" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "diff": { + "crossingRequirements": { "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that shows changes. 
Refer to https://en.wikipedia.org/wiki/Diff", + "title": "Crossing Requirements", + "description": "Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.", "additionalProperties": false, "properties": { - "text": { - "title": "Diff text", - "description": "Specifies the optional text of the diff", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" }, - "url": { + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models enforced at this boundary" + }, + "dataValidation": { + "type": "boolean", + "title": "Data Validation", + "description": "Whether data is validated when crossing this boundary" + }, + "dataTransformation": { + "type": "boolean", + "title": "Data Transformation", + "description": "Whether data is transformed when crossing this boundary" + }, + "logging": { + "type": "boolean", + "title": "Logging", + "description": "Whether crossings are logged" + }, + "monitoring": { + "type": "boolean", + "title": "Monitoring", + "description": "Whether crossings are monitored" + }, + "rateLimit": { "type": "string", - "title": "URL", - "description": "Specifies the URL to the diff", - "format": "iri-reference" + "title": "Rate Limit", + "description": "Rate limiting policy" + }, + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing" } } }, - "issue": { + "flow": { "type": "object", - "title": "Issue", - "description": "An individual issue that has been resolved.", + 
"title": "Flow", + "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", "required": [ + "bom-ref", + "name", + "source", + "destination", "type" ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or description of the flow" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Detailed description of what flows and why" + }, "type": { "type": "string", + "title": "Type", "enum": [ - "defect", - "enhancement", - "security" + "control", + "data", + "dependency", + "event", + "interaction", + "message", + "other", + "physical", + "process", + "signal" ], "meta:enum": { - "defect": "A fault, flaw, or bug in software.", - "enhancement": "A new feature or behavior in software.", - "security": "A special type of defect which impacts security." 
- }, - "title": "Issue Type", - "description": "Specifies the type of issue" + "control": "Control or command flow", + "data": "Data or information flow", + "dependency": "Dependency relationship", + "event": "Event or notification flow", + "interaction": "User or system interaction", + "message": "Message or communication flow", + "other": "A flow type not covered by the predefined enumeration", + "physical": "Physical movement of goods or materials", + "process": "Business process flow", + "signal": "Hardware or system signal" + } }, - "id": { - "type": "string", - "title": "Issue ID", - "description": "The identifier of the issue assigned by the source of the issue" + "source": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the source asset" }, - "name": { + "destination": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the destination asset" + }, + "bidirectional": { + "type": "boolean", + "title": "Bidirectional", + "default": false, + "description": "Whether flow occurs in both directions" + }, + "synchronous": { + "type": "boolean", + "title": "Synchronous", + "description": "Whether the flow is synchronous or asynchronous" + }, + "volume": { "type": "string", - "title": "Issue Name", - "description": "The name of the issue" + "title": "Volume", + "description": "Expected volume or frequency of flow" }, - "description": { + "timing": { "type": "string", - "title": "Issue Description", - "description": "A description of the issue" + "title": "Timing", + "description": "Timing characteristics (real-time, batch, scheduled)" }, - "source": { - "type": "object", - "title": "Source", - "description": "The source of the issue where it is documented", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the source.", - "examples": [ - "National Vulnerability Database", - "NVD", - "Apache" - ] - }, - "url": 
{ - "type": "string", - "title": "URL", - "description": "The url of the issue documentation as provided by the source", - "format": "iri-reference" - } - } + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Communication protocols used by this flow" }, - "references": { + "dataProfile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + }, + "authentication": { "type": "array", + "title": "Authentication", + "uniqueItems": true, "items": { - "type": "string", - "format": "iri-reference" + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authenticationType" }, - "title": "References", - "description": "A collection of URL's for reference. Multiple URLs are allowed.", - "examples": [ - "https://example.com" - ] + "description": "Authentication required for this flow" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/authorizationType" + }, + "description": "Authorization models enforced on this flow" + }, + "sequence": { + "type": "integer", + "title": "Sequence", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "identifiableAction": { + "actor": { "type": "object", - "title": "Identifiable Action", - "description": "Specifies an individual commit", + "title": "Actor", + "description": "Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The timestamp in which the action occurred" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { 
"type": "string", "title": "Name", - "description": "The name of the individual who performed the action" + "minLength": 1, + "description": "Name or title of the actor" }, - "email": { + "description": { "type": "string", - "format": "idn-email", - "title": "E-mail", - "description": "The email address of the individual who performed the action" + "title": "Description", + "description": "Narrative describing the actor's role and context" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "administrator", + "agent", + "engineer", + "external", + "operator", + "other", + "system", + "user" + ], + "meta:enum": { + "administrator": "Administrative or privileged operator", + "agent": "Autonomous AI agent or intelligent software agent", + "engineer": "Developer or platform/DevOps engineer", + "external": "Third-party or external entity", + "operator": "Operational staff running the system", + "other": "An actor type not covered by the predefined enumeration", + "system": "Automated system actor or service account", + "user": "End user of a client application or service" + } + }, + "permissions": { + "type": "array", + "title": "Permissions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Permissions, capabilities, or duties the actor holds" + }, + "delegatedBy": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the actor that delegated execution to this actor, such as a human user who authorized an AI agent to act on their behalf or a service account impersonating another identity" + }, + "zone": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the zone where the actor resides" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "locale": { - "type": "string", - "pattern": "^([a-z]{2})(-[A-Z]{2})?$", - "title": "Locale", - "description": "Defines a syntax for representing two character language code 
(ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" - }, - "signature": { - "$ref": "../jsf-0.82.schema.json#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - }, - "cyclonedx-component-2.0": { - "type": "null", - "title": "CycloneDX Component Model", - "$defs": { - "components": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true, - "title": "Components" - }, - "component": { + "assumption": { "type": "object", - "title": "Component", + "title": "Assumption", + "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.", "required": [ - "type", - "name" + "description" ], "additionalProperties": false, "properties": { - "type": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies" + }, + "topic": { "type": "string", + "title": "Topic", "enum": [ - "application", - "framework", - "library", - "container", - "platform", - "operating-system", - "device", - "device-driver", - "firmware", - "file", - "machine-learning-model", - "data", - "cryptographic-asset" + "availability", + "business", + "compliance", + "operational", + "other", + "performance", + "security", + "technical" ], "meta:enum": { - "application": "A software application. 
Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", - "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", - "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", - "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", - "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", - "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", - "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. 
See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", - "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", - "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", - "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", - "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", - "data": "A collection of discrete values that convey information.", - "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." 
+ "availability": "Assumption about system uptime, redundancy, or failover capabilities", + "business": "Assumption about business requirements, constraints, or organizational context", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations", + "operational": "Assumption about operational procedures, staffing, or maintenance practices", + "other": "An assumption topic not covered by the predefined enumeration", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics", + "security": "Assumption about threat landscape, trust boundaries, or security controls", + "technical": "Assumption about technology choices, capabilities, or technical constraints" + } + }, + "relatedAssets": { + "type": "array", + "title": "Related Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", - "examples": [ - "library" - ] + "description": "References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes" }, - "mime-type": { + "validity": { "type": "string", - "title": "Mime-Type", - "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. 
Some library or framework components may also have an associated mime-type.", - "examples": [ - "image/jpeg" + "title": "Validity", + "enum": [ + "invalid", + "unknown", + "unverified", + "verified" ], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "supplier": { - "title": "Component Supplier", - "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "meta:enum": { + "invalid": "The assumption has been disproven or is no longer applicable", + "unknown": "The validity of the assumption has not yet been assessed", + "unverified": "The assumption has been identified but not yet validated", + "verified": "The assumption has been confirmed as true through validation" + }, + "default": "unknown", + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound" }, - "manufacturer": { - "title": "Component Manufacturer", - "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. 
Components created through manual means may have `@.authors` instead.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "impact": { + "type": "string", + "title": "Impact", + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" }, - "authors": { - "type": "array", - "title": "Component Authors", - "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model" }, - "publisher": { + "validationMethod": { "type": "string", - "title": "Component Publisher", - "description": "The person(s) or organization(s) that published the component", - "examples": [ - "Acme Inc" - ] + "title": "Validation Method", + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement" }, - "group": { + "validationDate": { "type": "string", - "title": "Component Group", - "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. 
Examples include: apache, org.apache.commons, and apache.org.", - "examples": [ - "com.acme" - ] + "title": "Validation Date", + "format": "date-time", + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation" + } + } + }, + "visualization": { + "type": "object", + "title": "Visualization", + "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.", + "required": [ + "name", + "type" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Component Name", - "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", - "examples": [ - "tomcat-catalina" - ] + "title": "Name", + "minLength": 1, + "description": "Name or title of the visualization" }, - "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." + "description": { + "type": "string", + "title": "Description", + "description": "Description of what the visualization shows" }, - "versionRange": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", - "title": "Component Version Range", - "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization type" + } + } + } + ] + }, + "visualizationFormat": { + "type": "object", + "title": "Visualization Format", + "description": "The rendering format or toolchain used to produce the visualization.", + "oneOf": [ + { + "title": "Predefined Visualization Format", + "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", + "required": [ + "format" + ], + "additionalProperties": false, + "properties": { + "format": { + "type": "string", + "title": "Format", + "enum": [ + "archimate", + "cytoscape", + "d3", + "drawio", + "graphviz", + "jpeg", + "mermaid", + "plantuml", + "png", + "svg", + "visio" + ], + "meta:enum": { + "archimate": "ArchiMate model format", + "cytoscape": "Cytoscape graph format", + "d3": "D3.js visualization", + "drawio": "Draw.io/diagrams.net format", + "graphviz": "GraphViz DOT language", + "jpeg": "JPEG image format", + "mermaid": "Mermaid diagram language", + "plantuml": "PlantUML diagram language", + "png": "Portable Network Graphics", + "svg": "Scalable Vector Graphics", + "visio": "Microsoft Visio format" } + } + } + }, + { + "title": "Custom Visualization Format", + "description": "A custom visualization format not covered by the predefined enumeration.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization format" }, - "notes": { + "description": { "type": "string", - "title": "Notes", - "description": "Notes, observations, and other non-structured commentary describing the components pedigree." 
+ "title": "Description", + "description": "A description of the custom visualization format" } } + } + ] + }, + "assetClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "criticality": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/criticality" }, - "components": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true, - "title": "Components", - "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." - }, - "evidence": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + "sensitivity": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataSensitivity" }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." 
+ "dataClassification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" }, - "modelCard": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", - "title": "AI/ML Model Card" + "tier": { + "type": "string", + "enum": [ + "tier0", + "tier1", + "tier2", + "tier3", + "tier4" + ], + "meta:enum": { + "tier0": "Mission critical - highest priority", + "tier1": "Business critical - high priority", + "tier2": "Business important - medium priority", + "tier3": "Business supporting - low priority", + "tier4": "Non-critical - minimal priority" + } }, - "data": { + "categories": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + "type": "string" }, - "title": "Data", - "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." - }, - "cryptoProperties": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", - "title": "Cryptographic Properties" + "description": "Business or technical categories" }, "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" - }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search" + } + } + }, + "dataProfile": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataProfile" + }, + "ownership": { + "type": "object", + "title": "Ownership", + "description": "Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.", + "additionalProperties": false, + "properties": { + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Primary owner of the asset" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "steward": { + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Steward responsible for the asset" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - }, - "allOf": [ - { - "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", - "not": { - "required": [ - "version", - "versionRange" - ] - } + "custodian": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Custodian responsible for protecting the asset" }, - { - "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", - "if": { - "properties": { - "isExternal": { - "const": false - } - } - }, - "then": { - "not": { - "required": [ - "versionRange" - ] - } + "users": { + "type": "array", + "title": "Users", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact" }, - "else": true + "description": "Primary users of the asset" } - ] + } }, - "version": { - "description": "A single disjunctive version identifier, for a component or service.", - "type": "string", - "maxLength": 1024, - "examples": [ - "9.0.14", - "v1.33.7", - "7.0.0-M1", - "2.0pre1", - "1.0.0-beta1", - "0.8.15" - ] - }, - "versionRange": { - "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "authenticationType": { "type": "string", - "minLength": 1, - "maxLength": 4096, - "examples": [ - "vers:cargo/9.0.14", - "vers:npm/1.2.3|>=2.0.0|<5.0.0", - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" - ] + "title": "Authentication Type", + 
"description": "The authentication method or protocol used to verify identity.", + "enum": [ + "apiKey", + "basic", + "bearer", + "certificate", + "custom", + "digest", + "fido2", + "jwt", + "kerberos", + "ldap", + "mfa", + "mTLS", + "none", + "ntlm", + "oauth1", + "oauth2", + "oidc", + "saml", + "ssh" + ], + "meta:enum": { + "apiKey": "API key authentication", + "basic": "Basic authentication (username/password)", + "bearer": "Bearer token authentication", + "certificate": "Certificate-based authentication", + "custom": "Custom authentication method", + "digest": "Digest authentication", + "fido2": "FIDO2/WebAuthn passwordless authentication", + "jwt": "JSON Web Token authentication", + "kerberos": "Kerberos authentication", + "ldap": "LDAP directory authentication", + "mfa": "Multi-factor authentication", + "mTLS": "Mutual TLS authentication", + "none": "No authentication required", + "ntlm": "NTLM authentication", + "oauth1": "OAuth 1.0 authentication", + "oauth2": "OAuth 2.0 authentication", + "oidc": "OpenID Connect authentication", + "saml": "SAML authentication", + "ssh": "SSH key authentication" + } }, - "copyrightText": { + "authorizationType": { "type": "string", - "title": "Component Copyright", - "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "examples": [ - "Acme Inc" - ] - }, - "copyright": { + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions.", + "enum": [ + "abac", + "acl", + "cbac", + "custom", + "dac", + "mac", + "none", + "other", + "pbac", + "rbac", + "rebac" + ], + "meta:enum": { + "abac": "Attribute-Based Access Control", + "acl": "Access Control Lists", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model", + "dac": "Discretionary Access Control", + "mac": "Mandatory Access Control", + "none": "No authorization controls", + "other": "Other authorization model not 
listed", + "pbac": "Policy-Based Access Control", + "rbac": "Role-Based Access Control", + "rebac": "Relationship-Based Access Control" + } + } + } + }, + "cyclonedx-citation-2.0": { + "type": "null", + "title": "CycloneDX Citation Model", + "$defs": { + "citations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" + "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation" }, - "title": "Copyright", - "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." - }, - "copyrightObject": { - "type": "object", - "title": "Copyright", - "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "required": [ - "text" - ], - "additionalProperties": false, - "properties": { - "text": { - "type": "string", - "title": "Copyright Text", - "description": "The textual content of the copyright." - } - } + "uniqueItems": true, + "title": "Citations", + "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." }, - "swid": { + "citation": { "type": "object", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", - "required": [ - "tagId", - "name" - ], + "title": "Citation", + "description": "Details a specific attribution of data within the BOM to a contributing entity or process.", "additionalProperties": false, "properties": { - "tagId": { - "type": "string", - "title": "Tag ID", - "description": "Maps to the tagId of a SoftwareIdentity." 
+ "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference" }, - "name": { + "pointers": { + "type": "array", + "items": { + "type": "string", + "title": "Field Reference", + "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies." + }, + "minItems": 1, + "title": "Field References", + "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "expressions": { + "type": "array", + "items": { + "type": "string", + "title": "Path Expression", + "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM." + }, + "minItems": 1, + "title": "Path Expressions", + "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "timestamp": { "type": "string", - "title": "Name", - "description": "Maps to the name of a SoftwareIdentity." + "format": "date-time", + "title": "Timestamp", + "description": "The date and time when the attribution was made or the information was supplied." }, - "version": { + "attributedTo": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Attributed To", + "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." 
+ }, + "process": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Process Reference", + "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + }, + "note": { "type": "string", - "title": "Version", - "default": "0.0", - "description": "Maps to the version of a SoftwareIdentity." + "title": "Note", + "description": "A description or comment about the context or quality of the data attribution." }, - "tagVersion": { - "type": "integer", - "title": "Tag Version", - "default": 0, - "description": "Maps to the tagVersion of a SoftwareIdentity." + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "A digital signature verifying the authenticity or integrity of the attribution." + } + }, + "required": [ + "timestamp" + ], + "anyOf": [ + { + "required": [ + "attributedTo" + ] }, - "patch": { - "type": "boolean", - "title": "Patch", - "default": false, - "description": "Maps to the patch of a SoftwareIdentity." 
+ { + "required": [ + "process" + ] + } + ], + "oneOf": [ + { + "required": [ + "pointers" + ] }, - "text": { - "title": "Attachment text", - "description": "Specifies the metadata and content of the SWID tag.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + { + "required": [ + "expressions" + ] + } + ] + } + } + }, + "cyclonedx-common-2.0": { + "type": "null", + "title": "CycloneDX Common Model", + "$defs": { + "refType": { + "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "type": "string", + "minLength": 1, + "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + }, + "refLinkType": { + "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "bomLinkDocumentType": { + "title": "BOM-Link Document", + "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLinkElementType": { + "title": "BOM-Link Element", + "description": "Descriptor for an element in a BOM document. 
See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLink": { + "title": "BOM-Link", + "anyOf": [ + { + "title": "BOM-Link Document", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkDocumentType" }, - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the SWID file.", - "format": "iri-reference" + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" } - } + ] }, - "componentEvidence": { + "hash": { "type": "object", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "title": "Hash", + "required": [ + "alg", + "content" + ], "additionalProperties": false, "properties": { - "identity": { - "type": "array", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. 
It is recommended that all implementations use arrays, even if only one identity object is specified.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" - } + "alg": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hashAlgorithm" }, - "occurrences": { - "type": "array", - "title": "Occurrences", - "description": "Evidence of individual instances of a component spread across multiple locations.", - "items": { - "type": "object", - "required": [ - "location" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "location": { - "type": "string", - "title": "Location", - "description": "The location or path to where the component was found." - }, - "line": { - "type": "integer", - "minimum": 0, - "title": "Line Number", - "description": "The line number where the component was found." - }, - "offset": { - "type": "integer", - "minimum": 0, - "title": "Offset", - "description": "The offset where the component was found." - }, - "symbol": { - "type": "string", - "title": "Symbol", - "description": "The symbol name that was found associated with the component." - }, - "additionalContext": { - "type": "string", - "title": "Additional Context", - "description": "Any additional context of the detected component (e.g. a code snippet)." 
- } - } - } - }, - "callstack": { - "type": "object", - "title": "Call Stack", - "description": "Evidence of the components use through the callstack.", - "additionalProperties": false, - "properties": { - "frames": { - "type": "array", - "title": "Frames", - "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", - "items": { - "type": "object", - "required": [ - "module" - ], - "additionalProperties": false, - "properties": { - "package": { - "title": "Package", - "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", - "type": "string" - }, - "module": { - "title": "Module", - "description": "A module or class that encloses functions/methods and other code.", - "type": "string" - }, - "function": { - "title": "Function", - "description": "A block of code designed to perform a particular task.", - "type": "string" - }, - "parameters": { - "title": "Parameters", - "description": "Arguments that are passed to the module or function.", - "type": "array", - "items": { - "type": "string" - } - }, - "line": { - "title": "Line", - "description": "The line number the code that is called resides on.", - "type": "integer" - }, - "column": { - "title": "Column", - "description": "The column the code that is called resides.", - "type": "integer" - }, - "fullFilename": { - "title": "Full Filename", - "description": "The full path and filename of the module.", - "type": "string" - } - } - } - } - } - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "License Evidence" - }, - "copyright": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" + "content": { + "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/hashValue" } } }, - "componentIdentityEvidence": { + "hashAlgorithm": { + "type": "string", + "title": "Hash Algorithm", + "description": "The algorithm that generated the hash value.", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3", + "Streebog-256", + "Streebog-512" + ] + }, + "hashValue": { + "type": "string", + "title": "Hash Value", + "description": "The value of the hash.", + "examples": [ + "3942447fac867ae5cdb3229b658f4d48" + ], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "mediaType": { + "type": "string", + "title": "Media Type", + "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.", + "examples": [ + "text/plain", + "application/json", + "image/png" + ], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "attachment": { "type": "object", - "title": "Identity Evidence", - "description": "Evidence that substantiates the identity of a component.", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", "required": [ - "field" + "content" ], "additionalProperties": false, "properties": { - "field": { + "mediaType": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/mediaType" + }, + "encoding": { "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", "enum": [ - "group", - "name", - "version", - "purl", - "cpe", - "omniborId", - "swhid", - "swid", - "hash" + "base64" ], - "title": "Field", - "description": "The identity field of the component which the evidence describes." 
- }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." - }, - "concludedValue": { - "type": "string", - "title": "Concluded Value", - "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." - }, - "methods": { - "type": "array", - "title": "Methods", - "description": "The methods used to extract and/or analyze the evidence.", - "items": { - "type": "object", - "required": [ - "technique", - "confidence" - ], - "additionalProperties": false, - "properties": { - "technique": { - "title": "Technique", - "description": "The technique used in this method of analysis.", - "type": "string", - "enum": [ - "source-code-analysis", - "binary-analysis", - "manifest-analysis", - "ast-fingerprint", - "hash-comparison", - "instrumentation", - "dynamic-analysis", - "filename", - "attestation", - "other" - ] - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value or contents of the evidence." - } - } + "meta:enum": { + "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." } }, - "tools": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "BOM References", - "description": "The object in the BOM identified by its bom-ref. 
This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." } } }, - "componentData": { - "type": "object", - "additionalProperties": false, - "required": [ + "base64": { + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", + "description": "A Base64-encoded string." + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + }, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "required": [ + "url", "type" ], + "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ "url": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLink" + } + ], + "title": "URL", + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "A comment describing the external reference" }, "type": { "type": "string", - "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.", + "title": "Type", + "description": "Specifies the type of external reference.", "enum": [ - "source-code", + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "source-distribution", + "distribution", + "distribution-intake", + "license", + "build-meta", + "build-system", + "release-notes", + "security-contact", + "model-card", + "log", "configuration", - "dataset", - "definition", + "evidence", + "formulation", + "attestation", + "threat-model", + "adversary-model", + "risk-assessment", + "vulnerability-assertion", + "exploitability-statement", + "pentest-report", + "static-analysis-report", + "dynamic-analysis-report", + "runtime-analysis-report", + "component-analysis-report", + "maturity-report", + "certification-report", + 
"codified-infrastructure", + "quality-metrics", + "poam", + "electronic-signature", + "digital-signature", + "rfc-9116", + "patent", + "patent-family", + "patent-assertion", + "citation", "other" ], "meta:enum": { - "source-code": "Any type of code, code snippet, or data-as-code.", - "configuration": "Parameters or settings that may be used by other components.", - "dataset": "A collection of data.", - "definition": "Data that can be used to create new instances of what the definition defines.", - "other": "Any other type of data that does not fit into existing definitions." - } - }, - "name": { - "title": "Dataset Name", - "description": "The name of the dataset.", - "type": "string" - }, - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "A way to include textual or encoded data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": "iri-reference" - }, - "properties": { - "type": "array", - "title": "Configuration Properties", - "description": "Provides the ability to document name-value parameters used for configuration.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } - } + "vcs": "Version Control System", + "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", + "website": "Website", + "advisories": "Security advisories", + "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", + "mailing-list": "Mailing list or discussion group", + "social": "Social media account", + "chat": "Real-time chat platform", + "documentation": "Documentation, guides, or how-to instructions", + "support": "Community or commercial support", + 
"source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.", + "distribution": "Direct or repository download location", + "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", + "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", + "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", + "build-system": "Reference to an automated build system", + "release-notes": "Reference to release notes", + "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", + "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", + "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", + "configuration": "Parameters or settings that may be used by other components or services.", + "evidence": "Information used to substantiate a claim.", + "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", + "attestation": "Human or machine-readable 
statements containing facts, evidence, or testimony.", + "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", + "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", + "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", + "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", + "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. 
The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", + "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", + "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", + "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", + "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", + "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", + "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", + "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", + "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", + "quality-metrics": "Report or system in which quality metrics can be obtained.", + "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. 
It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", + "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", + "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", + "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-assertion": "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. 
When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", + "other": "Use this if no other types accurately describe the purpose of the external reference." } }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" - }, - "sensitiveData": { + "hashes": { "type": "array", - "title": "Sensitive Data", - "description": "A description of any sensitive data in a dataset.", "items": { - "type": "string" - } - }, - "graphics": { - "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" - }, - "description": { - "title": "Dataset Description", - "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", - "type": "string" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash" + }, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } - } - } - }, - "cyclonedx-composition-2.0": { - "type": "null", - "title": "CycloneDX Composition Model", - "$defs": { - "compositions": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" - }, - "uniqueItems": true, - "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." 
}, - "composition": { + "postalAddress": { "type": "object", - "title": "Compositions", - "required": [ - "aggregate" - ], + "title": "Postal address", + "description": "An address used to identify a contactable location.", "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "aggregate": { - "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", - "title": "Aggregate", - "description": "Specifies an aggregate type that describes how complete a relationship is." + "country": { + "type": "string", + "title": "Country", + "description": "The country name or the two-letter ISO 3166-1 country code." }, - "assemblies": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." 
+ "region": { + "type": "string", + "title": "Region", + "description": "The region or state in the country.", + "examples": [ + "Texas" + ] }, - "dependencies": { + "locality": { + "type": "string", + "title": "Locality", + "description": "The locality or city within the country.", + "examples": [ + "Austin" + ] + }, + "postOfficeBoxNumber": { + "type": "string", + "title": "Post Office Box Number", + "description": "The post office box number.", + "examples": [ + "901" + ] + }, + "postalCode": { + "type": "string", + "title": "Postal Code", + "description": "The postal code.", + "examples": [ + "78758" + ] + }, + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address.", + "examples": [ + "100 Main Street" + ] + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Organization Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "address": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/postalAddress", + "title": "Organization Address", + "description": "The physical address (location) of the organization" + }, + "url": { "type": "array", - "uniqueItems": true, "items": { - "type": "string" + "type": "string", + "format": "iri-reference" }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. 
References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + "title": "Organization URL(s)", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] }, - "vulnerabilities": { + "contact": { "type": "array", - "uniqueItems": true, + "title": "Organizational Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", "items": { - "type": "string" - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the vulnerabilities being described." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": [ + "Contact name" + ] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": [ + "firstname.lastname@example.com" + ] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": [ + "800-555-1212" + ] } } }, - "aggregateType": { - "type": "string", - "default": "not_specified", - "enum": [ - "complete", - "incomplete", - "incomplete_first_party_only", - "incomplete_first_party_proprietary_only", - "incomplete_first_party_opensource_only", - "incomplete_third_party_only", - "incomplete_third_party_proprietary_only", - "incomplete_third_party_opensource_only", - "unknown", - "not_specified" - ], - "meta:enum": { - "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", - "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", - "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", - "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", - "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", - "incomplete_third_party_only": "The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented.", - "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", - "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", - "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", - "not_specified": "The relationship completeness is not specified." + "organizationalEntityOrContact": {}, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" } - } - } - }, - "cyclonedx-cryptography-2.0": { - "type": "null", - "title": "CycloneDX Cryptography Model", - "$defs": { - "cryptoProperties": { + }, + "property": { "type": "object", - "title": "Cryptographic Properties", - "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. 
AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", - "additionalProperties": false, + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "required": [ - "assetType" + "name" ], "properties": { - "assetType": { + "name": { "type": "string", - "title": "Asset Type", - "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", - "enum": [ - "algorithm", - "certificate", - "protocol", - "related-crypto-material" + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." 
+ } + }, + "additionalProperties": false + }, + "extensibleProperties": { + "type": "object", + "title": "Extensible Properties", + "patternProperties": { + "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": { + "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).", + "examples": [ + "ext::", + "ext:example.org:myExtension" ], - "meta:enum": { - "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", - "certificate": "An electronic document that is used to provide the identity or validate a public key.", - "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", - "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." + "if": { + "type": [ + "object", + "array" + ] + }, + "then": { + "type": "object", + "required": [ + "$schema" + ], + "properties": { + "$schema": { + "type": "string", + "format": "uri" + } + } + }, + "else": { + "type": [ + "string", + "number", + "boolean", + "null" + ] } + } + } + }, + "baseObject": { + "description": "Base object for all CycloneDX entities. 
Automatically includes support for extensible properties.", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/extensibleProperties" + } + ], + "properties": { + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" }, - "algorithmProperties": { - "type": "object", - "title": "Algorithm Properties", - "description": "Additional properties specific to a cryptographic algorithm.", - "additionalProperties": false, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", + "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." + }, + "ordinalVersion": { + "title": "Ordinal Version", + "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.", + "type": "string", + "pattern": "^\\d+(\\.\\d+)*$", + "examples": [ + "1", + "1.2", + "1.2.3", + "2025.09.02", + "10.4.7.3" + ] + }, + "lifecycle": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/preDefinedLifecyclePhase" + }, + { + "title": "Custom Lifecycle Phase", + "required": [ + "name" + ], + "additionalProperties": false, "properties": { - "primitive": { - "type": "string", - "title": "primitive", - "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. 
Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", - "enum": [ - "drbg", - "mac", - "block-cipher", - "stream-cipher", - "signature", - "hash", - "pke", - "xof", - "kdf", - "key-agree", - "kem", - "ae", - "combiner", - "key-wrap", - "other", - "unknown" - ], - "meta:enum": { - "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", - "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", - "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", - "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", - "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. 
Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", - "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", - "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.", - "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", - "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", - "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", - "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", - "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. 
AE is commonly used in secure communication protocols.", - "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", - "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", - "other": "Another primitive type.", - "unknown": "The primitive is not known." - } - }, - "algorithmFamily": { - "$ref": "../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", - "title": "Algorithm Family", - "description": "A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.", - "examples": [ - "3DES", - "Blowfish", - "ECDH" - ] - }, - "parameterSetIdentifier": { - "type": "string", - "title": "Parameter Set Identifier", - "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." - }, - "ellipticCurve": { - "$ref": "../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", - "title": "Elliptic Curve", - "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." 
- }, - "executionEnvironment": { - "type": "string", - "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in.", - "enum": [ - "software-plain-ram", - "software-encrypted-ram", - "software-tee", - "hardware", - "other", - "unknown" - ], - "meta:enum": { - "software-plain-ram": "A software implementation running in plain unencrypted RAM.", - "software-encrypted-ram": "A software implementation running in encrypted RAM.", - "software-tee": "A software implementation running in a trusted execution environment.", - "hardware": "A hardware implementation.", - "other": "Another implementation environment.", - "unknown": "The execution environment is not known." - } - }, - "implementationPlatform": { - "type": "string", - "title": "Implementation platform", - "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", - "enum": [ - "generic", - "x86_32", - "x86_64", - "armv7-a", - "armv7-m", - "armv8-a", - "armv8-m", - "armv9-a", - "armv9-m", - "s390x", - "ppc64", - "ppc64le", - "other", - "unknown" - ] - }, - "certificationLevel": { - "type": "array", - "title": "Certification Level", - "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", - "items": { - "type": "string", - "enum": [ - "none", - "fips140-1-l1", - "fips140-1-l2", - "fips140-1-l3", - "fips140-1-l4", - "fips140-2-l1", - "fips140-2-l2", - "fips140-2-l3", - "fips140-2-l4", - "fips140-3-l1", - "fips140-3-l2", - "fips140-3-l3", - "fips140-3-l4", - "cc-eal1", - "cc-eal1+", - "cc-eal2", - "cc-eal2+", - "cc-eal3", - "cc-eal3+", - "cc-eal4", - "cc-eal4+", - "cc-eal5", - "cc-eal5+", - "cc-eal6", - "cc-eal6+", - "cc-eal7", - "cc-eal7+", - "other", - "unknown" - ], - "meta:enum": { - "none": "No certification obtained", - "fips140-1-l1": "FIPS 140-1 Level 1", - "fips140-1-l2": "FIPS 140-1 Level 2", - "fips140-1-l3": "FIPS 140-1 Level 3", - "fips140-1-l4": "FIPS 140-1 Level 4", - "fips140-2-l1": "FIPS 140-2 Level 1", - "fips140-2-l2": "FIPS 140-2 Level 2", - "fips140-2-l3": "FIPS 140-2 Level 3", - "fips140-2-l4": "FIPS 140-2 Level 4", - "fips140-3-l1": "FIPS 140-3 Level 1", - "fips140-3-l2": "FIPS 140-3 Level 2", - "fips140-3-l3": "FIPS 140-3 Level 3", - "fips140-3-l4": "FIPS 140-3 Level 4", - "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", - "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", - "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", - "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", - "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", - "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", - "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", - "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", - "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", - "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", - "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", - "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", - "cc-eal7": 
"Common Criteria - Evaluation Assurance Level 7", - "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", - "other": "Another certification", - "unknown": "The certification level is not known" - } - } - }, - "mode": { + "name": { "type": "string", - "title": "Mode", - "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", - "enum": [ - "cbc", - "ecb", - "ccm", - "gcm", - "cfb", - "ofb", - "ctr", - "other", - "unknown" - ], - "meta:enum": { - "cbc": "Cipher block chaining", - "ecb": "Electronic codebook", - "ccm": "Counter with cipher block chaining message authentication code", - "gcm": "Galois/counter", - "cfb": "Cipher feedback", - "ofb": "Output feedback", - "ctr": "Counter", - "other": "Another mode of operation", - "unknown": "The mode of operation is not known" - } + "title": "Name", + "description": "The name of the lifecycle phase" }, - "padding": { + "description": { "type": "string", - "title": "Padding", - "description": "The padding scheme that is used for the cryptographic algorithm.", - "enum": [ - "pkcs5", - "pkcs7", - "pkcs1v15", - "oaep", - "raw", - "other", - "unknown" - ], - "meta:enum": { - "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", - "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", - "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", - "oaep": "Optimal asymmetric encryption padding", - "raw": "Raw", - "other": "Another padding scheme", - "unknown": "The padding scheme is not known" - } - }, - "cryptoFunctions": { - "type": "array", - "title": "Cryptographic functions", - "description": "The cryptographic functions implemented by the cryptographic algorithm.", - "items": { - "type": "string", - "enum": [ - "generate", - "keygen", - "encrypt", - "decrypt", - "digest", - "tag", - "keyderive", - "sign", - "verify", - "encapsulate", - "decapsulate", - "other", - "unknown" - ] - } - }, - 
"classicalSecurityLevel": { - "type": "integer", - "title": "classical security level", - "description": "The classical security level that a cryptographic algorithm provides (in bits).", - "minimum": 0 - }, - "nistQuantumSecurityLevel": { - "type": "integer", - "title": "NIST security strength category", - "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", - "minimum": 0, - "maximum": 6 + "title": "Description", + "description": "The description of the lifecycle phase" } } + } + ] + }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycle" + } + }, + "preDefinedLifecyclePhase": { + "title": "Pre-Defined Phase", + "required": [ + "phase" + ], + "additionalProperties": false, + "properties": { + "phase": { + "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.", + "enum": [ + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" + ], + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. 
The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. 
Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." }, - "certificateProperties": { + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. 
Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/diff" + }, + "resolves": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + }, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. 
Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { "type": "object", - "title": "Certificate Properties", - "description": "Properties for cryptographic assets of asset type 'certificate'.", + "title": "Source", + "description": "The source of the issue where it is documented", "additionalProperties": false, "properties": { - "serialNumber": { - "type": "string", - "title": "Serial Number", - "description": "The serial number is a unique identifier for the certificate issued by a CA." - }, - "subjectName": { - "type": "string", - "title": "Subject Name", - "description": "The subject name for the certificate." 
- }, - "issuerName": { + "name": { "type": "string", - "title": "Issuer Name", - "description": "The issuer name for the certificate." + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] }, - "notValidBefore": { + "url": { "type": "string", - "format": "date-time", - "title": "Not Valid Before", - "description": "The date and time according to ISO-8601 standard from which the certificate is valid." - }, - "notValidAfter": { - "type": "string", - "format": "date-time", - "title": "Not Valid After", - "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." - }, - "certificateFormat": { - "type": "string", - "title": "Certificate Format", - "description": "The format of the certificate.", - "examples": [ - "X.509", - "PEM", - "DER", - "CVC" - ] - }, - "certificateFileExtension": { - "type": "string", - "title": "Certificate File Extension", - "description": "The file extension of the certificate.", - "examples": [ - "crt", - "pem", - "cer", - "der", - "p12" - ] - }, - "fingerprint": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", - "title": "Certificate Fingerprint", - "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." - }, - "certificateState": { - "type": "array", - "title": "Certificate Lifecycle State", - "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. 
It typically involves several stages.", - "items": { - "type": "object", - "title": "State", - "description": "The state of the certificate.", - "oneOf": [ - { - "title": "Pre-Defined State", - "required": [ - "state" - ], - "additionalProperties": false, - "properties": { - "state": { - "type": "string", - "title": "State", - "description": "A pre-defined state in the certificate lifecycle.", - "enum": [ - "pre-activation", - "active", - "suspended", - "deactivated", - "revoked", - "destroyed" - ], - "meta:enum": { - "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", - "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", - "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", - "suspended": "The use of a certificate may be suspended for several possible reasons.", - "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", - "destroyed": "The certificate has been destroyed." - } - }, - "reason": { - "type": "string", - "title": "Reason", - "description": "A reason for the certificate being in this state." - } - } - }, - { - "title": "Custom State", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "State", - "description": "The name of the certificate lifecycle state." - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the certificate lifecycle state." - }, - "reason": { - "type": "string", - "title": "Reason", - "description": "A reason for the certificate being in this state." 
- } - } - } - ] - } - }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "Creation Date", - "description": "The date and time (timestamp) when the certificate was created or pre-activated." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "Activation Date", - "description": "The date and time (timestamp) when the certificate was activated." - }, - "deactivationDate": { - "type": "string", - "format": "date-time", - "title": "Deactivation Date", - "description": "The date and time (timestamp) when the related certificate was deactivated." - }, - "revocationDate": { - "type": "string", - "format": "date-time", - "title": "Revocation Date", - "description": "The date and time (timestamp) when the certificate was revoked." - }, - "destructionDate": { - "type": "string", - "format": "date-time", - "title": "Destruction Date", - "description": "The date and time (timestamp) when the certificate was destroyed." - }, - "certificateExtensions": { - "type": "array", - "title": "Certificate Extensions", - "description": "A certificate extension is a field that provides additional information about the certificate or its use. 
Extensions are used to convey additional information beyond the standard fields.", - "items": { - "type": "object", - "title": "Extension", - "description": "", - "oneOf": [ - { - "title": "Common Extensions", - "required": [ - "commonExtensionName", - "commonExtensionValue" - ], - "additionalProperties": false, - "properties": { - "commonExtensionName": { - "type": "string", - "title": "name", - "description": "The name of the extension.", - "enum": [ - "basicConstraints", - "keyUsage", - "extendedKeyUsage", - "subjectAlternativeName", - "authorityKeyIdentifier", - "subjectKeyIdentifier", - "authorityInformationAccess", - "certificatePolicies", - "crlDistributionPoints", - "signedCertificateTimestamp" - ], - "meta:enum": { - "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", - "keyUsage": "Specifies the allowed uses of the public key in the certificate.", - "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", - "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", - "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", - "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", - "authorityInformationAccess": "Contains CA issuers and OCSP information.", - "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", - "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", - "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." - } - }, - "commonExtensionValue": { - "type": "string", - "title": "Value", - "description": "The value of the certificate extension." 
- } - } - }, - { - "title": "Custom Extensions", - "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", - "required": [ - "customExtensionName" - ], - "additionalProperties": false, - "properties": { - "customExtensionName": { - "type": "string", - "title": "Name", - "description": "The name for the custom certificate extension." - }, - "customExtensionValue": { - "type": "string", - "title": "Value", - "description": "The description of the custom certificate extension." - } - } - } - ] - } - }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" } } }, - "relatedCryptoMaterialProperties": { - "type": "object", - "title": "Related Cryptographic Material Properties", - "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related cryptographic material.", - "enum": [ - "private-key", - "public-key", - "secret-key", - "key", - "ciphertext", - "signature", - "digest", - "initialization-vector", - "nonce", - "seed", - "salt", - "shared-secret", - "tag", - "additional-data", - "password", - "credential", - "token", - "other", - "unknown" - ], - "meta:enum": { - "private-key": "The confidential key of a key pair used in asymmetric cryptography.", - "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", - "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", - "key": "A piece of information, 
usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", - "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", - "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": [ + "https://example.com" + ] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "locale": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "signature": { + "$ref": "../jsf-0.82.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + } + }, + "cyclonedx-component-2.0": { + "type": "null", + "title": "CycloneDX Component Model", + "$defs": { + "components": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true, + "title": "Components" + }, + "component": { + "type": "object", + "title": "Component", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment that interprets or executes software. 
This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": [ + "library" + ] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": [ + "image/jpeg" + ], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "authors": { + "type": "array", + "title": "Component Authors", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. 
Components created through automated means may have `@.manufacturer` instead.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": [ + "Acme Inc" + ] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": [ + "com.acme" + ] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": [ + "tomcat-catalina" + ] + }, + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." + }, + "versionRange": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. 
Patches may be complementary to commits or may be used in place of commits.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/patch" + } + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "components": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." + }, + "modelCard": { + "$ref": "#/$defs/cyclonedx-ai-modelcard-2.0/$defs/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentData" + }, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." 
+ }, + "cryptoProperties": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cryptoProperties", + "title": "Cryptographic Properties" + }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": [ + "version", + "versionRange" + ] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { + "isExternal": { + "const": false + } + } + }, + "then": { + "not": { + "required": [ + "versionRange" + ] + } + }, + "else": true + } + ] + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package-URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "copyrightText": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying 
claims to copyright ownership in a published work.", + "examples": [ + "Acme Inc" + ] + }, + "copyright": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyrightObject" + }, + "title": "Copyright", + "description": "Captures intellectual property assertions, providing evidence of possible ownership and legal protection." + }, + "copyrightObject": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." 
+ }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "type": "array", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/componentIdentityEvidence" + } + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ + "location" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." 
+ }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." + } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + 
"description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/copyright" + } + } + }, + "componentIdentityEvidence": { + "type": "object", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component.", + "required": [ + "field" + ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", + "name", + "version", + "purl", + "cpe", + "omniborId", + "swhid", + "swid", + "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." 
+ }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique", + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { + "$ref": 
"#/$defs/cyclonedx-ai-modelcard-2.0/$defs/graphicsCollection" + }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + } + } + } + } + }, + "cyclonedx-composition-2.0": { + "type": "null", + "title": "CycloneDX Composition Model", + "$defs": { + "compositions": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/composition" + }, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "composition": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/$defs/cyclonedx-composition-2.0/$defs/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." 
+ }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. 
No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." 
+ } + } + } + }, + "cyclonedx-cryptography-2.0": { + "type": "null", + "title": "CycloneDX Cryptography Model", + "$defs": { + "cryptoProperties": { + "type": "object", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", + "additionalProperties": false, + "required": [ + "assetType" + ], + "properties": { + "assetType": { + "type": "string", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "enum": [ + "algorithm", + "certificate", + "protocol", + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." 
+ } + }, + "algorithmProperties": { + "type": "object", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", + "enum": [ + "drbg", + "mac", + "block-cipher", + "stream-cipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "key-agree", + "kem", + "ae", + "combiner", + "key-wrap", + "other", + "unknown" + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. 
Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. 
It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } + }, + "algorithmFamily": { + "$ref": "../cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", + "title": "Algorithm Family", + "description": "A valid algorithm family identifier. If specified, this value shall be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema.", + "examples": [ + "3DES", + "Blowfish", + "ECDH" + ] + }, + "parameterSetIdentifier": { + "type": "string", + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + }, + "ellipticCurve": { + "$ref": "../cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value shall be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema." 
+ }, + "executionEnvironment": { + "type": "string", + "title": "Execution Environment", + "description": "The target and execution environment in which the algorithm is implemented in.", + "enum": [ + "software-plain-ram", + "software-encrypted-ram", + "software-tee", + "hardware", + "other", + "unknown" + ], + "meta:enum": { + "software-plain-ram": "A software implementation running in plain unencrypted RAM.", + "software-encrypted-ram": "A software implementation running in encrypted RAM.", + "software-tee": "A software implementation running in a trusted execution environment.", + "hardware": "A hardware implementation.", + "other": "Another implementation environment.", + "unknown": "The execution environment is not known." + } + }, + "implementationPlatform": { + "type": "string", + "title": "Implementation platform", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "armv9-a", + "armv9-m", + "s390x", + "ppc64", + "ppc64le", + "other", + "unknown" + ] + }, + "certificationLevel": { + "type": "array", + "title": "Certification Level", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. 
Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": 
"Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } + } + }, + "mode": { + "type": "string", + "title": "Mode", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "other", + "unknown" + ], + "meta:enum": { + "cbc": "Cipher block chaining", + "ecb": "Electronic codebook", + "ccm": "Counter with cipher block chaining message authentication code", + "gcm": "Galois/counter", + "cfb": "Cipher feedback", + "ofb": "Output feedback", + "ctr": "Counter", + "other": "Another mode of operation", + "unknown": "The mode of operation is not known" + } + }, + "padding": { + "type": "string", + "title": "Padding", + "description": "The padding scheme that is used for the cryptographic algorithm.", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "other", + "unknown" + ], + "meta:enum": { + "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", + "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", + "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", + "oaep": "Optimal asymmetric encryption padding", + "raw": "Raw", + "other": "Another padding scheme", + "unknown": "The padding scheme is not known" + } + }, + "cryptoFunctions": { + "type": "array", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", + "items": { + "type": "string", + "enum": [ + "generate", + "keygen", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "other", + "unknown" + ] + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "The 
classical security level that a cryptographic algorithm provides (in bits).", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", + "minimum": 0, + "maximum": 6 + } + } + }, + "certificateProperties": { + "type": "object", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'.", + "additionalProperties": false, + "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." + }, + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the certificate." + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the certificate." + }, + "notValidBefore": { + "type": "string", + "format": "date-time", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid." + }, + "notValidAfter": { + "type": "string", + "format": "date-time", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." 
+ }, + "certificateFormat": { + "type": "string", + "title": "Certificate Format", + "description": "The format of the certificate.", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages.", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", + "revoked": 
"A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", + "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + } + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactivated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revocation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." 
+ }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "commonExtensionName", + "commonExtensionValue" + ], + "additionalProperties": false, + "properties": { + "commonExtensionName": { + "type": "string", + "title": "name", + "description": "The name of the extension.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. 
Log ID, timestamp and signature as proof." + } + }, + "commonExtensionValue": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." + } + } + }, + { + "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", + "required": [ + "customExtensionName" + ], + "additionalProperties": false, + "properties": { + "customExtensionName": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "customExtensionValue": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material.", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in 
symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", + "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", "digest": "The output of the hash function.", "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", 
@@ -3169,3228 +6829,5978 @@ "unknown": "The type of cryptographic asset is not known." } }, - "id": { - "type": "string", - "title": "ID", - "description": "The unique identifier for the related cryptographic material." - }, - "state": { + "id": { + "type": "string", + "title": "ID", + "description": "The unique identifier for the related cryptographic material." + }, + "state": { + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." + }, + "size": { + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." + }, + "format": { + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + }, + "securedBy": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." 
+ }, + "fingerprint": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "protocolProperties": { + "type": "object", + "title": "Protocol Properties", + "description": "Properties specific to cryptographic assets of type: `protocol`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "The concrete protocol type.", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "dtls", + "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", + "other", + "unknown" + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } + }, + "version": { + "type": "string", + "title": "Protocol Version", + "description": "The version of the protocol.", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher Suites", + "description": "A list of cipher suites related to the protocol.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", + "title": "Cipher Suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), 
defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", + "additionalProperties": false, + "properties": { + "encr": { + "type": "array", + "title": "Encryption Algorithms (ENCR)", + "description": "Transform Type 1: encryption algorithms.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + "prf": { + "type": "array", + "title": "Pseudorandom Functions (PRF)", + "description": "Transform Type 2: pseudorandom functions.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + "integ": { + "type": "array", + "title": "Integrity Algorithms (INTEG)", + "description": "Transform Type 3: integrity algorithms.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + "ke": { + "type": "array", + "title": "Key Exchange Methods (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" + } + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number (ESN)", + "description": "Specifies if an Extended Sequence Number (ESN) is used." + }, + "auth": { + "type": "array", + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + } + } + }, + "relatedCryptographicAssets": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "The object identifier (OID) of the cryptographic asset." 
+ } + } + }, + "cipherSuite": { + "type": "object", + "title": "Cipher Suite", + "description": "Object representing a cipher suite.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Common Name", + "description": "A common name for the cipher suite.", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "identifiers": { + "type": "array", + "title": "Cipher Suite Identifiers", + "description": "A list of common identifiers for the cipher suite.", + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier.", + "examples": [ + "0xC0", + "0x9E" + ] + } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group.", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme.", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } + } + } + }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG).", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE).", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." + }, + "algorithm": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, + "securedBy": { + "type": "object", + "title": "Secured By", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "Mechanism", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." 
+ } + } + } + } + }, + "cyclonedx-data-2.0": { + "type": "null", + "title": "CycloneDX Data Model", + "$defs": { + "dataProfile": { + "type": "object", + "title": "Data Profile", + "description": "Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this data profile" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." 
+ }, + "sensitivity": { + "type": "string", + "title": "Sensitivity", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], + "description": "Data sensitivity classification", + "meta:enum": { + "confidential": "Confidential information requiring protection", + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access and special protection measures" + } + }, + "classification": { + "title": "Classification", + "description": "Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.", + "oneOf": [ + { + "title": "Predefined Classification", + "description": "A predefined data classification from the enumeration.", + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "credentials", + "financial", + "intellectualProperty", + "logs", + "operational", + "other", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "credentials": "Secrets, tokens, or credentials", + "financial": "Financial statements or transaction data", + "intellectualProperty": "Intellectual property or trade secrets", + "logs": "Operational or security log data", + "operational": "Operational or process data", + "other": "Other data classification not listed", + "pci": "Payment card industry data", + "phi": "Protected health information", + "pii": "Personally identifiable information", + "safety": "Safety critical data or signals", + "telemetry": "System or product telemetry data" + } + } + } + }, + { + "title": "Custom Classification", + "description": "A custom data classification not covered by the predefined enumeration.", + "type": "object", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": 
{ + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of a custom data classification not covered by the predefined enumeration" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom data classification" + } + } + } + ] + }, + "dataFormats": { + "type": "array", + "title": "Data Formats", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Format of data" + }, + "dataTypes": { + "type": "array", + "title": "Data Types", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Specific types of data" + }, + "schema": { + "type": "array", + "title": "Schema", + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + }, + "description": "Reference to schema contracts or documents describing the data structure." + }, + "access": { + "type": "array", + "title": "Access", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." + }, + "collection": { + "type": "array", + "title": "Collection", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." 
+ }, + "disposal": { + "type": "array", + "title": "Disposal", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." + }, + "handling": { + "type": "array", + "title": "Handling", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." + }, + "processing": { + "type": "array", + "title": "Processing", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." + }, + "retention": { + "type": "array", + "title": "Retention", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." + }, + "sharing": { + "type": "array", + "title": "Sharing", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." 
+ }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." + }, + "dataSensitivity": { + "type": "string", + "title": "Data Sensitivity", + "description": "Classifies the sensitivity of data to indicate the level of protection required.", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], + "meta:enum": { + "confidential": "Confidential information requiring protection", + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access" + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "uniqueItems": true, + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "uniqueItems": true, + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "uniqueItems": true, + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { + "$ref": 
"#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty" + } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "title": "Data Governance Responsible Party", + "description": "An organizational entity or individual responsible for a specific data governance role.", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "description": "The organization that is responsible for specific data governance role(s).", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "contact": { + "title": "Individual", + "description": "The individual that is responsible for specific data governance role(s).", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" + } + }, + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "contact" + ] + } + ] + }, + "dataFlowDirection": { + "type": "string", + "title": "Data Flow Direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service.", + "enum": [ + "bi-directional", + "inbound", + "outbound", + "unknown" + ], + "meta:enum": { + "bi-directional": "Data flows in and out of the service.", + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "unknown": "The directional flow of data is not known." + } + } + } + }, + "cyclonedx-declaration-2.0": { + "type": "null", + "title": "CycloneDX Declaration Model", + "$defs": { + "declarations": { + "type": "object", + "title": "Declarations", + "description": "The list of declarations which describe the conformance to standards. 
Each declaration may include attestations, claims, and evidence.", + "additionalProperties": false, + "properties": { + "assessors": { + "type": "array", + "title": "Assessors", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", + "items": { + "type": "object", + "title": "Assessor", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." + }, + "organization": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organization", + "description": "The entity issuing the assessment." + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", + "items": { + "type": "object", + "title": "Attestation", + "additionalProperties": false, + "properties": { + "summary": { + "type": "string", + "title": "Summary", + "description": "The short description explaining the main points of the attestation." + }, + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Assessor", + "description": "The `bom-ref` to the assessor asserting the attestation." 
+ }, + "map": { + "type": "array", + "title": "Map", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", + "items": { + "type": "object", + "title": "Map", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Requirement", + "description": "The `bom-ref` to the requirement being attested to." + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of `bom-ref` to the claims being attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "counterClaims": { + "type": "array", + "title": "Counter Claims", + "description": "The list of `bom-ref` to the counter claims being attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "conformance": { + "type": "object", + "title": "Conformance", + "description": "The conformance of the claim meeting a requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the conformance score." 
+ }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + } + } + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "The confidence of the claim meeting the requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the confidence score." + } + } + } + } + } + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of claims.", + "items": { + "type": "object", + "title": "Claim", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "target": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Target", + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "The specific statement or assertion about the target." 
+ }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "The written explanation of why the evidence provided substantiates the claim." + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of `bom-ref` to evidence that supports this claim.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of evidence", + "items": { + "type": "object", + "title": "Evidence", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
+ }, + "propertyName": { + "type": "string", + "title": "Property Name", + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The written description of what this evidence is and how it was created." + }, + "data": { + "type": "array", + "title": "Data", + "description": "The output or analysis that supports claims.", + "items": { + "type": "object", + "title": "Data", + "additionalProperties": false, + "properties": { + "name": { + "title": "Data Name", + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + }, + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the evidence was created." + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "The date and time (timestamp) when the evidence is no longer valid." 
+ }, + "author": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Author", + "description": "The author of the evidence." + }, + "reviewer": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", + "title": "Reviewer", + "description": "The reviewer of the evidence." + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "The list of targets which claims are made against.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The list of organizations which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + } + }, + "components": { + "type": "array", + "title": "Components", + "description": "The list of components which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + } + }, + "services": { + "type": "array", + "title": "Services", + "description": "The list of services which claims are made against.", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + } + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. 
It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", + "additionalProperties": false, + "properties": { + "statement": { "type": "string", - "title": "State", - "description": "The key state as defined by NIST SP 800-57.", - "enum": [ - "pre-activation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" + "title": "Statement", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ + "I certify, to the best of my knowledge, that all information is correct." ] }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "Creation Date", - "description": "The date and time (timestamp) when the related cryptographic material was created." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "Activation Date", - "description": "The date and time (timestamp) when the related cryptographic material was activated." - }, - "updateDate": { - "type": "string", - "format": "date-time", - "title": "Update Date", - "description": "The date and time (timestamp) when the related cryptographic material was updated." - }, - "expirationDate": { - "type": "string", - "format": "date-time", - "title": "Expiration Date", - "description": "The date and time (timestamp) when the related cryptographic material expires." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The associated value of the cryptographic material." - }, - "size": { - "type": "integer", - "title": "Size", - "description": "The size of the cryptographic asset (in bits)." - }, - "format": { - "type": "string", - "title": "Format", - "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." 
- }, - "securedBy": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/securedBy", - "title": "Secured By", - "description": "The mechanism by which the cryptographic asset is secured by." - }, - "fingerprint": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/hash", - "title": "Fingerprint", - "description": "The fingerprint is a cryptographic hash of the asset." + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "title": "Signatory", + "additionalProperties": false, + "oneOf": [ + { + "required": [ + "signature" + ] + }, + { + "required": [ + "externalReference", + "organization" + ] + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." + }, + "externalReference": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
} } }, - "protocolProperties": { - "type": "object", - "title": "Protocol Properties", - "description": "Properties specific to cryptographic assets of type: `protocol`.", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "Type", - "description": "The concrete protocol type.", - "enum": [ - "tls", - "ssh", - "ipsec", - "ike", - "sstp", - "wpa", - "dtls", - "quic", - "eap-aka", - "eap-aka-prime", - "prins", - "5g-aka", - "other", - "unknown" - ], - "meta:enum": { - "tls": "Transport Layer Security", - "ssh": "Secure Shell", - "ipsec": "Internet Protocol Security", - "ike": "Internet Key Exchange", - "sstp": "Secure Socket Tunneling Protocol", - "wpa": "Wi-Fi Protected Access", - "dtls": "Datagram Transport Layer Security", - "quic": "Quick UDP Internet Connections", - "eap-aka": "Extensible Authentication Protocol variant", - "eap-aka-prime": "Enhanced version of EAP-AKA", - "prins": "Protection of Inter-Network Signaling", - "5g-aka": "Authentication and Key Agreement for 5G", - "other": "Another protocol type", - "unknown": "The protocol type is not known" - } - }, - "version": { - "type": "string", - "title": "Protocol Version", - "description": "The version of the protocol.", - "examples": [ - "1.0", - "1.2", - "1.99" - ] - }, - "cipherSuites": { - "type": "array", - "title": "Cipher Suites", - "description": "A list of cipher suites related to the protocol.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/cipherSuite", - "title": "Cipher Suite" - } - }, - "ikev2TransformTypes": { - "type": "object", - "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", - "additionalProperties": false, - "properties": { - "encr": { - "type": "array", - "title": "Encryption Algorithms (ENCR)", - "description": "Transform Type 1: encryption algorithms.", 
- "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Enc", - "title": "Encryption Algorithm (ENCR)" - } - }, - "prf": { - "type": "array", - "title": "Pseudorandom Functions (PRF)", - "description": "Transform Type 2: pseudorandom functions.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Prf", - "title": "Pseudorandom Function (PRF)" - } - }, - "integ": { - "type": "array", - "title": "Integrity Algorithms (INTEG)", - "description": "Transform Type 3: integrity algorithms.", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Integ", - "title": "Integrity Algorithm (INTEG)" - } - }, - "ke": { - "type": "array", - "title": "Key Exchange Methods (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Ke" - } - }, - "esn": { - "type": "boolean", - "title": "Extended Sequence Number (ESN)", - "description": "Specifies if an Extended Sequence Number (ESN) is used." - }, - "auth": { - "type": "array", - "title": "IKEv2 Authentication methods", - "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", - "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/ikeV2Auth", - "title": "IKEv2 Authentication Method" - } - } - } - }, - "relatedCryptographicAssets": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAssets" - } + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ } + } + } + } + }, + "cyclonedx-definition-2.0": { + "type": "null", + "title": "CycloneDX Definition Model", + "$defs": { + "definitions": { + "type": "object", + "title": "Definitions", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "additionalProperties": false, + "properties": { + "standards": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards" + }, + "patents": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" + } + } + } + } + }, + "cyclonedx-dependency-2.0": { + "type": "null", + "title": "CycloneDX Dependency Model", + "$defs": { + "dependencies": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships including provided & implemented components." + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. 
It is recommended to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + } + } + } + } + }, + "cyclonedx-formulation-2.0": { + "type": "null", + "title": "CycloneDX Formulation Model", + "$defs": { + "formulation": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula" + }, + "uniqueItems": true, + "title": "Formulation", + "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. 
Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. 
These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": 
"Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + } + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A 
description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the task elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + 
"$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + 
"$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" + } + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": { + "type": "string" + } + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": [ + 
"ConfigMap", + "Secret" + ], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": [ + "a kubernetes Persistent Volume Claim (PVC) name" + ], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": [ + "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", + "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. 
This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": [ + "10GB", + "2Ti", + "1Pi" + ], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" } }, - "oid": { + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", "type": "string", - "title": "OID", - "description": "The object identifier (OID) of the cryptographic asset." 
+ "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": [ + "a `configuration` file which was declared as a local `component` or `externalReference`" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": [ + "a log file or metrics data produced by the task" + ], + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": 
"#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] } - } - }, - "cipherSuite": { - "type": "object", - "title": "Cipher Suite", - "description": "Object representing a cipher suite.", + ], "additionalProperties": false, "properties": { - "name": { - "type": "string", - "title": "Common Name", - "description": "A common name for the cipher suite.", + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", "examples": [ - "TLS_DHE_RSA_WITH_AES_128_CCM" - ] + "source code repository", + "database" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the cipher suite.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
- } + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" }, - "identifiers": { - "type": "array", - "title": "Cipher Suite Identifiers", - "description": "A list of common identifiers for the cipher suite.", - "items": { - "type": "string", - "title": "identifier", - "description": "Cipher suite identifier.", - "examples": [ - "0xC0", - "0x9E" - ] - } + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a bom-ref)", + "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" }, - "tlsGroups": { + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", "type": "array", - "title": "TLS Groups", - "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "uniqueItems": true, "items": { - "type": "string", - "title": "Group Name", - "description": "The name of the TLS group.", - "examples": [ - "x25519", - "ffdhe2048" - ] + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" } }, - "tlsSignatureSchemes": { + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", "type": "array", - "title": "TLS Signature Schemes", - "description": "A list of signature schemes supported for cipher suite. 
These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "uniqueItems": true, "items": { - "type": "string", - "title": "Signature Scheme", - "description": "The name of the TLS signature scheme.", - "examples": [ - "ecdsa_secp256r1_sha256", - "rsa_pss_rsae_sha256", - "ed25519" + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." + } ] } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Enc": { + "outputType": { "type": "object", - "title": "Encryption Algorithm (ENCR)", - "description": "Object representing an encryption algorithm (ENCR).", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the encryption method.", - "examples": [ - "ENCR_AES_GCM_16" + "oneOf": [ + { + "required": [ + "resource" ] }, - "keyLength": { - "type": "integer", - "title": "Encryption algorithm key length", - "description": "The key length of the encryption algorithm." + { + "required": [ + "environmentVars" + ] }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ { + "required": [ + "data" + ] } - } - }, - "ikeV2Prf": { - "type": "object", - "title": "Pseudorandom Function (PRF)", - "description": "Object representing a pseudorandom function (PRF).", + ], "additionalProperties": false, "properties": { - "name": { + "type": { + "title": "Type", + "description": "Describes the type of data output.", "type": "string", - "title": "Name", - "description": "A name for the pseudorandom function.", - "examples": [ - "PRF_HMAC_SHA2_256" + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" ] }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": [ + "a log file described as an `externalReference` within its target domain." 
+ ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
+ } + ] + }, + "uniqueItems": true + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Integ": { + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", "type": "object", - "title": "Integrity Algorithm (INTEG)", - "description": "Object representing an integrity algorithm (INTEG).", "additionalProperties": false, "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the integrity algorithm.", - "examples": [ - "AUTH_HMAC_SHA2_256_128" + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } ] }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + }, + "oneOf": [ + { + "required": [ + "ref" + ] + }, + { + "required": [ + "externalReference" + ] } - } + ] }, - "ikeV2Ke": { + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", "type": "object", - "title": "Key Exchange Method (KE)", - "description": "Object representing a key exchange method (KE).", "additionalProperties": false, "properties": { - "group": { - "type": "integer", - "title": "Group Identifier", - "description": "A group identifier for the key exchange algorithm." + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger should be fired.", + "type": "string" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "ikeV2Auth": { + "taskType": { + "type": "string", + "enum": [ + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" + ], + "meta:enum": { + "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", + "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", + "lint": "A task that checks source code for programmatic and stylistic errors.", + "scan": "A task that performs a scan against source code, or built or deployed components and services. 
Scans are typically run to gather or test for security vulnerabilities or policy compliance.", + "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", + "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", + "test": "A task that verifies the functionality of a component or service.", + "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", + "deploy": "A task that deploys a built artifact for execution on one or more target systems.", + "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", + "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", + "other": "A workflow task that does not match current task type definitions." + } + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", "type": "object", - "title": "IKEv2 Authentication method", - "description": "Object representing a IKEv2 Authentication method.", "additionalProperties": false, "properties": { "name": { - "type": "string", "title": "Name", - "description": "A name for the authentication method." + "description": "The name of the parameter.", + "type": "string" }, - "algorithm": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
+ "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" + }, + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" } } - }, - "relatedCryptographicAssets": { + } + } + }, + "cyclonedx-license-2.0": { + "type": "null", + "title": "CycloneDX License Model", + "$defs": { + "licenseChoice": { + "title": "License Choice", + "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", "type": "array", - "title": "Related Cryptographic Assets", - "description": "A list of cryptographic assets related to this component.", "items": { - "$ref": "#/$defs/cyclonedx-cryptography-2.0/$defs/relatedCryptographicAsset" + "oneOf": [ + { + "type": "object", + "title": "License", + "required": [ + "license" + ], + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" + } + } + }, + { + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", + "type": "object", + "additionalProperties": false, + "required": [ + "expression" + ], + "properties": { + "expression": { + "type": "string", + "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "expressionDetails": { + "title": "Expression Details", + "description": "Details for parts of the `expression`.", + "type": "array", + "items": { + "type": "object", + "description": "This document specifies the details and attributes related to a software license identifier. 
An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "required": [ + "licenseIdentifier" + ], + "properties": { + "licenseIdentifier": { + "title": "License Identifier", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0", + "LicenseRef-my-custom-license" + ] + }, + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "text": { + "title": "License texts", + "description": "A way to include the textual content of the license.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + } + }, + "additionalProperties": false + } + }, + "acknowledgement": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" + }, + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "licensing": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
+ }
+ }
+ }
+ ]
 }
 },
- "relatedCryptographicAsset": {
+ "license": {
 "type": "object",
- "title": "Related Cryptographic Asset",
- "description": "A cryptographic assets related to this component.",
+ "title": "License",
+ "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.",
+ "oneOf": [
+ {
+ "required": [
+ "id"
+ ]
+ },
+ {
+ "required": [
+ "name"
+ ]
+ }
+ ],
 "additionalProperties": false,
 "properties": {
- "type": {
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
+ },
+ "id": {
+ "$ref": "../spdx.schema.json",
+ "title": "License ID (SPDX)",
+ "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.",
+ "examples": [
+ "Apache-2.0"
+ ]
+ },
+ "name": {
 "type": "string",
- "title": "Type",
- "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "title": "License Name",
+ "description": "The name of the license. 
This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.",
 "examples": [
- "publicKey",
- "privateKey",
- "algorithm"
+ "Acme Software License"
 ]
 },
- "ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "Reference to cryptographic asset",
- "description": "The bom-ref to cryptographic asset."
+ "acknowledgement": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration"
+ },
+ "text": {
+ "title": "License text",
+ "description": "A way to include the textual content of a license.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "License URL",
+ "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness",
+ "examples": [
+ "https://www.apache.org/licenses/LICENSE-2.0.txt"
+ ],
+ "format": "iri-reference"
+ },
+ "licensing": {
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
 }
 },
- "securedBy": {
+ "licenseAcknowledgementEnumeration": {
+ "title": "License Acknowledgement",
+ "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. 
Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.",
+ "type": "string",
+ "enum": [
+ "declared",
+ "concluded"
+ ],
+ "meta:enum": {
+ "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.",
+ "concluded": "Concluded licenses are verified and confirmed."
+ }
+ },
+ "licensing": {
 "type": "object",
- "title": "Secured By",
- "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "title": "Licensing information",
+ "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata",
 "additionalProperties": false,
 "properties": {
- "mechanism": {
- "type": "string",
- "title": "Mechanism",
- "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
- "examples": [
- "HSM",
- "TPM",
- "SGX",
- "Software",
- "None"
+ "altIds": {
+ "type": "array",
+ "title": "Alternate License Identifiers",
+ "description": "License identifiers that may be used to manage licenses and their lifecycle",
+ "items": {
+ "type": "string"
+ }
+ },
+ "licensor": {
+ "title": "Licensor",
+ "description": "The individual or organization that grants a license to another individual or organization",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Licensor (Organization)",
+ "description": "The organization that granted the license",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "individual": {
+ "title": "Licensor (Individual)",
+ "description": "The individual, not associated with an organization, that granted the license",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "organization"
+ ]
+ },
+ {
+ "required": [
+ "individual"
+ ]
+ }
 ]
 },
- 
"algorithmRef": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "Algorithm Reference",
- "description": "The bom-ref to the algorithm."
+ "licensee": {
+ "title": "Licensee",
+ "description": "The individual or organization for which a license was granted to",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Licensee (Organization)",
+ "description": "The organization that was granted the license",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "individual": {
+ "title": "Licensee (Individual)",
+ "description": "The individual, not associated with an organization, that was granted the license",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "organization"
+ ]
+ },
+ {
+ "required": [
+ "individual"
+ ]
+ }
+ ]
+ },
+ "purchaser": {
+ "title": "Purchaser",
+ "description": "The individual or organization that purchased the license",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "organization": {
+ "title": "Purchaser (Organization)",
+ "description": "The organization that purchased the license",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "individual": {
+ "title": "Purchaser (Individual)",
+ "description": "The individual, not associated with an organization, that purchased the license",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
+ }
+ },
+ "oneOf": [
+ {
+ "required": [
+ "organization"
+ ]
+ },
+ {
+ "required": [
+ "individual"
+ ]
+ }
+ ]
+ },
+ "purchaseOrder": {
+ "type": "string",
+ "title": "Purchase Order",
+ "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
+ },
+ "licenseTypes": {
+ "type": "array",
+ "title": "License Type",
+ "description": "The type of license(s) that was granted to the licensee.",
+ "items": {
+ "type": "string",
+ 
"enum": [
+ "academic",
+ "appliance",
+ "client-access",
+ "concurrent-user",
+ "core-points",
+ "custom-metric",
+ "device",
+ "evaluation",
+ "named-user",
+ "node-locked",
+ "oem",
+ "perpetual",
+ "processor-points",
+ "subscription",
+ "user",
+ "other"
+ ],
+ "meta:enum": {
+ "academic": "A license that grants use of software solely for the purpose of education or research.",
+ "appliance": "A license covering use of software embedded in a specific piece of hardware.",
+ "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.",
+ "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.",
+ "core-points": "A license where the core of a computer's processor is assigned a specific number of points.",
+ "custom-metric": "A license for which consumption is measured by non-standard metrics.",
+ "device": "A license that covers a defined number of installations on computers and other types of devices.",
+ "evaluation": "A license that grants permission to install and use software for trial purposes.",
+ "named-user": "A license that grants access to the software to one or more pre-defined users.",
+ "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.",
+ "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.",
+ "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.",
+ "processor-points": "A license where each installation consumes points per processor.",
+ "subscription": "A license where the licensee pays a fee to use the software or service.",
+ "user": "A license that grants access to the software or service by a specified number 
of users.",
+ "other": "Another license type."
+ }
+ }
+ },
+ "lastRenewal": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Last Renewal",
+ "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed."
+ },
+ "expiration": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expiration",
+ "description": "The timestamp indicating when the current license expires (if applicable)."
 }
 }
 }
 }
 },
- "cyclonedx-data-2.0": {
+ "cyclonedx-metadata-2.0": {
 "type": "null",
- "title": "CycloneDX Data Model",
+ "title": "CycloneDX Metadata Model",
 "$defs": {
- "dataClassification": {
- "type": "string",
- "title": "Data Classification",
- "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
- },
- "dataGovernance": {
+ "metadata": {
 "type": "object",
- "title": "Data Governance",
- "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.",
+ "title": "BOM Metadata",
+ "description": "Provides additional information about a BOM.",
 "additionalProperties": false,
 "properties": {
- "custodians": {
- "type": "array",
- "title": "Data Custodians",
- "description": "Data custodians are responsible for the safe custody, transport, and storage of data.",
- "items": {
- "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Timestamp",
+ "description": "The date and time (timestamp) when the BOM was created." 
+ },
+ "lifecycles": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles"
+ },
+ "tools": {
+ "type": "object",
+ "title": "Tools",
+ "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "components": {
+ "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components",
+ "description": "A list of software and hardware components used as tools."
+ },
+ "services": {
+ "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services",
+ "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
+ }
 }
 },
- "stewards": {
+ "manufacturer": {
+ "title": "BOM Manufacturer",
+ "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "authors": {
 "type": "array",
- "title": "Data Stewards",
- "description": "Data stewards are responsible for data content, context, and associated business rules.",
+ "title": "BOM Authors",
+ "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. 
BOMs created through automated means may have `@.manufacturer` instead.",
 "items": {
- "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
 }
 },
- "owners": {
- "type": "array",
- "title": "Data Owners",
- "description": "Data owners are concerned with risk and appropriate access to data.",
- "items": {
- "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernanceResponsibleParty"
- }
+ "component": {
+ "description": "The component that the BOM describes.",
+ "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component"
+ },
+ "supplier": {
+ "title": "Supplier",
+ "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
+ },
+ "licenses": {
+ "title": "BOM License(s)",
+ "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.",
+ "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice"
+ },
+ "distributionConstraints": {
+ "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints"
+ },
+ "properties": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties"
 }
 }
 },
- "dataGovernanceResponsibleParty": {
+ "distributionConstraints": {
+ "title": "Distribution Constraints",
+ "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.",
 "type": "object",
- "additionalProperties": false,
 "properties": {
- "organization": {
- "title": "Organization",
- "description": "The organization that is responsible for specific data governance role(s).",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
- },
- "contact": {
- "title": "Individual",
- "description": "The individual that is responsible for specific data 
governance role(s).",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
- }
- },
- "oneOf": [
- {
- "required": [
- "organization"
- ]
- },
- {
- "required": [
- "contact"
- ]
+ "tlp": {
+ "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification",
+ "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes."
 }
- ]
+ }
 },
- "dataFlowDirection": {
+ "tlpClassification": {
+ "title": "Traffic Light Protocol (TLP) Classification",
+ "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
 "type": "string",
+ "default": "CLEAR",
 "enum": [
- "inbound",
- "outbound",
- "bi-directional",
- "unknown"
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "AMBER_AND_STRICT",
+ "RED"
 ],
 "meta:enum": {
- "inbound": "Data that enters a service.",
- "outbound": "Data that exits a service.",
- "bi-directional": "Data flows in and out of the service.",
- "unknown": "The directional flow of data is not known."
- },
- "title": "Data flow direction",
- "description": "Specifies the flow direction of the data. Direction is relative to the service." 
+ "CLEAR": "The information is not subject to any restrictions as regards the sharing.",
+ "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
+ "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
+ "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
+ "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared."
+ }
 }
 }
 },
- "cyclonedx-declaration-2.0": {
+ "cyclonedx-patent-2.0": {
 "type": "null",
- "title": "CycloneDX Declaration Model",
+ "title": "CycloneDX Patent Model",
 "$defs": {
- "declarations": {
+ "patents": {
+ "type": "array",
+ "title": "Patents",
+ "description": "The list of either individual patents or patent families.",
+ "items": {
+ "anyOf": [
+ {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent"
+ },
+ {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily"
+ }
+ ]
+ }
+ },
+ "patent": {
 "type": "object",
- "title": "Declarations",
- "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.",
+ "title": "Patent",
+ "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. 
The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.",
+ "required": [
+ "patentNumber",
+ "jurisdiction",
+ "patentLegalStatus"
+ ],
 "additionalProperties": false,
 "properties": {
- "assessors": {
- "type": "array",
- "title": "Assessors",
- "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.",
- "items": {
- "type": "object",
- "title": "Assessor",
- "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.",
- "additionalProperties": false,
- "properties": {
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
- },
- "thirdParty": {
- "type": "boolean",
- "title": "Third Party",
- "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."
- },
- "organization": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity",
- "title": "Organization",
- "description": "The entity issuing the assessment."
- }
- }
- }
+ "bom-ref": {
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+ "title": "BOM Reference",
+ "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
},
- "attestations": {
- "type": "array",
- "title": "Attestations",
- "description": "The list of attestations asserted by an assessor that maps requirements to claims.",
- "items": {
- "type": "object",
- "title": "Attestation",
- "additionalProperties": false,
- "properties": {
- "summary": {
- "type": "string",
- "title": "Summary",
- "description": "The short description explaining the main points of the attestation."
- },
- "assessor": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Assessor",
- "description": "The `bom-ref` to the assessor asserting the attestation."
- },
- "map": {
- "type": "array",
- "title": "Map",
- "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.",
- "items": {
- "type": "object",
- "title": "Map",
- "additionalProperties": false,
- "properties": {
- "requirement": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Requirement",
- "description": "The `bom-ref` to the requirement being attested to."
- },
- "claims": {
- "type": "array",
- "title": "Claims",
- "description": "The list of `bom-ref` to the claims being attested to.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- }
- },
- "counterClaims": {
- "type": "array",
- "title": "Counter Claims",
- "description": "The list of `bom-ref` to the counter claims being attested to.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- }
- },
- "conformance": {
- "type": "object",
- "title": "Conformance",
- "description": "The conformance of the claim meeting a requirement.",
- "additionalProperties": false,
- "properties": {
- "score": {
- "type": "number",
- "minimum": 0,
- "maximum": 1,
- "title": "Score",
- "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." 
- },
- "rationale": {
- "type": "string",
- "title": "Rationale",
- "description": "The rationale for the conformance score."
- },
- "mitigationStrategies": {
- "type": "array",
- "title": "Mitigation Strategies",
- "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- }
- }
- }
- },
- "confidence": {
- "type": "object",
- "title": "Confidence",
- "description": "The confidence of the claim meeting the requirement.",
- "additionalProperties": false,
- "properties": {
- "score": {
- "type": "number",
- "minimum": 0,
- "maximum": 1,
- "title": "Score",
- "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."
- },
- "rationale": {
- "type": "string",
- "title": "Rationale",
- "description": "The rationale for the confidence score."
- }
- }
- }
- }
- }
- },
- "signature": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
- "title": "Signature",
- "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
- }
- }
+ "patentNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Number",
+ "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. 
Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).",
+ "examples": [
+ "US987654321",
+ "EP1234567B1"
+ ]
+ },
+ "applicationNumber": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber"
+ },
+ "jurisdiction": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction"
+ },
+ "priorityApplication": {
+ "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication"
+ },
+ "publicationNumber": {
+ "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$",
+ "title": "Patent Publication Number",
+ "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd"
+ },
+ "title": {
+ "type": "string",
+ "title": "Patent Title",
+ "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)."
+ },
+ "abstract": {
+ "type": "string",
+ "title": "Patent Abstract",
+ "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." 
+ },
+ "filingDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Filing Date",
+ "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)."
+ },
+ "grantDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Grant Date",
+ "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)."
+ },
+ "patentExpirationDate": {
+ "type": "string",
+ "format": "date",
+ "title": "Expiration Date",
+ "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules."
+ },
+ "patentLegalStatus": {
+ "type": "string",
+ "title": "Legal Status",
+ "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.",
+ "enum": [
+ "pending",
+ "granted",
+ "revoked",
+ "expired",
+ "lapsed",
+ "withdrawn",
+ "abandoned",
+ "suspended",
+ "reinstated",
+ "opposed",
+ "terminated",
+ "invalidated",
+ "in-force"
+ ],
+ "meta:enum": {
+ "pending": "The patent application has been filed but not yet examined or granted.",
+ "granted": "The patent application has been examined and a patent has been issued.",
+ "revoked": "The patent has been declared invalid through a legal or administrative process.",
+ "expired": "The patent has reached the end of its enforceable term.",
+ "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.",
+ "withdrawn": "The patent application was voluntarily withdrawn by the applicant.",
+ "abandoned": "The patent application was abandoned, often due to lack of action or response.",
+ "suspended": "Processing of the patent application has been temporarily halted.",
+ "reinstated": "A previously abandoned or lapsed patent has been reinstated.",
+ "opposed": "The patent application or granted patent is under formal opposition proceedings.",
+ "terminated": "The patent or application has been officially terminated.",
+ "invalidated": "The patent has been invalidated, either in part or in full.",
+ "in-force": "The granted patent is active and enforceable."
 }
 },
- "claims": {
+ "patentAssignee": {
 "type": "array",
- "title": "Claims",
- "description": "The list of claims.",
+ "title": "Patent Assignees",
+ "description": "A collection of organisations or individuals to whom the patent rights are assigned. 
This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.",
 "items": {
- "type": "object",
- "title": "Claim",
- "additionalProperties": false,
- "properties": {
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
- },
- "target": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
- "title": "Target",
- "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."
- },
- "predicate": {
- "type": "string",
- "title": "Predicate",
- "description": "The specific statement or assertion about the target."
- },
- "mitigationStrategies": {
- "type": "array",
- "title": "Mitigation Strategies",
- "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- }
- },
- "reasoning": {
- "type": "string",
- "title": "Reasoning",
- "description": "The written explanation of why the evidence provided substantiates the claim." 
- },
- "evidence": {
- "type": "array",
- "title": "Evidence",
- "description": "The list of `bom-ref` to evidence that supports this claim.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- }
- },
- "counterEvidence": {
- "type": "array",
- "title": "Counter Evidence",
- "description": "The list of `bom-ref` to counterEvidence that supports this claim.",
- "items": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType"
- }
- },
- "externalReferences": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences"
+ "oneOf": [
+ {
+ "title": "Person",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact"
 },
- "signature": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
- "title": "Signature",
- "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ {
+ "title": "Organizational Entity",
+ "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity"
 }
- }
+ ]
 }
 },
- "evidence": {
- "type": "array",
- "title": "Evidence",
- "description": "The list of evidence",
- "items": {
- "type": "object",
- "title": "Evidence",
- "additionalProperties": false,
- "properties": {
- "bom-ref": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
- "title": "BOM Reference",
- "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
- },
- "propertyName": {
- "type": "string",
- "title": "Property Name",
- "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."
- },
- "description": {
- "type": "string",
- "title": "Description",
- "description": "The written description of what this evidence is and how it was created." 
- },
- "data": {
- "type": "array",
- "title": "Data",
- "description": "The output or analysis that supports claims.",
- "items": {
- "type": "object",
- "title": "Data",
- "additionalProperties": false,
- "properties": {
- "name": {
- "title": "Data Name",
- "description": "The name of the data.",
- "type": "string"
- },
- "contents": {
- "type": "object",
- "title": "Data Contents",
- "description": "The contents or references to the contents of the data being described.",
- "additionalProperties": false,
- "properties": {
- "attachment": {
- "title": "Data Attachment",
- "description": "A way to include textual or encoded data.",
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment"
- },
- "url": {
- "type": "string",
- "title": "Data URL",
- "description": "The URL to where the data can be retrieved.",
- "format": "iri-reference"
- }
- }
- },
- "classification": {
- "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification"
- },
- "sensitiveData": {
- "type": "array",
- "title": "Sensitive Data",
- "description": "A description of any sensitive data included.",
- "items": {
- "type": "string"
- }
- },
- "governance": {
- "title": "Data Governance",
- "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance"
- }
- }
- }
- },
- "created": {
- "type": "string",
- "format": "date-time",
- "title": "Created",
- "description": "The date and time (timestamp) when the evidence was created."
- },
- "expires": {
- "type": "string",
- "format": "date-time",
- "title": "Expires",
- "description": "The date and time (timestamp) when the evidence is no longer valid."
- },
- "author": {
- "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact",
- "title": "Author",
- "description": "The author of the evidence." 
+ "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "patentFamily": { + "type": "object", + "title": "Patent Family", + "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", + "required": [ + "familyId" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." + }, + "familyId": { + "type": "string", + "title": "Patent Family ID", + "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." + }, + "priorityApplication": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + }, + "members": { + "type": "array", + "title": "Family Members", + "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "BOM Reference", + "description": "A `bom-ref` linking to a patent or application object within the BOM." 
+ } + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "patentAssertions": { + "type": "array", + "title": "Patent Assertions", + "description": "A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "items": { + "type": "object", + "title": "Patent Assertion", + "description": "An assertion linking a patent or patent family to this component or service.", + "required": [ + "assertionType", + "asserter" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.", + "enum": [ + "ownership", + "license", + "third-party-claim", + "standards-inclusion", + "prior-art", + "exclusive-rights", + "non-assertion", + "research-or-evaluation" + ], + "meta:enum": { + "ownership": "The manufacturer asserts ownership of the patent or patent family.", + "license": "The manufacturer asserts they have a license to use the patent or patent family.", + "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", + "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", + "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", + "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", + "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", + "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." + } + }, + "patentRefs": { + "type": "array", + "title": "Patent References", + "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + } + }, + "asserter": { + "oneOf": [ + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", + "title": "Organizational Entity" }, - "reviewer": { + { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Reviewer", - "description": "The reviewer of the evidence." 
+ "title": "Person" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Reference", + "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." } - } + ] + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." } + } + } + }, + "patentApplicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Application Number", + "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", + "examples": [ + "US20240000123", + "EP23123456" + ] + }, + "patentJurisdiction": { + "type": "string", + "title": "Jurisdiction", + "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. 
Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", + "pattern": "^[A-Z]{2}$", + "examples": [ + "US", + "EP", + "JP" + ] + }, + "patentFilingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "priorityApplication": { + "type": "object", + "title": "Priority Application", + "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", + "required": [ + "applicationNumber", + "jurisdiction", + "filingDate" + ], + "additionalProperties": false, + "properties": { + "applicationNumber": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" }, - "targets": { - "type": "object", - "title": "Targets", - "description": "The list of targets which claims are made against.", - "additionalProperties": false, - "properties": { - "organizations": { - "type": "array", - "title": "Organizations", - "description": "The list of organizations which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } - }, - "components": { - "type": "array", - "title": "Components", - "description": "The list of components which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - } - }, - "services": { - "type": "array", - "title": "Services", - "description": "The list of services which claims are made against.", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - } 
- } - } + "jurisdiction": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" }, - "affirmation": { - "type": "object", - "title": "Affirmation", - "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", - "additionalProperties": false, - "properties": { - "statement": { - "type": "string", - "title": "Statement", - "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", - "examples": [ - "I certify, to the best of my knowledge, that all information is correct." - ] - }, - "signatories": { - "type": "array", - "title": "Signatories", - "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", - "items": { - "type": "object", - "title": "Signatory", - "additionalProperties": false, - "oneOf": [ - { - "required": [ - "signature" - ] - }, - { - "required": [ - "externalReference", - "organization" - ] - } - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The signatory's name." - }, - "role": { - "type": "string", - "title": "Role", - "description": "The signatory's role within an organization." - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - }, - "organization": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organization", - "description": "The signatory's organization." 
- }, - "externalReference": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - } - } - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } + "filingDate": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" + } + } + } + } + }, + "cyclonedx-release-notes-2.0": { + "type": "null", + "title": "CycloneDX Release Notes Model", + "$defs": { + "releaseNotes": { + "type": "object", + "title": "Release notes", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." + }, + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." + }, + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A short description of the release." + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." 
+ }, + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" + }, + "resolves": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + }, + "title": "Resolves", + "description": "A collection of issues that have been resolved." + }, + "notes": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" + }, + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" } + } + } + }, + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. 
Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { + "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "locale": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
+ "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" } } } } }, - "cyclonedx-definition-2.0": { + "cyclonedx-requirement-2.0": { "type": "null", - "title": "CycloneDX Definition Model", + "title": "CycloneDX Engineering Requirement Model", "$defs": { - "definitions": { + "requirement": { "type": "object", - "title": "Definitions", - "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "title": "Requirement", + "description": "A requirement represents a specific need, constraint, or capability that must be met.", "additionalProperties": false, "properties": { - "standards": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standards" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "patents": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patents" + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)." + }, + "name": { + "type": "string", + "title": "Name", + "description": "A short name or title for the requirement." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed description of the requirement." 
+ }, + "type": { + "type": "array", + "title": "Requirement Types", + "description": "The categories or classifications applicable to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementType" + }, + "uniqueItems": true + }, + "priority": { + "type": "string", + "title": "Priority", + "description": "The priority level of the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "status": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/requirementStatus" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the requirement." + }, + "stakeholders": { + "type": "array", + "title": "Stakeholders", + "description": "The individuals or groups who have an interest in the requirement.", + "items": { + "type": "string" + } + }, + "acceptanceCriteria": { + "type": "array", + "title": "Acceptance Criteria", + "description": "Criteria that must be met for the requirement to be considered satisfied.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/acceptanceCriterion" + } + }, + "dependencies": { + "type": "array", + "title": "Dependencies", + "description": "Other requirements that this requirement depends on.", + "items": { + "$ref": "#/$defs/cyclonedx-requirement-2.0/$defs/dependency" + } + }, + "parent": { + "type": "string", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The reasoning or justification for the requirement." + }, + "fitCriterion": { + "type": "string", + "title": "Fit Criterion", + "description": "A measurable test that the solution must pass to be acceptable to the stakeholders." + }, + "effort": { + "type": "string", + "title": "Effort Estimation", + "description": "An estimation of the effort required to implement the requirement." 
+ }, + "risk": { + "type": "string", + "title": "Risk", + "description": "The risk level associated with implementing or not implementing the requirement.", + "enum": [ + "critical", + "high", + "medium", + "low" + ] + }, + "attachments": { + "type": "array", + "title": "Attachments", + "description": "Files or documents attached to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } + }, + "requirementType": { + "type": "string", + "title": "Requirement Type", + "description": "The category or classification applicable to the requirement.", + "enum": [ + "accessibility", + "auditability", + "availability", + "business", + "compatibility", + "compliance", + "deployment", + "functional", + "interoperability", + "localization", + "maintainability", + "non-functional", + "other", + "performance", + "portability", + "privacy", + "regulatory", + "reliability", + "scalability", + "security", + "system", + "testability", + "usability", + "user" + ], + "meta:enum": { + "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.", + "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.", + "availability": "Requirements describing the uptime and operational availability of systems or services.", + "business": 
"Requirements derived from organizational goals, strategies, or business processes.", + "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.", + "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.", + "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.", + "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.", + "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.", + "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.", + "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.", + "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.", + "other": "Requirements that do not clearly fit into other specified categories.", + "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.", + "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.", + "privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.", + "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.", + "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.", + "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.", + "security": "Requirements intended to protect systems, data, and users from malicious actions or 
threats.", + "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.", + "testability": "Requirements ensuring the system can be effectively validated and tested.", + "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.", + "user": "Requirements captured directly from user needs, tasks, and expectations." + } + }, + "requirementStatus": { + "type": "string", + "title": "Status", + "description": "The current status of the requirement in the development lifecycle.", + "enum": [ + "draft", + "proposed", + "approved", + "implemented", + "verified", + "deferred", + "rejected", + "replaced", + "obsolete" + ] + }, + "acceptanceCriterion": { + "type": "object", + "title": "Acceptance Criterion", + "description": "A specific condition that must be met for the requirement to be considered satisfied.", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "Identifier", + "description": "A unique identifier for the acceptance criterion." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the acceptance criterion." + }, + "status": { + "type": "string", + "title": "Status", + "description": "The current status of the acceptance criterion.", + "enum": [ + "pending", + "passed", + "failed" + ] } } - } - } - }, - "cyclonedx-dependency-2.0": { - "type": "null", - "title": "CycloneDX Dependency Model", - "$defs": { - "dependencies": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - }, - "uniqueItems": true, - "title": "Dependencies", - "description": "Provides the ability to document dependency relationships including provided & implemented components." }, "dependency": { "type": "object", "title": "Dependency", - "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. 
Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", - "required": [ - "ref" - ], + "description": "A dependency on another requirement.", "additionalProperties": false, "properties": { "ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "References a component or service by its bom-ref attribute" + "oneOf": [ + { + "title": "Ref", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] }, - "dependsOn": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - "title": "Depends On", - "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + "type": { + "type": "string", + "title": "Dependency Type", + "description": "The type of dependency relationship.", + "enum": [ + "requires", + "conflicts-with", + "enhances", + "implements", + "other" + ] }, - "provides": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - "title": "Provides", - "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." 
+ "description": { + "type": "string", + "title": "Description", + "description": "A description of the dependency relationship." } } } } }, - "cyclonedx-formulation-2.0": { + "cyclonedx-risk-2.0": { "type": "null", - "title": "CycloneDX Formulation Model", - "$defs": { - "formulation": { + "title": "CycloneDX Risk Model", + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" + }, + "domains": { "type": "array", + "description": "Risk domains covered by this assessment", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/formula" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" + } + }, + "scenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario" }, - "uniqueItems": true, - "title": "Formulation", - "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." 
+ "description": "Risk scenarios identified" }, - "formula": { - "title": "Formula", - "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/risk" + }, + "description": "Documented risks derived from scenarios" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" + }, + "description": "Controls, countermeasures, or mitigations to address identified risks" + }, + "assessments": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/assessment" + }, + "description": "Risk assessments and evaluations" + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + } + }, + "$defs": { + "riskDomain": { "type": "object", + "required": [ + "type" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the formula elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "components": { - "title": "Components", - "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" - }, - "uniqueItems": true - }, - "services": { - "title": "Services", - "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - }, - "uniqueItems": true + "type": { + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply_chain", + "technical", + "project" + ], + "meta:enum": { + "security": "Information security and cybersecurity risks", + "privacy": "Data protection and privacy risks", + "operational": "Business operations and continuity risks", + "financial": "Financial loss and economic impact risks", + "compliance": "Regulatory and legal compliance risks", + "strategic": "Strategic business and market risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } }, - "workflows": { - "title": "Workflows", - "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", - "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", - 
"type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workflow" - }, - "uniqueItems": true + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": { + "type": "string", + "description": "Additional context for this risk domain" } } }, - "workflow": { - "title": "Workflow", - "description": "A specialized orchestration task.", - "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": "Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their 
personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { "type": "object", "required": [ "bom-ref", - "uid", - "taskTypes" + "name", + "type" ], "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "type": "string", + "description": "Name of the risk scenario" }, "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "type": "string", + "description": "Detailed description of the scenario" }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "type": { + "type": "string", + "enum": [ + "threat", + "vulnerability", + "weakness", + "risk", + "incident", + "opportunity", + "hazard" + ], + "meta:enum": { + "threat": "Threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk (opportunity)", + "hazard": "Safety hazard scenario" } }, - "tasks": { - "title": "Tasks", - "description": "The tasks that comprise the workflow.", - "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/task" - } + "domain": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" }, - "taskDependencies": { - "title": "Task dependency graph", - "description": "The graph of dependencies between tasks 
within the workflow.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - } + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" }, - "taskTypes": { - "title": "Task types", - "description": "Indicates the types of activities performed by the set of workflow tasks.", - "$comment": "Currently, these types reflect common CI/CD actions.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" - } + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" }, - "trigger": { - "title": "Trigger", - "description": "The trigger that initiated the task.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + "riskScore": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" }, - "steps": { - "title": "Steps", - "description": "The sequence of steps for the task.", + "riskAttributes": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" }, - "uniqueItems": true + "description": "Risk attributes affected by this scenario" }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], + "affectedAssets": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to affected assets" }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "mitigations": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + 
"$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true - }, - "timeStart": { - "title": "Time start", - "description": "The date and time (timestamp) when the task started.", - "type": "string", - "format": "date-time" - }, - "timeEnd": { - "title": "Time end", - "description": "The date and time (timestamp) when the task ended.", - "type": "string", - "format": "date-time" + "description": "References to mitigations that address this scenario" }, - "workspaces": { - "title": "Workspaces", - "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "externalReferences": { "type": "array", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" } }, - "runtimeTopology": { - "title": "Runtime topology", - "description": "A graph of the component runtime topology for workflow's instance.", - "$comment": "A description of the runtime component and service topology. 
This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "compliance": { "type": "array", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" - } + "type": "object", + "required": [ + "framework", + "controlId" + ], + "additionalProperties": false, + "properties": { + "framework": { + "type": "string", + "description": "Name of the compliance program or framework" + }, + "controlId": { + "type": "string", + "description": "Identifier of the control within the framework" + }, + "reference": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference", + "description": "Link or citation to the requirement or control documentation" + }, + "description": { + "type": "string", + "description": "Optional notes describing the mapping" + } + } + }, + "description": "Compliance frameworks and control references this mitigation supports" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "task": { - "title": "Task", - "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", - "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "risk": { "type": "object", "required": [ "bom-ref", - "uid", - "taskTypes" + "name", + "statement" ], "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the task elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" - }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" - }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" - }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } - }, - "taskTypes": { - "title": "Task types", - "description": "Indicates the types of activities performed by the set of workflow tasks.", - "$comment": "Currently, these types reflect common CI/CD actions.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/taskType" - } + "name": { + "type": "string", + "description": "Name or identifier for the risk" }, - "trigger": { - "title": "Trigger", - "description": "The trigger that initiated the task.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/trigger" + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact" }, - "steps": { - "title": "Steps", - "description": "The sequence of steps for the task.", - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/step" - }, - "uniqueItems": true + "description": { + "type": "string", + "description": "Additional narrative about the risk" }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at 
runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" - ], + "domains": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskDomain" }, - "uniqueItems": true + "description": "Risk domains impacted" }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "scenarios": { "type": "array", + "minItems": 1, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to scenarios this risk addresses" }, - "timeStart": { - "title": "Time start", - "description": "The date and time (timestamp) when the task started.", - "type": "string", - "format": "date-time" + "likelihood": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihood" }, - "timeEnd": { - "title": "Time end", - "description": "The date and time (timestamp) when the task ended.", - "type": "string", - "format": "date-time" + "impact": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impact" }, - "workspaces": { - "title": "Workspaces", - "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "riskScore": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "riskAttributes": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/workspace" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + } + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskResponse" }, - "uniqueItems": true + "description": "Risk responses or mitigation plans applied to this risk" }, - "runtimeTopology": { - "title": "Runtime topology", - 
"description": "A graph of the component runtime topology for task's instance.", - "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "relatedThreats": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-dependency-2.0/$defs/dependency" + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatScenario" }, - "uniqueItems": true + "description": "Related threat scenarios informing this risk" + }, + "status": { + "type": "string", + "enum": [ + "identified", + "assessed", + "mitigated", + "accepted", + "transferred", + "retired" + ], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated", + "assessed": "Risk has been assessed and prioritized", + "mitigated": "Mitigations are in place reducing this risk", + "accepted": "Risk has been formally accepted", + "transferred": "Risk has been transferred to another party", + "retired": "Risk no longer applies" + } + }, + "owner": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Owner or accountable party for this risk" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "step": { + "likelihood": { "type": "object", - "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "required": [ + "level" + ], "additionalProperties": false, "properties": { - "name": { - "title": "Name", - "description": "A name for the step.", - "type": "string" + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", + "enum": [ + "certain", + "high", + "low", + "medium", + "veryHigh", + "veryLow" + ], + "meta:enum": { + "certain": "Almost certain to occur (> 90% probability).", + 
"high": "Likely to occur (60-90% probability).", + "low": "Unlikely to occur (10-30% probability).", + "medium": "Possible to occur (30-60% probability).", + "veryHigh": "Very likely to occur (75-90% probability).", + "veryLow": "Very unlikely to occur (< 10% probability)." + } }, - "description": { - "title": "Description", - "description": "A description of the step.", - "type": "string" + "score": { + "type": "number", + "minimum": 0, + "maximum": 5, + "description": "Numeric likelihood score" }, - "commands": { - "title": "Commands", - "description": "Ordered list of commands or directives for the step", + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "factors": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/command" - } + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/likelihoodFactor" + }, + "description": "Factors considered when determining the likelihood level" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" } } }, - "command": { + "likelihoodFactor": { "type": "object", + "title": "Likelihood Factor", + "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. 
Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", + "required": [ + "name", + "type" + ], "additionalProperties": false, "properties": { - "executed": { - "title": "Executed", - "description": "A text representation of the executed command.", - "type": "string" + "name": { + "type": "string", + "title": "Name", + "description": "The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.", + "minLength": 1 + }, + "type": { + "title": "Type", + "description": "The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "oneOf": [ + { + "title": "Predefined Likelihood Factor Type", + "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.", + "type": "string", + "additionalProperties": false, + "enum": [ + "attackVector", + "controlEffectiveness", + "exploitMaturity", + "exposure", + "motivation", + "opportunity", + "other", + "threatCapability", + "vulnerability" + ], + "meta:enum": { + "attackVector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", + "controlEffectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.", + "exploitMaturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", + "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.", + "motivation": 
"Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, or competitive advantage.", + "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.", + "other": "A likelihood factor type not defined by the CycloneDX standard. Use the custom type option for factors specific to an organization's risk methodology.", + "threatCapability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", + "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor." + } + }, + { + "title": "Custom Likelihood Factor Type", + "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.", + "type": "object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the custom likelihood factor type.", + "minLength": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom likelihood factor type and how it contributes to likelihood assessment." 
+ } + } + } + ] + }, + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", + "enum": [ + "certain", + "high", + "low", + "medium", + "veryHigh", + "veryLow" + ], + "meta:enum": { + "certain": "This factor almost certainly contributes to risk realization (> 90% influence).", + "high": "This factor strongly contributes to risk realization (60-90% influence).", + "low": "This factor has limited contribution to risk realization (10-30% influence).", + "medium": "This factor moderately contributes to risk realization (30-60% influence).", + "veryHigh": "This factor very strongly contributes to risk realization (75-90% influence).", + "veryLow": "This factor has minimal contribution to risk realization (< 10% influence)." + } + }, + "score": { + "type": "number", + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates maximum contribution.", + "minimum": 0, + "maximum": 5 + }, + "weight": { + "type": "number", + "title": "Weight", + "description": "The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.", + "minimum": 0, + "maximum": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment." 
}, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "workspace": { - "title": "Workspace", - "description": "A named filesystem or data resource shareable by workflow tasks.", + "impact": { "type": "object", "required": [ - "bom-ref", - "uid" + "level" ], "additionalProperties": false, "properties": { - "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" + "level": { + "type": "string", + "enum": [ + "negligible", + "low", + "moderate", + "major", + "catastrophic" + ], + "description": "Impact severity level", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "major": "Significant impact with serious consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" }, - "aliases": { - "title": "Aliases", - "description": "The names for the workspace as referenced by other workflow tasks. 
Effectively, a name mapping so other tasks can use their own local name in their steps.", + "categories": { "type": "array", "items": { - "type": "string" - } - }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", + "riskAttributes": { "type": "array", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - } - }, - "accessMode": { - "title": "Access mode", - "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", - "type": "string", - "enum": [ - "read-only", - "read-write", - "read-write-once", - "write-once", - "write-only" - ] - }, - "mountPath": { - "title": "Mount path", - "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", - "type": "string" - }, - "managedDataType": { - "title": "Managed data type", - "description": "The name of a domain-specific data type the workspace represents.", - "$comment": "This property is for CI/CD 
frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", - "examples": [ - "ConfigMap", - "Secret" - ], - "type": "string" - }, - "volumeRequest": { - "title": "Volume request", - "description": "Identifies the reference to the request for a specific volume type and parameters.", - "examples": [ - "a kubernetes Persistent Volume Claim (PVC) name" - ], - "type": "string" + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskAttribute" + }, + "description": "Risk attributes affected" }, - "volume": { - "title": "Volume", - "description": "Information about the actual volume instance allocated to the workspace.", - "$comment": "The actual volume allocated may be different than the request.", - "examples": [ - "see https://kubernetes.io/docs/concepts/storage/persistent-volumes/" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/volume" + "quantification": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/impactQuantification" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "description": { + "type": "string", + "description": "Description of the potential impact" } } }, - "volume": { - "title": "Volume", - "description": "An identifiable, logical unit of data storage tied to a physical device.", + "impactQuantification": { "type": "object", "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the volume instance within its deployment context.", - "type": "string" + "financialLoss": { + "type": "number", + "description": "Estimated financial loss in currency units" }, - "name": { - "title": "Name", - "description": "The name of the volume instance", - "type": "string" + "currency": { + "type": "string", + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" }, - "mode": { - "title": "Mode", - "description": "The mode for the volume instance.", + "affectedUsers": { + "type": 
"integer", + "description": "Number of affected users" + }, + "downtime": { "type": "string", - "enum": [ - "filesystem", - "block" - ], - "default": "filesystem" + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" }, - "path": { - "title": "Path", - "description": "The underlying path created from the actual volume.", - "type": "string" + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" }, - "sizeAllocated": { - "title": "Size allocated", - "description": "The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.", - "examples": [ - "10GB", - "2Ti", - "1Pi" + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" + } + } + }, + "riskScore": { + "type": "object", + "required": [ + "level" + ], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" ], - "type": "string" + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", + "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } }, - "persistent": { - "title": "Persistent", - "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", - "type": "boolean" + "score": { + "type": "number", + "minimum": 1, + "description": "Numeric risk score" }, - "remote": { - "title": "Remote", - "description": "Indicates if the volume is remotely (i.e., network) attached.", - "type": 
"boolean" + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" } } }, - "trigger": { - "title": "Trigger", - "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "riskResponse": { "type": "object", - "additionalProperties": false, "required": [ - "type", "bom-ref", - "uid" + "mitigations", + "mitigationPlan" ], + "additionalProperties": false, "properties": { "bom-ref": { - "title": "BOM Reference", - "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier for the resource instance within its deployment context.", - "type": "string" + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigation" + }, + "description": "Mitigations applied to this risk response" }, - "name": { - "title": "Name", - "description": "The name of the resource instance.", - "type": "string" + "mitigationPlan": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/mitigationPlan" + } + } + }, + "mitigation": { + "type": "object", + "required": [ + "bom-ref", + "reference" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" }, - "description": { - "title": "Description", - "description": "A description of the resource instance.", - "type": "string" + "reference": { + 
"description": "Reference to a mitigation/control implementing the response.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "resourceReferences": { - "title": "Resource references", - "description": "References to component or service resources that are used to realize the resource instance.", - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "strategy": { + "type": "string", + "enum": [ + "prevent", + "detect", + "respond", + "recover" + ], + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" } }, "type": { - "title": "Type", - "description": "The source type of event which caused the trigger to fire.", "type": "string", "enum": [ - "manual", - "api", - "webhook", - "scheduled" - ] - }, - "event": { - "title": "Event", - "description": "The event data that caused the associated trigger to activate.", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/event" - }, - "conditions": { - "type": "array", - "title": "Conditions", - "description": "A list of conditions used to determine if a trigger should be activated.", - "uniqueItems": true, - "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/condition" + "control", + "countermeasure", + "procedure", + "removal" + ], + "meta:enum": { + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "procedure": "Documented procedure", + "removal": "Removing a risky component or asset" } }, - "timeActivated": { - "title": "Time activated", - "description": "The date and time (timestamp) when the trigger was activated.", + "status": { "type": "string", - "format": "date-time" + "enum": [ + "proposed", + "approved", + "planned", + "inProgress", + "implemented", + "verified" + ], + "meta:enum": { + "proposed": 
"Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } }, - "inputs": { - "title": "Inputs", - "description": "Represents resources and data brought into a task at runtime by executor or task commands", - "examples": [ - "a `configuration` file which was declared as a local `component` or `externalReference`" + "priority": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": [ + "trivial", + "low", + "medium", + "high", + "extreme" ], + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and significant effort", + "extreme": "Extreme cost and major effort" + } + }, + "addresses": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/inputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to scenarios this plan addresses" }, - "outputs": { - "title": "Outputs", - "description": "Represents resources and data output from a task at runtime by executor or task commands", - "examples": [ - "a log file or metrics data produced by the task" - ], + "implementedBy": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/outputType" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "uniqueItems": true + "description": "References to assets that implement this plan" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "event": { - "title": "Event", - 
"description": "Represents something that happened that may trigger a response.", + "mitigationPlan": { "type": "object", + "required": [ + "name", + "type", + "status", + "mitigations" + ], "additionalProperties": false, "properties": { - "uid": { - "title": "Unique Identifier (UID)", - "description": "The unique identifier of the event.", - "type": "string" + "name": { + "type": "string", + "description": "Name of the mitigation plan" }, "description": { - "title": "Description", - "description": "A description of the event.", - "type": "string" - }, - "timeReceived": { - "title": "Time Received", - "description": "The date and time (timestamp) when the event was received.", "type": "string", - "format": "date-time" + "description": "Description of what the plan covers" }, - "data": { - "title": "Data", - "description": "Encoding of the raw event data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Safeguards mitigating adverse events", + "practice": "Operational or governance practice", + "procedure": "Documented procedure" + } }, - "source": { - "title": "Source", - "description": "References the component or service that was the source of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "status": { + "type": "string", + "enum": [ + "proposed", + "approved", + "planned", + "inProgress", + "implemented", + "verified" + ], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + 
"planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } }, - "target": { - "title": "Target", - "description": "References the component or service that was the target of the event", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "List of mitigation bom-refs chosen for this plan" } } }, - "inputType": { - "title": "Input type", - "description": "Type that represents various input data types and formats.", + "effectiveness": { "type": "object", - "oneOf": [ - { - "required": [ - "resource" - ] - }, - { - "required": [ - "parameters" - ] - }, - { - "required": [ - "environmentVars" - ] + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Effectiveness as decimal" }, - { - "required": [ - "data" - ] + "rating": { + "type": "string", + "enum": [ + "ineffective", + "marginal", + "adequate", + "good", + "excellent" + ], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } } + } + }, + "assessment": { + "type": "object", + "required": [ + "bom-ref", + "type", + "timestamp" ], "additionalProperties": false, "properties": { - "source": { - "title": "Source", - "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of 
`inbound`)", - "examples": [ - "source code repository", - "database" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "target": { - "title": "Target", - "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", - "examples": [ - "workspace", - "directory" + "type": { + "type": "string", + "enum": [ + "initial", + "periodic", + "continuous", + "triggered" ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", - "examples": [ - "a reference to a configuration file in a repository (i.e., a bom-ref)", - "a reference to a scanning service used in a task (i.e., a bom-ref)" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" }, - "parameters": { - "title": "Parameters", - "description": "Inputs that have the form of parameters with names and values.", + "assessor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" + }, + "summary": { + "type": "string", + "description": "Executive summary of the assessment" + }, + "risks": { "type": "array", - "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/parameter" - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to risk entries evaluated in this assessment" }, 
- "environmentVars": { - "title": "Environment variables", - "description": "Inputs that have the form of parameters with names and values.", + "overallRisk": { + "type": "object", + "required": [ + "method", + "score" + ], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": [ + "sum", + "average", + "custom" + ], + "description": "Aggregation method used to derive the overall risk" + }, + "score": { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/riskScore" + }, + "description": { + "type": "string", + "description": "Optional explanation for custom aggregation approaches" + } + }, + "description": "Aggregated risk result for this assessment" + }, + "recommendations": { "type": "array", - "uniqueItems": true, "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." 
- } - ] - } + "type": "string" + }, + "description": "Recommendations from the assessment" }, - "data": { - "title": "Data", - "description": "Inputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur" }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" } } }, - "outputType": { + "priority": { + "type": "string", + "enum": [ + "none", + "low", + "medium", + "high", + "critical" + ], + "description": "Priority level", + "meta:enum": { + "none": "No priority assigned", + "low": "Low priority - address when convenient", + "medium": "Medium priority - address in normal cycle", + "high": "High priority - address soon", + "critical": "Critical priority - address immediately" + } + }, + "severity": { + "type": "string", + "enum": [ + "info", + "low", + "medium", + "high", + "critical" + ], + "description": "Severity level", + "meta:enum": { + "info": "Informational finding", + "low": "Low severity issue", + "medium": "Medium severity issue", + "high": "High severity issue", + "critical": "Critical severity issue" + } + }, + "criticality": { + "type": "string", + "enum": [ + "minimal", + "low", + "moderate", + "high", + "critical" + ], + "description": "Business criticality level", + "meta:enum": { + "minimal": "Minimal impact on business operations", + "low": "Low impact with minor inconvenience", + "moderate": "Moderate impact affecting some operations", + "high": "High impact affecting critical operations", + "critical": "Critical impact with severe business consequences" + } + } + } + }, + "cyclonedx-service-2.0": { + "type": "null", + "title": "CycloneDX Service Model", + "$defs": { + "services": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + }, + "uniqueItems": true, + "title": "Services" + }, + "service": { "type": "object", - "oneOf": [ - { - 
"required": [ - "resource" - ] - }, - { - "required": [ - "environmentVars" - ] - }, - { - "required": [ - "data" - ] - } + "title": "Service", + "required": [ + "name" ], "additionalProperties": false, "properties": { - "type": { - "title": "Type", - "description": "Describes the type of data output.", + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + }, + "group": { "type": "string", - "enum": [ - "artifact", - "attestation", - "log", - "evidence", - "metrics", - "other" + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "examples": [ + "com.acme" ] }, - "source": { - "title": "Source", - "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" - }, - "target": { - "title": "Target", - "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", "examples": [ - "a log file described as an `externalReference` within its target domain." 
- ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "ticker-service" + ] }, - "resource": { - "title": "Resource", - "description": "A reference to an independent resource generated as output by the task.", + "version": { + "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", + "title": "Service Version", + "description": "The service version." + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", "examples": [ - "configuration file", - "source code", - "scanning service" - ], - "$ref": "#/$defs/cyclonedx-formulation-2.0/$defs/resourceReferenceChoice" + "https://example.com/api/v1/ticker" + ] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." 
}, "data": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + }, "title": "Data", - "description": "Outputs that have the form of data.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "description": "Specifies information about the data including the directional flow of data and the data classification." + }, + "licenses": { + "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", + "title": "Service License(s)" + }, + "patentAssertions": { + "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", + "title": "Service Patent(s)" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" }, - "environmentVars": { - "title": "Environment variables", - "description": "Outputs that have the form of environment variables.", + "services": { "type": "array", "items": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - }, - { - "type": "string", - "title": "String-Based Environment Variables", - "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." - } - ] + "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" }, - "uniqueItems": true + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." 
}, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "resourceReferenceChoice": { - "title": "Resource reference choice", - "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", - "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", - "type": "object", - "additionalProperties": false, - "properties": { - "ref": { - "title": "BOM Reference", - "description": "References an object by its bom-ref attribute", - "anyOf": [ - { - "title": "Ref", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] }, - "externalReference": { - "title": "External reference", - "description": "Reference to an externally accessible resource.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" - } - }, - "oneOf": [ - { - "required": [ - "ref" - ] + "tags": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", + "title": "Tags" }, - { - "required": [ - "externalReference" - ] + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." 
} - ] + } }, - "condition": { - "title": "Condition", - "description": "A condition that was used to determine a trigger should be activated.", + "serviceData": { "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], "additionalProperties": false, "properties": { - "description": { - "title": "Description", - "description": "Describes the set of conditions which cause the trigger to activate.", - "type": "string" + "flow": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." }, - "expression": { - "title": "Expression", - "description": "The logical expression that was evaluated that determined the trigger should be fired.", - "type": "string" + "classification": { + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - } - } - }, - "taskType": { - "type": "string", - "enum": [ - "copy", - "clone", - "lint", - "scan", - "merge", - "build", - "test", - "deliver", - "deploy", - "release", - "clean", - "other" - ], - "meta:enum": { - "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", - "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", - "lint": "A task that checks source code for programmatic and stylistic errors.", - "scan": "A task that performs a scan against source code, or built or deployed components and services. 
Scans are typically run to gather or test for security vulnerabilities or policy compliance.", - "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", - "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", - "test": "A task that verifies the functionality of a component or service.", - "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", - "deploy": "A task that deploys a built artifact for execution on one or more target systems.", - "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", - "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", - "other": "A workflow task that does not match current task type definitions." - } - }, - "parameter": { - "title": "Parameter", - "description": "A representation of a functional parameter.", - "type": "object", - "additionalProperties": false, - "properties": { "name": { + "type": "string", "title": "Name", - "description": "The name of the parameter.", - "type": "string" - }, - "value": { - "title": "Value", - "description": "The value of the parameter.", - "type": "string" + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] }, - "dataType": { - "title": "Data type", - "description": "The data type of the parameter.", - "type": "string" - } - } - } - } - }, - "cyclonedx-license-2.0": { - "type": "null", - "title": "CycloneDX License Model", - "$defs": { - "licenseChoice": { - "title": "License Choice", - "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", - "type": "array", - "items": { - "oneOf": [ - { - "type": "object", - "title": "License", - "required": [ - "license" - ], - "additionalProperties": false, - "properties": { - "license": { - 
"$ref": "#/$defs/cyclonedx-license-2.0/$defs/license" - } - } - }, - { - "title": "License Expression", - "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", - "type": "object", - "additionalProperties": false, - "required": [ - "expression" - ], - "properties": { - "expression": { - "type": "string", - "title": "SPDX License Expression", - "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", - "examples": [ - "Apache-2.0 AND (MIT OR GPL-2.0-only)", - "GPL-3.0-only WITH Classpath-exception-2.0" - ] - }, - "expressionDetails": { - "title": "Expression Details", - "description": "Details for parts of the `expression`.", - "type": "array", - "items": { - "type": "object", - "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", - "required": [ - "licenseIdentifier" - ], - "properties": { - "licenseIdentifier": { - "title": "License Identifier", - "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", - "type": "string", - "examples": [ - "Apache-2.0", - "GPL-3.0-only WITH Classpath-exception-2.0", - "LicenseRef-my-custom-license" - ] - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "text": { - "title": "License texts", - "description": "A way to include the textual content of the license.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" - }, - "url": { - "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", - "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" - ], - "format": "iri-reference" - } - }, - "additionalProperties": false - } - }, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" - }, - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." 
+ "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" + ] + }, + "governance": { + "title": "Data Governance", + "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + }, + "source": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" + } + ] + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + { + "title": "BOM-Link Element", + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" } - } - } - ] + ] + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + } + } + } + } + }, + "cyclonedx-standard-2.0": { + "type": "null", + "title": "CycloneDX Standard Model", + "$defs": { + "standards": { + "type": "array", + "title": "Standards", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "items": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard" } }, - "license": { + "standard": { "type": "object", - "title": "License", - "description": "Specifies the details and attributes related to a software license. 
It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", - "oneOf": [ - { - "required": [ - "id" - ] - }, - { - "required": [ - "name" - ] - } - ], + "title": "Standard", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", "additionalProperties": false, "properties": { "bom-ref": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", "title": "BOM Reference", - "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "id": { - "$ref": "../spdx.schema.json", - "title": "License ID (SPDX)", - "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", - "examples": [ - "Apache-2.0" - ] + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, "name": { "type": "string", - "title": "License Name", - "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", - "examples": [ - "Acme Software License" - ] + "title": "Name", + "description": "The name of the standard. This will often be a shortened, single name of the standard." 
}, - "acknowledgement": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseAcknowledgementEnumeration" + "version": { + "type": "string", + "title": "Version", + "description": "The version of the standard." }, - "text": { - "title": "License text", - "description": "A way to include the textual content of a license.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "description": { + "type": "string", + "title": "Description", + "description": "The description of the standard." }, - "url": { + "owner": { "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", - "examples": [ - "https://www.apache.org/licenses/LICENSE-2.0.txt" - ], - "format": "iri-reference" + "title": "Owner", + "description": "The owner of the standard, often the entity responsible for its release." }, - "licensing": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licensing" + "requirements": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "levels": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + }, + "signature": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } }, - "licenseAcknowledgementEnumeration": { - "title": "License Acknowledgement", - "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. 
On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", - "type": "string", - "enum": [ - "declared", - "concluded" - ], - "meta:enum": { - "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", - "concluded": "Concluded licenses are verified and confirmed." + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirements comprising the standard.", + "items": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement" } }, - "licensing": { + "requirement": { "type": "object", - "title": "Licensing information", - "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "title": "Requirement", "additionalProperties": false, "properties": { - "altIds": { - "type": "array", - "title": "Alternate License Identifiers", - "description": "License identifiers that may be used to manage licenses and their lifecycle", - "items": { - "type": "string" - } - }, - "licensor": { - "title": "Licensor", - "description": "The individual or organization that grants a license to another individual or organization", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensor (Organization)", - "description": "The organization that granted the license", - "$ref": 
"#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Licensor (Individual)", - "description": "The individual, not associated with an organization, that granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } - ] - }, - "licensee": { - "title": "Licensee", - "description": "The individual or organization for which a license was granted to", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Licensee (Organization)", - "description": "The organization that was granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Licensee (Individual)", - "description": "The individual, not associated with an organization, that was granted the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } - ] - }, - "purchaser": { - "title": "Purchaser", - "description": "The individual or organization that purchased the license", - "type": "object", - "additionalProperties": false, - "properties": { - "organization": { - "title": "Purchaser (Organization)", - "description": "The organization that purchased the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "individual": { - "title": "Purchaser (Individual)", - "description": "The individual, not associated with an organization, that purchased the license", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } - }, - "oneOf": [ - { - "required": [ - "organization" - ] - }, - { - "required": [ - "individual" - ] - } - ] + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier 
which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." }, - "purchaseOrder": { + "identifier": { "type": "string", - "title": "Purchase Order", - "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + "title": "Identifier", + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." }, - "licenseTypes": { + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement." + }, + "descriptions": { "type": "array", - "title": "License Type", - "description": "The type of license(s) that was granted to the licensee.", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "items": { + "type": "string" + } + }, + "openCre": { + "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. 
Use of CRE promotes clear and unambiguous communication among stakeholders.", "items": { "type": "string", - "enum": [ - "academic", - "appliance", - "client-access", - "concurrent-user", - "core-points", - "custom-metric", - "device", - "evaluation", - "named-user", - "node-locked", - "oem", - "perpetual", - "processor-points", - "subscription", - "user", - "other" - ], - "meta:enum": { - "academic": "A license that grants use of software solely for the purpose of education or research.", - "appliance": "A license covering use of software embedded in a specific piece of hardware.", - "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", - "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", - "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", - "custom-metric": "A license for which consumption is measured by non-standard metrics.", - "device": "A license that covers a defined number of installations on computers and other types of devices.", - "evaluation": "A license that grants permission to install and use software for trial purposes.", - "named-user": "A license that grants access to the software to one or more pre-defined users.", - "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", - "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", - "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", - "processor-points": "A license where each installation consumes points per processor.", - "subscription": "A license where the licensee pays a fee to use the 
software or service.", - "user": "A license that grants access to the software or service by a specified number of users.", - "other": "Another license type." - } + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ + "CRE:764-507" + ] } }, - "lastRenewal": { + "parent": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", + "title": "Parent BOM Reference", + "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + }, + "properties": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + }, + "externalReferences": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", + "items": { + "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level" + } + }, + "level": { + "type": "object", + "title": "Level", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "identifier": { "type": "string", - "format": "date-time", - "title": "Last Renewal", - "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level." 
}, - "expiration": { + "title": { "type": "string", - "format": "date-time", - "title": "Expiration", - "description": "The timestamp indicating when the current license expires (if applicable)." + "title": "Title", + "description": "The title of the level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirement `bom-ref`s that comprise the level.", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" + } } } } } }, - "cyclonedx-metadata-2.0": { + "cyclonedx-threat-2.0": { "type": "null", - "title": "CycloneDX Metadata Model", + "title": "CycloneDX Threat Model", "$defs": { - "metadata": { + "threatScenario": { "type": "object", - "title": "BOM Metadata", - "description": "Provides additional information about a BOM.", + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-risk-2.0/$defs/scenario" + }, + { + "properties": { + "threatCategory": { + "type": "string", + "description": "Threat category based on methodology (e.g., STRIDE category)" + }, + "threatActor": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile" + }, + "attackVector": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackVector" + }, + "attackPattern": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/attackPatternReference" + }, + "abuseCases": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that illustrate how this threat can be exercised" + }, + "weakness": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/weaknessReference" + }, + "exploitability": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/exploitability" + }, + "indicators": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/indicators" + }, + "killChainPhase": { + "type": "string", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + 
"exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target", + "weaponization": "Creating malicious payloads", + "delivery": "Transmitting weapon to target", + "exploitation": "Exploiting vulnerabilities", + "installation": "Installing malware or backdoors", + "command-and-control": "Establishing C2 channel", + "actions-on-objectives": "Achieving attack goals" + } + }, + "technicalImpact": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "unauthorized-access", + "data-breach", + "data-corruption", + "service-disruption", + "privilege-escalation", + "code-execution", + "information-disclosure", + "denial-of-service" + ] + } + } + } + } + ] + }, + "threatActor": { + "type": "object", + "required": [ + "bom-ref", + "name", + "type" + ], "additionalProperties": false, "properties": { - "timestamp": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the BOM was created." + "description": "Name or identifier of the threat actor" }, - "lifecycles": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/lifecycles" + "description": { + "type": "string", + "description": "Description of the threat actor" }, - "tools": { - "type": "object", - "title": "Tools", - "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", - "additionalProperties": false, - "properties": { - "components": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/components", - "description": "A list of software and hardware components used as tools." - }, - "services": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/services", - "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." 
- } + "type": { + "type": "string", + "enum": [ + "individual", + "group", + "organization", + "nation-state", + "unknown" + ], + "meta:enum": { + "individual": "Individual threat actor", + "group": "Organized group or collective", + "organization": "Corporate or criminal organization", + "nation-state": "Nation-state sponsored actor", + "unknown": "Unknown threat actor type" } }, - "manufacturer": { - "title": "BOM Manufacturer", - "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Known aliases or alternative names" }, - "authors": { + "profile": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/threatActorProfile" + }, + "observedTTPs": { "type": "array", - "title": "BOM Authors", - "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - } + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/ttp" + }, + "description": "Observed tactics, techniques, and procedures" }, - "component": { - "description": "The component that the BOM describes.", - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/component" + "attributedAttacks": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Attacks attributed to this actor" }, - "supplier": { - "title": "Supplier", - "description": " The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" + "targeting": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/targeting" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReference" + } + } + } + }, + "threatActorProfile": { + "type": "object", + "additionalProperties": false, + "properties": { + "sophistication": { + "type": "string", + "enum": [ + "none", + "minimal", + "intermediate", + "advanced", + "expert" + ], + "meta:enum": { + "none": "No technical sophistication", + "minimal": "Script kiddie level", + "intermediate": "Intermediate technical skills", + "advanced": "Advanced persistent threat", + "expert": "Nation-state level capabilities" + } + }, + "motivation": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ] + }, + "description": "Primary motivations" }, - "licenses": { - "title": "BOM License(s)", - "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice" + "intent": { + "type": "string", + "enum": [ + "accidental", + "opportunistic", + "targeted", + "persistent" + ], + "description": "Intent level" }, - "distributionConstraints": { - "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/distributionConstraints" + "resources": { + "type": "string", + "enum": [ + "minimal", + "limited", + "moderate", + "substantial", + "unlimited" + ], + "description": "Resource availability" }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" + "accessLevel": { + "type": "string", + "enum": [ + "none", + "external", + 
"internal", + "privileged", + "physical" + ], + "description": "Level of access to target systems" + }, + "skillSet": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific skills possessed" } } }, - "distributionConstraints": { - "title": "Distribution Constraints", - "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", + "attackVector": { "type": "object", + "additionalProperties": false, "properties": { - "tlp": { - "$ref": "#/$defs/cyclonedx-metadata-2.0/$defs/tlpClassification", - "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." + "type": { + "type": "string", + "enum": [ + "network", + "adjacent", + "local", + "physical" + ], + "meta:enum": { + "network": "Remotely exploitable via network", + "adjacent": "Exploitable from adjacent network", + "local": "Requires local access", + "physical": "Requires physical access" + } + }, + "complexity": { + "type": "string", + "enum": [ + "low", + "high" + ], + "description": "Attack complexity" + }, + "privileges": { + "type": "string", + "enum": [ + "none", + "low", + "high" + ], + "description": "Privileges required" + }, + "userInteraction": { + "type": "string", + "enum": [ + "none", + "required" + ], + "description": "User interaction requirement" + }, + "scope": { + "type": "string", + "enum": [ + "unchanged", + "changed" + ], + "description": "Scope impact" } } }, - "tlpClassification": { - "title": "Traffic Light Protocol (TLP) Classification", - "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. 
Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", - "type": "string", - "default": "CLEAR", - "enum": [ - "CLEAR", - "GREEN", - "AMBER", - "AMBER_AND_STRICT", - "RED" + "abuseCase": { + "type": "object", + "required": [ + "bom-ref", + "name" ], - "meta:enum": { - "CLEAR": "The information is not subject to any restrictions as regards the sharing.", - "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", - "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", - "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", - "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." 
- } - } - } - }, - "cyclonedx-patent-2.0": { - "type": "null", - "title": "CycloneDX Patent Model", - "$defs": { - "patents": { - "type": "array", - "title": "Patents", - "description": "The list of either individual patents or patent families.", - "items": { - "anyOf": [ - { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patent" + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the abuse case" + }, + "description": { + "type": "string", + "description": "Narrative describing how the system can be misused or abused" + }, + "abuser": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference (bom-ref) to a threat actor involved in the abuse case" + }, + "targets": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFamily" - } - ] + "description": "References (bom-refs) to assets or flows targeted in this abuse case" + }, + "steps": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered steps the abuser follows" + } } }, - "patent": { + "attackPattern": { "type": "object", - "title": "Patent", - "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.", "required": [ - "patentNumber", - "jurisdiction", - "patentLegalStatus" + "bom-ref", + "name" ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. 
Every `bom-ref` must be unique within the BOM." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "patentNumber": { + "capecId": { + "type": "integer", + "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + }, + "name": { "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Number", - "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).", - "examples": [ - "US987654321", - "EP1234567B1" - ] + "description": "Name of the attack pattern" }, - "applicationNumber": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" + "description": { + "type": "string", + "description": "Description of the attack pattern" }, - "jurisdiction": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + "prerequisites": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Prerequisites for the attack" }, - "priorityApplication": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + "techniques": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" + }, + "description": "Techniques used in the attack" }, - "publicationNumber": { + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to mitigations" + }, + "examples": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Real-world examples" + } + } + }, + "attackPatternReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "patternRef": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to attack pattern" + }, + "capecId": { + "type": "integer", + "description": "CAPEC ID if not 
referencing internal pattern" + }, + "customization": { "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Publication Number", - "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd" + "description": "How this pattern is customized for the specific scenario" + } + } + }, + "technique": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "description": "Technique ID (e.g., MITRE ATT&CK ID)" }, - "title": { + "name": { "type": "string", - "title": "Patent Title", - "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." + "description": "Name of the technique" }, - "abstract": { + "tactic": { "type": "string", - "title": "Patent Abstract", - "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." 
+ "description": "Associated tactic" }, - "filingDate": { + "procedure": { "type": "string", - "format": "date", - "title": "Filing Date", - "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + "description": "Specific procedure" }, - "grantDate": { + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools used with this technique" + } + } + }, + "weakness": { + "type": "object", + "required": [ + "bom-ref" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" + }, + "name": { "type": "string", - "format": "date", - "title": "Grant Date", - "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)." + "description": "Name of the weakness" }, - "patentExpirationDate": { + "description": { "type": "string", - "format": "date", - "title": "Expiration Date", - "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." + "description": "Description of the weakness" }, - "patentLegalStatus": { + "abstraction": { "type": "string", - "title": "Legal Status", - "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. 
Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.", "enum": [ - "pending", - "granted", - "revoked", - "expired", - "lapsed", - "withdrawn", - "abandoned", - "suspended", - "reinstated", - "opposed", - "terminated", - "invalidated", - "in-force" - ], - "meta:enum": { - "pending": "The patent application has been filed but not yet examined or granted.", - "granted": "The patent application has been examined and a patent has been issued.", - "revoked": "The patent has been declared invalid through a legal or administrative process.", - "expired": "The patent has reached the end of its enforceable term.", - "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.", - "withdrawn": "The patent application was voluntarily withdrawn by the applicant.", - "abandoned": "The patent application was abandoned, often due to lack of action or response.", - "suspended": "Processing of the patent application has been temporarily halted.", - "reinstated": "A previously abandoned or lapsed patent has been reinstated.", - "opposed": "The patent application or granted patent is under formal opposition proceedings.", - "terminated": "The patent or application has been officially terminated.", - "invalidated": "The patent has been invalidated, either in part or in full.", - "in-force": "The granted patent is active and enforceable." 
+ "pillar", + "class", + "base", + "variant", + "compound" + ], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" } }, - "patentAssignee": { + "ordinality": { + "type": "string", + "enum": [ + "primary", + "resultant", + "indirect" + ], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { "type": "array", - "title": "Patent Assignees", - "description": "A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.", "items": { - "oneOf": [ - { - "title": "Person", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact" - }, - { - "title": "Organizational Entity", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - } - ] - } + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Assets affected by this weakness" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "exploitationDifficulty": { + "type": "string", + "enum": [ + "trivial", + "easy", + "moderate", + "difficult", + "impractical" + ], + "description": "Difficulty of exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" } } }, - "patentFamily": { + "weaknessReference": { "type": "object", - "title": "Patent Family", - "description": "A patent family is a group of related patent applications or granted patents that 
cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", - "required": [ - "familyId" - ], "additionalProperties": false, "properties": { - "bom-ref": { + "weaknessRef": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." + "description": "Reference to weakness" }, - "familyId": { + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { "type": "string", - "title": "Patent Family ID", - "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." 
+ "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": [ + "theoretical", + "proof-of-concept", + "functional", + "weaponized" + ], + "meta:enum": { + "theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } }, - "priorityApplication": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/priorityApplication" + "complexity": { + "type": "string", + "enum": [ + "trivial", + "low", + "medium", + "high", + "very-high" + ], + "description": "Complexity to exploit" }, - "members": { + "skillRequired": { + "type": "string", + "enum": [ + "none", + "basic", + "intermediate", + "advanced", + "expert" + ], + "description": "Skill level required" + }, + "toolsRequired": { "type": "array", - "title": "Family Members", - "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "BOM Reference", - "description": "A `bom-ref` linking to a patent or application object within the BOM." 
- } + "type": "string" + }, + "description": "Tools required for exploitation" }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "timeRequired": { + "type": "string", + "description": "Estimated time to develop exploit" + }, + "reliability": { + "type": "string", + "enum": [ + "unreliable", + "occasional", + "reliable", + "highly-reliable" + ], + "description": "Reliability of exploitation" + }, + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" } } }, - "patentAssertions": { - "type": "array", - "title": "Patent Assertions", - "description": "A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", - "items": { - "type": "object", - "title": "Patent Assertion", - "description": "An assertion linking a patent or patent family to this component or service.", - "required": [ - "assertionType", - "asserter" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { + "type": "array", + "items": { + "type": "string" }, - "assertionType": { - "type": "string", - "title": "Assertion Type", - "description": "The type of assertion being made about the patent or patent family. 
Examples include ownership, licensing, and standards inclusion.", - "enum": [ - "ownership", - "license", - "third-party-claim", - "standards-inclusion", - "prior-art", - "exclusive-rights", - "non-assertion", - "research-or-evaluation" - ], - "meta:enum": { - "ownership": "The manufacturer asserts ownership of the patent or patent family.", - "license": "The manufacturer asserts they have a license to use the patent or patent family.", - "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", - "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", - "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", - "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", - "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", - "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." 
- } + "description": "Indicators of compromise" + }, + "attack": { + "type": "array", + "items": { + "type": "string" }, - "patentRefs": { - "type": "array", - "title": "Patent References", - "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", - "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" - } + "description": "Indicators of attack" + }, + "behavioral": { + "type": "array", + "items": { + "type": "string" }, - "asserter": { - "oneOf": [ - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity", - "title": "Organizational Entity" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalContact", - "title": "Person" - }, - { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Reference", - "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." - } - ] + "description": "Behavioral indicators" + }, + "signatures": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/signature" }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." - } + "description": "Detection signatures" } } }, - "patentApplicationNumber": { - "type": "string", - "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", - "title": "Patent Application Number", - "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. 
Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", - "examples": [ - "US20240000123", - "EP23123456" - ] - }, - "patentJurisdiction": { - "type": "string", - "title": "Jurisdiction", - "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", - "pattern": "^[A-Z]{2}$", - "examples": [ - "US", - "EP", - "JP" - ] - }, - "patentFilingDate": { - "type": "string", - "format": "date", - "title": "Filing Date", - "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." - }, - "priorityApplication": { + "signature": { "type": "object", - "title": "Priority Application", - "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. 
In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", "required": [ - "applicationNumber", - "jurisdiction", - "filingDate" + "type", + "value" ], "additionalProperties": false, "properties": { - "applicationNumber": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentApplicationNumber" + "type": { + "type": "string", + "enum": [ + "yara", + "snort", + "regex", + "hash", + "behavior" + ], + "description": "Type of signature" }, - "jurisdiction": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentJurisdiction" + "value": { + "type": "string", + "description": "Signature value or pattern" }, - "filingDate": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentFilingDate" + "description": { + "type": "string", + "description": "Description of what the signature detects" + }, + "confidence": { + "type": "string", + "enum": [ + "low", + "medium", + "high" + ], + "description": "Confidence level of detection" } } - } - } - }, - "cyclonedx-release-notes-2.0": { - "type": "null", - "title": "CycloneDX Release Notes Model", - "$defs": { - "releaseNotes": { + }, + "ttp": { + "type": "object", + "additionalProperties": false, + "properties": { + "tactic": { + "type": "string", + "description": "High-level tactic" + }, + "technique": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" + } + } + }, + "tool": { "type": "object", - "title": "Release notes", "required": [ - "type" + "name" ], "additionalProperties": false, "properties": { - "type": { - "$ref": 
"#/$defs/cyclonedx-release-notes-2.0/$defs/releaseType", - "title": "Type", - "description": "The software versioning type the release note describes." - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the release." - }, - "featuredImage": { - "type": "string", - "format": "iri-reference", - "title": "Featured image", - "description": "The URL to an image that may be prominently displayed with the release note." - }, - "socialImage": { + "name": { "type": "string", - "format": "iri-reference", - "title": "Social image", - "description": "The URL to an image that may be used in messaging on social media platforms." + "description": "Tool name" }, - "description": { + "type": { "type": "string", - "title": "Description", - "description": "A short description of the release." + "enum": [ + "exploit", + "scanner", + "fuzzer", + "proxy", + "framework", + "custom" + ], + "description": "Type of tool" }, - "timestamp": { + "version": { "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the release note was created." + "description": "Tool version" }, - "aliases": { + "capabilities": { "type": "array", "items": { "type": "string" }, - "title": "Aliases", - "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." 
- }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted sectors or industries" }, - "resolves": { + "regions": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/issue" + "type": "string" }, - "title": "Resolves", - "description": "A collection of issues that have been resolved." + "description": "Targeted geographic regions" }, - "notes": { + "technologies": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/note" + "type": "string" }, - "title": "Notes", - "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + "description": "Targeted technologies or platforms" }, - "properties": { + "dataTypes": { "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/property" - } + "type": "string" + }, + "description": "Types of data targeted" } } }, - "releaseType": { - "type": "string", - "examples": [ - "major", - "minor", - "patch", - "pre-release", - "internal" - ], - "description": "The software versioning type. 
It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." - }, - "note": { + "detectionMethod": { "type": "object", - "title": "Note", - "description": "A note containing the locale and content.", "required": [ - "text" + "method" ], "additionalProperties": false, "properties": { - "locale": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/locale", - "title": "Locale", - "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. 
Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + "method": { + "type": "string", + "enum": [ + "static-analysis", + "dynamic-analysis", + "penetration-test", + "code-review", + "architecture-review", + "automated-scan" + ], + "description": "Detection method type" }, - "text": { - "title": "Release note content", - "description": "Specifies the full content of the release note.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/attachment" + "description": { + "type": "string", + "description": "Description of the detection method" + }, + "effectiveness": { + "type": "string", + "enum": [ + "low", + "medium", + "high" + ], + "description": "Effectiveness of the method" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools that implement this method" } } - } - } - }, - "cyclonedx-service-2.0": { - "type": "null", - "title": "CycloneDX Service Model", - "$defs": { - "services": { - "type": "array", - "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" - }, - "uniqueItems": true, - "title": "Services" }, - "service": { + "securityPolicy": { "type": "object", - "title": "Service", "required": [ - "name" + "bom-ref", + "name", + "type" ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/organizationalEntity" - }, - "group": { - "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. 
This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", - "examples": [ - "com.acme" - ] + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", - "title": "Service Name", - "description": "The name of the service. This will often be a shortened, single name of the service.", - "examples": [ - "ticker-service" - ] + "description": "Policy name" }, - "version": { - "$ref": "#/$defs/cyclonedx-component-2.0/$defs/version", - "title": "Service Version", - "description": "The service version." + "type": { + "type": "string", + "enum": [ + "access-control", + "data-protection", + "network-security", + "application-security", + "operational-security", + "compliance" + ], + "description": "Type of security policy" }, "description": { "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service" + "description": "Policy description" }, - "endpoints": { + "requirements": { "type": "array", "items": { - "type": "string", - "format": "iri-reference" + "type": "string" }, - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "examples": [ - "https://example.com/api/v1/ticker" - ] - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." - }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. 
A value of false indicates that by using the service, a trust boundary is not crossed." + "description": "Policy requirements" }, - "trustZone": { + "enforcement": { "type": "string", - "title": "Trust Zone", - "description": "The name of the trust zone the service resides in." + "enum": [ + "mandatory", + "recommended", + "optional" + ], + "description": "Enforcement level" }, - "data": { + "appliesTo": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/serviceData" + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, - "title": "Data", - "description": "Specifies information about the data including the directional flow of data and the data classification." - }, - "licenses": { - "$ref": "#/$defs/cyclonedx-license-2.0/$defs/licenseChoice", - "title": "Service License(s)" - }, - "patentAssertions": { - "$ref": "#/$defs/cyclonedx-patent-2.0/$defs/patentAssertions", - "title": "Service Patent(s)" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "description": "Assets this policy applies to" }, - "services": { + "exceptions": { "type": "array", "items": { - "$ref": "#/$defs/cyclonedx-service-2.0/$defs/service" + "type": "string" }, - "uniqueItems": true, - "title": "Services", - "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." - }, - "releaseNotes": { - "$ref": "#/$defs/cyclonedx-release-notes-2.0/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." 
- }, - "properties": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "tags": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/tags", - "title": "Tags" - }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + "description": "Policy exceptions" } } }, - "serviceData": { + "trustBoundary": { "type": "object", - "title": "Hash Objects", - "required": [ - "flow", - "classification" - ], - "additionalProperties": false, - "properties": { - "flow": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataFlowDirection", - "title": "Directional Flow", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." 
- }, - "classification": { - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataClassification" + "allOf": [ + { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/boundary" }, - "name": { + { + "properties": { + "trustLevel": { + "type": "string", + "enum": [ + "untrusted", + "semi-trusted", + "trusted", + "highly-trusted" + ], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": "#/$defs/cyclonedx-threat-2.0/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] + }, + "boundarySecurityRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authenticationStrength": { "type": "string", - "title": "Name", - "description": "Name for the defined data", - "examples": [ - "Credit card reporting" - ] + "enum": [ + "none", + "weak", + "moderate", + "strong", + "very-strong" + ], + "description": "Required authentication strength" }, - "description": { + "authorizationGranularity": { "type": "string", - "title": "Description", - "description": "Short description of the data content and usage", - "examples": [ - "Credit card information being exchanged in between the web app and the database" - ] + "enum": [ + "coarse", + "medium", + "fine", + "very-fine" + ], + "description": "Authorization granularity required" }, - "governance": { - "title": "Data Governance", - "$ref": "#/$defs/cyclonedx-data-2.0/$defs/dataGovernance" + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" }, - "source": { - "type": "array", - "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": 
"iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] - }, - "title": "Source", - "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" }, - "destination": { + "auditingLevel": { + "type": "string", + "enum": [ + "none", + "basic", + "detailed", + "comprehensive" + ], + "description": "Level of auditing required" + }, + "dataValidationRules": { "type": "array", "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/bomLinkElementType" - } - ] + "type": "string" }, - "title": "Destination", - "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + "description": "Data validation rules at boundary" } } } } }, - "cyclonedx-standard-2.0": { + "cyclonedx-usecase-2.0": { "type": "null", - "title": "CycloneDX Standard Model", + "title": "CycloneDX Use Case Model", "$defs": { - "standards": { + "useCases": { "type": "array", - "title": "Standards", - "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "title": "Use Cases", + "uniqueItems": true, "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/standard" - } + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/useCase" + }, + "description": "A collection of use cases that describe how actors interact with the system to achieve specific goals." 
}, - "standard": { + "useCase": { "type": "object", - "title": "Standard", - "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "title": "Use Case", + "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", + "required": [ + "name" + ], "additionalProperties": false, "properties": { "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" }, "name": { "type": "string", "title": "Name", - "description": "The name of the standard. This will often be a shortened, single name of the standard." - }, - "version": { - "type": "string", - "title": "Version", - "description": "The version of the standard." + "minLength": 1, + "description": "The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')." }, "description": { "type": "string", "title": "Description", - "description": "The description of the standard." - }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard, often the entity responsible for its release." + "description": "A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution." 
}, - "requirements": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirements" - }, - "levels": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/levels" + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType" + }, + "description": "References to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases." }, - "signature": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirements comprising the standard.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/requirement" - } - }, - "requirement": { - "type": "object", - "title": "Requirement", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." 
+ "postconditions": { + "type": "array", + "title": "Postconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced." }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." + "mainFlow": { + "type": "array", + "title": "Main Flow", + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome." }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the requirement." + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/flow" + }, + "description": "Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome." }, - "text": { - "type": "string", - "title": "Text", - "description": "The textual content of the requirement." + "exceptions": { + "type": "array", + "title": "Exceptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/exception" + }, + "description": "Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully." 
}, - "descriptions": { + "successCriteria": { "type": "array", - "title": "Descriptions", - "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "title": "Success Criteria", + "uniqueItems": true, "items": { "type": "string" - } + }, + "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off." }, - "openCre": { + "notes": { "type": "array", - "title": "OWASP OpenCRE Identifier(s)", - "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "title": "Notes", + "uniqueItems": true, "items": { - "type": "string", - "pattern": "^CRE:[0-9]+-[0-9]+$", - "examples": [ - "CRE:764-507" - ] - } - }, - "parent": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType", - "title": "Parent BOM Reference", - "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + "type": "string" + }, + "description": "Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure." }, "properties": { "$ref": "#/$defs/cyclonedx-common-2.0/$defs/properties" - }, - "externalReferences": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/externalReferences" } } }, - "levels": { - "type": "array", - "title": "Levels", - "description": "The list of levels associated with the standard. 
Some standards have different levels of compliance.", - "items": { - "$ref": "#/$defs/cyclonedx-standard-2.0/$defs/level" - } - }, - "level": { + "step": { "type": "object", - "title": "Level", + "title": "Step", + "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.", + "required": [ + "number", + "description" + ], "additionalProperties": false, "properties": { - "bom-ref": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + "number": { + "type": "integer", + "title": "Number", + "minimum": 1, + "description": "The sequence number indicating the ordinal position of this step within its flow, starting at 1." }, - "identifier": { + "description": { "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level." + "title": "Description", + "minLength": 1, + "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'." }, - "title": { + "actor": { + "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType", + "description": "Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.", + "required": [ + "name", + "condition" + ], + "additionalProperties": false, + "properties": { + "name": { "type": "string", - "title": "Title", - "description": "The title of the level." 
+ "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')." }, "description": { "type": "string", "title": "Description", - "description": "The description of the level." + "description": "A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies." }, - "requirements": { + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path." + }, + "steps": { "type": "array", - "title": "Requirements", - "description": "The list of requirement `bom-ref`s that comprise the level.", + "title": "Steps", "items": { - "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType" - } + "$ref": "#/$defs/cyclonedx-usecase-2.0/$defs/step" + }, + "description": "The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps." + } + } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.", + "required": [ + "name", + "condition" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved." 
+ }, + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific error condition, system state, or external event that triggers this exception during the execution of the use case." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support." } } } @@ -7010,6 +13420,9 @@ "definitions": { "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions" }, + "blueprints": { + "$ref": "#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints" + }, "citations": { "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations" }, diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json index 6a272963..548d0fca 100644 --- a/schema/2.0/cyclonedx-2.0.schema.json +++ b/schema/2.0/cyclonedx-2.0.schema.json @@ -76,6 +76,9 @@ "definitions": { "$ref": "model/cyclonedx-definition-2.0.schema.json#/$defs/definitions" }, + "blueprints": { + "$ref": "model/cyclonedx-blueprint-2.0.schema.json#/$defs/blueprints" + }, "citations": { "$ref": "model/cyclonedx-citation-2.0.schema.json#/$defs/citations" }, diff --git a/schema/2.0/model/cyclonedx-behavior-2.0.schema.json b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json new file mode 100644 index 00000000..25814a61 --- /dev/null +++ b/schema/2.0/model/cyclonedx-behavior-2.0.schema.json 
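Review bot: The new `blueprints` entry in the `@@ -76,6 +76,9 @@` hunk is a `$ref` into `model/cyclonedx-blueprint-2.0.schema.json`, yet the only new model file whose header is visible in this diff is `cyclonedx-behavior-2.0.schema.json`; confirm the blueprint model is added in the same commit, because an unresolvable `$ref` at the top level of the BOM schema makes strict validators reject every document and lax ones silently leave `blueprints` unconstrained. The bundled hunk `@@ -7010,6 +13420,9 @@` carries the matching `#/$defs/cyclonedx-blueprint-2.0/$defs/blueprints` reference, so the bundled and minified artifacts presumably were regenerated rather than hand-edited, but a resolver pass over both bundles would prove it. A `"title": "Blueprints"` beside the `$ref` would document the new section, though the siblings `definitions` and `citations` carry none, so omitting it is consistent with the file.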
@@ -0,0 +1,1740 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-behavior-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Behavior Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "properties": {
+ "behaviors": {
+ "$ref": "#/$defs/behaviors"
+ }
+ },
+ "$defs": {
+ "trigger": {
+ "type": "string",
+ "title": "Trigger",
+ "description": "The condition or event that initiates a behavior.",
+ "enum": [
+ "startup",
+ "shutdown",
+ "scheduled",
+ "event-driven",
+ "user-initiated",
+ "api-call",
+ "signal",
+ "condition-based",
+ "continuous",
+ "on-demand",
+ "unknown"
+ ],
+ "meta:enum": {
+ "startup": "Triggered during system or component initialisation.",
+ "shutdown": "Triggered during system or component termination.",
+ "scheduled": "Triggered at predetermined times or intervals.",
+ "event-driven": "Triggered in response to a specific event.",
+ "user-initiated": "Triggered by explicit user action.",
+ "api-call": "Triggered by an API invocation.",
+ "signal": "Triggered by a system or inter-process signal.",
+ "condition-based": "Triggered when specific conditions are met.",
+ "continuous": "Runs continuously during normal operation.",
+ "on-demand": "Triggered on demand as needed.",
+ "unknown": "The trigger mechanism is not known."
+ }
+ },
+ "ordering": {
+ "type": "string",
+ "title": "Ordering",
+ "description": "Execution semantics for steps within a flow.",
+ "default": "sequential",
+ "enum": [
+ "sequential",
+ "unordered",
+ "parallel",
+ "conditional"
+ ],
+ "meta:enum": {
+ "sequential": "Steps execute in ordinal order. Each completes before the next begins.",
+ "unordered": "All steps execute, but order is not guaranteed.",
+ "parallel": "Steps may execute concurrently.",
+ "conditional": "Step execution is determined by runtime conditions."
+ }
+ },
+ "acknowledgment": {
+ "type": "array",
+ "title": "Acknowledgment",
+ "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string",
+ "enum": [
+ "declared",
+ "observed"
+ ],
+ "meta:enum": {
+ "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.",
+ "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."
+ }
+ }
+ },
+ "behaviors": {
+ "type": "object",
+ "title": "Behaviors",
+ "description": "Behaviors performed by objects within the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "instances": {
+ "type": "array",
+ "title": "Instances",
+ "description": "Individual behavior instances.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/behaviorInstance"
+ }
+ },
+ "flows": {
+ "type": "array",
+ "title": "Flows",
+ "description": "Behavior flows that organise behaviors into operational patterns.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/behaviorFlow"
+ }
+ }
+ }
+ },
+ "behaviorInstance": {
+ "type": "object",
+ "title": "Behavior Instance",
+ "description": "A behavior performed by one or more objects within the BOM.",
+ "additionalProperties": false,
+ "required": ["bom-ref", "behavior"],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "behavior": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior from the taxonomy."
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/acknowledgment"
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this behavior.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ }
+ }
+ },
+ "behaviorFlow": {
+ "type": "object",
+ "title": "Behavior Flow",
+ "description": "An organised collection of behaviors forming a coherent process.",
+ "additionalProperties": false,
+ "required": ["bom-ref", "steps"],
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "acknowledgment": {
+ "$ref": "#/$defs/acknowledgment"
+ },
+ "ordering": {
+ "$ref": "#/$defs/ordering"
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "steps": {
+ "type": "array",
+ "title": "Steps",
+ "description": "The steps that comprise this flow.",
+ "minItems": 1,
+ "items": {
+ "$ref": "#/$defs/flowStep"
+ }
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "anyOf": [
+ { "properties": { "ordering": { "const": "sequential" } }, "required": ["ordering"] },
+ { "not": { "required": ["ordering"] } }
+ ]
+ },
+ "then": {
+ "properties": {
+ "steps": {
+ "items": {
+ "required": ["ordinal"]
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "flowStep": {
+ "type": "object",
+ "title": "Flow Step",
+ "description": "A single step within a behavior flow.",
+ "additionalProperties": false,
+ "properties": {
+ "ordinal": {
+ "type": "integer",
+ "title": "Ordinal",
+ "description": "Position within the flow. Required when ordering is 'sequential' or omitted.",
+ "minimum": 1
+ },
+ "behavior": {
+ "$ref": "cyclonedx-behavior-2.0.schema.json#/$defs/behavior",
+ "title": "Behavior",
+ "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."
+ },
+ "trigger": {
+ "$ref": "#/$defs/trigger"
+ },
+ "ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "Behavior Reference",
+ "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."
+ },
+ "flow": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+ "title": "Flow Reference",
+ "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."
+ },
+ "actors": {
+ "type": "array",
+ "title": "Actors",
+ "description": "References to objects that perform this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ },
+ "targets": {
+ "type": "array",
+ "title": "Targets",
+ "description": "References to objects affected by this step.",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ }
+ }
+ },
+ "oneOf": [
+ { "required": ["behavior"] },
+ { "required": ["ref"] },
+ { "required": ["flow"] }
+ ]
+ },
+ "behavior": {
+ "type": "string",
+ "title": "Behavior",
+ "description": "Specifies an action performed by an entity that may have security, privacy, safety, or operational implications. 
Values may represent a domain, a category within a domain, or a specific behavior within a category.", + "enum": [ + "ai", + "ai:agent", + "ai:agent:actsOnBehalfOfUser", + "ai:agent:coordinatesAgents", + "ai:agent:delegatesTask", + "ai:agent:executesAction", + "ai:agent:invokesTool", + "ai:agent:observesResult", + "ai:agent:plansAction", + "ai:agent:receivesHumanDelegation", + "ai:agent:reflectsOnResult", + "ai:agent:reportsDelegatedAction", + "ai:agent:requestsUserApproval", + "ai:agent:returnsDelegation", + "ai:agent:revisesPlan", + "ai:explainability", + "ai:explainability:attributesFeatures", + "ai:explainability:documentsModel", + "ai:explainability:explainsDecision", + "ai:explainability:tracesPrediction", + "ai:explainability:visualizesModel", + "ai:fairness", + "ai:fairness:auditsModelFairness", + "ai:fairness:calculatesFairnessMetric", + "ai:fairness:detectsBias", + "ai:fairness:handlesProtectedAttribute", + "ai:fairness:mitigatesBias", + "ai:generative", + "ai:generative:citesSource", + "ai:generative:filtersOutput", + "ai:generative:generatesAudio", + "ai:generative:generatesCode", + "ai:generative:generatesEmbedding", + "ai:generative:generatesImage", + "ai:generative:generatesText", + "ai:generative:mitigatesHallucination", + "ai:generative:processesPrompt", + "ai:generative:streamsResponse", + "ai:inference", + "ai:inference:appliesThreshold", + "ai:inference:batchesInference", + "ai:inference:cachesPrediction", + "ai:inference:ensemblesModels", + "ai:inference:generatesPrediction", + "ai:inference:infersInRealTime", + "ai:inference:ranksResults", + "ai:inference:scoresConfidence", + "ai:management", + "ai:management:comparesModels", + "ai:management:deploysModel", + "ai:management:loadsModel", + "ai:management:monitorsModel", + "ai:management:retiresModel", + "ai:management:rollsBackModel", + "ai:management:unloadsModel", + "ai:management:versionsModel", + "ai:quality", + "ai:quality:detectsConceptDrift", + "ai:quality:detectsDataDrift", + 
"ai:quality:detectsOutlier", + "ai:quality:engineersFeatures", + "ai:quality:selectsFeatures", + "ai:quality:validatesInputData", + "ai:robustness", + "ai:robustness:defendsAgainstAdversarial", + "ai:robustness:detectsAdversarialInput", + "ai:robustness:detectsOutOfDistribution", + "ai:robustness:estimatesUncertainty", + "ai:robustness:validatesRobustness", + "ai:training", + "ai:training:appliesTransferLearning", + "ai:training:checkpointsModel", + "ai:training:fineTunesModel", + "ai:training:ingestsTrainingData", + "ai:training:preprocessesTrainingData", + "ai:training:trainsFederatedly", + "ai:training:trainsModel", + "ai:training:tunesHyperparameters", + "ai:training:validatesModel", + "ai:training:validatesTrainingData", + "application", + "application:codeExecution", + "application:codeExecution:compilesCode", + "application:codeExecution:evaluatesExpression", + "application:codeExecution:executesNativeCommand", + "application:codeExecution:executesScript", + "application:codeExecution:interpretsCode", + "application:codeExecution:invokesViaReflection", + "application:codeExecution:loadsCodeDynamically", + "application:configuration", + "application:configuration:detectsEnvironment", + "application:configuration:evaluatesFeatureFlag", + "application:configuration:loadsConfiguration", + "application:configuration:reloadsConfiguration", + "application:controlFlow", + "application:controlFlow:awaitsAsyncResult", + "application:controlFlow:catchesException", + "application:controlFlow:emitsEvent", + "application:controlFlow:handlesEvent", + "application:controlFlow:invokesCallback", + "application:controlFlow:invokesHandler", + "application:controlFlow:invokesMiddleware", + "application:controlFlow:schedulesAsyncOperation", + "application:controlFlow:throwsException", + "application:dependencyManagement", + "application:dependencyManagement:closesCircuitBreaker", + "application:dependencyManagement:fallsBack", + 
"application:dependencyManagement:injectsDependency", + "application:dependencyManagement:opensCircuitBreaker", + "application:dependencyManagement:resolvesDependency", + "application:externalIntegration", + "application:externalIntegration:callsExternalService", + "application:externalIntegration:consumesEvent", + "application:externalIntegration:publishesEvent", + "application:externalIntegration:receivesWebhook", + "application:observability", + "application:observability:emitsTelemetry", + "application:observability:logsOperation", + "application:observability:recordsMetric", + "application:observability:reportsHealth", + "application:observability:tracesRequest", + "application:requestHandling", + "application:requestHandling:authenticatesRequest", + "application:requestHandling:authorizesRequest", + "application:requestHandling:bindsParameters", + "application:requestHandling:parsesRequest", + "application:requestHandling:receivesHttpRequest", + "application:requestHandling:rejectsRequest", + "application:requestHandling:routesRequest", + "application:requestHandling:validatesRequest", + "application:responseGeneration", + "application:responseGeneration:generatesResponse", + "application:responseGeneration:readsCookie", + "application:responseGeneration:redirectsRequest", + "application:responseGeneration:returnsError", + "application:responseGeneration:returnsSuccess", + "application:responseGeneration:sendsHttpResponse", + "application:responseGeneration:setsCookie", + "application:responseGeneration:setsHeader", + "application:stateManagement", + "application:stateManagement:acquiresLock", + "application:stateManagement:beginsTransaction", + "application:stateManagement:commitsTransaction", + "application:stateManagement:createsSessionState", + "application:stateManagement:destroysSessionState", + "application:stateManagement:readsSessionState", + "application:stateManagement:releasesLock", + "application:stateManagement:rollsBackTransaction", + 
"application:stateManagement:synchronizesState", + "application:stateManagement:updatesSessionState", + "data", + "data:encoding", + "data:encoding:appliesXor", + "data:encoding:decodesBaseSixtyFour", + "data:encoding:decodesUrl", + "data:encoding:encodesBaseSixtyFour", + "data:encoding:encodesUrl", + "data:ingestion", + "data:ingestion:pollsSource", + "data:ingestion:readsFile", + "data:ingestion:readsStream", + "data:ingestion:receivesInput", + "data:ingestion:receivesMessage", + "data:ingestion:receivesRequest", + "data:ingestion:subscribesToFeed", + "data:output", + "data:output:formatsResponse", + "data:output:producesOutput", + "data:output:publishesMessage", + "data:output:rendersTemplate", + "data:output:sendsResponse", + "data:output:serializesObject", + "data:output:streamsOutput", + "data:output:writesFile", + "data:parsing", + "data:parsing:decodesData", + "data:parsing:deserializesObject", + "data:parsing:extractsFields", + "data:parsing:parsesData", + "data:parsing:parsesHtml", + "data:parsing:parsesJson", + "data:parsing:parsesXml", + "data:query", + "data:query:executesLdapQuery", + "data:query:executesNoSqlQuery", + "data:query:executesSearch", + "data:query:executesSql", + "data:query:executesXPath", + "data:query:queriesData", + "data:storage", + "data:storage:cachesData", + "data:storage:deletesData", + "data:storage:flushesCache", + "data:storage:invalidatesCache", + "data:storage:retrievesData", + "data:storage:storesData", + "data:storage:updatesData", + "data:transformation", + "data:transformation:aggregatesData", + "data:transformation:compressesData", + "data:transformation:decompressesData", + "data:transformation:encodesData", + "data:transformation:enrichesData", + "data:transformation:filtersData", + "data:transformation:joinsData", + "data:transformation:mapsData", + "data:transformation:normalizesData", + "data:transformation:sortsData", + "data:transformation:transformsData", + "evasion", + "evasion:analysisResistance", + 
"evasion:analysisResistance:detectsAnalysisTool", + "evasion:analysisResistance:detectsDebugger", + "evasion:analysisResistance:detectsEmulator", + "evasion:analysisResistance:detectsSandbox", + "evasion:analysisResistance:detectsVirtualMachine", + "evasion:analysisResistance:evadesDebugger", + "evasion:analysisResistance:evadesEmulator", + "evasion:analysisResistance:evadesSandbox", + "evasion:analysisResistance:evadesVirtualMachine", + "evasion:analysisResistance:usesTimingEvasion", + "evasion:antiSecurity", + "evasion:antiSecurity:detectsAntivirus", + "evasion:antiSecurity:disablesSecuritySoftware", + "evasion:antiSecurity:evadesAntivirus", + "evasion:antiSecurity:terminatesSecurityProcess", + "evasion:indirection", + "evasion:indirection:resolvesApiDynamically", + "evasion:indirection:usesIndirectCalls", + "evasion:indirection:usesProxyExecution", + "evasion:obfuscation", + "evasion:obfuscation:obfuscatesCode", + "evasion:obfuscation:obfuscatesControlFlow", + "evasion:obfuscation:obfuscatesData", + "evasion:obfuscation:obfuscatesStrings", + "evasion:obfuscation:packsCode", + "evasion:obfuscation:unpacksAtRuntime", + "file", + "file:directory", + "file:directory:changesDirectory", + "file:directory:createsDirectory", + "file:directory:deletesDirectory", + "file:directory:listsDirectory", + "file:directory:traversesDirectory", + "file:disk", + "file:disk:decryptsVolume", + "file:disk:encryptsVolume", + "file:disk:formatsVolume", + "file:disk:mountsVolume", + "file:disk:unmountsVolume", + "file:disk:wipesDisk", + "file:operations", + "file:operations:appendsToFile", + "file:operations:checksFileExistence", + "file:operations:closesFile", + "file:operations:copiesFile", + "file:operations:createsFile", + "file:operations:deletesFile", + "file:operations:getsFileAttributes", + "file:operations:movesFile", + "file:operations:opensFile", + "file:operations:readsFile", + "file:operations:renamesFile", + "file:operations:setsFileAttributes", + 
"file:operations:setsFilePermissions", + "file:operations:writesFile", + "gui", + "gui:display", + "gui:display:displaysData", + "gui:display:monitorsDisplay", + "gui:display:updatesDisplay", + "gui:session", + "gui:session:displaysLogin", + "gui:session:interactsWithSession", + "gui:session:switchesSession", + "gui:window", + "gui:window:capturesWindow", + "gui:window:createsWindow", + "gui:window:destroysWindow", + "gui:window:enumeratesWindows", + "gui:window:interactsWithTaskbar", + "gui:window:modifiesWindow", + "hardware", + "hardware:actuator", + "hardware:actuator:calibratesActuator", + "hardware:actuator:controlsBattery", + "hardware:actuator:controlsHeating", + "hardware:actuator:controlsLed", + "hardware:actuator:controlsMotor", + "hardware:actuator:controlsPower", + "hardware:actuator:controlsPump", + "hardware:actuator:controlsTemperature", + "hardware:boot", + "hardware:boot:entersRecoveryMode", + "hardware:boot:executesSecureBoot", + "hardware:boot:locksBootConfiguration", + "hardware:boot:modifiesBootConfiguration", + "hardware:boot:readsBootConfiguration", + "hardware:boot:recordsBootMeasurement", + "hardware:boot:verifiesBootLoader", + "hardware:firmware", + "hardware:firmware:monitorsFirmwareIntegrity", + "hardware:firmware:preventsFirmwareRollback", + "hardware:firmware:readsFirmwareVersion", + "hardware:firmware:updatesFirmware", + "hardware:firmware:verifiesFirmwareSignature", + "hardware:memory", + "hardware:memory:encryptsMemory", + "hardware:memory:isolatesMemory", + "hardware:memory:protectsStack", + "hardware:memory:randomizesAddressSpace", + "hardware:memory:readsProtectedMemory", + "hardware:memory:writesProtectedMemory", + "hardware:peripheral", + "hardware:peripheral:accessesCamera", + "hardware:peripheral:accessesDisplay", + "hardware:peripheral:accessesGpio", + "hardware:peripheral:accessesJtag", + "hardware:peripheral:accessesKeyboard", + "hardware:peripheral:accessesStorageDevice", + "hardware:peripheral:accessesUsbDevice", + 
"hardware:peripheral:configuresDma", + "hardware:peripheral:protectsDma", + "hardware:physicalSecurity", + "hardware:physicalSecurity:detectsPhysicalTamper", + "hardware:physicalSecurity:disablesDebugInterface", + "hardware:physicalSecurity:enablesDebugInterface", + "hardware:physicalSecurity:monitorsEnclosure", + "hardware:physicalSecurity:respondsToTamper", + "hardware:physicalSecurity:zeroizesKeys", + "hardware:security", + "hardware:security:anchorsInHardwareRoot", + "hardware:security:executesInTee", + "hardware:security:generatesPufResponse", + "hardware:security:usesHsm", + "hardware:security:usesSecureElement", + "hardware:sensor", + "hardware:sensor:calibratesSensor", + "hardware:sensor:readsBatteryStatus", + "hardware:sensor:readsBloodOxygen", + "hardware:sensor:readsBloodPressure", + "hardware:sensor:readsCoTwoLevel", + "hardware:sensor:readsEcg", + "hardware:sensor:readsPowerStatus", + "hardware:sensor:readsTemperature", + "hardware:sideChannelDefense", + "hardware:sideChannelDefense:controlsEmEmissions", + "hardware:sideChannelDefense:resistsFaultInjection", + "hardware:sideChannelDefense:resistsPowerAnalysis", + "hardware:sideChannelDefense:resistsTimingAnalysis", + "network", + "network:connection", + "network:connection:acceptsConnection", + "network:connection:detectsConnectionLoss", + "network:connection:establishesConnection", + "network:connection:reconnects", + "network:connection:reusesConnection", + "network:connection:sendsHeartbeat", + "network:connection:terminatesConnection", + "network:discovery", + "network:discovery:advertisesService", + "network:discovery:discoversService", + "network:discovery:enumeratesInterfaces", + "network:discovery:probesPort", + "network:discovery:queriesDns", + "network:discovery:resolvesName", + "network:discovery:scansNetwork", + "network:protocol", + "network:protocol:downgradesProtocol", + "network:protocol:framesMessage", + "network:protocol:negotiatesProtocol", + "network:protocol:parsesMessage", + 
"network:protocol:retransmitsMessage", + "network:protocol:upgradesProtocol", + "network:protocol:validatesMessage", + "network:remoteInteraction", + "network:remoteInteraction:accessesRemoteDesktop", + "network:remoteInteraction:accessesRemoteShell", + "network:remoteInteraction:executesRemoteCommand", + "network:remoteInteraction:invokesRemoteProcedure", + "network:remoteInteraction:sendsEmail", + "network:remoteInteraction:sendsSms", + "network:remoteInteraction:transfersFile", + "network:routing", + "network:routing:configuresProxy", + "network:routing:forwardsPacket", + "network:routing:redirectsTraffic", + "network:routing:routesTraffic", + "network:routing:tunnelsTraffic", + "network:trafficControl", + "network:trafficControl:balancesLoad", + "network:trafficControl:filtersTraffic", + "network:trafficControl:inspectsTraffic", + "network:trafficControl:interceptsTraffic", + "network:trafficControl:limitsRate", + "network:trafficControl:modifiesTraffic", + "network:trafficControl:shapesTraffic", + "network:transmission", + "network:transmission:broadcastsData", + "network:transmission:multicastsData", + "network:transmission:receivesData", + "network:transmission:sendsData", + "network:transmission:streamsData", + "privacy", + "privacy:collection", + "privacy:collection:capturesAudio", + "privacy:collection:capturesKeystrokes", + "privacy:collection:capturesScreen", + "privacy:collection:capturesVideo", + "privacy:collection:collectsBehavioralData", + "privacy:collection:collectsBiometricData", + "privacy:collection:collectsCommunicationContent", + "privacy:collection:collectsDeviceInformation", + "privacy:collection:collectsFinancialData", + "privacy:collection:collectsHealthData", + "privacy:collection:collectsInBackground", + "privacy:collection:collectsLocationData", + "privacy:collection:collectsPersonalData", + "privacy:collection:collectsSilently", + "privacy:collection:readsBrowserHistory", + "privacy:collection:readsClipboard", + "privacy:deletion", + 
"privacy:deletion:clearsCache", + "privacy:deletion:deletesPersonalData", + "privacy:deletion:erasesSecurely", + "privacy:deletion:purgesFromBackup", + "privacy:deletion:redactsData", + "privacy:inference", + "privacy:inference:correlatesData", + "privacy:inference:createsProfile", + "privacy:inference:fingerprintsDevice", + "privacy:inference:infersPersonalInformation", + "privacy:inference:linksIdentities", + "privacy:inference:tracksUser", + "privacy:minimization", + "privacy:minimization:aggregatesData", + "privacy:minimization:anonymizesData", + "privacy:minimization:filtersData", + "privacy:minimization:generalizesData", + "privacy:minimization:limitsCollection", + "privacy:minimization:limitsProcessing", + "privacy:minimization:pseudonymizesData", + "privacy:privacyEnhancement", + "privacy:privacyEnhancement:addsDifferentialPrivacy", + "privacy:privacyEnhancement:computesMultiparty", + "privacy:privacyEnhancement:processesHomomorphically", + "privacy:privacyEnhancement:processesLocally", + "privacy:retention", + "privacy:retention:archivesData", + "privacy:retention:backsUpData", + "privacy:retention:enforcesRetentionPeriod", + "privacy:retention:retainsBeyondPurpose", + "privacy:retention:retainsInCache", + "privacy:retention:retainsInLog", + "privacy:retention:storesPersonalData", + "privacy:sharing", + "privacy:sharing:disclosesToThirdParty", + "privacy:sharing:exportsData", + "privacy:sharing:publishesData", + "privacy:sharing:sellsData", + "privacy:sharing:sharesWithAffiliate", + "privacy:sharing:transfersCrossBorder", + "privacy:subjectRights", + "privacy:subjectRights:correctsData", + "privacy:subjectRights:exportsDataPortably", + "privacy:subjectRights:honorsErasureRequest", + "privacy:subjectRights:honorsObjection", + "privacy:subjectRights:providesDataAccess", + "privacy:subjectRights:restrictsProcessing", + "privacy:transparency", + "privacy:transparency:disclosesProcessing", + "privacy:transparency:displaysPrivacyNotice", + 
"privacy:transparency:explainsAutomatedDecision", + "privacy:transparency:recordsConsent", + "privacy:transparency:requestsConsent", + "privacy:transparency:withdrawsConsent", + "safety", + "safety:autonomousBehavior", + "safety:autonomousBehavior:acceptsOverride", + "safety:autonomousBehavior:enforcesHumanInLoop", + "safety:autonomousBehavior:explainsDecision", + "safety:autonomousBehavior:requestsGuidance", + "safety:autonomousBehavior:respectsDecisionBoundary", + "safety:contentSafety", + "safety:contentSafety:detectsHarmfulContent", + "safety:contentSafety:detectsMisinformation", + "safety:contentSafety:enforcesAgeRestriction", + "safety:contentSafety:filtersContent", + "safety:contentSafety:labelsContent", + "safety:harmPrevention", + "safety:harmPrevention:preventsEnvironmentalHarm", + "safety:harmPrevention:preventsPropertyDamage", + "safety:harmPrevention:preventsUserHarm", + "safety:harmPrevention:protectsBystanders", + "safety:hazardManagement", + "safety:hazardManagement:assessesRisk", + "safety:hazardManagement:identifiesHazard", + "safety:hazardManagement:mitigatesHazard", + "safety:hazardManagement:reportsHazard", + "safety:humanInteraction", + "safety:humanInteraction:adaptsForAccessibility", + "safety:humanInteraction:managesCognitiveLoad", + "safety:humanInteraction:requestsConfirmation", + "safety:humanInteraction:warnsOperator", + "safety:operationalSafety", + "safety:operationalSafety:acceptsManualOverride", + "safety:operationalSafety:enforcesInterlock", + "safety:operationalSafety:enforcesOperatingLimits", + "safety:operationalSafety:executesEmergencyStop", + "safety:operationalSafety:monitorsWatchdog", + "safety:operationalSafety:validatesSafetyCondition", + "security", + "security:auditing", + "security:auditing:logsEvent", + "security:auditing:logsSecurityEvent", + "security:auditing:protectsAuditLog", + "security:auditing:purgesLog", + "security:auditing:rotatesLog", + "security:auditing:signsLogEntry", + 
"security:auditing:timestampsEvent", + "security:auditing:transmitsLog", + "security:authentication", + "security:authentication:authenticatesDevice", + "security:authentication:authenticatesService", + "security:authentication:authenticatesUser", + "security:authentication:bypassesAuthentication", + "security:authentication:capturesBiometric", + "security:authentication:delegatesAuthentication", + "security:authentication:failsAuthentication", + "security:authentication:locksAccount", + "security:authentication:performsMultiFactorAuthentication", + "security:authentication:promptsForCredentials", + "security:authentication:unlocksAccount", + "security:authentication:validatesBiometric", + "security:authentication:validatesCredentials", + "security:authorization", + "security:authorization:checksPermission", + "security:authorization:delegatesAuthority", + "security:authorization:deniesAccess", + "security:authorization:enforcesRole", + "security:authorization:escalatesPrivilege", + "security:authorization:evaluatesAttributes", + "security:authorization:evaluatesPolicy", + "security:authorization:grantsAccess", + "security:authorization:grantsImpersonation", + "security:authorization:impersonatesUser", + "security:authorization:requestsImpersonation", + "security:authorization:revokesAccess", + "security:authorization:revokesImpersonation", + "security:cryptography", + "security:cryptography:authenticates", + "security:cryptography:checksRevocation", + "security:cryptography:decryptsData", + "security:cryptography:decryptsDataAtRest", + "security:cryptography:decryptsDataInTransit", + "security:cryptography:decryptsDisk", + "security:cryptography:decryptsSecret", + "security:cryptography:destroysKey", + "security:cryptography:encryptsData", + "security:cryptography:encryptsDataAtRest", + "security:cryptography:encryptsDataInTransit", + "security:cryptography:encryptsDisk", + "security:cryptography:encryptsSecret", + "security:cryptography:ensuresAccountability", + 
"security:cryptography:ensuresConfidentiality", + "security:cryptography:ensuresIntegrity", + "security:cryptography:ensuresNonRepudiation", + "security:cryptography:exchangesKey", + "security:cryptography:generatesKey", + "security:cryptography:generatesRandomValue", + "security:cryptography:hashesData", + "security:cryptography:hashesPassword", + "security:cryptography:identifies", + "security:cryptography:issuesCertificate", + "security:cryptography:preservesPrivacy", + "security:cryptography:presentsClientCertificate", + "security:cryptography:presentsServerCertificate", + "security:cryptography:retrievesKey", + "security:cryptography:revokesCertificate", + "security:cryptography:rotatesKey", + "security:cryptography:signsCode", + "security:cryptography:signsData", + "security:cryptography:signsDocument", + "security:cryptography:storesKey", + "security:cryptography:usesIdentity", + "security:cryptography:validatesCertificate", + "security:cryptography:validatesToken", + "security:cryptography:verifiesCodeSignature", + "security:cryptography:verifiesDataSignature", + "security:cryptography:verifiesDocumentSignature", + "security:cryptography:verifiesHash", + "security:cryptography:verifiesSignature", + "security:cryptography:wrapsKey", + "security:errorHandling", + "security:errorHandling:catchesException", + "security:errorHandling:disclosesErrorDetails", + "security:errorHandling:failsClosed", + "security:errorHandling:failsOpen", + "security:errorHandling:generatesError", + "security:errorHandling:logsError", + "security:errorHandling:propagatesError", + "security:errorHandling:returnsGenericError", + "security:errorHandling:suppressesError", + "security:inputHandling", + "security:inputHandling:escapesInput", + "security:inputHandling:normalizesInput", + "security:inputHandling:rejectsInvalidInput", + "security:inputHandling:sanitizesInput", + "security:inputHandling:truncatesInput", + "security:inputHandling:validatesFormat", + 
"security:inputHandling:validatesRange", + "security:inputHandling:validatesSchema", + "security:integrity", + "security:integrity:attestsIntegrity", + "security:integrity:detectsTampering", + "security:integrity:respondsToTampering", + "security:integrity:validatesComponent", + "security:integrity:verifiesIntegrity", + "security:integrity:verifiesProvenance", + "security:outputHandling", + "security:outputHandling:encodesOutput", + "security:outputHandling:enforcesContentPolicy", + "security:outputHandling:escapesOutput", + "security:outputHandling:filtersOutput", + "security:outputHandling:masksOutput", + "security:outputHandling:setsSecurityHeader", + "security:session", + "security:session:createsSession", + "security:session:detectsSessionHijacking", + "security:session:invalidatesSession", + "security:session:refreshesSession", + "security:session:regeneratesSessionId", + "security:session:terminatesSession", + "security:session:validatesSession", + "security:threatResponse", + "security:threatResponse:blocksRequest", + "security:threatResponse:blocksSource", + "security:threatResponse:collectsForensicData", + "security:threatResponse:detectsAnomaly", + "security:threatResponse:detectsIntrusion", + "security:threatResponse:initiatesIncidentResponse", + "security:threatResponse:quarantinesElement", + "security:threatResponse:raisesAlert", + "system", + "system:configuration", + "system:configuration:deletesRegistryKey", + "system:configuration:modifiesGroupPolicy", + "system:configuration:readsConfigurationFile", + "system:configuration:readsEnvironmentVariable", + "system:configuration:readsGroupPolicy", + "system:configuration:readsRegistry", + "system:configuration:setsEnvironmentVariable", + "system:configuration:writesConfigurationFile", + "system:configuration:writesRegistry", + "system:informationGathering", + "system:informationGathering:detectsOsVersion", + "system:informationGathering:gathersSystemInformation", + 
"system:informationGathering:queriesHardwareInformation", + "system:informationGathering:retrievesHostname", + "system:kernelInteraction", + "system:kernelInteraction:hooksKernelFunction", + "system:kernelInteraction:installsDriver", + "system:kernelInteraction:readsKernelMemory", + "system:kernelInteraction:writesKernelMemory", + "system:lifecycle", + "system:lifecycle:appliesUpdate", + "system:lifecycle:decommissions", + "system:lifecycle:initializes", + "system:lifecycle:performsSelfTest", + "system:lifecycle:provisions", + "system:lifecycle:rollsBack", + "system:lifecycle:shutsDown", + "system:operationalState", + "system:operationalState:entersFailSafeState", + "system:operationalState:entersFailSecureState", + "system:operationalState:operatesInDegradedMode", + "system:operationalState:operatesNormally", + "system:operationalState:performsEmergencyShutdown", + "system:persistence", + "system:persistence:createsScheduledTask", + "system:persistence:installsAsService", + "system:persistence:loadsAsKernelModule", + "system:persistence:registersForStartup", + "system:persistence:removesPersistence", + "system:processControl", + "system:processControl:createsProcess", + "system:processControl:dumpsProcessMemory", + "system:processControl:enumeratesProcesses", + "system:processControl:hooksFunction", + "system:processControl:injectsCodeIntoProcess", + "system:processControl:modifiesProcess", + "system:processControl:resumesProcess", + "system:processControl:suspendsProcess", + "system:processControl:terminatesProcess", + "system:resilience", + "system:resilience:activatesRedundancy", + "system:resilience:degradesGracefully", + "system:resilience:detectsFault", + "system:resilience:recoversFromFailure", + "system:resilience:toleratesFault", + "system:resourceManagement", + "system:resourceManagement:allocatesMemory", + "system:resourceManagement:deallocatesMemory", + "system:resourceManagement:handlesResourceExhaustion", + 
"system:resourceManagement:managesPowerState", + "system:resourceManagement:readsFromStorage", + "system:resourceManagement:resumesThread", + "system:resourceManagement:spawnsThread", + "system:resourceManagement:suspendsThread", + "system:resourceManagement:terminatesThread", + "system:resourceManagement:writesToStorage", + "system:serviceControl", + "system:serviceControl:createsService", + "system:serviceControl:deletesService", + "system:serviceControl:enumeratesServices", + "system:serviceControl:modifiesService", + "system:serviceControl:startsService", + "system:serviceControl:stopsService", + "system:synchronization", + "system:synchronization:acquiresMutex", + "system:synchronization:releasesMutex", + "system:synchronization:signalsEvent", + "system:synchronization:signalsSemaphore", + "system:synchronization:waitsOnEvent", + "system:synchronization:waitsOnSemaphore", + "system:timing", + "system:timing:delaysExecution", + "system:timing:enforcesDeadline", + "system:timing:executesScheduledTask", + "system:timing:resetsWatchdog", + "system:timing:synchronizesClock", + "system:timing:triggersTimeout", + "system:timing:waits", + "system:userManagement", + "system:userManagement:createsUserAccount", + "system:userManagement:deletesUserAccount", + "system:userManagement:elevatesPrivileges", + "system:userManagement:enumeratesUsers", + "system:userManagement:impersonatesUser", + "system:userManagement:modifiesUserAccount" + ], + "meta:enum": { + "ai": "Behaviours relating to artificial intelligence and machine learning operations.", + "ai:agent": "Behaviours that enable autonomous agents to plan and execute tasks.", + "ai:agent:actsOnBehalfOfUser": "The entity performs actions within a delegated user context.", + "ai:agent:coordinatesAgents": "The entity orchestrates multiple agents.", + "ai:agent:delegatesTask": "The entity assigns work to another agent.", + "ai:agent:executesAction": "The entity performs planned step.", + "ai:agent:invokesTool": "The entity 
calls external capability.", + "ai:agent:observesResult": "The entity captures action outcome.", + "ai:agent:plansAction": "The entity determines steps to achieve goal.", + "ai:agent:receivesHumanDelegation": "The entity accepts authority delegated by a human user.", + "ai:agent:reflectsOnResult": "The entity evaluates action effectiveness.", + "ai:agent:reportsDelegatedAction": "The entity notifies the delegating user of actions taken.", + "ai:agent:requestsUserApproval": "The entity seeks explicit user authorisation before acting.", + "ai:agent:returnsDelegation": "The entity relinquishes delegated authority.", + "ai:agent:revisesPlan": "The entity modifies approach based on results.", + "ai:explainability": "Behaviours that provide interpretable explanations for model decisions.", + "ai:explainability:attributesFeatures": "The entity identifies influential inputs.", + "ai:explainability:documentsModel": "The entity records model design and behaviour.", + "ai:explainability:explainsDecision": "The entity provides human-readable rationale.", + "ai:explainability:tracesPrediction": "The entity records basis for output.", + "ai:explainability:visualizesModel": "The entity renders model behaviour graphically.", + "ai:fairness": "Behaviours that detect and mitigate bias in machine learning models.", + "ai:fairness:auditsModelFairness": "The entity evaluates model for bias.", + "ai:fairness:calculatesFairnessMetric": "The entity measures outcome equality.", + "ai:fairness:detectsBias": "The entity identifies unfair model behaviour.", + "ai:fairness:handlesProtectedAttribute": "The entity manages sensitive attributes.", + "ai:fairness:mitigatesBias": "The entity reduces unfair treatment.", + "ai:generative": "Behaviours that produce content using generative models.", + "ai:generative:citesSource": "The entity attributes generated content.", + "ai:generative:filtersOutput": "The entity screens generated content.", + "ai:generative:generatesAudio": "The entity produces 
sound content.", + "ai:generative:generatesCode": "The entity produces executable code.", + "ai:generative:generatesEmbedding": "The entity produces vector representation.", + "ai:generative:generatesImage": "The entity produces visual content.", + "ai:generative:generatesText": "The entity produces natural language.", + "ai:generative:mitigatesHallucination": "The entity reduces false content generation.", + "ai:generative:processesPrompt": "The entity interprets user instruction.", + "ai:generative:streamsResponse": "The entity delivers output incrementally.", + "ai:inference": "Behaviours that generate predictions using trained models.", + "ai:inference:appliesThreshold": "The entity uses decision boundary.", + "ai:inference:batchesInference": "The entity processes multiple inputs together.", + "ai:inference:cachesPrediction": "The entity stores prediction for reuse.", + "ai:inference:ensemblesModels": "The entity combines multiple model outputs.", + "ai:inference:generatesPrediction": "The entity produces model output.", + "ai:inference:infersInRealTime": "The entity generates prediction with low latency.", + "ai:inference:ranksResults": "The entity orders predictions by relevance.", + "ai:inference:scoresConfidence": "The entity assigns certainty to prediction.", + "ai:management": "Behaviours that deploy and manage machine learning models throughout their lifecycle.", + "ai:management:comparesModels": "The entity evaluates relative model performance.", + "ai:management:deploysModel": "The entity places model into service.", + "ai:management:loadsModel": "The entity retrieves model for use.", + "ai:management:monitorsModel": "The entity observes model performance.", + "ai:management:retiresModel": "The entity removes model from service.", + "ai:management:rollsBackModel": "The entity reverts to previous version.", + "ai:management:unloadsModel": "The entity removes model from memory.", + "ai:management:versionsModel": "The entity tracks model versions.", + 
"ai:quality": "Behaviours that monitor and maintain model and data quality.", + "ai:quality:detectsConceptDrift": "The entity identifies input-output relationship change.", + "ai:quality:detectsDataDrift": "The entity identifies input distribution change.", + "ai:quality:detectsOutlier": "The entity identifies anomalous input.", + "ai:quality:engineersFeatures": "The entity transforms raw data for model.", + "ai:quality:selectsFeatures": "The entity chooses relevant input features.", + "ai:quality:validatesInputData": "The entity checks inference input quality.", + "ai:robustness": "Behaviours that defend against adversarial attacks and handle uncertain inputs.", + "ai:robustness:defendsAgainstAdversarial": "The entity resists adversarial manipulation.", + "ai:robustness:detectsAdversarialInput": "The entity identifies crafted malicious input.", + "ai:robustness:detectsOutOfDistribution": "The entity identifies unfamiliar input.", + "ai:robustness:estimatesUncertainty": "The entity quantifies prediction confidence.", + "ai:robustness:validatesRobustness": "The entity tests model resilience.", + "ai:training": "Behaviours that prepare data and train machine learning models.", + "ai:training:appliesTransferLearning": "The entity adapts pre-trained model.", + "ai:training:checkpointsModel": "The entity saves model state during training.", + "ai:training:fineTunesModel": "The entity refines model for specific task.", + "ai:training:ingestsTrainingData": "The entity acquires data for training.", + "ai:training:preprocessesTrainingData": "The entity prepares data for training.", + "ai:training:trainsFederatedly": "The entity trains on distributed data.", + "ai:training:trainsModel": "The entity adjusts model parameters.", + "ai:training:tunesHyperparameters": "The entity optimises configuration parameters.", + "ai:training:validatesModel": "The entity evaluates model during training.", + "ai:training:validatesTrainingData": "The entity checks training data quality.", + 
"application": "Behaviours relating to application-level request processing and business logic.", + "application:codeExecution": "Behaviours that dynamically load and execute code at runtime.", + "application:codeExecution:compilesCode": "The entity transforms source to executable form.", + "application:codeExecution:evaluatesExpression": "The entity interprets and executes an expression.", + "application:codeExecution:executesNativeCommand": "The entity runs an operating system command.", + "application:codeExecution:executesScript": "The entity runs script code.", + "application:codeExecution:interpretsCode": "The entity executes code without compilation.", + "application:codeExecution:invokesViaReflection": "The entity calls method through reflection.", + "application:codeExecution:loadsCodeDynamically": "The entity loads executable code at runtime.", + "application:configuration": "Behaviours that load and manage application configuration settings.", + "application:configuration:detectsEnvironment": "The entity determines deployment context.", + "application:configuration:evaluatesFeatureFlag": "The entity checks feature toggle state.", + "application:configuration:loadsConfiguration": "The entity reads configuration settings.", + "application:configuration:reloadsConfiguration": "The entity refreshes configuration dynamically.", + "application:controlFlow": "Behaviours that manage the execution sequence and event handling within an application.", + "application:controlFlow:awaitsAsyncResult": "The entity waits for asynchronous completion.", + "application:controlFlow:catchesException": "The entity handles an error condition.", + "application:controlFlow:emitsEvent": "The entity triggers an event.", + "application:controlFlow:handlesEvent": "The entity responds to an event.", + "application:controlFlow:invokesCallback": "The entity executes a callback function.", + "application:controlFlow:invokesHandler": "The entity calls a request handler.", + 
"application:controlFlow:invokesMiddleware": "The entity executes middleware component.", + "application:controlFlow:schedulesAsyncOperation": "The entity queues work for later execution.", + "application:controlFlow:throwsException": "The entity raises an error condition.", + "application:dependencyManagement": "Behaviours that resolve and manage dependencies on other components.", + "application:dependencyManagement:closesCircuitBreaker": "The entity resumes calls to recovered dependency.", + "application:dependencyManagement:fallsBack": "The entity uses alternative when primary fails.", + "application:dependencyManagement:injectsDependency": "The entity provides component to dependent.", + "application:dependencyManagement:opensCircuitBreaker": "The entity stops calls to failing dependency.", + "application:dependencyManagement:resolvesDependency": "The entity locates required component.", + "application:externalIntegration": "Behaviours that communicate with external services and systems.", + "application:externalIntegration:callsExternalService": "The entity invokes an external API.", + "application:externalIntegration:consumesEvent": "The entity receives event from external system.", + "application:externalIntegration:publishesEvent": "The entity sends event to external system.", + "application:externalIntegration:receivesWebhook": "The entity accepts callback from external service.", + "application:observability": "Behaviours that emit telemetry for monitoring and debugging purposes.", + "application:observability:emitsTelemetry": "The entity transmits operational data.", + "application:observability:logsOperation": "The entity records an operational event.", + "application:observability:recordsMetric": "The entity captures a quantitative measurement.", + "application:observability:reportsHealth": "The entity communicates operational status.", + "application:observability:tracesRequest": "The entity tracks request across services.", + 
"application:requestHandling": "Behaviours that receive and process incoming requests.", + "application:requestHandling:authenticatesRequest": "The entity verifies requestor identity.", + "application:requestHandling:authorizesRequest": "The entity verifies requestor permissions.", + "application:requestHandling:bindsParameters": "The entity maps request data to parameters.", + "application:requestHandling:parsesRequest": "The entity interprets incoming request.", + "application:requestHandling:receivesHttpRequest": "The entity accepts an HTTP request.", + "application:requestHandling:rejectsRequest": "The entity refuses to process request.", + "application:requestHandling:routesRequest": "The entity directs request to appropriate handler.", + "application:requestHandling:validatesRequest": "The entity verifies request validity.", + "application:responseGeneration": "Behaviours that construct and transmit responses to requests.", + "application:responseGeneration:generatesResponse": "The entity creates a response.", + "application:responseGeneration:readsCookie": "The entity retrieves cookie value.", + "application:responseGeneration:redirectsRequest": "The entity sends client to different location.", + "application:responseGeneration:returnsError": "The entity indicates failure.", + "application:responseGeneration:returnsSuccess": "The entity indicates successful completion.", + "application:responseGeneration:sendsHttpResponse": "The entity transmits an HTTP response.", + "application:responseGeneration:setsCookie": "The entity creates or modifies a cookie.", + "application:responseGeneration:setsHeader": "The entity adds HTTP header to response.", + "application:stateManagement": "Behaviours that maintain and synchronise application state across requests.", + "application:stateManagement:acquiresLock": "The entity obtains exclusive access to resource.", + "application:stateManagement:beginsTransaction": "The entity starts an atomic operation group.", + 
"application:stateManagement:commitsTransaction": "The entity finalises transaction changes.", + "application:stateManagement:createsSessionState": "The entity initialises session data.", + "application:stateManagement:destroysSessionState": "The entity removes session data.", + "application:stateManagement:readsSessionState": "The entity retrieves session data.", + "application:stateManagement:releasesLock": "The entity relinquishes exclusive access.", + "application:stateManagement:rollsBackTransaction": "The entity undoes transaction changes.", + "application:stateManagement:synchronizesState": "The entity maintains consistency across replicas.", + "application:stateManagement:updatesSessionState": "The entity modifies session data.", + "data": "Behaviours relating to the ingestion and transformation of structured and unstructured data.", + "data:encoding": "Behaviours that apply specific encoding schemes to data.", + "data:encoding:appliesXor": "The entity transforms data using XOR operation.", + "data:encoding:decodesBaseSixtyFour": "The entity converts Base64 to original form.", + "data:encoding:decodesUrl": "The entity converts URL-encoded data.", + "data:encoding:encodesBaseSixtyFour": "The entity converts data to Base64.", + "data:encoding:encodesUrl": "The entity converts data for URL inclusion.", + "data:ingestion": "Behaviours that acquire data from external sources.", + "data:ingestion:pollsSource": "The entity periodically checks for new data.", + "data:ingestion:readsFile": "The entity retrieves data from a file.", + "data:ingestion:readsStream": "The entity consumes data from a continuous source.", + "data:ingestion:receivesInput": "The entity accepts data from an external source.", + "data:ingestion:receivesMessage": "The entity accepts a message from a queue.", + "data:ingestion:receivesRequest": "The entity accepts an incoming request.", + "data:ingestion:subscribesToFeed": "The entity registers to receive updates.", + "data:output": "Behaviours 
that produce and transmit data to external consumers.", + "data:output:formatsResponse": "The entity structures data for delivery.", + "data:output:producesOutput": "The entity generates data for consumption.", + "data:output:publishesMessage": "The entity sends a message to a queue.", + "data:output:rendersTemplate": "The entity generates output from a template.", + "data:output:sendsResponse": "The entity transmits a reply.", + "data:output:serializesObject": "The entity converts object to transmittable form.", + "data:output:streamsOutput": "The entity continuously produces data.", + "data:output:writesFile": "The entity saves data to a file.", + "data:parsing": "Behaviours that interpret and extract information from structured data formats.", + "data:parsing:decodesData": "The entity converts encoded data to original form.", + "data:parsing:deserializesObject": "The entity reconstructs object from serialised form.", + "data:parsing:extractsFields": "The entity isolates specific data elements.", + "data:parsing:parsesData": "The entity interprets structured data.", + "data:parsing:parsesHtml": "The entity interprets HTML content.", + "data:parsing:parsesJson": "The entity interprets JSON-formatted data.", + "data:parsing:parsesXml": "The entity interprets XML-formatted data.", + "data:query": "Behaviours that retrieve data based on specified criteria.", + "data:query:executesLdapQuery": "The entity queries an LDAP directory.", + "data:query:executesNoSqlQuery": "The entity queries a NoSQL database.", + "data:query:executesSearch": "The entity performs full-text or indexed search.", + "data:query:executesSql": "The entity runs a SQL statement.", + "data:query:executesXPath": "The entity evaluates an XPath expression.", + "data:query:queriesData": "The entity retrieves data matching criteria.", + "data:storage": "Behaviours that persist and retrieve data from storage systems.", + "data:storage:cachesData": "The entity stores data for quick retrieval.", + 
"data:storage:deletesData": "The entity removes stored data.", + "data:storage:flushesCache": "The entity writes cached data to persistent storage.", + "data:storage:invalidatesCache": "The entity marks cached data as stale.", + "data:storage:retrievesData": "The entity fetches stored data.", + "data:storage:storesData": "The entity saves data persistently.", + "data:storage:updatesData": "The entity modifies stored data.", + "data:transformation": "Behaviours that convert data from one form or structure to another.", + "data:transformation:aggregatesData": "The entity combines multiple values.", + "data:transformation:compressesData": "The entity reduces data size.", + "data:transformation:decompressesData": "The entity restores compressed data.", + "data:transformation:encodesData": "The entity converts data to encoded form.", + "data:transformation:enrichesData": "The entity adds information from external sources.", + "data:transformation:filtersData": "The entity removes unwanted elements.", + "data:transformation:joinsData": "The entity combines data from multiple sources.", + "data:transformation:mapsData": "The entity converts between data structures.", + "data:transformation:normalizesData": "The entity converts to standard form.", + "data:transformation:sortsData": "The entity orders data elements.", + "data:transformation:transformsData": "The entity converts data from one form to another.", + "evasion": "Behaviours relating to techniques that avoid detection and analysis.", + "evasion:analysisResistance": "Behaviours that detect and evade analysis environments.", + "evasion:analysisResistance:detectsAnalysisTool": "The entity identifies analysis software.", + "evasion:analysisResistance:detectsDebugger": "The entity identifies debugger presence.", + "evasion:analysisResistance:detectsEmulator": "The entity identifies emulation environment.", + "evasion:analysisResistance:detectsSandbox": "The entity identifies sandbox environment.", + 
"evasion:analysisResistance:detectsVirtualMachine": "The entity identifies VM environment.", + "evasion:analysisResistance:evadesDebugger": "The entity modifies behaviour under debugging.", + "evasion:analysisResistance:evadesEmulator": "The entity modifies behaviour under emulation.", + "evasion:analysisResistance:evadesSandbox": "The entity modifies behaviour in sandbox.", + "evasion:analysisResistance:evadesVirtualMachine": "The entity modifies behaviour in VM.", + "evasion:analysisResistance:usesTimingEvasion": "The entity uses delays to evade analysis.", + "evasion:antiSecurity": "Behaviours that detect and disable security software.", + "evasion:antiSecurity:detectsAntivirus": "The entity identifies AV software.", + "evasion:antiSecurity:disablesSecuritySoftware": "The entity deactivates security tools.", + "evasion:antiSecurity:evadesAntivirus": "The entity avoids AV detection.", + "evasion:antiSecurity:terminatesSecurityProcess": "The entity kills security software processes.", + "evasion:indirection": "Behaviours that use indirect methods to execute code.", + "evasion:indirection:resolvesApiDynamically": "The entity finds API addresses at runtime.", + "evasion:indirection:usesIndirectCalls": "The entity invokes functions indirectly.", + "evasion:indirection:usesProxyExecution": "The entity executes through intermediary.", + "evasion:obfuscation": "Behaviours that obscure code and data to hinder analysis.", + "evasion:obfuscation:obfuscatesCode": "The entity makes code difficult to analyse.", + "evasion:obfuscation:obfuscatesControlFlow": "The entity obscures execution paths.", + "evasion:obfuscation:obfuscatesData": "The entity hides data structures.", + "evasion:obfuscation:obfuscatesStrings": "The entity hides string contents.", + "evasion:obfuscation:packsCode": "The entity compresses or encrypts executable.", + "evasion:obfuscation:unpacksAtRuntime": "The entity decompresses code during execution.", + "file": "Behaviours relating to file system 
operations and disk management.", + "file:directory": "Behaviours that create and navigate directory structures.", + "file:directory:changesDirectory": "The entity sets current working directory.", + "file:directory:createsDirectory": "The entity creates a new directory.", + "file:directory:deletesDirectory": "The entity removes a directory.", + "file:directory:listsDirectory": "The entity enumerates directory contents.", + "file:directory:traversesDirectory": "The entity recursively explores directories.", + "file:disk": "Behaviours that manage storage volumes and disk-level operations.", + "file:disk:decryptsVolume": "The entity decrypts a storage volume.", + "file:disk:encryptsVolume": "The entity encrypts a storage volume.", + "file:disk:formatsVolume": "The entity prepares storage for use.", + "file:disk:mountsVolume": "The entity attaches a storage volume.", + "file:disk:unmountsVolume": "The entity detaches a storage volume.", + "file:disk:wipesDisk": "The entity securely erases disk contents.", + "file:operations": "Behaviours that create and manipulate files.", + "file:operations:appendsToFile": "The entity adds data to end of file.", + "file:operations:checksFileExistence": "The entity verifies whether a file exists.", + "file:operations:closesFile": "The entity releases file access.", + "file:operations:copiesFile": "The entity duplicates a file.", + "file:operations:createsFile": "The entity creates a new file.", + "file:operations:deletesFile": "The entity removes a file.", + "file:operations:getsFileAttributes": "The entity retrieves file metadata.", + "file:operations:movesFile": "The entity relocates a file.", + "file:operations:opensFile": "The entity prepares a file for access.", + "file:operations:readsFile": "The entity retrieves file contents.", + "file:operations:renamesFile": "The entity changes a file name.", + "file:operations:setsFileAttributes": "The entity modifies file metadata.", + "file:operations:setsFilePermissions": "The entity 
modifies file access permissions.", + "file:operations:writesFile": "The entity modifies file contents.", + "gui": "Behaviours relating to graphical user interface interactions.", + "gui:display": "Behaviours that render and monitor visual output.", + "gui:display:displaysData": "The entity renders information visually.", + "gui:display:monitorsDisplay": "The entity observes displayed content.", + "gui:display:updatesDisplay": "The entity refreshes visual presentation.", + "gui:session": "Behaviours that interact with user login sessions.", + "gui:session:displaysLogin": "The entity presents login interface.", + "gui:session:interactsWithSession": "The entity operates within user session.", + "gui:session:switchesSession": "The entity changes active user session.", + "gui:window": "Behaviours that create and manipulate graphical windows.", + "gui:window:capturesWindow": "The entity captures window contents.", + "gui:window:createsWindow": "The entity creates a graphical window.", + "gui:window:destroysWindow": "The entity closes a window.", + "gui:window:enumeratesWindows": "The entity lists open windows.", + "gui:window:interactsWithTaskbar": "The entity modifies taskbar elements.", + "gui:window:modifiesWindow": "The entity changes window properties.", + "hardware": "Behaviours relating to hardware components and physical device interactions.", + "hardware:actuator": "Behaviours that control physical actuators and output devices.", + "hardware:actuator:calibratesActuator": "The entity adjusts actuator accuracy.", + "hardware:actuator:controlsBattery": "The entity manages battery charging.", + "hardware:actuator:controlsHeating": "The entity manages heating element.", + "hardware:actuator:controlsLed": "The entity manages LED indicator.", + "hardware:actuator:controlsMotor": "The entity manages motor operation.", + "hardware:actuator:controlsPower": "The entity manages power distribution.", + "hardware:actuator:controlsPump": "The entity manages fluid pump.", + 
"hardware:actuator:controlsTemperature": "The entity regulates temperature.", + "hardware:boot": "Behaviours that verify and configure system startup processes.", + "hardware:boot:entersRecoveryMode": "The entity boots via alternative path.", + "hardware:boot:executesSecureBoot": "The entity verifies code integrity at startup.", + "hardware:boot:locksBootConfiguration": "The entity prevents boot setting changes.", + "hardware:boot:modifiesBootConfiguration": "The entity changes boot settings.", + "hardware:boot:readsBootConfiguration": "The entity retrieves boot settings.", + "hardware:boot:recordsBootMeasurement": "The entity logs boot component hashes.", + "hardware:boot:verifiesBootLoader": "The entity validates boot loader authenticity.", + "hardware:firmware": "Behaviours that manage and verify firmware integrity.", + "hardware:firmware:monitorsFirmwareIntegrity": "The entity checks for firmware tampering.", + "hardware:firmware:preventsFirmwareRollback": "The entity blocks reversion to old firmware.", + "hardware:firmware:readsFirmwareVersion": "The entity retrieves firmware version.", + "hardware:firmware:updatesFirmware": "The entity applies firmware changes.", + "hardware:firmware:verifiesFirmwareSignature": "The entity validates firmware authenticity.", + "hardware:memory": "Behaviours that protect and isolate memory regions.", + "hardware:memory:encryptsMemory": "The entity protects memory contents.", + "hardware:memory:isolatesMemory": "The entity separates memory regions.", + "hardware:memory:protectsStack": "The entity defends against stack attacks.", + "hardware:memory:randomizesAddressSpace": "The entity applies ASLR.", + "hardware:memory:readsProtectedMemory": "The entity accesses protected memory region.", + "hardware:memory:writesProtectedMemory": "The entity modifies protected memory region.", + "hardware:peripheral": "Behaviours that interact with peripheral devices and interfaces.", + "hardware:peripheral:accessesCamera": "The entity interacts 
with camera hardware.", + "hardware:peripheral:accessesDisplay": "The entity interacts with display hardware.", + "hardware:peripheral:accessesGpio": "The entity reads or writes GPIO pins.", + "hardware:peripheral:accessesJtag": "The entity uses JTAG debug interface.", + "hardware:peripheral:accessesKeyboard": "The entity interacts with keyboard hardware.", + "hardware:peripheral:accessesStorageDevice": "The entity interacts with storage hardware.", + "hardware:peripheral:accessesUsbDevice": "The entity interacts with USB peripheral.", + "hardware:peripheral:configuresDma": "The entity sets up direct memory access.", + "hardware:peripheral:protectsDma": "The entity prevents unauthorised DMA.", + "hardware:physicalSecurity": "Behaviours that detect and respond to physical tampering.", + "hardware:physicalSecurity:detectsPhysicalTamper": "The entity identifies physical interference.", + "hardware:physicalSecurity:disablesDebugInterface": "The entity prevents debug access.", + "hardware:physicalSecurity:enablesDebugInterface": "The entity permits debug access.", + "hardware:physicalSecurity:monitorsEnclosure": "The entity detects housing penetration.", + "hardware:physicalSecurity:respondsToTamper": "The entity reacts to physical attack.", + "hardware:physicalSecurity:zeroizesKeys": "The entity destroys keys on tamper detection.", + "hardware:security": "Behaviours that utilise hardware security features and trusted execution environments.", + "hardware:security:anchorsInHardwareRoot": "The entity uses tamper-resistant hardware for trust.", + "hardware:security:executesInTee": "The entity runs in trusted execution environment.", + "hardware:security:generatesPufResponse": "The entity uses physical unclonable function.", + "hardware:security:usesHsm": "The entity employs hardware security module.", + "hardware:security:usesSecureElement": "The entity employs dedicated security hardware.", + "hardware:sensor": "Behaviours that read measurements from hardware sensors.", 
+ "hardware:sensor:calibratesSensor": "The entity adjusts sensor accuracy.", + "hardware:sensor:readsBatteryStatus": "The entity obtains battery state.", + "hardware:sensor:readsBloodOxygen": "The entity obtains SpO2 measurement.", + "hardware:sensor:readsBloodPressure": "The entity obtains blood pressure measurement.", + "hardware:sensor:readsCoTwoLevel": "The entity obtains CO2 measurement.", + "hardware:sensor:readsEcg": "The entity obtains electrocardiogram data.", + "hardware:sensor:readsPowerStatus": "The entity obtains power state.", + "hardware:sensor:readsTemperature": "The entity obtains temperature measurement.", + "hardware:sideChannelDefense": "Behaviours that protect against side-channel attacks.", + "hardware:sideChannelDefense:controlsEmEmissions": "The entity limits electromagnetic leakage.", + "hardware:sideChannelDefense:resistsFaultInjection": "The entity protects against induced faults.", + "hardware:sideChannelDefense:resistsPowerAnalysis": "The entity protects against power-based attacks.", + "hardware:sideChannelDefense:resistsTimingAnalysis": "The entity protects against timing-based attacks.", + "network": "Behaviours relating to network communication and data transmission between systems.", + "network:connection": "Behaviours that establish and manage network connections.", + "network:connection:acceptsConnection": "The entity receives an incoming connection.", + "network:connection:detectsConnectionLoss": "The entity identifies a dropped connection.", + "network:connection:establishesConnection": "The entity initiates a network connection.", + "network:connection:reconnects": "The entity re-establishes a dropped connection.", + "network:connection:reusesConnection": "The entity uses a pooled connection.", + "network:connection:sendsHeartbeat": "The entity transmits a keep-alive signal.", + "network:connection:terminatesConnection": "The entity closes a network connection.", + "network:discovery": "Behaviours that locate and advertise 
network services and resources.", + "network:discovery:advertisesService": "The entity announces its availability.", + "network:discovery:discoversService": "The entity locates an available service.", + "network:discovery:enumeratesInterfaces": "The entity lists network interfaces.", + "network:discovery:probesPort": "The entity checks if a port is open.", + "network:discovery:queriesDns": "The entity requests DNS resolution.", + "network:discovery:resolvesName": "The entity translates a name to an address.", + "network:discovery:scansNetwork": "The entity probes for active hosts or services.", + "network:protocol": "Behaviours that negotiate and implement communication protocols.", + "network:protocol:downgradesProtocol": "The entity falls back to a less secure protocol version.", + "network:protocol:framesMessage": "The entity structures data for transmission.", + "network:protocol:negotiatesProtocol": "The entity agrees on communication protocol with peer.", + "network:protocol:parsesMessage": "The entity interprets received network data.", + "network:protocol:retransmitsMessage": "The entity resends data after transmission failure.", + "network:protocol:upgradesProtocol": "The entity transitions to a more secure protocol version.", + "network:protocol:validatesMessage": "The entity verifies message format and integrity.", + "network:remoteInteraction": "Behaviours that execute operations on remote systems.", + "network:remoteInteraction:accessesRemoteDesktop": "The entity controls a remote graphical interface.", + "network:remoteInteraction:accessesRemoteShell": "The entity interacts with a remote command line.", + "network:remoteInteraction:executesRemoteCommand": "The entity runs a command on a remote system.", + "network:remoteInteraction:invokesRemoteProcedure": "The entity calls a function on a remote system.", + "network:remoteInteraction:sendsEmail": "The entity transmits an email message.", + "network:remoteInteraction:sendsSms": "The entity transmits a 
text message.", + "network:remoteInteraction:transfersFile": "The entity sends or receives a file remotely.", + "network:routing": "Behaviours that direct network traffic to its destination.", + "network:routing:configuresProxy": "The entity sets up traffic to route through a proxy.", + "network:routing:forwardsPacket": "The entity passes a packet toward its destination.", + "network:routing:redirectsTraffic": "The entity diverts traffic to a different destination.", + "network:routing:routesTraffic": "The entity directs network traffic to destinations.", + "network:routing:tunnelsTraffic": "The entity encapsulates traffic within another protocol.", + "network:trafficControl": "Behaviours that manage and manipulate network traffic flow.", + "network:trafficControl:balancesLoad": "The entity distributes requests across destinations.", + "network:trafficControl:filtersTraffic": "The entity blocks or allows traffic based on rules.", + "network:trafficControl:inspectsTraffic": "The entity examines traffic contents.", + "network:trafficControl:interceptsTraffic": "The entity captures traffic in transit.", + "network:trafficControl:limitsRate": "The entity restricts traffic volume.", + "network:trafficControl:modifiesTraffic": "The entity alters traffic in transit.", + "network:trafficControl:shapesTraffic": "The entity manages traffic timing and priority.", + "network:transmission": "Behaviours that send and receive data over network connections.", + "network:transmission:broadcastsData": "The entity sends data to multiple recipients.", + "network:transmission:multicastsData": "The entity sends data to a group of recipients.", + "network:transmission:receivesData": "The entity accepts data from the network.", + "network:transmission:sendsData": "The entity transmits data over the network.", + "network:transmission:streamsData": "The entity continuously transmits or receives data.", + "privacy": "Behaviours relating to the collection and processing of personal and 
sensitive data.", + "privacy:collection": "Behaviours that gather personal or sensitive information from individuals or systems.", + "privacy:collection:capturesAudio": "The entity records sound via microphone.", + "privacy:collection:capturesKeystrokes": "The entity records keyboard input.", + "privacy:collection:capturesScreen": "The entity records display contents.", + "privacy:collection:capturesVideo": "The entity records images via camera.", + "privacy:collection:collectsBehavioralData": "The entity records user actions and patterns.", + "privacy:collection:collectsBiometricData": "The entity captures biometric information.", + "privacy:collection:collectsCommunicationContent": "The entity captures message or call contents.", + "privacy:collection:collectsDeviceInformation": "The entity gathers device identifiers or characteristics.", + "privacy:collection:collectsFinancialData": "The entity gathers payment or financial information.", + "privacy:collection:collectsHealthData": "The entity gathers protected health information.", + "privacy:collection:collectsInBackground": "The entity gathers data without active user engagement.", + "privacy:collection:collectsLocationData": "The entity gathers geographical position information.", + "privacy:collection:collectsPersonalData": "The entity gathers personally identifiable information.", + "privacy:collection:collectsSilently": "The entity gathers data without user awareness.", + "privacy:collection:readsBrowserHistory": "The entity accesses web browsing history.", + "privacy:collection:readsClipboard": "The entity accesses clipboard contents.", + "privacy:deletion": "Behaviours that remove or destroy personal data.", + "privacy:deletion:clearsCache": "The entity removes data from temporary storage.", + "privacy:deletion:deletesPersonalData": "The entity removes personal data.", + "privacy:deletion:erasesSecurely": "The entity irreversibly destroys data.", + "privacy:deletion:purgesFromBackup": "The entity removes 
data from backup systems.", + "privacy:deletion:redactsData": "The entity removes specific content from records.", + "privacy:inference": "Behaviours that derive personal information through analysis and correlation of data.", + "privacy:inference:correlatesData": "The entity combines data from multiple sources.", + "privacy:inference:createsProfile": "The entity builds a profile from collected data.", + "privacy:inference:fingerprintsDevice": "The entity identifies device via characteristics.", + "privacy:inference:infersPersonalInformation": "The entity derives personal data from other data.", + "privacy:inference:linksIdentities": "The entity associates data across contexts.", + "privacy:inference:tracksUser": "The entity follows user activity across sessions.", + "privacy:minimization": "Behaviours that reduce the amount or sensitivity of personal data processed.", + "privacy:minimization:aggregatesData": "The entity combines records into summaries.", + "privacy:minimization:anonymizesData": "The entity removes identifying information.", + "privacy:minimization:filtersData": "The entity removes unnecessary data elements.", + "privacy:minimization:generalizesData": "The entity reduces data precision.", + "privacy:minimization:limitsCollection": "The entity gathers only necessary data.", + "privacy:minimization:limitsProcessing": "The entity restricts data use to stated purposes.", + "privacy:minimization:pseudonymizesData": "The entity replaces identifiers with pseudonyms.", + "privacy:privacyEnhancement": "Behaviours that employ technical measures to protect privacy during processing.", + "privacy:privacyEnhancement:addsDifferentialPrivacy": "The entity injects noise to protect individuals.", + "privacy:privacyEnhancement:computesMultiparty": "The entity performs joint computation privately.", + "privacy:privacyEnhancement:processesHomomorphically": "The entity computes on encrypted data.", + "privacy:privacyEnhancement:processesLocally": "The entity handles 
data on-device.", + "privacy:retention": "Behaviours that store personal data over time.", + "privacy:retention:archivesData": "The entity moves data to long-term storage.", + "privacy:retention:backsUpData": "The entity creates copies for recovery.", + "privacy:retention:enforcesRetentionPeriod": "The entity deletes data after specified time.", + "privacy:retention:retainsBeyondPurpose": "The entity keeps data longer than necessary.", + "privacy:retention:retainsInCache": "The entity keeps data in temporary storage.", + "privacy:retention:retainsInLog": "The entity keeps data in log files.", + "privacy:retention:storesPersonalData": "The entity saves personal data persistently.", + "privacy:sharing": "Behaviours that disclose personal data to third parties or across boundaries.", + "privacy:sharing:disclosesToThirdParty": "The entity transmits personal data externally.", + "privacy:sharing:exportsData": "The entity outputs data in portable format.", + "privacy:sharing:publishesData": "The entity makes data publicly available.", + "privacy:sharing:sellsData": "The entity provides data in exchange for value.", + "privacy:sharing:sharesWithAffiliate": "The entity provides data to related entities.", + "privacy:sharing:transfersCrossBorder": "The entity sends data across jurisdictions.", + "privacy:subjectRights": "Behaviours that fulfil data subject rights under privacy regulations.", + "privacy:subjectRights:correctsData": "The entity modifies inaccurate personal data.", + "privacy:subjectRights:exportsDataPortably": "The entity provides data in portable format.", + "privacy:subjectRights:honorsErasureRequest": "The entity deletes data upon request.", + "privacy:subjectRights:honorsObjection": "The entity ceases processing upon objection.", + "privacy:subjectRights:providesDataAccess": "The entity gives individuals their data.", + "privacy:subjectRights:restrictsProcessing": "The entity limits data use upon request.", + "privacy:transparency": "Behaviours that 
inform individuals about data processing activities.", + "privacy:transparency:disclosesProcessing": "The entity reveals data processing activities.", + "privacy:transparency:displaysPrivacyNotice": "The entity presents privacy information.", + "privacy:transparency:explainsAutomatedDecision": "The entity describes automated decision logic.", + "privacy:transparency:recordsConsent": "The entity stores consent decisions.", + "privacy:transparency:requestsConsent": "The entity asks for processing permission.", + "privacy:transparency:withdrawsConsent": "The entity processes consent revocation.", + "safety": "Behaviours relating to the prevention of harm to users and the environment.", + "safety:autonomousBehavior": "Behaviours that govern decision-making boundaries and human oversight of autonomous systems.", + "safety:autonomousBehavior:acceptsOverride": "The entity yields to human command.", + "safety:autonomousBehavior:enforcesHumanInLoop": "The entity requires human involvement.", + "safety:autonomousBehavior:explainsDecision": "The entity provides rationale for its action.", + "safety:autonomousBehavior:requestsGuidance": "The entity asks for human direction.", + "safety:autonomousBehavior:respectsDecisionBoundary": "The entity stays within authorised decision scope.", + "safety:contentSafety": "Behaviours that detect and filter harmful or inappropriate content.", + "safety:contentSafety:detectsHarmfulContent": "The entity identifies potentially harmful content.", + "safety:contentSafety:detectsMisinformation": "The entity identifies false or misleading content.", + "safety:contentSafety:enforcesAgeRestriction": "The entity limits access by user age.", + "safety:contentSafety:filtersContent": "The entity blocks or restricts content.", + "safety:contentSafety:labelsContent": "The entity marks content with warnings or ratings.", + "safety:harmPrevention": "Behaviours that actively protect users and bystanders from physical or psychological harm.", + 
"safety:harmPrevention:preventsEnvironmentalHarm": "The entity acts to protect the environment.", + "safety:harmPrevention:preventsPropertyDamage": "The entity acts to protect physical property.", + "safety:harmPrevention:preventsUserHarm": "The entity acts to protect users from injury.", + "safety:harmPrevention:protectsBystanders": "The entity considers safety of non-users.", + "safety:hazardManagement": "Behaviours that identify and mitigate potentially dangerous conditions.", + "safety:hazardManagement:assessesRisk": "The entity evaluates severity and likelihood of harm.", + "safety:hazardManagement:identifiesHazard": "The entity detects a potentially harmful condition.", + "safety:hazardManagement:mitigatesHazard": "The entity reduces hazard severity or likelihood.", + "safety:hazardManagement:reportsHazard": "The entity communicates a hazardous condition.", + "safety:humanInteraction": "Behaviours that manage communication and interaction with human operators.", + "safety:humanInteraction:adaptsForAccessibility": "The entity adjusts for users with disabilities.", + "safety:humanInteraction:managesCognitiveLoad": "The entity limits information to prevent overwhelm.", + "safety:humanInteraction:requestsConfirmation": "The entity requires human approval for action.", + "safety:humanInteraction:warnsOperator": "The entity alerts human to abnormal condition.", + "safety:operationalSafety": "Behaviours that enforce safe operating limits and conditions.", + "safety:operationalSafety:acceptsManualOverride": "The entity yields control to human operator.", + "safety:operationalSafety:enforcesInterlock": "The entity prevents unsafe operation combinations.", + "safety:operationalSafety:enforcesOperatingLimits": "The entity prevents operation outside safe bounds.", + "safety:operationalSafety:executesEmergencyStop": "The entity immediately halts dangerous operation.", + "safety:operationalSafety:monitorsWatchdog": "The entity checks for uncontrolled operation.", + 
"safety:operationalSafety:validatesSafetyCondition": "The entity confirms safe operating state.", + "security": "Behaviours relating to the protection of systems and data from unauthorised access and threats.", + "security:auditing": "Behaviours that record security-relevant events for accountability and forensic analysis.", + "security:auditing:logsEvent": "The entity records an occurrence.", + "security:auditing:logsSecurityEvent": "The entity records a security-relevant occurrence.", + "security:auditing:protectsAuditLog": "The entity prevents tampering with log records.", + "security:auditing:purgesLog": "The entity deletes old log records.", + "security:auditing:rotatesLog": "The entity archives and starts new log files.", + "security:auditing:signsLogEntry": "The entity cryptographically signs audit records.", + "security:auditing:timestampsEvent": "The entity records when an event occurred.", + "security:auditing:transmitsLog": "The entity sends log data to a remote destination.", + "security:authentication": "Behaviours that verify the identity of users and entities.", + "security:authentication:authenticatesDevice": "The entity confirms device identity.", + "security:authentication:authenticatesService": "The entity confirms service identity.", + "security:authentication:authenticatesUser": "The entity confirms user identity.", + "security:authentication:bypassesAuthentication": "The entity permits access without authentication.", + "security:authentication:capturesBiometric": "The entity collects biometric data for authentication.", + "security:authentication:delegatesAuthentication": "The entity relies on external identity provider.", + "security:authentication:failsAuthentication": "The entity rejects invalid credentials.", + "security:authentication:locksAccount": "The entity prevents further authentication attempts.", + "security:authentication:performsMultiFactorAuthentication": "The entity requires multiple authentication factors.", + 
"security:authentication:promptsForCredentials": "The entity requests authentication information.", + "security:authentication:unlocksAccount": "The entity restores authentication capability.", + "security:authentication:validatesBiometric": "The entity verifies biometric data.", + "security:authentication:validatesCredentials": "The entity verifies supplied credentials.", + "security:authorization": "Behaviours that determine and enforce access permissions.", + "security:authorization:checksPermission": "The entity verifies access rights.", + "security:authorization:delegatesAuthority": "The entity transfers access rights to another.", + "security:authorization:deniesAccess": "The entity refuses a requested action.", + "security:authorization:enforcesRole": "The entity restricts actions based on assigned role.", + "security:authorization:escalatesPrivilege": "The entity gains elevated permissions.", + "security:authorization:evaluatesAttributes": "The entity uses attributes for access decisions.", + "security:authorization:evaluatesPolicy": "The entity applies rules to make access decisions.", + "security:authorization:grantsAccess": "The entity permits a requested action.", + "security:authorization:grantsImpersonation": "The entity permits another to act within its security context.", + "security:authorization:impersonatesUser": "The entity performs actions within another user's security context.", + "security:authorization:requestsImpersonation": "The entity initiates a request to act as another user.", + "security:authorization:revokesAccess": "The entity withdraws previously granted permissions.", + "security:authorization:revokesImpersonation": "The entity terminates another's permission to act on its behalf.", + "security:cryptography": "Behaviours that employ cryptographic operations to protect data confidentiality and integrity.", + "security:cryptography:authenticates": "The entity verifies the identity of a user, process, or device.", + 
"security:cryptography:checksRevocation": "The entity queries certificate revocation status.", + "security:cryptography:decryptsData": "The entity restores encrypted data to readable form.", + "security:cryptography:decryptsDataAtRest": "The entity restores stored encrypted data to readable form.", + "security:cryptography:decryptsDataInTransit": "The entity restores data received over a network to readable form.", + "security:cryptography:decryptsDisk": "The entity unlocks and decrypts contents of an encrypted disk.", + "security:cryptography:decryptsSecret": "The entity retrieves and decrypts a secured credential or metadata.", + "security:cryptography:destroysKey": "The entity securely erases a key.", + "security:cryptography:encryptsData": "The entity transforms data to prevent unauthorised reading.", + "security:cryptography:encryptsDataAtRest": "The entity protects stored data by converting it to unreadable form.", + "security:cryptography:encryptsDataInTransit": "The entity protects data moving across a network.", + "security:cryptography:encryptsDisk": "The entity applies full-disk encryption to protect all data on a drive.", + "security:cryptography:encryptsSecret": "The entity secures sensitive credentials or metadata.", + "security:cryptography:ensuresAccountability": "The entity ensures actions can be traced to a specific individual or process.", + "security:cryptography:ensuresConfidentiality": "The entity protects sensitive information from unauthorised access.", + "security:cryptography:ensuresIntegrity": "The entity guarantees that data has not been altered or tampered with.", + "security:cryptography:ensuresNonRepudiation": "The entity provides proof of origin and integrity to prevent denial.", + "security:cryptography:exchangesKey": "The entity shares a key with another party.", + "security:cryptography:generatesKey": "The entity creates a cryptographic key.", + "security:cryptography:generatesRandomValue": "The entity produces a cryptographically 
secure random value.", + "security:cryptography:hashesData": "The entity generates a cryptographic hash.", + "security:cryptography:hashesPassword": "The entity applies a cryptographic hash function to a password.", + "security:cryptography:identifies": "The entity establishes a unique identity for an actor within the system.", + "security:cryptography:issuesCertificate": "The entity creates and signs a digital certificate.", + "security:cryptography:preservesPrivacy": "The entity protects personally identifiable information and user data.", + "security:cryptography:presentsClientCertificate": "The entity provides a client certificate for authentication.", + "security:cryptography:presentsServerCertificate": "The entity provides a server certificate for authentication.", + "security:cryptography:retrievesKey": "The entity obtains a stored key.", + "security:cryptography:revokesCertificate": "The entity invalidates a certificate.", + "security:cryptography:rotatesKey": "The entity replaces a key with a new one.", + "security:cryptography:signsCode": "The entity applies a digital signature to executable code.", + "security:cryptography:signsData": "The entity creates a digital signature.", + "security:cryptography:signsDocument": "The entity applies a digital signature to a document.", + "security:cryptography:storesKey": "The entity saves a key securely.", + "security:cryptography:usesIdentity": "The entity utilises established identity credentials for operations.", + "security:cryptography:validatesCertificate": "The entity verifies certificate authenticity.", + "security:cryptography:validatesToken": "The entity verifies the authenticity and expiration of a security token.", + "security:cryptography:verifiesCodeSignature": "The entity validates a digital signature on executable code.", + "security:cryptography:verifiesDataSignature": "The entity validates a digital signature on data.", + "security:cryptography:verifiesDocumentSignature": "The entity validates a 
digital signature on a document.", + "security:cryptography:verifiesHash": "The entity validates data against a hash.", + "security:cryptography:verifiesSignature": "The entity validates a digital signature.", + "security:cryptography:wrapsKey": "The entity encrypts a key for secure storage or transport.", + "security:errorHandling": "Behaviours that manage error conditions to prevent information disclosure.", + "security:errorHandling:catchesException": "The entity intercepts an error condition.", + "security:errorHandling:disclosesErrorDetails": "The entity reveals internal information in error messages.", + "security:errorHandling:failsClosed": "The entity denies access when controls fail.", + "security:errorHandling:failsOpen": "The entity permits access when controls fail.", + "security:errorHandling:generatesError": "The entity produces an error condition.", + "security:errorHandling:logsError": "The entity records an error condition.", + "security:errorHandling:propagatesError": "The entity passes an error to caller.", + "security:errorHandling:returnsGenericError": "The entity provides minimal error information.", + "security:errorHandling:suppressesError": "The entity hides an error condition.", + "security:inputHandling": "Behaviours that validate and sanitise input data to prevent injection attacks.", + "security:inputHandling:escapesInput": "The entity encodes special characters in input.", + "security:inputHandling:normalizesInput": "The entity converts input to standard form.", + "security:inputHandling:rejectsInvalidInput": "The entity refuses malformed or dangerous input.", + "security:inputHandling:sanitizesInput": "The entity removes potentially harmful content from input.", + "security:inputHandling:truncatesInput": "The entity shortens input to acceptable length.", + "security:inputHandling:validatesFormat": "The entity verifies input conforms to expected format.", + "security:inputHandling:validatesRange": "The entity ensures values fall within 
acceptable bounds.", + "security:inputHandling:validatesSchema": "The entity checks input against a defined schema.", + "security:integrity": "Behaviours that verify and protect the integrity of data and code.", + "security:integrity:attestsIntegrity": "The entity provides evidence of its own integrity.", + "security:integrity:detectsTampering": "The entity identifies modification attempts.", + "security:integrity:respondsToTampering": "The entity reacts to detected tampering.", + "security:integrity:validatesComponent": "The entity verifies authenticity of a dependency.", + "security:integrity:verifiesIntegrity": "The entity confirms data or code has not been altered.", + "security:integrity:verifiesProvenance": "The entity confirms origin and history.", + "security:outputHandling": "Behaviours that encode and filter output data to prevent information leakage.", + "security:outputHandling:encodesOutput": "The entity transforms output to prevent injection.", + "security:outputHandling:enforcesContentPolicy": "The entity restricts content sources.", + "security:outputHandling:escapesOutput": "The entity encodes special characters in output.", + "security:outputHandling:filtersOutput": "The entity removes sensitive content from output.", + "security:outputHandling:masksOutput": "The entity obscures sensitive data in output.", + "security:outputHandling:setsSecurityHeader": "The entity adds security-related HTTP headers.", + "security:session": "Behaviours that manage authenticated user sessions.", + "security:session:createsSession": "The entity establishes an authenticated session.", + "security:session:detectsSessionHijacking": "The entity identifies unauthorised session use.", + "security:session:invalidatesSession": "The entity revokes session validity.", + "security:session:refreshesSession": "The entity extends session lifetime.", + "security:session:regeneratesSessionId": "The entity creates a new session identifier.", + "security:session:terminatesSession": 
"The entity ends an authenticated session.", + "security:session:validatesSession": "The entity verifies session validity.", + "security:threatResponse": "Behaviours that detect and respond to security threats and incidents.", + "security:threatResponse:blocksRequest": "The entity refuses a suspicious request.", + "security:threatResponse:blocksSource": "The entity prevents further requests from a source.", + "security:threatResponse:collectsForensicData": "The entity gathers evidence for investigation.", + "security:threatResponse:detectsAnomaly": "The entity recognises deviation from normal patterns.", + "security:threatResponse:detectsIntrusion": "The entity identifies a potential security breach.", + "security:threatResponse:initiatesIncidentResponse": "The entity triggers security response procedures.", + "security:threatResponse:quarantinesElement": "The entity isolates a suspicious item.", + "security:threatResponse:raisesAlert": "The entity notifies of a security event.", + "system": "Behaviours relating to operating system interactions and the management of computational resources.", + "system:configuration": "Behaviours that read and modify system configuration settings.", + "system:configuration:deletesRegistryKey": "The entity removes entries from the registry.", + "system:configuration:modifiesGroupPolicy": "The entity changes group policy settings.", + "system:configuration:readsConfigurationFile": "The entity loads settings from a configuration file.", + "system:configuration:readsEnvironmentVariable": "The entity retrieves an environment variable value.", + "system:configuration:readsGroupPolicy": "The entity retrieves group policy settings.", + "system:configuration:readsRegistry": "The entity retrieves values from the system registry.", + "system:configuration:setsEnvironmentVariable": "The entity modifies an environment variable.", + "system:configuration:writesConfigurationFile": "The entity saves settings to a configuration file.", + 
"system:configuration:writesRegistry": "The entity stores values in the system registry.", + "system:informationGathering": "Behaviours that collect information about the host system and its configuration.", + "system:informationGathering:detectsOsVersion": "The entity determines the operating system version.", + "system:informationGathering:gathersSystemInformation": "The entity collects system configuration details.", + "system:informationGathering:queriesHardwareInformation": "The entity retrieves hardware specifications.", + "system:informationGathering:retrievesHostname": "The entity obtains the system hostname.", + "system:kernelInteraction": "Behaviours that interact directly with the operating system kernel.", + "system:kernelInteraction:hooksKernelFunction": "The entity intercepts kernel-level calls.", + "system:kernelInteraction:installsDriver": "The entity loads a kernel-mode driver.", + "system:kernelInteraction:readsKernelMemory": "The entity accesses kernel memory space.", + "system:kernelInteraction:writesKernelMemory": "The entity modifies kernel memory space.", + "system:lifecycle": "Behaviours associated with an entity's initialisation, operation, maintenance, and retirement.", + "system:lifecycle:appliesUpdate": "The entity installs software or firmware updates.", + "system:lifecycle:decommissions": "The entity securely retires from service.", + "system:lifecycle:initializes": "The entity performs start-up routines and loads configuration.", + "system:lifecycle:performsSelfTest": "The entity verifies its own operational readiness.", + "system:lifecycle:provisions": "The entity configures itself for deployment.", + "system:lifecycle:rollsBack": "The entity reverts to a previous known-good state.", + "system:lifecycle:shutsDown": "The entity executes orderly cessation of operations.", + "system:operationalState": "Behaviours that govern an entity's functional status and mode of operation.", + "system:operationalState:entersFailSafeState": "The 
entity transitions to a known safe state upon detecting a fault.", + "system:operationalState:entersFailSecureState": "The entity denies access or ceases sensitive operations upon detecting a security fault.", + "system:operationalState:operatesInDegradedMode": "The entity continues operation with reduced functionality.", + "system:operationalState:operatesNormally": "The entity performs its intended functions within designed parameters.", + "system:operationalState:performsEmergencyShutdown": "The entity immediately halts to prevent harm or damage.", + "system:persistence": "Behaviours that establish mechanisms for an entity to survive system restarts.", + "system:persistence:createsScheduledTask": "The entity schedules itself for recurring execution.", + "system:persistence:installsAsService": "The entity registers itself as a system service.", + "system:persistence:loadsAsKernelModule": "The entity loads itself into the kernel.", + "system:persistence:registersForStartup": "The entity configures itself to execute at system boot.", + "system:persistence:removesPersistence": "The entity removes its persistence mechanism.", + "system:processControl": "Behaviours that create and manipulate operating system processes.", + "system:processControl:createsProcess": "The entity starts a new process.", + "system:processControl:dumpsProcessMemory": "The entity extracts memory contents from a process.", + "system:processControl:enumeratesProcesses": "The entity lists running processes.", + "system:processControl:hooksFunction": "The entity intercepts and redirects function calls.", + "system:processControl:injectsCodeIntoProcess": "The entity inserts executable code into another process.", + "system:processControl:modifiesProcess": "The entity changes attributes of a running process.", + "system:processControl:resumesProcess": "The entity continues paused process execution.", + "system:processControl:suspendsProcess": "The entity pauses process execution.", + 
"system:processControl:terminatesProcess": "The entity ends a running process.", + "system:resilience": "Behaviours that enable an entity to detect faults and maintain operation despite adverse conditions.", + "system:resilience:activatesRedundancy": "The entity activates backup systems or alternative processing paths.", + "system:resilience:degradesGracefully": "The entity progressively reduces functionality rather than failing abruptly.", + "system:resilience:detectsFault": "The entity identifies an internal fault or anomalous condition.", + "system:resilience:recoversFromFailure": "The entity restores normal operation following a failure.", + "system:resilience:toleratesFault": "The entity continues operation despite the presence of a fault.", + "system:resourceManagement": "Behaviours that allocate and deallocate computational resources such as memory and threads.", + "system:resourceManagement:allocatesMemory": "The entity reserves memory for use.", + "system:resourceManagement:deallocatesMemory": "The entity releases previously allocated memory.", + "system:resourceManagement:handlesResourceExhaustion": "The entity responds to depleted resources.", + "system:resourceManagement:managesPowerState": "The entity transitions between power consumption states.", + "system:resourceManagement:readsFromStorage": "The entity retrieves data from persistent storage.", + "system:resourceManagement:resumesThread": "The entity continues paused thread execution.", + "system:resourceManagement:spawnsThread": "The entity creates a new execution thread.", + "system:resourceManagement:suspendsThread": "The entity pauses thread execution.", + "system:resourceManagement:terminatesThread": "The entity ends an execution thread.", + "system:resourceManagement:writesToStorage": "The entity saves data to persistent storage.", + "system:serviceControl": "Behaviours that manage system services and daemons.", + "system:serviceControl:createsService": "The entity installs a system service 
or daemon.",
+ "system:serviceControl:deletesService": "The entity removes a system service.",
+ "system:serviceControl:enumeratesServices": "The entity lists installed services.",
+ "system:serviceControl:modifiesService": "The entity changes service configuration.",
+ "system:serviceControl:startsService": "The entity initiates service execution.",
+ "system:serviceControl:stopsService": "The entity halts service execution.",
+ "system:synchronization": "Behaviours that coordinate access to shared resources across concurrent execution contexts.",
+ "system:synchronization:acquiresMutex": "The entity obtains exclusive access via mutex.",
+ "system:synchronization:releasesMutex": "The entity relinquishes mutex ownership.",
+ "system:synchronization:signalsEvent": "The entity triggers a synchronisation event.",
+ "system:synchronization:signalsSemaphore": "The entity releases a semaphore.",
+ "system:synchronization:waitsOnEvent": "The entity blocks until an event is signalled.",
+ "system:synchronization:waitsOnSemaphore": "The entity blocks until semaphore is available.",
+ "system:timing": "Behaviours that govern temporal aspects of execution including scheduling and synchronisation.",
+ "system:timing:delaysExecution": "The entity postpones an operation.",
+ "system:timing:enforcesDeadline": "The entity ensures completion within a timing constraint.",
+ "system:timing:executesScheduledTask": "The entity performs a task at a predetermined time.",
+ "system:timing:resetsWatchdog": "The entity signals continued operation to a watchdog monitor.",
+ "system:timing:synchronizesClock": "The entity aligns its internal clock with an external source.",
+ "system:timing:triggersTimeout": "The entity acts upon detecting an unresponsive condition.",
+ "system:timing:waits": "The entity pauses execution for a specified duration.",
+ "system:userManagement": "Behaviours that create and manipulate user accounts and privileges.",
+ "system:userManagement:createsUserAccount": 
"The entity adds a new user account.",
+ "system:userManagement:deletesUserAccount": "The entity removes a user account.",
+ "system:userManagement:elevatesPrivileges": "The entity gains higher access permissions.",
+ "system:userManagement:enumeratesUsers": "The entity lists user accounts.",
+ "system:userManagement:impersonatesUser": "The entity assumes another user's identity.",
+ "system:userManagement:modifiesUserAccount": "The entity changes user account properties."
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
new file mode 100644
index 00000000..6a2a9181
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -0,0 +1,1790 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Blueprint Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "blueprints": {
+ "type": "array",
+ "title": "Blueprints",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/$defs/blueprint"
+ },
+ "description": "A collection of blueprints representing system models that capture the assets, flows, zones, boundaries, and relationships necessary for architectural, threat, risk, privacy, and other forms of modelling and analysis."
+ },
+ "blueprint": {
+ "type": "object",
+ "title": "Blueprint",
+ "description": "A structured representation of a system model that captures the assets, flows, zones, boundaries, and relationships necessary to support architectural, threat, risk, privacy, and other forms of modelling and analysis.",
+ "required": ["modelTypes", "methodologies"],
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "metadata": {
+ "$ref": "#/$defs/blueprintMetadata"
+ },
+ "modelTypes": {
+ "type": "array",
+ "title": "Model Types",
+ "minItems": 1,
+ "uniqueItems": true,
+ "description": "The types of models being represented",
+ "items": {
+ "$ref": "#/$defs/modelType"
+ }
+ },
+ "methodologies": {
+ "type": "array",
+ "title": "Methodologies",
+ "minItems": 1,
+ "uniqueItems": true,
+ "description": "The modeling methodologies used",
+ "items": {
+ "$ref": "#/$defs/methodology"
+ }
+ },
+ "scope": {
+ "$ref": "#/$defs/scope"
+ },
+ "assets": {
+ "type": "array",
+ "title": 
"Assets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/asset" + }, + "description": "The assets (components, services, data, actors) included in the model" + }, + "dataStores": { + "type": "array", + "title": "Data Stores", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataStore" + }, + "description": "Structured description of data stores used in the model" + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/dataSet" + }, + "description": "Datasets handled by the system, including placements and sensitivity" + }, + "zones": { + "type": "array", + "title": "Zones", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/zone" + }, + "description": "Logical, physical, or trust zones that group assets with similar characteristics" + }, + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/boundary" + }, + "description": "Boundaries between zones" + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Data, control, or process flows between assets" + }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets" + }, + "assumptions": { + "type": "array", + "title": "Assumptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/assumption" + }, + "description": "Assumptions made during the modeling process" + }, + "visualizations": { + "type": "array", + "title": "Visualizations", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/visualization" + }, + "description": "Visual representations of the model" + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "type": "object", + "allOf": [ + { + "$ref": 
"cyclonedx-usecase-2.0.schema.json#/$defs/useCase" + }, + { + "properties": { + "assets": { + "type": "array", + "title": "Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the blueprint assets that are involved in or exercised by this use case" + }, + "flows": { + "type": "array", + "title": "Flows", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the blueprint flows that are triggered or traversed during the execution of this use case" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the requirements that are implemented, validated, or addressed by this use case" + } + } + } + ] + }, + "description": "Use cases analyzed as part of the model, linking actors, goals, and steps to the blueprint's assets, flows, and requirements." 
+ }, + "requirements": { + "type": "array", + "items": { + "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirement" + }, + "description": "Requirements derived from or related to the model" + }, + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "modelType": { + "type": "object", + "title": "Model Type", + "description": "The type of model being represented, either a predefined type or a custom named type.", + "oneOf": [ + { + "title": "Predefined Model Type", + "description": "A model type selected from a predefined set of well-known modelling categories.", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Pre-Defined Model Type", + "enum": [ + "architecture", + "behavioral", + "conceptual", + "dataFlow", + "deployment", + "logical", + "network", + "operational", + "physical", + "privacy", + "process", + "risk", + "structural", + "threat" + ], + "meta:enum": { + "architecture": "System or software architecture model", + "behavioral": "System behavior model", + "conceptual": "High-level conceptual model", + "dataFlow": "Data flow model showing how data moves through the system", + "deployment": "Deployment or infrastructure model", + "logical": "Logical system model", + "network": "Network topology or connectivity model", + "operational": "Operational model", + "physical": "Physical infrastructure model", + "privacy": "Privacy impact assessment model", + "process": "Business or system process model", + "risk": "Risk assessment model", + "structural": "System structure model", + "threat": "Security threat model" + } + } + } + }, + { + "title": "Custom Model Type", + "description": "A custom model type not covered by the predefined enumeration, allowing organizations to define methodology-specific or domain-specific model categories.", + 
"required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Custom model type name" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the custom model type" + } + } + } + ] + }, + "methodology": { + "type": "object", + "title": "Methodology", + "description": "The modelling methodology used, either a predefined type or a custom named methodology.", + "oneOf": [ + { + "title": "Predefined Methodology", + "description": "A modelling methodology selected from a predefined set of well-known frameworks and standards.", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Pre-Defined Type", + "enum": [ + "4+1", + "Archimate", + "ATFAA", + "BPMN", + "C4", + "DFD", + "DODAF", + "ERD", + "IDEF", + "LINDDUN", + "MAESTRO", + "MITRE-ATTACK", + "MODAF", + "NAF", + "OWASP", + "PASTA", + "SABSA", + "STRIDE", + "SysML", + "TOGAF", + "TRIKE", + "UML", + "VAST", + "Zachman", + "attackTree" + ], + "meta:enum": { + "4+1": "4+1 Architectural View Model", + "Archimate": "Enterprise architecture modeling language", + "ATFAA": "Advanced Threat Framework for Autonomous AI Agents", + "BPMN": "Business Process Model and Notation", + "C4": "C4 Model for software architecture", + "DFD": "Data Flow Diagrams", + "DODAF": "Department of Defense Architecture Framework", + "ERD": "Entity Relationship Diagrams", + "IDEF": "Integration Definition Methods", + "LINDDUN": "Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance", + "MAESTRO": "Multi-Agent Environment, Security, Threat, Risk, and Outcome", + "MITRE-ATTACK": "MITRE ATT&CK adversarial tactics, techniques, and procedures framework", + "MODAF": "Ministry of Defence Architecture Framework", + "NAF": "NATO Architecture Framework", + "OWASP": "OWASP threat modelling 
methodology", + "PASTA": "Process for Attack Simulation and Threat Analysis", + "SABSA": "Sherwood Applied Business Security Architecture", + "STRIDE": "Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege", + "SysML": "Systems Modeling Language", + "TOGAF": "The Open Group Architecture Framework", + "TRIKE": "Risk-based threat modelling methodology", + "UML": "Unified Modeling Language", + "VAST": "Visual, Agile, and Simple Threat modelling", + "Zachman": "Zachman Framework", + "attackTree": "Attack tree methodology for structured threat analysis" + } + }, + "version": { + "type": "string", + "title": "Version", + "description": "Version of the methodology" + } + } + }, + { + "title": "Custom Methodology", + "description": "A custom modelling methodology not covered by the predefined enumeration, allowing organizations to reference proprietary or emerging frameworks.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Custom methodology name" + }, + "version": { + "type": "string", + "title": "Version", + "description": "Version of the methodology" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the custom methodology" + }, + "externalReferences": { + "type": "array", + "title": "External References", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + } + ] + }, + "blueprintMetadata": { + "type": "object", + "title": "Blueprint Metadata", + "description": "Metadata about the creation, review, and approval of the blueprint.", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "title": "Timestamp", + "format": "date-time", + "description": "When the blueprint was created or last updated" + }, + "authors": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who created the blueprint" + }, + "reviewer": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who reviewed the blueprint" + }, + "reviewDate": { + "type": "string", + "title": "Review Date", + "format": "date-time", + "description": "When the blueprint was reviewed" + }, + "approver": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The person(s) or organization(s) who approved the blueprint" + }, + "approvalDate": { + "type": "string", + "title": "Approval Date", + "format": "date-time", + "description": "When the blueprint was approved" + }, + "ordinalVersion": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/ordinalVersion" + }, + "lifecycles": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/lifecycles" + }, + "validityPeriod": { + "$ref": "#/$defs/validityPeriod" + } + } + }, + "validityPeriod": { + "type": "object", + "title": "Validity Period", + "description": "The period during which the blueprint is considered valid.", + "additionalProperties": false, + "properties": { + "start": { + "type": "string", + "title": "Start", + "format": "date-time", + "description": "When the blueprint becomes valid" + }, + "end": { + "type": "string", + "title": "End", + "format": "date-time", + "description": "When the blueprint expires" + }, + "reviewFrequency": { + "type": "string", + "title": "Review Frequency", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?$", + "description": "ISO 8601 duration for review frequency (e.g., P3M for quarterly)" + } + } + }, + "scope": { + "type": "object", + "title": "Scope", + "description": "Specifies what is included and excluded from the blueprint model, establishing the boundaries within which the modelling and analysis is performed.", + "required": 
["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the scope" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of what is included and excluded from the model" + }, + "boundaries": { + "type": "array", + "title": "Boundaries", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 1 + }, + "description": "Explicit boundaries of the model" + }, + "includedComponents": { + "type": "array", + "title": "Included Components", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly included" + }, + "excludedComponents": { + "type": "array", + "title": "Excluded Components", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to components explicitly excluded" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "asset": { + "type": "object", + "title": "Asset", + "description": "A component, service, data store, or other element included in the blueprint model.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the asset" + }, + "componentRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the component this asset represents" + }, + "serviceRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the service this asset represents" + }, + "type": { + "type": "string", + "title": "Asset Type", + "enum": [ + "actor", + "agent", + "api", + "broker", + "cache", + "component", + "container", + "data", + 
"dataStore", + "device", + "endpoint", + "function", + "gateway", + "infrastructure", + "interface", + "model", + "module", + "network", + "other", + "process", + "queue", + "resource", + "service", + "stream", + "subsystem", + "system" + ], + "meta:enum": { + "actor": "User, system, or external entity", + "agent": "Autonomous AI or software agent", + "api": "API endpoint or interface", + "broker": "Message broker or event bus infrastructure", + "cache": "Caching layer or in-memory data store", + "component": "Software component or application", + "container": "Container or orchestration unit", + "data": "Dataset", + "dataStore": "Database, file system, or data repository", + "device": "Physical or IoT device", + "endpoint": "Service endpoint or URL", + "function": "Serverless function or lambda", + "gateway": "API gateway, load balancer, or proxy", + "infrastructure": "Infrastructure component", + "interface": "System interface or contract", + "model": "AI or machine learning model", + "module": "Software module or package", + "network": "Network segment or resource", + "other": "Asset type not covered by predefined values", + "process": "Business or system process", + "queue": "Message queue or task queue", + "resource": "Generic resource or artifact", + "service": "Service or microservice", + "stream": "Data stream or event stream", + "subsystem": "Part of a larger system", + "system": "Complete system or application" + } + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the asset" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the asset's role and purpose" + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone containing this asset" + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent asset if this is a sub-component" + }, + 
"classification": { + "$ref": "#/$defs/assetClassification" + }, + "tags": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags" + }, + "responsibilities": { + "type": "array", + "title": "Responsibilities", + "uniqueItems": true, + "items": { + "type": "string", + "minLength": 1 + }, + "description": "Responsibilities or functions of this asset" + }, + "interfaces": { + "type": "array", + "title": "Interfaces", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/interface" + }, + "description": "Interfaces exposed by this asset" + }, + "dependencies": { + "type": "array", + "title": "Dependencies", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets this asset depends on" + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to use case objects that describe how actors interact with this asset, including the specific goals, sequences of steps, alternative and exception flows, and any requirements that govern its usage." 
+ }, + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication methods supported/required" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "ownership": { + "$ref": "#/$defs/ownership" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "externalReferences": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" + } + }, + "oneOf": [ + { + "title": "Component Reference Asset", + "description": "An asset defined by reference to a component declared elsewhere in the BOM.", + "required": ["bom-ref", "componentRef"] + }, + { + "title": "Service Reference Asset", + "description": "An asset defined by reference to a service declared elsewhere in the BOM.", + "required": ["bom-ref", "serviceRef"] + }, + { + "title": "Inline Asset", + "description": "An asset defined inline within the blueprint with an explicit type and name.", + "required": ["bom-ref", "type", "name"] + } + ] + }, + "dataStore": { + "type": "object", + "title": "Data Store", + "description": "A persistent storage system used within the modelled system to hold, retrieve, or manage data.", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the data store" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Purpose and contents of the store" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "blob", + "blockchain", + "cache", + "columnFamily", + "custom", + "dataLake", + "dataWarehouse", + 
"document", + "eventLog", + "file", + "graph", + "inMemory", + "keyValue", + "messageQueue", + "object", + "other", + "registry", + "search", + "spatial", + "sql", + "timeSeries", + "vector" + ], + "meta:enum": { + "blob": "Binary/blob storage", + "blockchain": "Distributed ledger or blockchain storage", + "cache": "Caching tier", + "columnFamily": "Wide-column or column-family store (e.g., Cassandra, HBase)", + "custom": "Custom or mixed storage technology", + "dataLake": "Data lake or lakehouse for raw and semi-structured data", + "dataWarehouse": "Analytical data warehouse optimised for OLAP workloads", + "document": "Document database (e.g., MongoDB)", + "eventLog": "Event log or append-only streaming store (e.g., Kafka)", + "file": "File system or NAS", + "graph": "Graph database", + "inMemory": "In-memory data store used as a primary store", + "keyValue": "Key-value store", + "messageQueue": "Message queue or broker with persistent storage", + "object": "Object storage", + "other": "Other storage technology not listed", + "registry": "Configuration or service registry (e.g., etcd, Consul)", + "search": "Search index or full-text search engine (e.g., Elasticsearch)", + "spatial": "Spatial or geospatial database", + "sql": "Relational database", + "timeSeries": "Time-series database", + "vector": "Vector database for embeddings and similarity search" + } + }, + "vendor": { + "type": "string", + "title": "Vendor", + "description": "The vendor or publisher of the data store product" + }, + "product": { + "type": "string", + "title": "Product", + "description": "The name of the data store product" + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the data store product" + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "Deployment environment (prod, test, etc.)" + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone where 
the asset resides" + }, + "location": { + "type": "string", + "title": "Location", + "description": "Physical or logical hosting location" + }, + "technologies": { + "type": "array", + "title": "Technologies", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Supporting technologies or services" + }, + "dataSets": { + "type": "array", + "title": "Data Sets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to data sets stored here" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataSet": { + "type": "object", + "title": "Data Set", + "description": "A logical collection of related data managed within the modelled system, including its classification, ownership, and storage placements.", + "required": ["bom-ref", "name", "description"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the dataset" + }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "What information is contained and why it exists" + }, + "dataProfile": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" + }, + "recordCount": { + "type": "integer", + "title": "Record Count", + "description": "Approximate number of records" + }, + "owners": { + "type": "array", + "title": "Owners", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + }, + "description": "Individuals or organizational entities that own the dataset" + }, + 
"authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models supported/required" + }, + "placements": { + "type": "array", + "title": "Placements", + "uniqueItems": true, + "items": { + "type": "object", + "title": "Placement", + "description": "Describes where a dataset physically or logically resides and the storage characteristics at that location.", + "required": ["dataStore"], + "additionalProperties": false, + "properties": { + "dataStore": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the store holding this dataset" + }, + "encrypted": { + "type": "boolean", + "title": "Encrypted", + "description": "Whether the dataset is encrypted at this location" + }, + "retention": { + "type": "string", + "title": "Retention", + "description": "Retention policy for this placement" + }, + "replicated": { + "type": "boolean", + "title": "Replicated", + "description": "Indicates if this placement is a replica" + } + } + }, + "description": "Where the dataset resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "interface": { + "type": "object", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the interface" + }, + "type": { + "type": "string", + "enum": ["rest", "graphql", "grpc", "soap", "messaging", "file", "database", "cli", "gui", "api", "event", "stream"], + "description": "Type of interface" + }, + "description": { + "type": "string", + "description": "Description of the interface" + }, + "specification": { + "type": "string", + "description": "Link or reference to interface specification" + }, + "protocol": { + "type": "string", + "description": "Communication protocol used" + }, + "dataFormat": { + "type": "string", + "description": "Data format (e.g., 
JSON, XML, Protocol Buffers)" + }, + "authentication": { + "type": "array", + "items": { + "$ref": "#/$defs/authenticationType" + } + }, + "operations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Operations or methods exposed" + } + } + }, + "zone": { + "type": "object", + "title": "Zone", + "description": "A logical, physical, or trust zone that groups assets sharing common characteristics, security posture, or administrative control within the modelled system.", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the zone" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of the zone's characteristics" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "deployment", + "functional", + "logical", + "network", + "organizational", + "other", + "physical", + "trust" + ], + "meta:enum": { + "deployment": "Deployment environment (e.g., dev, staging, prod)", + "functional": "Functional grouping", + "logical": "Logical grouping or boundary", + "network": "Network segmentation zone", + "organizational": "Organizational or administrative boundary", + "other": "Other zone type not listed", + "physical": "Physical location or boundary", + "trust": "Security trust zone" + } + }, + "parent": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to parent zone if this is a sub-zone" + }, + "characteristics": { + "type": "array", + "title": "Characteristics", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Key characteristics of this zone" + }, + "constraints": { + "type": "array", + "title": "Constraints", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Constraints or 
limitations of this zone" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "boundary": { + "type": "object", + "title": "Boundary", + "description": "Defines a boundary that separates or connects two or more zones, representing a point where security controls, policies, or trust levels change.", + "required": ["bom-ref", "zones"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name of the boundary" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "data", + "functional", + "network", + "organizational", + "other", + "physical", + "process", + "trust" + ], + "meta:enum": { + "data": "Data classification boundary", + "functional": "Functional boundary", + "network": "Network boundary or firewall", + "organizational": "Organizational boundary", + "other": "A boundary type not covered by the predefined enumeration", + "physical": "Physical security boundary", + "process": "Process or execution boundary", + "trust": "Trust boundary between different security zones" + } + }, + "zones": { + "type": "array", + "title": "Zones", + "uniqueItems": true, + "minItems": 2, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "The zones this boundary connects or separates" + }, + "crossingRequirements": { + "$ref": "#/$defs/crossingRequirements" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "crossingRequirements": { + "type": "object", + "title": "Crossing Requirements", + "description": "Defines the security controls, policies, and constraints that must be satisfied when data or actors cross a boundary between zones.", + "additionalProperties": false, + "properties": { + "authentication": { + "type": "array", + "title": "Authentication", + 
"uniqueItems": true, + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required to cross this boundary" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" + }, + "description": "Authorization models enforced at this boundary" + }, + "dataValidation": { + "type": "boolean", + "title": "Data Validation", + "description": "Whether data is validated when crossing this boundary" + }, + "dataTransformation": { + "type": "boolean", + "title": "Data Transformation", + "description": "Whether data is transformed when crossing this boundary" + }, + "logging": { + "type": "boolean", + "title": "Logging", + "description": "Whether crossings are logged" + }, + "monitoring": { + "type": "boolean", + "title": "Monitoring", + "description": "Whether crossings are monitored" + }, + "rateLimit": { + "type": "string", + "title": "Rate Limit", + "description": "Rate limiting policy" + }, + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Allowed protocols for crossing" + } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "Represents a data, control, or process flow between two assets, capturing the direction, type, protocols, and security controls that govern the exchange.", + "required": ["bom-ref", "name", "source", "destination", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or description of the flow" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Detailed description of what flows and why" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "control", + "data", + "dependency", + "event", + 
"interaction", + "message", + "other", + "physical", + "process", + "signal" + ], + "meta:enum": { + "control": "Control or command flow", + "data": "Data or information flow", + "dependency": "Dependency relationship", + "event": "Event or notification flow", + "interaction": "User or system interaction", + "message": "Message or communication flow", + "other": "A flow type not covered by the predefined enumeration", + "physical": "Physical movement of goods or materials", + "process": "Business process flow", + "signal": "Hardware or system signal" + } + }, + "source": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the source asset" + }, + "destination": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the destination asset" + }, + "bidirectional": { + "type": "boolean", + "title": "Bidirectional", + "default": false, + "description": "Whether flow occurs in both directions" + }, + "synchronous": { + "type": "boolean", + "title": "Synchronous", + "description": "Whether the flow is synchronous or asynchronous" + }, + "volume": { + "type": "string", + "title": "Volume", + "description": "Expected volume or frequency of flow" + }, + "timing": { + "type": "string", + "title": "Timing", + "description": "Timing characteristics (real-time, batch, scheduled)" + }, + "protocols": { + "type": "array", + "title": "Protocols", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Communication protocols used by this flow" + }, + "dataProfile": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" + }, + "authentication": { + "type": "array", + "title": "Authentication", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authenticationType" + }, + "description": "Authentication required for this flow" + }, + "authorization": { + "type": "array", + "title": "Authorization", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/authorizationType" 
+ }, + "description": "Authorization models enforced on this flow" + }, + "sequence": { + "type": "integer", + "title": "Sequence", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "actor": { + "type": "object", + "title": "Actor", + "description": "Represents a human, automated system, or autonomous agent that interacts with or operates within the modelled system.", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or title of the actor" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Narrative describing the actor's role and context" + }, + "type": { + "type": "string", + "title": "Type", + "enum": [ + "administrator", + "agent", + "engineer", + "external", + "operator", + "other", + "system", + "user" + ], + "meta:enum": { + "administrator": "Administrative or privileged operator", + "agent": "Autonomous AI agent or intelligent software agent", + "engineer": "Developer or platform/DevOps engineer", + "external": "Third-party or external entity", + "operator": "Operational staff running the system", + "other": "An actor type not covered by the predefined enumeration", + "system": "Automated system actor or service account", + "user": "End user of a client application or service" + } + }, + "permissions": { + "type": "array", + "title": "Permissions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Permissions, capabilities, or duties the actor holds" + }, + "delegatedBy": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the actor that delegated execution to this actor, such as a human user 
who authorized an AI agent to act on their behalf or a service account impersonating another identity" + }, + "zone": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the zone where the actor resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "assumption": { + "type": "object", + "title": "Assumption", + "description": "A stated belief or condition accepted as true for the purposes of the model, which may impact the validity of the analysis if proven false.", + "required": ["description"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "A clear statement of the assumption being made, including the believed condition, the reasoning or evidence behind it, and any constraints or scope under which it applies" + }, + "topic": { + "type": "string", + "title": "Topic", + "enum": [ + "availability", + "business", + "compliance", + "operational", + "other", + "performance", + "security", + "technical" + ], + "meta:enum": { + "availability": "Assumption about system uptime, redundancy, or failover capabilities", + "business": "Assumption about business requirements, constraints, or organizational context", + "compliance": "Assumption about regulatory, legal, or policy compliance obligations", + "operational": "Assumption about operational procedures, staffing, or maintenance practices", + "other": "An assumption topic not covered by the predefined enumeration", + "performance": "Assumption about throughput, latency, capacity, or scalability characteristics", + "security": "Assumption about threat landscape, trust boundaries, or security controls", + "technical": "Assumption about technology choices, capabilities, or technical constraints" + } + }, + "relatedAssets": { + "type": "array", + 
"title": "Related Assets", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the assets that are directly affected by or dependent on this assumption, enabling impact analysis when the assumption's validity changes" + }, + "validity": { + "type": "string", + "title": "Validity", + "enum": [ + "invalid", + "unknown", + "unverified", + "verified" + ], + "meta:enum": { + "invalid": "The assumption has been disproven or is no longer applicable", + "unknown": "The validity of the assumption has not yet been assessed", + "unverified": "The assumption has been identified but not yet validated", + "verified": "The assumption has been confirmed as true through validation" + }, + "default": "unknown", + "description": "The current validation state of the assumption, tracked over time to ensure that modelling decisions built on this assumption remain sound" + }, + "impact": { + "type": "string", + "title": "Impact", + "description": "A narrative describing the consequences to the model, its assets, or the broader system if this assumption proves false, including the severity and scope of affected components" + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "The individual or organizational entity responsible for tracking, validating, and maintaining this assumption over the lifecycle of the model" + }, + "validationMethod": { + "type": "string", + "title": "Validation Method", + "description": "The approach, test, or evidence that can be used to confirm or disprove this assumption, such as a review, audit, penetration test, or empirical measurement" + }, + "validationDate": { + "type": "string", + "title": "Validation Date", + "format": "date-time", + "description": "The date and time when the assumption was last validated or reviewed, used to track staleness and trigger re-evaluation" + } + } + }, + "visualization": { + 
"type": "object", + "title": "Visualization", + "description": "A visual representation of the model or a subset of its elements, capturing diagram type, rendering format, and the elements depicted.", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "Name or title of the visualization" + }, + "description": { + "type": "string", + "title": "Description", + "description": "Description of what the visualization shows" + }, + "type": { + "$ref": "#/$defs/visualizationType" + }, + "format": { + "$ref": "#/$defs/visualizationFormat" + }, + "content": { + "type": "string", + "title": "Content", + "description": "The diagram content (source code or base64 encoded image)" + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "URL to the diagram if stored externally" + }, + "level": { + "type": "string", + "title": "Level", + "enum": [ + "detailed", + "high", + "medium", + "overview" + ], + "meta:enum": { + "detailed": "Fine-grained view showing implementation-level specifics", + "high": "High-level view showing major components and relationships", + "medium": "Intermediate view balancing breadth and depth", + "overview": "Top-level summary providing a broad perspective of the system" + }, + "description": "Level of detail in the visualization" + }, + "elements": { + "type": "array", + "title": "Elements", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to elements shown in this visualization" + }, + "interactive": { + "type": "boolean", + "title": "Interactive", + "description": "Whether the visualization is interactive" + }, + "layers": { + "type": "array", + "title": "Layers", + "uniqueItems": true, + "items": { + "type": "string" + }, + 
"description": "Layers or views available in the visualization" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "visualizationType": { + "type": "object", + "title": "Visualization Type", + "description": "The type of diagram or visual representation.", + "oneOf": [ + { + "title": "Predefined Visualization Type", + "description": "A visualization type selected from a predefined set of well-known diagram types.", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "activity", + "architecture", + "class", + "code", + "collaboration", + "component", + "container", + "context", + "dataFlow", + "deployment", + "entity", + "network", + "process", + "sequence", + "state", + "useCase" + ], + "meta:enum": { + "activity": "Activity or workflow diagram", + "architecture": "System architecture diagram", + "class": "Class or object diagram", + "code": "Code structure diagram", + "collaboration": "Collaboration diagram", + "component": "Component diagram", + "container": "Container diagram (C4)", + "context": "Context diagram", + "dataFlow": "Data flow diagram (DFD)", + "deployment": "Deployment or infrastructure diagram", + "entity": "Entity relationship diagram", + "network": "Network topology diagram", + "process": "Business process diagram", + "sequence": "Sequence or interaction diagram", + "state": "State machine diagram", + "useCase": "Use case diagram" + } + } + } + }, + { + "title": "Custom Visualization Type", + "description": "A custom visualization type not covered by the predefined enumeration.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization type" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization 
type" + } + } + } + ] + }, + "visualizationFormat": { + "type": "object", + "title": "Visualization Format", + "description": "The rendering format or toolchain used to produce the visualization.", + "oneOf": [ + { + "title": "Predefined Visualization Format", + "description": "A visualization format selected from a predefined set of well-known diagram formats and tools.", + "required": ["format"], + "additionalProperties": false, + "properties": { + "format": { + "type": "string", + "title": "Format", + "enum": [ + "archimate", + "cytoscape", + "d3", + "drawio", + "graphviz", + "jpeg", + "mermaid", + "plantuml", + "png", + "svg", + "visio" + ], + "meta:enum": { + "archimate": "ArchiMate model format", + "cytoscape": "Cytoscape graph format", + "d3": "D3.js visualization", + "drawio": "Draw.io/diagrams.net format", + "graphviz": "GraphViz DOT language", + "jpeg": "JPEG image format", + "mermaid": "Mermaid diagram language", + "plantuml": "PlantUML diagram language", + "png": "Portable Network Graphics", + "svg": "Scalable Vector Graphics", + "visio": "Microsoft Visio format" + } + } + } + }, + { + "title": "Custom Visualization Format", + "description": "A custom visualization format not covered by the predefined enumeration.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of the custom visualization format" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom visualization format" + } + } + } + ] + }, + "assetClassification": { + "type": "object", + "additionalProperties": false, + "properties": { + "criticality": { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality" + }, + "sensitivity": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity" + }, + "dataClassification": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification" + }, + "tier": { 
+ "type": "string", + "enum": ["tier0", "tier1", "tier2", "tier3", "tier4"], + "meta:enum": { + "tier0": "Mission critical - highest priority", + "tier1": "Business critical - high priority", + "tier2": "Business important - medium priority", + "tier3": "Business supporting - low priority", + "tier4": "Non-critical - minimal priority" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Business or technical categories" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tags for classification and search" + } + } + }, + "dataProfile": { + "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfile" + }, + "ownership": { + "type": "object", + "title": "Ownership", + "description": "Identifies the individuals or organizational entities responsible for an asset, including its owner, steward, custodian, and primary users.", + "additionalProperties": false, + "properties": { + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Primary owner of the asset" + }, + "steward": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Steward responsible for the asset" + }, + "custodian": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Custodian responsible for protecting the asset" + }, + "users": { + "type": "array", + "title": "Users", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + }, + "description": "Primary users of the asset" + } + } + }, + "authenticationType": { + "type": "string", + "title": "Authentication Type", + "description": "The authentication method or protocol used to verify identity.", + "enum": [ + "apiKey", + "basic", + "bearer", + "certificate", + "custom", + "digest", + "fido2", + "jwt", + "kerberos", + "ldap", + "mfa", + "mTLS", + 
"none", + "ntlm", + "oauth1", + "oauth2", + "oidc", + "saml", + "ssh" + ], + "meta:enum": { + "apiKey": "API key authentication", + "basic": "Basic authentication (username/password)", + "bearer": "Bearer token authentication", + "certificate": "Certificate-based authentication", + "custom": "Custom authentication method", + "digest": "Digest authentication", + "fido2": "FIDO2/WebAuthn passwordless authentication", + "jwt": "JSON Web Token authentication", + "kerberos": "Kerberos authentication", + "ldap": "LDAP directory authentication", + "mfa": "Multi-factor authentication", + "mTLS": "Mutual TLS authentication", + "none": "No authentication required", + "ntlm": "NTLM authentication", + "oauth1": "OAuth 1.0 authentication", + "oauth2": "OAuth 2.0 authentication", + "oidc": "OpenID Connect authentication", + "saml": "SAML authentication", + "ssh": "SSH key authentication" + } + }, + "authorizationType": { + "type": "string", + "title": "Authorization Type", + "description": "The authorization model used to determine and enforce access permissions.", + "enum": [ + "abac", + "acl", + "cbac", + "custom", + "dac", + "mac", + "none", + "other", + "pbac", + "rbac", + "rebac" + ], + "meta:enum": { + "abac": "Attribute-Based Access Control", + "acl": "Access Control Lists", + "cbac": "Claims-Based Access Control", + "custom": "Custom authorization model", + "dac": "Discretionary Access Control", + "mac": "Mandatory Access Control", + "none": "No authorization controls", + "other": "Other authorization model not listed", + "pbac": "Policy-Based Access Control", + "rbac": "Role-Based Access Control", + "rebac": "Relationship-Based Access Control" + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json index b93946c4..137b629a 100644 --- a/schema/2.0/model/cyclonedx-common-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json 
@@ -487,6 +487,19 @@ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$", "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed." }, + "ordinalVersion": { + "title": "Ordinal Version", + "description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.", + "type": "string", + "pattern": "^\\d+(\\.\\d+)*$", + "examples": [ + "1", + "1.2", + "1.2.3", + "2025.09.02", + "10.4.7.3" + ] + }, "lifecycle": { "type": "object", "title": "Lifecycle", diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json index 598f9098..77c80cab 100644 --- a/schema/2.0/model/cyclonedx-data-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json 
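Review bot: The new `ordinalVersion` pattern `^\d+(\.\d+)*$` relies on `\d`, which is ASCII-only under ECMA-262 (the regex dialect JSON Schema prescribes) but matches any Unicode decimal digit in validators built on Python's `re` or .NET, so which non-ASCII strings count as "purely numeric" becomes implementation-dependent. Spelling the class explicitly makes the description and every validator agree: `"pattern": "^[0-9]+(\\.[0-9]+)*$"`. The timestamp pattern in the context lines above has the same property, but it is pre-existing and out of scope for this change. The pattern also admits leading zeros such as `01.002`, which is consistent with the stated numeric-ordering semantics but worth one sentence in the description if producers are expected to normalise segments before comparison.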
@@ -5,11 +5,228 @@ "title": "CycloneDX Data Model", "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", "$defs": { + "dataProfile": { + "type": "object", + "title": "Data Profile", + "description": "Captures the sensitivity, classification, and lifecycle requirements associated with data, including how it may be collected, accessed, processed, shared, handled, retained, and disposed of.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this data profile" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or label that identifies this data profile, such as the name of the dataset, data category, or information asset it describes." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed explanation of the data this profile describes, including what information is contained, its purpose, origin, and any relevant context about how it is used within the system." 
+ }, + "sensitivity": { + "type": "string", + "title": "Sensitivity", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], + "description": "Data sensitivity classification", + "meta:enum": { + "confidential": "Confidential information requiring protection", + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access and special protection measures" + } + }, + "classification": { + "title": "Classification", + "description": "Classifies data by its type, either using a predefined classification or a custom name and description for classifications not covered by the enumeration.", + "oneOf": [ + { + "title": "Predefined Classification", + "description": "A predefined data classification from the enumeration.", + "type": "object", + "additionalProperties": false, + "required": ["type"], + "properties": { + "type": { + "type": "string", + "title": "Type", + "enum": [ + "credentials", + "financial", + "intellectualProperty", + "logs", + "operational", + "other", + "pci", + "phi", + "pii", + "safety", + "telemetry" + ], + "meta:enum": { + "credentials": "Secrets, tokens, or credentials", + "financial": "Financial statements or transaction data", + "intellectualProperty": "Intellectual property or trade secrets", + "logs": "Operational or security log data", + "operational": "Operational or process data", + "other": "Other data classification not listed", + "pci": "Payment card industry data", + "phi": "Protected health information", + "pii": "Personally identifiable information", + "safety": "Safety critical data or signals", + "telemetry": "System or product telemetry data" + } + } + } + }, + { + "title": "Custom Classification", + "description": "A custom data classification not covered by the predefined enumeration.", + "type": "object", + "additionalProperties": false, + "required": ["name"], + "properties": { + "name": 
{ + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name of a custom data classification not covered by the predefined enumeration" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom data classification" + } + } + } + ] + }, + "dataFormats": { + "type": "array", + "title": "Data Formats", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Format of data" + }, + "dataTypes": { + "type": "array", + "title": "Data Types", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Specific types of data" + }, + "schema": { + "type": "array", + "title": "Schema", + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + }, + "description": "Reference to schema contracts or documents describing the data structure." + }, + "access": { + "type": "array", + "title": "Access", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that define who may access the data and under what conditions, including need-to-know restrictions, clearance levels, audit logging, and break-glass procedures." + }, + "collection": { + "type": "array", + "title": "Collection", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern how data is collected or acquired, including consent mechanisms, lawful basis, purpose limitation, and notice obligations." 
+ }, + "disposal": { + "type": "array", + "title": "Disposal", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that specify how this data must be destroyed or rendered unrecoverable when no longer needed, including sanitisation methods, disposal timelines, and regulatory obligations governing data destruction." + }, + "handling": { + "type": "array", + "title": "Handling", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern how this data must be handled throughout its lifecycle, such as encryption at rest, access restrictions, anonymisation, or regulatory compliance obligations." + }, + "processing": { + "type": "array", + "title": "Processing", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern what may be done with the data, including purpose limitation, data minimisation, aggregation rules, and prohibited uses such as AI or ML training restrictions." + }, + "retention": { + "type": "array", + "title": "Retention", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that define how long this data must be retained, including minimum retention periods, maximum storage durations, and any regulatory or contractual obligations governing data preservation." 
+ }, + "sharing": { + "type": "array", + "title": "Sharing", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to requirement objects that govern how data may be shared with third parties, partners, or across jurisdictional boundaries, including data sharing agreements, cross-border transfer restrictions, and adequacy decisions." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "dataClassification": { "type": "string", "title": "Data Classification", "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." }, + "dataSensitivity": { + "type": "string", + "title": "Data Sensitivity", + "description": "Classifies the sensitivity of data to indicate the level of protection required.", + "enum": [ + "confidential", + "internal", + "public", + "restricted" + ], + "meta:enum": { + "confidential": "Confidential information requiring protection", + "internal": "Internal use only within the organization", + "public": "Public information that can be freely shared", + "restricted": "Highly restricted information with limited access" + } + }, "dataGovernance": { "type": "object", "title": "Data Governance", 
@@ -19,18 +236,21 @@ "custodians": { "type": "array", "title": "Data Custodians", + "uniqueItems": true, "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } }, "stewards": { "type": "array", "title": "Data Stewards", + "uniqueItems": true, "description": "Data stewards are responsible for data content, context, and associated business rules.", "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } }, "owners": { "type": "array", "title": "Data Owners", + "uniqueItems": true, "description": "Data owners are concerned with risk and appropriate access to data.", "items": { "$ref": "#/$defs/dataGovernanceResponsibleParty" } } @@ -38,6 +258,8 @@ }, "dataGovernanceResponsibleParty": { "type": "object", + "title": "Data Governance Responsible Party", + "description": "An organizational entity or individual responsible for a specific data governance role.", "additionalProperties": false, "properties": { "organization": { @@ -62,20 +284,20 @@ }, "dataFlowDirection": { "type": "string", + "title": "Data Flow Direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service.", "enum": [ + "bi-directional", "inbound", "outbound", - "bi-directional", "unknown" ], "meta:enum": { + "bi-directional": "Data flows in and out of the service.", "inbound": "Data that enters a service.", "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." + } } } } diff --git a/schema/2.0/model/cyclonedx-requirement-2.0.schema.json b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json new file mode 100644 index 00000000..bee371df --- /dev/null 
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json 
@@ -0,0 +1,280 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-requirement-2.0.schema.json",
+ "type": "null",
+ "title": "CycloneDX Engineering Requirement Model",
+ "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+ "$defs": {
+ "requirement": {
+ "type": "object",
+ "title": "Requirement",
+ "description": "A requirement represents a specific need, constraint, or capability that must be met.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+ },
+ "id": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A short name or title for the requirement."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A detailed description of the requirement."
+ },
+ "type": {
+ "type": "array",
+ "title": "Requirement Types",
+ "description": "The categories or classifications applicable to the requirement.",
+ "items": {
+ "$ref": "#/$defs/requirementType"
+ },
+ "uniqueItems": true
+ },
+ "priority": {
+ "type": "string",
+ "title": "Priority",
+ "description": "The priority level of the requirement.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+ "status": {
+ "$ref": "#/$defs/requirementStatus"
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "The version of the requirement."
+ },
+ "stakeholders": {
+ "type": "array",
+ "title": "Stakeholders",
+ "description": "The individuals or groups who have an interest in the requirement.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "acceptanceCriteria": {
+ "type": "array",
+ "title": "Acceptance Criteria",
+ "description": "Criteria that must be met for the requirement to be considered satisfied.",
+ "items": {
+ "$ref": "#/$defs/acceptanceCriterion"
+ }
+ },
+ "dependencies": {
+ "type": "array",
+ "title": "Dependencies",
+ "description": "Other requirements that this requirement depends on.",
+ "items": {
+ "$ref": "#/$defs/dependency"
+ }
+ },
+ "parent": {
+ "type": "string",
+ "title": "Parent BOM Reference",
+ "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The reasoning or justification for the requirement."
+ },
+ "fitCriterion": {
+ "type": "string",
+ "title": "Fit Criterion",
+ "description": "A measurable test that the solution must pass to be acceptable to the stakeholders."
+ },
+ "effort": {
+ "type": "string",
+ "title": "Effort Estimation",
+ "description": "An estimation of the effort required to implement the requirement."
+ },
+ "risk": {
+ "type": "string",
+ "title": "Risk",
+ "description": "The risk level associated with implementing or not implementing the requirement.",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+ "attachments": {
+ "type": "array",
+ "title": "Attachments",
+ "description": "Files or documents attached to the requirement.",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment"
+ }
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/property"
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.",
+ "items": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+ }
+ }
+ }
+ },
+ "requirementType": {
+ "type": "string",
+ "title": "Requirement Type",
+ "description": "The category or classification applicable to the requirement.",
+ "enum": [
+ "accessibility",
+ "auditability",
+ "availability",
+ "business",
+ "compatibility",
+ "compliance",
+ "deployment",
+ "functional",
+ "interoperability",
+ "localization",
+ "maintainability",
+ "non-functional",
+ "other",
+ "performance",
+ "portability",
+ "privacy",
+ "regulatory",
+ "reliability",
+ "scalability",
+ "security",
+ "system",
+ "testability",
+ "usability",
+ "user"
+ ],
+ "meta:enum": {
+ "accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.",
+ "auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.",
+ "availability": "Requirements describing the uptime and operational availability of systems or services.",
+ "business": "Requirements derived from organizational goals, strategies, or business processes.",
+ "compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.",
+ "compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.",
+ "deployment": "Requirements related to deploying, configuring, and operating the system in production environments.",
+ "functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.",
+ "interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.",
+ "localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.",
+ "maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.",
+ "non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.",
+ "other": "Requirements that do not clearly fit into other specified categories.",
+ "performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.",
+ "portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.",
+ "privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.",
+ "regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.",
+ "reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.",
+ "scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.",
+ "security": "Requirements intended to protect systems, data, and users from malicious actions or threats.",
+ "system": "Technical requirements defining infrastructure, architecture, or underlying technologies.",
+ "testability": "Requirements ensuring the system can be effectively validated and tested.",
+ "usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.",
+ "user": "Requirements captured directly from user needs, tasks, and expectations."
+ }
+ },
+ "requirementStatus": {
+ "type": "string",
+ "title": "Status",
+ "description": "The current status of the requirement in the development lifecycle.",
+ "enum": [
+ "draft",
+ "proposed",
+ "approved",
+ "implemented",
+ "verified",
+ "deferred",
+ "rejected",
+ "replaced",
+ "obsolete"
+ ]
+ },
+ "acceptanceCriterion": {
+ "type": "object",
+ "title": "Acceptance Criterion",
+ "description": "A specific condition that must be met for the requirement to be considered satisfied.",
+ "additionalProperties": false,
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "A unique identifier for the acceptance criterion."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the acceptance criterion."
+ },
+ "status": {
+ "type": "string",
+ "title": "Status",
+ "description": "The current status of the acceptance criterion.",
+ "enum": [
+ "pending",
+ "passed",
+ "failed"
+ ]
+ }
+ }
+ },
+ "dependency": {
+ "type": "object",
+ "title": "Dependency",
+ "description": "A dependency on another requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "ref": {
+ "oneOf": [
+ {
+ "title": "Ref",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+ },
+ {
+ "title": "BOM-Link Element",
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType"
+ }
+ ]
+ },
+ "type": {
+ "type": "string",
+ "title": "Dependency Type",
+ "description": "The type of dependency relationship.",
+ "enum": [
+ "requires",
+ "conflicts-with",
+ "enhances",
+ "implements",
+ "other"
+ ]
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "A description of the dependency relationship."
+ }
+ }
+ }
+ }
+}
diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
new file mode 100644
index 00000000..16f2e779
--- /dev/null
+++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json
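Review bot: `parent` is declared as a bare `"type": "string"` even though its description says it holds a `bom-ref`, so it gets none of the validation that `dependencies[].ref` gets from `cyclonedx-common-2.0.schema.json#/$defs/refLinkType`; make it `"parent": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", "title": "Parent BOM Reference", "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." }` (keywords beside `$ref` are honoured under draft 2020-12, which this file declares). The `dependency` object has no `required` list, so an empty `{}` is a valid dependency; add `"required": ["ref"]` next to `"additionalProperties": false`. `requirement` likewise requires nothing, which may be deliberate for partial records, but if requirements are meant to be targets of `parent` and `dependencies[].ref` then requiring `bom-ref` (or at least `name`) is what makes those links checkable. `stakeholders` items are free-form strings whereas the risk model's `owner` references `organizationalEntityOrContact` from the common schema; reusing that definition here would keep the two models consistent, assuming it exists in the common file, which is outside this diff.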
@@ -0,0 +1,927 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-risk-2.0.schema.json", + "type": "null", + "title": "CycloneDX Risk Model", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "An optional identifier which can be used to reference the risk assessment elsewhere in the BOM" + }, + "domains": { + "type": "array", + "description": "Risk domains covered by this assessment", + "items": { + "$ref": "#/$defs/riskDomain" + } + }, + "scenarios": { + "type": "array", + "items": { + "$ref": "#/$defs/scenario" + }, + "description": "Risk scenarios identified" + }, + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/risk" + }, + "description": "Documented risks derived from scenarios" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "#/$defs/mitigation" + }, + "description": "Controls, countermeasures, or mitigations to address identified risks" + }, + "assessments": { + "type": "array", + "items": { + "$ref": "#/$defs/assessment" + }, + "description": "Risk assessments and evaluations" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + }, + "$defs": { + "riskDomain": { + "type": "object", + "required": ["type"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "security", + "privacy", + "operational", + "financial", + "compliance", + "strategic", + "reputational", + "safety", + "environmental", + "supply_chain", + "technical", + "project" + ], + "meta:enum": { + "security": "Information 
security and cybersecurity risks", + "privacy": "Data protection and privacy risks", + "operational": "Business operations and continuity risks", + "financial": "Financial loss and economic impact risks", + "compliance": "Regulatory and legal compliance risks", + "strategic": "Strategic business and market risks", + "reputational": "Brand and reputation damage risks", + "safety": "Human safety and physical security risks", + "environmental": "Environmental impact and sustainability risks", + "supply_chain": "Supply chain and third-party risks", + "technical": "Technical and technology risks", + "project": "Project delivery and execution risks" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "description": { + "type": "string", + "description": "Additional context for this risk domain" + } + } + }, + "riskAttribute": { + "type": "string", + "description": "A classification of security and privacy attributes that represent potential impact areas when a risk is realized", + "enum": [ + "accountability", + "authentication", + "authorization", + "authenticity", + "availability", + "compliance", + "confidentiality", + "connectivity", + "control", + "data_subject_rights", + "integrity", + "minimisation", + "non-repudiation", + "possession", + "privacy", + "purpose_limitation", + "transparency", + "utility" + ], + "meta:enum": { + "accountability": "Assigning responsibility for actions and decisions to individuals or entities", + "authentication": "Verifying the identity of users, devices, or systems before granting access", + "authorization": "Granting permissions based on identity and roles to perform specific actions or access resources", + "authenticity": "Ensuring that data, communications, or entities are genuine and can be verified", + "availability": "Ensuring systems, data, and services are accessible and operational when needed", + "compliance": "Adherence to applicable laws, regulations, policies, and standards", + "confidentiality": "Preventing 
unauthorised access to or disclosure of information", + "connectivity": "Maintaining secure and reliable communication between systems or components", + "control": "Enabling individuals to manage how their personal data is used and shared", + "data_subject_rights": "Guaranteeing individuals' rights to access, correct, delete, or restrict their personal data", + "integrity": "Ensuring information is accurate, complete, and unaltered by unauthorised actors", + "minimisation": "Limiting data collection and retention to what is strictly necessary for the intended purpose", + "non-repudiation": "Providing proof of origin and delivery to prevent denial of actions or communications", + "possession": "Ensuring control or custody over data or assets, regardless of ownership", + "privacy": "Protecting individuals' personal information in accordance with legal and ethical standards", + "purpose_limitation": "Ensuring that personal data is only used for the purpose explicitly specified at collection", + "transparency": "Ensuring individuals are informed about data practices, including collection, use, and sharing", + "utility": "Ensuring data is usable and in a format suitable for the intended purpose" + } + }, + "scenario": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the risk scenario" + }, + "description": { + "type": "string", + "description": "Detailed description of the scenario" + }, + "type": { + "type": "string", + "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"], + "meta:enum": { + "threat": "Threat scenario", + "vulnerability": "Exploitable vulnerability", + "weakness": "System or design weakness", + "risk": "General risk scenario", + "incident": "Potential incident scenario", + "opportunity": "Positive risk 
(opportunity)", + "hazard": "Safety hazard scenario" + } + }, + "domain": { + "$ref": "#/$defs/riskDomain" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected by this scenario" + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to affected assets" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations that address this scenario" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "compliance": { + "type": "array", + "items": { + "type": "object", + "required": ["framework", "controlId"], + "additionalProperties": false, + "properties": { + "framework": { + "type": "string", + "description": "Name of the compliance program or framework" + }, + "controlId": { + "type": "string", + "description": "Identifier of the control within the framework" + }, + "reference": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference", + "description": "Link or citation to the requirement or control documentation" + }, + "description": { + "type": "string", + "description": "Optional notes describing the mapping" + } + } + }, + "description": "Compliance frameworks and control references this mitigation supports" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "risk": { + "type": "object", + "required": ["bom-ref", "name", "statement"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + 
"type": "string", + "description": "Name or identifier for the risk" + }, + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact" + }, + "description": { + "type": "string", + "description": "Additional narrative about the risk" + }, + "domains": { + "type": "array", + "items": { + "$ref": "#/$defs/riskDomain" + }, + "description": "Risk domains impacted" + }, + "scenarios": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this risk addresses" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + } + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/riskResponse" + }, + "description": "Risk responses or mitigation plans applied to this risk" + }, + "relatedThreats": { + "type": "array", + "items": { + "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatScenario" + }, + "description": "Related threat scenarios informing this risk" + }, + "status": { + "type": "string", + "enum": ["identified", "assessed", "mitigated", "accepted", "transferred", "retired"], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated", + "assessed": "Risk has been assessed and prioritized", + "mitigated": "Mitigations are in place reducing this risk", + "accepted": "Risk has been formally accepted", + "transferred": "Risk has been transferred to another party", + "retired": "Risk no longer applies" + } + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Owner or accountable party for this risk" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "likelihood": { + 
"type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative likelihood level representing the overall assessed probability of the risk or scenario being realized.", + "enum": ["certain", "high", "low", "medium", "veryHigh", "veryLow"], + "meta:enum": { + "certain": "Almost certain to occur (> 90% probability).", + "high": "Likely to occur (60-90% probability).", + "low": "Unlikely to occur (10-30% probability).", + "medium": "Possible to occur (30-60% probability).", + "veryHigh": "Very likely to occur (75-90% probability).", + "veryLow": "Very unlikely to occur (< 10% probability)." + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 5, + "description": "Numeric likelihood score" + }, + "probability": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Probability as a decimal (0-1)" + }, + "factors": { + "type": "array", + "items": { + "$ref": "#/$defs/likelihoodFactor" + }, + "description": "Factors considered when determining the likelihood level" + }, + "rationale": { + "type": "string", + "description": "Justification for the likelihood rating" + } + } + }, + "likelihoodFactor": { + "type": "object", + "title": "Likelihood Factor", + "description": "An individual contributing factor used to determine the overall likelihood of a risk or scenario being realized. Likelihood is rarely a single judgment — it is typically derived from multiple independent factors such as threat actor capability, exploit maturity, attack surface exposure, and control effectiveness. 
Each factor captures a discrete dimension of likelihood with its own rating, enabling transparent, auditable, and methodology-aligned risk assessments.", + "required": ["name", "type"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the likelihood factor being evaluated. Should clearly identify the dimension of likelihood being assessed, such as 'Threat Actor Capability', 'Exploit Availability', or 'Control Effectiveness'.", + "minLength": 1 + }, + "type": { + "title": "Type", + "description": "The category of likelihood factor being assessed. Predefined types align with common risk assessment methodologies including FAIR, OWASP Risk Rating, and NIST SP 800-30.", + "oneOf": [ + { + "title": "Predefined Likelihood Factor Type", + "description": "A likelihood factor type defined by the CycloneDX standard, aligned with established risk assessment methodologies.", + "type": "string", + "additionalProperties": false, + "enum": [ + "attackVector", + "controlEffectiveness", + "exploitMaturity", + "exposure", + "motivation", + "opportunity", + "other", + "threatCapability", + "vulnerability" + ], + "meta:enum": { + "attackVector": "Accessibility of the attack path to the threat actor, considering network proximity, authentication requirements, and interaction complexity.", + "controlEffectiveness": "Strength, reliability, and coverage of existing preventive, detective, or corrective controls that reduce the probability of successful exploitation.", + "exploitMaturity": "Availability, reliability, and sophistication of known exploits, attack toolkits, or proof-of-concept code targeting the identified weakness.", + "exposure": "Degree to which the target asset, system, or service is visible, discoverable, or reachable by potential threat actors.", + "motivation": "Level of incentive, intent, or determination driving the threat actor to pursue exploitation, including financial gain, ideology, 
or competitive advantage.", + "opportunity": "Availability of the conditions, timing, or circumstances required for the threat actor to act, including access windows, environmental factors, and resource availability.", + "other": "A likelihood factor type not defined by the CycloneDX standard. Use the custom type option for factors specific to an organization's risk methodology.", + "threatCapability": "Technical skill, resources, tooling, and sophistication of the threat actor relative to the complexity of the attack required.", + "vulnerability": "Presence, severity, and exploitability of weaknesses in the target system, application, or process that could be leveraged by a threat actor." + } + }, + { + "title": "Custom Likelihood Factor Type", + "description": "A custom likelihood factor type not covered by predefined values, allowing organizations to extend the model with methodology-specific factors.", + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the custom likelihood factor type.", + "minLength": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom likelihood factor type and how it contributes to likelihood assessment." 
+ } + } + } + ] + }, + "level": { + "type": "string", + "title": "Level", + "description": "The qualitative rating assigned to this factor, representing the assessed degree to which this factor contributes to the overall likelihood of the risk being realized.", + "enum": ["certain", "high", "low", "medium", "veryHigh", "veryLow"], + "meta:enum": { + "certain": "This factor almost certainly contributes to risk realization (> 90% influence).", + "high": "This factor strongly contributes to risk realization (60-90% influence).", + "low": "This factor has limited contribution to risk realization (10-30% influence).", + "medium": "This factor moderately contributes to risk realization (30-60% influence).", + "veryHigh": "This factor very strongly contributes to risk realization (75-90% influence).", + "veryLow": "This factor has minimal contribution to risk realization (< 10% influence)." + } + }, + "score": { + "type": "number", + "title": "Score", + "description": "A numeric score representing the assessed value of this factor on a 0-5 scale, where 0 indicates no contribution to likelihood and 5 indicates maximum contribution.", + "minimum": 0, + "maximum": 5 + }, + "weight": { + "type": "number", + "title": "Weight", + "description": "The relative importance or weight of this factor in the overall likelihood calculation, expressed as a decimal between 0 and 1. When multiple factors are present, weights can be used to produce a weighted average likelihood score. A weight of 1 indicates full importance; a weight of 0 indicates no importance.", + "minimum": 0, + "maximum": 1 + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explanation of how this factor was evaluated, the evidence or reasoning supporting the assigned level or score, and how it contributes to the overall likelihood assessment." 
+ }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "impact": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["negligible", "low", "moderate", "major", "catastrophic"], + "description": "Impact severity level", + "meta:enum": { + "negligible": "Minimal impact with no significant consequences", + "low": "Minor impact with limited consequences", + "moderate": "Moderate impact affecting some operations", + "major": "Significant impact with serious consequences", + "catastrophic": "Catastrophic impact with existential consequences" + } + }, + "score": { + "type": "number", + "minimum": 0, + "maximum": 10, + "description": "Numeric impact score" + }, + "categories": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "confidentiality", + "integrity", + "availability", + "financial", + "reputation", + "regulatory", + "safety", + "privacy", + "operational", + "strategic" + ], + "meta:enum": { + "confidentiality": "Impact on data confidentiality", + "integrity": "Impact on data or system integrity", + "availability": "Impact on service availability", + "financial": "Financial loss or impact", + "reputation": "Reputational damage", + "regulatory": "Regulatory compliance impact", + "safety": "Human safety impact", + "privacy": "Privacy violation impact", + "operational": "Operational disruption", + "strategic": "Strategic business impact" + } + }, + "description": "Categories of impact" + }, + "riskAttributes": { + "type": "array", + "items": { + "$ref": "#/$defs/riskAttribute" + }, + "description": "Risk attributes affected" + }, + "quantification": { + "$ref": "#/$defs/impactQuantification" + }, + "description": { + "type": "string", + "description": "Description of the potential impact" + } + } + }, + "impactQuantification": { + "type": "object", + "additionalProperties": false, + "properties": { + "financialLoss": 
{ + "type": "number", + "description": "Estimated financial loss in currency units" + }, + "currency": { + "type": "string", + "pattern": "^[A-Z]{3}$", + "description": "ISO 4217 currency code" + }, + "affectedUsers": { + "type": "integer", + "description": "Number of affected users" + }, + "downtime": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Expected downtime as ISO 8601 duration" + }, + "dataRecords": { + "type": "integer", + "description": "Number of data records affected" + }, + "recovery": { + "type": "string", + "pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$", + "description": "Recovery time as ISO 8601 duration" + } + } + }, + "riskScore": { + "type": "object", + "required": ["level"], + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Overall risk level", + "meta:enum": { + "info": "Informational - no immediate action required", + "low": "Low risk - monitor and address in normal cycle", + "medium": "Medium risk - plan mitigation activities", + "high": "High risk - prioritize mitigation efforts", + "critical": "Critical risk - immediate action required" + } + }, + "score": { + "type": "number", + "minimum": 1, + "description": "Numeric risk score" + }, + "vector": { + "type": "string", + "description": "Risk scoring vector (e.g., L:H/I:M)" + }, + "methodology": { + "type": "string", + "description": "Risk scoring methodology used" + } + } + }, + "riskResponse": { + "type": "object", + "required": ["bom-ref", "mitigations", "mitigationPlan"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/mitigation" + }, + "description": "Mitigations applied to this 
risk response" + }, + "mitigationPlan": { + "$ref": "#/$defs/mitigationPlan" + } + } + }, + "mitigation": { + "type": "object", + "required": ["bom-ref", "reference"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" + }, + "reference": { + "description": "Reference to a mitigation/control implementing the response.", + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "strategy": { + "type": "string", + "enum": ["prevent", "detect", "respond", "recover"], + "meta:enum": { + "prevent": "Prevents the risk from occurring", + "detect": "Detects when the risk occurs", + "respond": "Responds to the risk when detected", + "recover": "Recovers from the impact" + } + }, + "type": { + "type": "string", + "enum": [ + "control", + "countermeasure", + "procedure", + "removal" + ], + "meta:enum": { + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "procedure": "Documented procedure", + "removal": "Removing a risky component or asset" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } + }, + "priority": { + "$ref": "#/$defs/priority" + }, + "effectiveness": { + "$ref": "#/$defs/effectiveness" + }, + "cost": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "extreme"], + "meta:enum": { + "trivial": "Minimal cost and effort", + "low": "Low cost and effort", + "medium": "Moderate cost and effort", + "high": "High cost and 
significant effort", + "extreme": "Extreme cost and major effort" + } + }, + "addresses": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this plan addresses" + }, + "implementedBy": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to assets that implement this plan" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "mitigationPlan": { + "type": "object", + "required": ["name", "type", "status", "mitigations"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the mitigation plan" + }, + "description": { + "type": "string", + "description": "Description of what the plan covers" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Safeguards mitigating adverse events", + "practice": "Operational or governance practice", + "procedure": "Documented procedure" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + "implemented": "Mitigation has been 
implemented", + "verified": "Effectiveness has been verified" + } + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "List of mitigation bom-refs chosen for this plan" + } + } + }, + "effectiveness": { + "type": "object", + "additionalProperties": false, + "properties": { + "percentage": { + "type": "number", + "minimum": 0, + "maximum": 1, + "description": "Effectiveness as decimal" + }, + "rating": { + "type": "string", + "enum": ["ineffective", "marginal", "adequate", "good", "excellent"], + "meta:enum": { + "ineffective": "Does not meaningfully reduce risk", + "marginal": "Slightly reduces risk", + "adequate": "Adequately reduces risk", + "good": "Significantly reduces risk", + "excellent": "Nearly eliminates risk" + } + } + } + }, + "assessment": { + "type": "object", + "required": ["bom-ref", "type", "timestamp"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "type": { + "type": "string", + "enum": ["initial", "periodic", "continuous", "triggered"], + "meta:enum": { + "initial": "Initial risk assessment", + "periodic": "Scheduled periodic assessment", + "continuous": "Continuous monitoring assessment", + "triggered": "Event-triggered assessment" + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "description": "When the assessment was performed" + }, + "assessor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Who performed the assessment" + }, + "summary": { + "type": "string", + "description": "Executive summary of the assessment" + }, + "risks": { + "type": "array", + 
"items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to risk entries evaluated in this assessment" + }, + "overallRisk": { + "type": "object", + "required": ["method", "score"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": ["sum", "average", "custom"], + "description": "Aggregation method used to derive the overall risk" + }, + "score": { + "$ref": "#/$defs/riskScore" + }, + "description": { + "type": "string", + "description": "Optional explanation for custom aggregation approaches" + } + }, + "description": "Aggregated risk result for this assessment" + }, + "recommendations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Recommendations from the assessment" + }, + "nextReview": { + "type": "string", + "format": "date-time", + "description": "When the next review should occur" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "priority": { + "type": "string", + "enum": ["none", "low", "medium", "high", "critical"], + "description": "Priority level", + "meta:enum": { + "none": "No priority assigned", + "low": "Low priority - address when convenient", + "medium": "Medium priority - address in normal cycle", + "high": "High priority - address soon", + "critical": "Critical priority - address immediately" + } + }, + "severity": { + "type": "string", + "enum": ["info", "low", "medium", "high", "critical"], + "description": "Severity level", + "meta:enum": { + "info": "Informational finding", + "low": "Low severity issue", + "medium": "Medium severity issue", + "high": "High severity issue", + "critical": "Critical severity issue" + } + }, + "criticality": { + "type": "string", + "enum": ["minimal", "low", "moderate", "high", "critical"], + "description": "Business criticality level", + "meta:enum": { + "minimal": "Minimal impact on business operations", + "low": "Low impact with minor 
inconvenience", + "moderate": "Moderate impact affecting some operations", + "high": "High impact affecting critical operations", + "critical": "Critical impact with severe business consequences" + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json new file mode 100644 index 00000000..4bf44932 --- /dev/null +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json 
@@ -0,0 +1,804 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-threat-2.0.schema.json", + "type": "null", + "title": "CycloneDX Threat Model", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "threatScenario": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/scenario" + }, + { + "properties": { + "threatCategory": { + "type": "string", + "description": "Threat category based on methodology (e.g., STRIDE category)" + }, + "threatActor": { + "$ref": "#/$defs/threatActorProfile" + }, + "attackVector": { + "$ref": "#/$defs/attackVector" + }, + "attackPattern": { + "$ref": "#/$defs/attackPatternReference" + }, + "abuseCases": { + "type": "array", + "items": { + "$ref": "#/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that illustrate how this threat can be exercised" + }, + "weakness": { + "$ref": "#/$defs/weaknessReference" + }, + "exploitability": { + "$ref": "#/$defs/exploitability" + }, + "indicators": { + "$ref": "#/$defs/indicators" + }, + "killChainPhase": { + "type": "string", + "enum": [ + "reconnaissance", + "weaponization", + "delivery", + "exploitation", + "installation", + "command-and-control", + "actions-on-objectives" + ], + "meta:enum": { + "reconnaissance": "Gathering information about the target", + "weaponization": "Creating malicious payloads", + "delivery": "Transmitting weapon to target", + "exploitation": "Exploiting vulnerabilities", + "installation": "Installing malware or backdoors", + "command-and-control": "Establishing C2 channel", + "actions-on-objectives": "Achieving attack goals" + } + }, + "technicalImpact": { + 
"type": "array", + "items": { + "type": "string", + "enum": [ + "unauthorized-access", + "data-breach", + "data-corruption", + "service-disruption", + "privilege-escalation", + "code-execution", + "information-disclosure", + "denial-of-service" + ] + } + } + } + } + ] + }, + "threatActor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or identifier of the threat actor" + }, + "description": { + "type": "string", + "description": "Description of the threat actor" + }, + "type": { + "type": "string", + "enum": ["individual", "group", "organization", "nation-state", "unknown"], + "meta:enum": { + "individual": "Individual threat actor", + "group": "Organized group or collective", + "organization": "Corporate or criminal organization", + "nation-state": "Nation-state sponsored actor", + "unknown": "Unknown threat actor type" + } + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Known aliases or alternative names" + }, + "profile": { + "$ref": "#/$defs/threatActorProfile" + }, + "observedTTPs": { + "type": "array", + "items": { + "$ref": "#/$defs/ttp" + }, + "description": "Observed tactics, techniques, and procedures" + }, + "attributedAttacks": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Attacks attributed to this actor" + }, + "targeting": { + "$ref": "#/$defs/targeting" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + } + } + }, + "threatActorProfile": { + "type": "object", + "additionalProperties": false, + "properties": { + "sophistication": { + "type": "string", + "enum": ["none", "minimal", "intermediate", "advanced", "expert"], + "meta:enum": { + "none": "No technical sophistication", + "minimal": 
"Script kiddie level", + "intermediate": "Intermediate technical skills", + "advanced": "Advanced persistent threat", + "expert": "Nation-state level capabilities" + } + }, + "motivation": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "financial", + "political", + "personal", + "ideological", + "espionage", + "destruction", + "disruption", + "reputation", + "curiosity", + "competitive", + "revenge", + "activism" + ] + }, + "description": "Primary motivations" + }, + "intent": { + "type": "string", + "enum": ["accidental", "opportunistic", "targeted", "persistent"], + "description": "Intent level" + }, + "resources": { + "type": "string", + "enum": ["minimal", "limited", "moderate", "substantial", "unlimited"], + "description": "Resource availability" + }, + "accessLevel": { + "type": "string", + "enum": ["none", "external", "internal", "privileged", "physical"], + "description": "Level of access to target systems" + }, + "skillSet": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific skills possessed" + } + } + }, + "attackVector": { + "type": "object", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["network", "adjacent", "local", "physical"], + "meta:enum": { + "network": "Remotely exploitable via network", + "adjacent": "Exploitable from adjacent network", + "local": "Requires local access", + "physical": "Requires physical access" + } + }, + "complexity": { + "type": "string", + "enum": [ + "low", + "high" + ], + "description": "Attack complexity" + }, + "privileges": { + "type": "string", + "enum": ["none", "low", "high"], + "description": "Privileges required" + }, + "userInteraction": { + "type": "string", + "enum": ["none", "required"], + "description": "User interaction requirement" + }, + "scope": { + "type": "string", + "enum": ["unchanged", "changed"], + "description": "Scope impact" + } + } + }, + "abuseCase": { + "type": "object", + "required": 
["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the abuse case" + }, + "description": { + "type": "string", + "description": "Narrative describing how the system can be misused or abused" + }, + "abuser": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference (bom-ref) to a threat actor involved in the abuse case" + }, + "targets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References (bom-refs) to assets or flows targeted in this abuse case" + }, + "steps": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered steps the abuser follows" + } + } + }, + "attackPattern": { + "type": "object", + "required": ["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "capecId": { + "type": "integer", + "description": "CAPEC (Common Attack Pattern Enumeration and Classification) ID" + }, + "name": { + "type": "string", + "description": "Name of the attack pattern" + }, + "description": { + "type": "string", + "description": "Description of the attack pattern" + }, + "prerequisites": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Prerequisites for the attack" + }, + "techniques": { + "type": "array", + "items": { + "$ref": "#/$defs/technique" + }, + "description": "Techniques used in the attack" + }, + "mitigations": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to mitigations" + }, + "examples": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Real-world examples" + } + } + }, + "attackPatternReference": { + "type": "object", + 
"additionalProperties": false, + "properties": { + "patternRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to attack pattern" + }, + "capecId": { + "type": "integer", + "description": "CAPEC ID if not referencing internal pattern" + }, + "customization": { + "type": "string", + "description": "How this pattern is customized for the specific scenario" + } + } + }, + "technique": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "description": "Technique ID (e.g., MITRE ATT&CK ID)" + }, + "name": { + "type": "string", + "description": "Name of the technique" + }, + "tactic": { + "type": "string", + "description": "Associated tactic" + }, + "procedure": { + "type": "string", + "description": "Specific procedure" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools used with this technique" + } + } + }, + "weakness": { + "type": "object", + "required": ["bom-ref"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "cweId": { + "type": "integer", + "description": "CWE (Common Weakness Enumeration) ID" + }, + "name": { + "type": "string", + "description": "Name of the weakness" + }, + "description": { + "type": "string", + "description": "Description of the weakness" + }, + "abstraction": { + "type": "string", + "enum": ["pillar", "class", "base", "variant", "compound"], + "meta:enum": { + "pillar": "Most abstract type of weakness", + "class": "Weakness described in generic terms", + "base": "Weakness described in abstract terms", + "variant": "Weakness specific to a resource/technology", + "compound": "Combination of two or more weaknesses" + } + }, + "ordinality": { + "type": "string", + "enum": ["primary", "resultant", "indirect"], + "meta:enum": { + "primary": "Weakness exists independent of other weaknesses", + "resultant": "Weakness is 
caused by another weakness", + "indirect": "Weakness is indirectly caused by another weakness" + } + }, + "affectedAssets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets affected by this weakness" + }, + "exploitationDifficulty": { + "type": "string", + "enum": ["trivial", "easy", "moderate", "difficult", "impractical"], + "description": "Difficulty of exploiting this weakness" + }, + "detectionMethods": { + "type": "array", + "items": { + "$ref": "#/$defs/detectionMethod" + }, + "description": "Methods for detecting this weakness" + } + } + }, + "weaknessReference": { + "type": "object", + "additionalProperties": false, + "properties": { + "weaknessRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to weakness" + }, + "cweId": { + "type": "integer", + "description": "CWE ID if not referencing internal weakness" + }, + "instance": { + "type": "string", + "description": "Specific instance or manifestation of the weakness" + } + } + }, + "exploitability": { + "type": "object", + "additionalProperties": false, + "properties": { + "level": { + "type": "string", + "enum": ["theoretical", "proof-of-concept", "functional", "weaponized"], + "meta:enum": { + "theoretical": "Theoretically possible but not demonstrated", + "proof-of-concept": "Proof of concept exists", + "functional": "Functional exploit exists", + "weaponized": "Weaponized exploit in the wild" + } + }, + "complexity": { + "type": "string", + "enum": ["trivial", "low", "medium", "high", "very-high"], + "description": "Complexity to exploit" + }, + "skillRequired": { + "type": "string", + "enum": ["none", "basic", "intermediate", "advanced", "expert"], + "description": "Skill level required" + }, + "toolsRequired": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools required for exploitation" + }, + "timeRequired": { + "type": "string", + "description": 
"Estimated time to develop exploit" + }, + "reliability": { + "type": "string", + "enum": ["unreliable", "occasional", "reliable", "highly-reliable"], + "description": "Reliability of exploitation" + }, + "automatable": { + "type": "boolean", + "description": "Whether exploitation can be automated" + } + } + }, + "indicators": { + "type": "object", + "additionalProperties": false, + "properties": { + "compromise": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of compromise" + }, + "attack": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Indicators of attack" + }, + "behavioral": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Behavioral indicators" + }, + "signatures": { + "type": "array", + "items": { + "$ref": "#/$defs/signature" + }, + "description": "Detection signatures" + } + } + }, + "signature": { + "type": "object", + "required": ["type", "value"], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": ["yara", "snort", "regex", "hash", "behavior"], + "description": "Type of signature" + }, + "value": { + "type": "string", + "description": "Signature value or pattern" + }, + "description": { + "type": "string", + "description": "Description of what the signature detects" + }, + "confidence": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Confidence level of detection" + } + } + }, + "ttp": { + "type": "object", + "additionalProperties": false, + "properties": { + "tactic": { + "type": "string", + "description": "High-level tactic" + }, + "technique": { + "$ref": "#/$defs/technique" + }, + "procedure": { + "type": "string", + "description": "Specific implementation" + }, + "tools": { + "type": "array", + "items": { + "$ref": "#/$defs/tool" + }, + "description": "Tools used" + }, + "infrastructure": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Infrastructure used" 
+ } + } + }, + "tool": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Tool name" + }, + "type": { + "type": "string", + "enum": ["exploit", "scanner", "fuzzer", "proxy", "framework", "custom"], + "description": "Type of tool" + }, + "version": { + "type": "string", + "description": "Tool version" + }, + "capabilities": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tool capabilities" + } + } + }, + "targeting": { + "type": "object", + "additionalProperties": false, + "properties": { + "sectors": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted sectors or industries" + }, + "regions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted geographic regions" + }, + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Targeted technologies or platforms" + }, + "dataTypes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Types of data targeted" + } + } + }, + "detectionMethod": { + "type": "object", + "required": ["method"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": ["static-analysis", "dynamic-analysis", "penetration-test", "code-review", "architecture-review", "automated-scan"], + "description": "Detection method type" + }, + "description": { + "type": "string", + "description": "Description of the detection method" + }, + "effectiveness": { + "type": "string", + "enum": ["low", "medium", "high"], + "description": "Effectiveness of the method" + }, + "tools": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Tools that implement this method" + } + } + }, + "securityPolicy": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": 
"cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Policy name" + }, + "type": { + "type": "string", + "enum": ["access-control", "data-protection", "network-security", "application-security", "operational-security", "compliance"], + "description": "Type of security policy" + }, + "description": { + "type": "string", + "description": "Policy description" + }, + "requirements": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy requirements" + }, + "enforcement": { + "type": "string", + "enum": ["mandatory", "recommended", "optional"], + "description": "Enforcement level" + }, + "appliesTo": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Assets this policy applies to" + }, + "exceptions": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Policy exceptions" + } + } + }, + "trustBoundary": { + "type": "object", + "allOf": [ + { + "$ref": "cyclonedx-blueprint-2.0.schema.json#/$defs/boundary" + }, + { + "properties": { + "trustLevel": { + "type": "string", + "enum": ["untrusted", "semi-trusted", "trusted", "highly-trusted"], + "description": "Trust level differential" + }, + "securityRequirements": { + "$ref": "#/$defs/boundarySecurityRequirements" + }, + "threatsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Threats that could exploit this boundary" + }, + "controlsAtBoundary": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "Controls implemented at this boundary" + } + } + } + ] + }, + "boundarySecurityRequirements": { + "type": "object", + "additionalProperties": false, + "properties": { + "authenticationStrength": { + "type": "string", + "enum": ["none", "weak", "moderate", "strong", "very-strong"], + "description": "Required 
authentication strength" + }, + "authorizationGranularity": { + "type": "string", + "enum": ["coarse", "medium", "fine", "very-fine"], + "description": "Authorization granularity required" + }, + "integrityVerification": { + "type": "boolean", + "description": "Whether integrity verification is required" + }, + "confidentialityProtection": { + "type": "boolean", + "description": "Whether confidentiality protection is required" + }, + "auditingLevel": { + "type": "string", + "enum": ["none", "basic", "detailed", "comprehensive"], + "description": "Level of auditing required" + }, + "dataValidationRules": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Data validation rules at boundary" + } + } + } + } +} diff --git a/schema/2.0/model/cyclonedx-usecase-2.0.schema.json b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json new file mode 100644 index 00000000..f54e0919 --- /dev/null +++ b/schema/2.0/model/cyclonedx-usecase-2.0.schema.json 
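Review bot: `threatScenario` and `trustBoundary` extend a base definition through `allOf`, but neither branch closes the object, so a scenario carrying a misspelled key such as `exploitabilty` or `killChainPhase ` validates cleanly — in the one schema where strictness matters most, an unknown property is silently accepted rather than rejected. Conversely, if `cyclonedx-risk-2.0.schema.json#/$defs/scenario` and `cyclonedx-blueprint-2.0.schema.json#/$defs/boundary` end with `"additionalProperties": false` the way every closed object in this hunk does, the base branch rejects the extension properties themselves (`threatCategory`, `threatActor`, `trustLevel`, …) and no extended instance can validate; those definitions live outside this hunk, so please confirm which of the two failure modes applies. Since the file declares draft 2020-12, the fix is to add `"unevaluatedProperties": false` as a sibling of `allOf` on both `threatScenario` and `trustBoundary`, and to make sure the referenced base definitions do not use `additionalProperties: false` (use `unevaluatedProperties` there as well if they must be closed on their own). Separately, `attackVector` is the CVSS v3.x base-metric vocabulary (AV/AC/PR/UI/S) without saying so; a `"description": "Attack vector expressed with CVSS v3.x base metrics (AV, AC, PR, UI, S); CVSS v4 attackRequirements and passive/active user interaction are not representable here"` on the object would stop consumers from mapping it onto the wrong CVSS version.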
@@ -0,0 +1,205 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-usecase-2.0.schema.json", + "type": "null", + "title": "CycloneDX Use Case Model", + "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", + "$defs": { + "useCases": { + "type": "array", + "title": "Use Cases", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/useCase" + }, + "description": "A collection of use cases that describe how actors interact with the system to achieve specific goals." + }, + "useCase": { + "type": "object", + "title": "Use Case", + "description": "A structured description of how one or more actors interact with the system to achieve a specific goal, including the primary flow, alternative paths, and exception scenarios.", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "The name or title of the use case, typically expressed as a verb phrase that captures the goal from the actor's perspective (e.g., 'Place Order', 'Reset Password')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A detailed narrative of the use case, including the actor's goal, the scope of the interaction, and any relevant business rules or constraints that govern its execution." 
+ }, + "actors": { + "type": "array", + "title": "Actors", + "uniqueItems": true, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to the actors that participate in this use case, representing anyone or anything that initiates or interacts with the described flow." + }, + "preconditions": { + "type": "array", + "title": "Preconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that must hold true before the use case can begin execution, such as required system state, authenticated sessions, available resources, or prior completed use cases." + }, + "postconditions": { + "type": "array", + "title": "Postconditions", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Conditions that will be true after the use case completes successfully, describing the expected system state, data changes, notifications sent, or side effects produced." + }, + "mainFlow": { + "type": "array", + "title": "Main Flow", + "items": { + "$ref": "#/$defs/step" + }, + "description": "The primary sequence of steps representing the most common or expected path through the use case, from the triggering action to the successful outcome." + }, + "alternativeFlows": { + "type": "array", + "title": "Alternative Flows", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/flow" + }, + "description": "Variant paths that branch from the main flow under specific conditions, representing valid but less common ways to achieve the use case goal or a modified outcome." + }, + "exceptions": { + "type": "array", + "title": "Exceptions", + "uniqueItems": true, + "items": { + "$ref": "#/$defs/exception" + }, + "description": "Error or failure scenarios that may interrupt the main or alternative flows, including the triggering condition and how the system responds to recover or terminate gracefully." 
+ }, + "successCriteria": { + "type": "array", + "title": "Success Criteria", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Measurable or observable criteria that determine whether the use case has been completed successfully, used for validation, acceptance testing, and stakeholder sign-off." + }, + "notes": { + "type": "array", + "title": "Notes", + "uniqueItems": true, + "items": { + "type": "string" + }, + "description": "Supplementary information, clarifications, open questions, or implementation guidance that provides additional context beyond the formal use case structure." + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "step": { + "type": "object", + "title": "Step", + "description": "A single discrete action within a use case flow, performed by a specific actor, that advances the interaction toward the use case goal.", + "required": ["number", "description"], + "additionalProperties": false, + "properties": { + "number": { + "type": "integer", + "title": "Number", + "minimum": 1, + "description": "The sequence number indicating the ordinal position of this step within its flow, starting at 1." + }, + "description": { + "type": "string", + "title": "Description", + "minLength": 1, + "description": "A clear, action-oriented statement describing what the actor does in this step and the expected system response, written in the form 'The [actor] [action]'." + }, + "actor": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the actor who initiates or performs this step, which may be a human user, an external system, or the system under design." 
+ } + } + }, + "flow": { + "type": "object", + "title": "Flow", + "description": "An alternative sequence of steps that branches from the main flow under a specific condition, representing a valid variant path through the use case.", + "required": ["name", "condition"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this alternative flow (e.g., 'Payment Declined', 'Guest Checkout')." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative explaining the purpose and context of this alternative flow, including how it differs from the main flow and under what circumstances it applies." + }, + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific condition, decision point, or triggering event that causes execution to diverge from the main flow into this alternative path." + }, + "steps": { + "type": "array", + "title": "Steps", + "items": { + "$ref": "#/$defs/step" + }, + "description": "The ordered sequence of steps that comprise this alternative flow, following the same structure as main flow steps." + } + } + }, + "exception": { + "type": "object", + "title": "Exception", + "description": "An error or failure scenario that may interrupt the normal execution of a use case, including the condition that triggers it and how the system responds.", + "required": ["name", "condition"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "minLength": 1, + "description": "A short, descriptive name identifying this exception scenario (e.g., 'Session Timeout', 'Insufficient Funds', 'Service Unavailable')." 
+ }, + "description": { + "type": "string", + "title": "Description", + "description": "A narrative describing the nature of this exception, its potential causes, and its impact on the use case and the actors involved." + }, + "condition": { + "type": "string", + "title": "Condition", + "minLength": 1, + "description": "The specific error condition, system state, or external event that triggers this exception during the execution of the use case." + }, + "handling": { + "type": "string", + "title": "Handling", + "description": "The recovery strategy or response the system takes when this exception occurs, such as retrying the operation, rolling back changes, notifying the user, or escalating to support." + } + } + } + } +} diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json new file mode 100644 index 00000000..e36ec28a --- /dev/null +++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/cyclonedx-2.0-prototype.json 
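Review bot: Nothing in `useCase` can point at the threat side — the threat model's `abuseCase` names an `abuser` and `targets`, but a use case has no field naming the abuse cases or threat scenarios that misuse it, so the use-case/misuse-case pairing these two schemas appear designed for cannot be expressed from here, and `preconditions` such as "authenticated session" stay free text with no link to the control that establishes them. Consider adding `"abuseCases": { "type": "array", "uniqueItems": true, "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, "description": "References (bom-refs) to abuse cases or threat scenarios that misuse this use case" }` to `useCase.properties`, unless the linkage is intentionally one-directional from the threat model, in which case the `useCase` description should say so. Also, `step.number` is required with `minimum: 1` but nothing makes it unique or monotonic within a flow, so a consumer can find `number` disagreeing with array position; state which is authoritative in the `number` description, e.g. `"Steps are ordered by array position; number is a display label and must match that position"`.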
@@ -0,0 +1,71 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "blueprints": [
+ {
+ "bom-ref": "blueprint-1",
+ "blueprintMetadata":{
+ "timestamp": "2025-09-12T15:42:30Z",
+ "authors": [],
+ "reviewers": [],
+ "reviewDate": "2025-09-03",
+ "approvers": [],
+ "approvalDate": "2025-09-12",
+ "ordinalVersion": "1.0",
+ "lifecycles": [
+ {
+ "phase": "operations"
+ }
+ ],
+ "validityPeriod": {
+ "start": "",
+ "end": "",
+ "reviewFrequency": "P3M"
+ }
+ },
+ "modelTypes": [
+ "threat",
+ "dataFlow",
+ "logical"
+ ],
+ "methodologies": [
+ "STRIDE",
+ "LINDDUN"
+ ],
+ "perspectives": [
+ {
+ "bom-ref": "perspective-1",
+ "type": "security",
+ "name": "",
+ "role": "Security Architect",
+ "objectives": [],
+ "concerns": [],
+ "viewpoint": ""
+ ],
+ "scope": {
+ "bom-ref": "scope-1",
+ "name": "HashiCorp Vault",
+ "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. This threat model involves an AWS deployment with k8s and a load balancer",
+ "$comment": "Business criticality, data sensitivity, and tier are defined on the individual assets. Exposure is not defined yet.",
+ "boundaries": [],
+ "includedComponents": [],
+ "excludedComponents": []
+
+ },
+ "visualizations": [
+
+ ],
+ "externalReferences": [
+ {
+ "type": "documentation",
+ "url": "https://developer.hashicorp.com/vault/docs"
+ },
+ {
+ "type": "vcs",
+ "url": "https://github.com/hashicorp/vault"
+ }
+ ]
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
new file mode 100644
index 00000000..d549195a
--- /dev/null
+++ b/tools/src/test/resources/2.0/prototypes/hashicorp-vault-threat-model/hashicorp-vault-threat-model.json
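Review bot: This fixture is not valid JSON: the single object inside `perspectives` is opened but never closed — `"viewpoint": ""` is followed directly by `],` — and the extra `}` near the end (two `}` lines between the closing `]` of `externalReferences` and the closing `]` of `blueprints`) balances the brace count but not the parse, so any test that loads this prototype will fail at the `]` after `viewpoint`. Close the perspective object with `"viewpoint": ""` / `}` / `],` and delete one of the two `}` lines before the final `]`. The `validityPeriod.start` and `validityPeriod.end` values are empty strings rather than dates; if the 2.0 schema constrains them with a `date` or `date-time` format, the fixture would still fail validation after the brace fix, so either supply placeholder dates or omit the two keys. The file also ends without a trailing newline, which the diff flags explicitly.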
@@ -0,0 +1,1258 @@ +{ + "$schema": "https://github.com/OWASP/www-project-threat-model-library/blob/v1.0.1/threat-model.schema.json", + "version": "1.0", + "scope": { + "title": "HashiCorp Vault", + "description": "HashiCorp Vault is a secrets management system that provides secure storage, access control, dynamic credentials, cryptographic operations (Transit), and secret leasing/renewal. A typical deployment consists of Vault clients (applications, CI/CD, operators) communicating over TLS with one or more Vault server nodes. Vault enforces authentication (e.g., AppRole, AWS/GCP/IAM, OIDC/JWT, Kubernetes), issues scoped tokens bound to policies, and gates all operations through its HTTP API. The server maintains an encrypted storage barrier and persists data in a backend - the integrated Storage/Raft deployment is the one in scope. Clusters are commonly configured in HA mode with an active leader and standby nodes. Core security properties include encryption at rest within the barrier, mutual TLS on all control/data paths, least-privilege policies, response wrapping, and short-lived dynamic secrets. Operational workflows cover initialization and sealing (Shamir key shares), unsealing, rotation of root keys and encryption keys, audit device configuration (e.g., file/socket/syslog), mount-by-mount secrets engine hardening, and strict network segmentation—especially between clients, Vault nodes, and the storage backend. Misconfigurations to consider include over-permissive policies, exposed Raft/Consul ports, weak auth method constraints, disabled audit logging, and long-lived tokens. 
This threat model involves an AWS deployment with k8s and a load balancer", + "business_criticality": "high", + "data_sensitivity": [ + "biz", + "cred", + "pii" + ], + "exposure": "internal", + "tier": "mission_critical" + }, + "description": "Enterprise secrets management and cryptographic services for applications and operators.", + "frozen": false, + "release_docs_link": "https://developer.hashicorp.com/vault/docs", + "reviewed_at": "2025-09-03", + "repo_link": "https://github.com/hashicorp/vault", + "diagrams": [ + { + "title": "AWS Deployment with K8s and a load balancer","type": "mermaid", + "source": "flowchart LR; AU[\"App User\"]; DEV[\"Developer\"]; PE[\"Platform Engineer\"]; APP1[\"Client Application (App 1)\"]; CLI[\"Vault CLI / API Client\"]; subgraph VPC[\"Internal AWS VPC\"]; direction LR; VPN[\"VPN Gateway (AWS SSO)\"]; LB[\"AWS Load Balancer\"]; subgraph EKS[\"EKS Cluster\"]; direction TB; APISERVER[\"Kubernetes API Server\"]; subgraph NS[\"K8s Namespace: vault\"]; direction LR; SVC[\"K8s Service: vault-internal\"]; SVC_EP[\"Service Endpoint\"]; subgraph VAULT[\"Vault HA Deployment (StatefulSet)\"]; direction LR; V1[\"Vault Pod 1 (Active)\"]; V2[\"Vault Pod 2 (Standby)\"]; V3[\"Vault Pod 3 (Standby)\"]; API[\"Vault API (:8200)\"]; AUTH[\"Vault Auth Methods\"]; SE[\"Vault Secret Engines\"]; AUDDEV[\"Vault Audit Devices\"]; subgraph RAFT[\"Integrated Storage (Raft :8201 mTLS)\"]; R1[\"Raft Peer (Pod 1)\"]; R2[\"Raft Peer (Pod 2)\"]; R3[\"Raft Peer (Pod 3)\"]; end; end; end; end; KMS[\"Vault Auto-Unseal (Cloud KMS)\"]; end; AU -->|Login/API| APP1; APP1 -- \"TLS :8200\" --> LB; DEV -->|\"VPN + AWS SSO\"| VPN; PE -->|\"VPN + AWS SSO\"| VPN; DEV -->|\"Uses Vault CLI\"| CLI; PE -->|\"Uses Vault CLI\"| CLI; CLI -->|\"Tunnel via VPN\"| VPN; VPN -->|\"Forward to VPC\"| LB; CLI -- \"TLS :8200 (via VPN)\" --> LB; VPN -. 
\"kubectl (AWS SSO)\" .-> APISERVER; LB -->|\"TLS :8200\"| SVC_EP; SVC_EP --> V1; SVC_EP --> V2; SVC_EP --> V3; V1 --- API; V2 --- API; V3 --- API; API --> AUTH; API --> SE; API --> AUDDEV; V1 --- R1; V2 --- R2; V3 --- R3; R1 <-->|\"Raft :8201 mTLS\"| R2; R1 <-->|\"Raft :8201 mTLS\"| R3; R2 <-->|\"Raft :8201 mTLS\"| R3; VAULT -. \"Auto-Unseal\" .-> KMS;" + } + ], + "trust_zones": [ + { + "symbolic_name": "public", + "title": "Public Internet Zone", + "description": "External clients and actors including applications, CI/CD pipelines, and operators that connect to Vault over TLS (8200)." + }, + { + "symbolic_name": "aws-vpc", + "title": "Internal AWS VPC", + "description": "Private AWS VPC hosting the EKS cluster and load balancer. Provides network isolation and segmentation for Vault components." + }, + { + "symbolic_name": "eks-cluster", + "title": "EKS Cluster Zone", + "description": "Amazon EKS cluster providing the orchestration environment for Vault pods and services." + }, + { + "symbolic_name": "k8s-namespace-vault", + "title": "Vault Kubernetes Namespace", + "description": "Dedicated Kubernetes namespace (`vault`) that contains the Vault StatefulSet, Service, and Raft integrated storage peers." 
+ } + ], + "trust_boundaries": [ + { + "trust_zone_a": "public-internet", + "trust_zone_b": "aws-vpc", + "access_control_methods": [ + "acl", + "rbac" + ], + "authentication_methods": [ + "public_key", + "token", + "sso" + + ] + }, + { + "trust_zone_a": "aws-vpc", + "trust_zone_b": "eks-cluster", + "access_control_methods": [ + "rbac", + "acl" + ], + "authentication_methods": [ + "public_key" + ] + }, + { + "trust_zone_a": "eks-cluster", + "trust_zone_b": "k8s-namespace-vault", + "access_control_methods": [ + "rbac", + "acl", + "mac" + ], + "authentication_methods": [ + "token" + ] + } + ], + "actors": [ + { + "symbolic_name": "platform-engineer", + "title": "Platform Engineer", + "description": "Responsible for deploying, operating, and maintaining the Vault cluster. Manages HA configuration, upgrades, storage backends, and operational tasks like initialization, unseal, and monitoring.", + "type": "engineer", + "permissions": "Deploy and upgrade Vault; configure Raft or Consul storage; perform initialization and unseal operations; enable/disable auth and secrets engines; monitor health and performance.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "developer", + "title": "Application Developer", + "description": "A developer who builds and maintains applications that consume secrets from Vault. In this scenario, developers also have access to the Kubernetes cluster where Vault is deployed, as well as Vault audit logs. 
This gives them significant power to access, modify, and observe secret-related operations.", + "type": "engineer", + "permissions": "Push and retrieve secrets; configure application roles for development; read Vault audit logs; access the Kubernetes cluster including the Vault namespace, which may allow tampering with Vault pods, services, or Raft storage.", + "trust_zone": "aws-vpc" + }, + + { + "symbolic_name": "app-user", + "title": "End User of Client Application", + "description": "An end user (internal employee or external customer) who interacts with an application that relies on Vault for secrets management or cryptographic operations.", + "type": "user", + "permissions": "Indirect access to Vault-protected resources through the client application; cannot interact with Vault directly.", + "trust_zone": "public" + } + ], + "components": [ + { + "symbolic_name": "client-app-1", + "title": "Client Application (App 1)", + "description": "External application that end users interact with. 
Relies on Vault for secrets or cryptographic operations.", + "trust_zone": "public-internet" + }, + { + "symbolic_name": "vpn-gateway", + "title": "VPN Gateway", + "description": "Provides secure entry for engineers and developers into the AWS VPC hosting Vault.", + "trust_zone": "aws-vpc" + }, + { + "symbolic_name": "aws-lb", + "title": "AWS Load Balancer", + "description": "DMZ load balancer that forwards client requests over TLS to the Vault Kubernetes Service endpoint.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "eks-cluster", + "title": "Amazon EKS Cluster", + "description": "Managed Kubernetes control plane and worker nodes that run the Vault namespace.", + "trust_zone": "eks-cluster" + }, + { + "symbolic_name": "k8s-service-vault-internal", + "title": "Kubernetes Service: vault-internal", + "description": "Cluster-internal service endpoint that routes traffic from the AWS Load Balancer to Vault pods.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-ha-statefulset", + "title": "Vault HA Deployment (StatefulSet)", + "description": "Vault pods (1 active leader, 2 standbys) running in high availability mode and exposing the Vault API.", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-auth-methods", + "title": "Vault Authentication Methods", + "description": "Pluggable authentication backends (e.g., AppRole, Kubernetes, AWS IAM, OIDC) that validate identities and issue scoped Vault tokens.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-secret-engines", + "title": "Vault Secret Engines", + "description": "Pluggable backends for secrets management and cryptographic operations, including KV, PKI, Transit, Database, and dynamic secrets engines.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": 
"vault-audit-devices", + "title": "Vault Audit Devices", + "description": "Configured audit sinks (file, syslog, socket, etc.) that record all requests and responses for security and compliance monitoring.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-cli", + "title": "Vault CLI / API Client", + "description": "The Vault command-line interface and HTTP API used by engineers and automation tools to interact with Vault.", + "trust_zone": "public-internet-client-zone", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-auto-unseal", + "title": "Vault Auto-Unseal (Cloud KMS Integration)", + "description": "Integration with external Key Management Services (AWS KMS, GCP KMS, Azure Key Vault) to automate the unseal process.", + "trust_zone": "aws-vpc", + "repo_link": "https://github.com/hashicorp/vault" + }, + { + "symbolic_name": "vault-api", + "title": "Vault API", + "description": "The HTTP API exposed by Vault pods on port 8200. Provides entry points to authentication methods, secret engines, and application endpoints.", + "trust_zone": "k8s-namespace-vault", + "repo_link": "https://github.com/hashicorp/vault" + } + ], + "data_stores": [ + { + "symbolic_name": "vault-raft-storage", + "title": "Vault Integrated Storage (Raft)", + "description": "Embedded Raft storage peers that persist encrypted Vault data. 
Provides replication and consensus across Vault pods.", + "type": "key_value", + "vendor": "HashiCorp", + "product": "Vault Raft Storage", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "vault-audit-logs", + "title": "Vault Audit Logs", + "description": "Audit device output streams (file, syslog, socket) that contain records of every Vault request and response for compliance and monitoring.", + "type": "object", + "vendor": "HashiCorp", + "product": "Vault Audit Devices", + "trust_zone": "k8s-namespace-vault" + }, + { + "symbolic_name": "cloud-kms", + "title": "Cloud KMS for Auto-Unseal", + "description": "External Key Management Service used by Vault for auto-unseal operations and master key encryption.", + "type": "key_value", + "vendor": "AWS", + "product": "AWS KMS", + "trust_zone": "aws-vpc" + } + ], + "data_sets": [ + { + "symbolic_name": "vault-secrets", + "title": "Vault Stored Secrets", + "description": "Static and dynamic secrets stored and managed within Vault, including credentials, API keys, and tokens. 
Encrypted at rest within the Raft storage backend.", + "placements": [ + { + "data_store": "vault-raft-storage", + "encrypted": true + } + ], + "record_count": 5000, + "data_sensitivity": [ + "cred", + "pii", + "biz" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-audit-records", + "title": "Vault Audit Log Records", + "description": "Detailed records of Vault API requests and responses, containing metadata on who accessed what, when, and how.", + "placements": [ + { + "data_store": "vault-audit-logs", + "encrypted": false + } + ], + "record_count": 1000000, + "data_sensitivity": [ + "biz", + "pii" + ], + "access_control_methods": [ + "rbac", + "acl" + ] + }, + { + "symbolic_name": "vault-unseal-keys", + "title": "Vault Master Key and Unseal Keys", + "description": "Key shares or cloud KMS-encrypted master keys used for unsealing Vault and securing the root of trust.", + "placements": [ + { + "data_store": "cloud-kms", + "encrypted": true + } + ], + "record_count": 5, + "data_sensitivity": [ + "cred" + ], + "access_control_methods": [ + "acl", + "rbac" + ] + } + ], + "data_flows": [ + { + "symbolic_name": "developer-to-cli", + "title": "Developer to Vault CLI", + "description": "Developer issues commands to the local Vault CLI binary, which acts as the client interface to Vault.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": "platform-engineer-to-cli", + "title": "Platform Engineer to Vault CLI", + "description": "Platform Engineer issues commands to the local Vault CLI binary for managing Vault operations and configurations.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vault-cli" + }, + "has_sensitive_data": false, + "encrypted": false + }, + { + "symbolic_name": 
"app-user-to-client-app", + "title": "App User to Client Application", + "description": "An end user interacts with the client-facing application, which relies on Vault for secrets or cryptographic operations.", + "source": { + "type": "actor", + "object": "app-user" + }, + "destination": { + "type": "component", + "object": "client-app-1" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "client-app-to-aws-lb", + "title": "Client Application to AWS Load Balancer", + "description": "Client Application (App 1) sends requests to Vault via the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "client-app-1" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "cli-to-vpn", + "title": "Vault CLI to VPN Gateway", + "description": "Vault CLI tunnels traffic through the VPN Gateway, which enforces AWS SSO before allowing access into the VPC.", + "source": { + "type": "component", + "object": "vault-cli" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vpn-to-aws-lb", + "title": "VPN Gateway to AWS Load Balancer", + "description": "VPN Gateway forwards authenticated engineer traffic (AWS SSO) into the VPC, delivering Vault CLI/API requests to the AWS Load Balancer over TLS 8200.", + "source": { + "type": "component", + "object": "vpn-gateway" + }, + "destination": { + "type": "component", + "object": "aws-lb" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "aws-lb-to-eks", + "title": "AWS Load Balancer to EKS Cluster", + "description": "The Load Balancer forwards TLS :8200 traffic into the EKS cluster.", + "source": { + "type": "component", + "object": "aws-lb" + }, + "destination": { + "type": "component", + "object": "eks-cluster" + }, + "has_sensitive_data": true, + 
"encrypted": true + }, + { + "symbolic_name": "k8s-service-to-vault-ha", + "title": "Kubernetes Service to Vault HA StatefulSet", + "description": "The Service load balances requests to Vault pods.", + "source": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "destination": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "eks-cluster-to-k8s-service", + "title": "EKS Cluster to Kubernetes Service (vault-internal)", + "description": "EKS networking routes traffic internally to the cluster Service endpoint for Vault.", + "source": { + "type": "component", + "object": "eks-cluster" + }, + "destination": { + "type": "component", + "object": "k8s-service-vault-internal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-vault-api", + "title": "Vault Pod to Vault API", + "description": "Requests arriving at a Vault pod are handled by the Vault API listener on :8200.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-api" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-auth", + "title": "Vault API to Auth Methods", + "description": "Login requests (/auth/*) dispatched to configured authentication backends.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-auth-methods" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-api-to-secrets", + "title": "Vault API to Secret Engines", + "description": "Secret read/write and cryptographic operations routed to secrets engines.", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-secret-engines" + }, + "has_sensitive_data": true, + "encrypted": 
true + }, + { + "symbolic_name": "vault-api-to-audit", + "title": "Vault API to Audit Devices", + "description": "Vault writes request/response metadata to audit devices (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-api" + }, + "destination": { + "type": "component", + "object": "vault-audit-devices" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-core-to-raft", + "title": "Vault Core to Raft Storage", + "description": "Vault Core persists encrypted state via the storage barrier into Integrated Storage (Raft).", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "vault-ha-to-auto-unseal", + "title": "Vault to Auto-Unseal Integration", + "description": "Vault contacts the Cloud KMS integration to decrypt master key material during startup/unseal.", + "source": { + "type": "component", + "object": "vault-ha-statefulset" + }, + "destination": { + "type": "component", + "object": "vault-auto-unseal" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Audit devices append structured records to the audit log store.", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "auto-unseal-to-cloud-kms", + "title": "Auto-Unseal to Cloud KMS", + "description": "Auto-unseal integration calls Cloud KMS to decrypt the master key material.", + "source": { + "type": "component", + "object": "vault-auto-unseal" + }, + "destination": { + "type": "data_store", + "object": "cloud-kms" + }, + "has_sensitive_data": true, + 
"encrypted": true + }, + { + "symbolic_name": "developer-to-vpn", + "title": "Developer to VPN (AWS SSO)", + "description": "Developer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "developer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "platform-engineer-to-vpn", + "title": "Platform Engineer to VPN (AWS SSO)", + "description": "Platform Engineer authenticates to the VPN using AWS SSO before accessing internal cluster resources.", + "source": { + "type": "actor", + "object": "platform-engineer" + }, + "destination": { + "type": "component", + "object": "vpn-gateway" + }, + "has_sensitive_data": false, + "encrypted": true + }, + { + "symbolic_name": "vault-audit-devices-to-audit-logs", + "title": "Vault Audit Devices to Audit Logs", + "description": "Vault pods (audit devices) write structured audit records to the audit log store (file/syslog/socket).", + "source": { + "type": "component", + "object": "vault-audit-devices" + }, + "destination": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-developer", + "title": "Developer reads Vault Audit Logs", + "description": "Developer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-audit-logs-platform-engineer", + "title": "Platform Engineer reads Vault Audit Logs", + "description": "Platform Engineer reads audit records directly from the audit log store via kubectl exec/logs or mounted volumes inside the Vault 
pod.", + "source": { + "type": "data_store", + "object": "vault-audit-logs" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage", + "title": "Developer reads Raft Storage", + "description": "Developer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "developer" + }, + "has_sensitive_data": true, + "encrypted": true + }, + { + "symbolic_name": "insider-read-raft-storage-platform-engineer", + "title": "Platform Engineer reads Raft Storage", + "description": "Platform Engineer with kubectl exec access copies or reads Raft storage files from the Vault pod filesystem. Data remains barrier-encrypted at rest, but access enables exfiltration or tampering.", + "source": { + "type": "data_store", + "object": "vault-raft-storage" + }, + "destination": { + "type": "actor", + "object": "platform-engineer" + }, + "has_sensitive_data": true, + "encrypted": true + } + ], + "assumptions": [ + { + "description": "All communication between clients, load balancers, Kubernetes services, and Vault pods occurs over TLS (8200).", + "validity": "confirmed" + }, + { + "description": "Vault Raft storage is encrypted at rest by the Vault barrier, and requires master key material (from KMS or Shamir unseal) for decryption.", + "validity": "confirmed" + }, + { + "description": "Vault pods run inside a dedicated Kubernetes namespace with RBAC, NetworkPolicies, and IAM roles scoped to the namespace.", + "validity": "confirmed" + }, + { + "description": "VPN gateway enforces AWS SSO authentication for Developers and Platform Engineers before they can access the AWS VPC and EKS cluster.", + "validity": "confirmed" + 
}, + { + "description": "Cloud KMS (AWS KMS) keys used for auto-unseal are properly scoped and only accessible by Vault service accounts.", + "validity": "confirmed" + }, + { + "description": "Audit devices are configured and cannot be disabled without privileged administrator actions.", + "validity": "confirmed" + }, + { + "description": "Developers and Platform Engineers with kubectl access could bypass the Vault API to access logs and storage directly, introducing insider risk.", + "validity": "confirmed" + }, + { + "description": "Raft replication between Vault pods uses mutual TLS on port 8201 with certificate pinning/verification.", + "validity": "confirmed" + }, + { + "description": "VPN Gateway enforces AWS SSO (MFA) for Developers and Platform Engineers before access to the VPC and EKS control plane.", + "validity": "confirmed" + }, + { + "description": "EKS API access requires VPN + SSO and is logged; direct Internet access to the cluster or nodes is blocked.", + "validity": "confirmed" + } + ], + "threat_personas": [ + { + "symbolic_name": "darius", + "title": "Darius the Compromised / Malicious Developer", + "description": "An insider developer whose account or workstation is compromised (or who has turned malicious). Has kubectl access to the EKS cluster and can read Vault audit logs and pod files. Could exfiltrate secrets, tamper with Raft storage, or disable/modify logging.", + "is_person": true, + "skill_level": "engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "high" + }, + { + "symbolic_name": "sofia", + "title": "Sofia the Rogue Platform Engineer", + "description": "An insider with elevated privileges over Vault’s deployment, networking, and storage backends. 
Capable of modifying StatefulSets, Service configurations, or intercepting API traffic.", + "is_person": true, + "skill_level": "expert_engineer", + "access_level": "admin", + "malicious_intent": true, + "applicability_to_org": "low" + }, + { + "symbolic_name": "li-wei", + "title": "Li Wei the External Attacker", + "description": "An attacker on the public Internet attempting to exploit misconfigurations, weak authentication methods, or exposed APIs to gain unauthorized access to Vault.", + "is_person": true, + "skill_level": "script_kid", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "giovanni", + "title": "Giovanni the Curious Administrator", + "description": "A well-meaning but overcurious administrator who inspects Vault audit logs or Raft storage beyond their intended duties, creating insider risk without direct malicious intent.", + "is_person": true, + "skill_level": "insider", + "access_level": "admin", + "malicious_intent": false, + "applicability_to_org": "maximal" + }, + { + "symbolic_name": "alejandra", + "title": "Alejandra the OC-Sponsored Operator", + "description": "An operator working on behalf of organized crime (ransomware/credential resale). 
Skilled at exploiting exposed services, social engineering, and purchasing insider access; targets Vault to harvest credentials and secrets for monetization.", + "is_person": true, + "skill_level": "oc_sponsored", + "access_level": "user", + "malicious_intent": true, + "applicability_to_org": "high" + } + ], + "threats": [ + { + "symbolic_name": "insider-exfiltrate-secrets-via-kubectl", + "title": "Insider exfiltrates secrets and configuration via kubectl (pod exec / file copy)", + "description": "A developer or platform engineer with kubectl access execs into Vault pods or mounts pod volumes to read Raft storage files and configuration, allowing exfiltration of encrypted state and metadata which can be used for offline attacks or tampering.", + "threat_persona": "darius", + "event": "unauthorized data exfiltration / tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 284, + "cwe_title": "Improper Access Control" + }, + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + }, + { + "cwe_id": 522, + "cwe_title": "Insufficiently Protected Credentials" + } + ] + }, + { + "symbolic_name": "insider-read-tamper-audit-logs", + "title": "Insider reads or tampers with audit logs", + "description": "An actor with cluster access directly reads Vault audit files or streams pod logs (kubectl logs). 
They can exfiltrate sensitive audit trails, or delete/modify logs to remove traces of malicious activity.", + "threat_persona": "darius", + "event": "information disclosure / evidence tampering", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 122, + "capec_title": "Privilege Abuse" + } + ], + "weaknesses": [ + { + "cwe_id": 200, + "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + }, + { + "symbolic_name": "rogue-platform-tamper-ha-config", + "title": "Rogue platform engineer tampers with Vault deployment to cause DoS or capture secrets", + "description": "A platform engineer modifies StatefulSet, Service, or network rules (or injects sidecars) to disrupt Vault availability (DoS), redirect traffic to a malicious endpoint, or capture secrets in transit.", + "threat_persona": "sofia", + "event": "denial of service / credential capture / traffic interception", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 210, + "capec_title": "Abuse Existing Functionality" + } + ], + "weaknesses": [ + { + "cwe_id": 732, + "cwe_title": "Incorrect Permission Assignment for Critical Resource" + }, + { + "cwe_id": 269, + "cwe_title": "Improper Privilege Management" + } + ] + }, + { + "symbolic_name": "compromised-workload-abuse-auth", + "title": "Compromised workload abuses auth (Kubernetes/AppRole/IAM) to exfiltrate secrets and access various services with these secrets", + "description": "A compromised application or CI job uses stolen credentials, stolen service account tokens, or abused auth bindings to obtain Vault tokens, then reads secrets or requests dynamic credentials beyond its intended scope.", + "threat_persona": "li-wei", + "event": "unauthorized secret access", + "sources": [ + "adversary" + ], + "attack_mechanisms": [ + { + "capec_id": 555, + "capec_title": "Remote Services with Stolen Credentials" + } + ], + "weaknesses": [ + { + "cwe_id": 287, + "cwe_title": "Improper 
Authentication"
+ },
+ {
+ "cwe_id": 285,
+ "cwe_title": "Improper Authorization"
+ },
+ {
+ "cwe_id": 522,
+ "cwe_title": "Insufficiently Protected Credentials"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "exposed-raft-port-remote-attack",
+ "title": "Exposed Raft/consensus ports allow remote access to storage",
+ "description": "If Raft ports (8201) or the pod network are exposed outside the cluster/VPC, an attacker could discover services, attempt to join/replicate, extract data, or cause cluster instability.",
+ "threat_persona": "li-wei",
+ "event": "confidentiality breach / data exfiltration / cluster compromise",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 310,
+ "capec_title": "Scanning for Vulnerable Software"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 200,
+ "cwe_title": "Exposure of Sensitive Information to an Unauthorized Actor"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "lb-tls-mitm-or-termination-misconfig",
+ "title": "TLS termination/misconfiguration at Load Balancer leads to MITM or credential leak",
+ "description": "If the AWS Load Balancer is misconfigured (terminates TLS without re-encrypting, or uses an untrusted certificate), an attacker or compromised LB control plane could intercept or tamper with Vault API traffic.",
+ "threat_persona": "alejandra",
+ "event": "man-in-the-middle / data interception",
+ "sources": [
+ "adversary"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 117,
+ "capec_title": "Interception"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 295,
+ "cwe_title": "Improper Certificate Validation"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "vault-availability-failure",
+ "title": "Loss of availability of secret material due to failure",
+ "description": "Failures in cluster nodes, Raft replication, or storage can cause Vault to become unavailable, preventing applications from retrieving secrets or performing cryptographic operations.",
+ "threat_persona": "sofia",
+ "event": "denial of service / loss of availability",
+ "sources": [
+ "failure"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 125,
+ "capec_title": "Flooding"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 400,
+ "cwe_title": "Uncontrolled Resource Consumption"
+ },
+ {
+ "cwe_id": 664,
+ "cwe_title": "Improper Control of a Resource Through its Lifetime"
+ }
+ ]
+ },
+ {
+ "symbolic_name": "misconfigured-policies-excess-privilege",
+ "title": "Over-permissive Vault policies allow lateral movement or secret theft",
+ "description": "Misconfigured Vault policies or overly-broad role bindings grant principals capabilities they don't need (e.g., wildcard admin policies), enabling actors to list/read secrets or create tokens for escalation.",
+ "threat_persona": "giovanni",
+ "event": "unauthorized access / privilege escalation",
+ "sources": [
+ "human_error"
+ ],
+ "attack_mechanisms": [
+ {
+ "capec_id": 212,
+ "capec_title": "Abuse existing Functionality"
+ }
+ ],
+ "weaknesses": [
+ {
+ "cwe_id": 285,
+ "cwe_title": "Improper Authorization"
+ }
+ ]
+ }
+ ],
+ "controls": [
+ {
+ "symbolic_name": "restrict-k8s-rbac",
+ "title": "Restrict Kubernetes RBAC for developers and engineers",
+ "description": "Limit Kubernetes RoleBindings/ClusterRoleBindings so that developers and engineers cannot exec into Vault pods, read pod volumes, or access Raft storage directly. 
Only platform engineers should have restricted administrative access under break-glass conditions.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs",
+ "rogue-platform-tamper-ha-config"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "pod-security-policies",
+ "title": "Apply Pod Security Standards / OPA Gatekeeper",
+ "description": "Use Kubernetes Pod Security Standards (restricted profile) or OPA/Gatekeeper policies to prevent privileged containers and block direct volume mounts that would expose Raft data to kubectl exec or copy commands.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "audit-kubectl-commands",
+ "title": "Audit kubectl exec and cp usage",
+ "description": "Enable Kubernetes audit logging to track all kubectl exec and copy commands. Send logs to a SIEM for real-time detection of suspicious access attempts.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs"
+
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "vault-multiple-audit-devices",
+ "title": "Configure multiple Vault audit devices",
+ "description": "Enable at least two Vault audit devices (e.g., file and syslog). 
Even if one sink is tampered with or deleted, other sinks continue to capture activity.",
+ "threats": [
+ "insider-read-tamper-audit-logs",
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "immutable-storage-for-audit",
+ "title": "Store Vault audit logs in immutable storage",
+ "description": "Use append-only storage (e.g., WORM S3 buckets or immutable syslog servers) for Vault audit logs so they cannot be deleted or modified retroactively.",
+ "threats": [
+ "insider-read-tamper-audit-logs",
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "deployment-change-control",
+ "title": "Require change control for Vault deployment manifests",
+ "description": "Enforce code review and approval workflows (e.g., GitOps, Infrastructure as Code pipelines) for changes to Vault StatefulSets, Services, and ConfigMaps. Prevent direct kubectl edits in production.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "k8s-admission-controls",
+ "title": "Apply Kubernetes admission controls for Vault workloads",
+ "description": "Use admission controllers (OPA Gatekeeper, Kyverno) to enforce security policies on Vault pods (no sidecars, no privilege escalation, no host networking) and reject unauthorized changes.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "monitor-k8s-config-changes",
+ "title": "Monitor and alert on Kubernetes configuration changes",
+ "description": "Enable auditing of Kubernetes API server for changes to StatefulSets, Services, and ConfigMaps in the Vault namespace. 
Send to SIEM for alerting on unexpected changes.",
+ "threats": [
+ "rogue-platform-tamper-ha-config"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "eks-cluster",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "constrain-auth-methods",
+ "title": "Constrain Vault authentication methods",
+ "description": "Configure Vault auth methods (AppRole, Kubernetes, IAM) with least privilege. Require role bindings to be tightly scoped (limited CIDRs, bounded service accounts, short-lived tokens).",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "short-lived-tokens",
+ "title": "Use short-lived Vault tokens and dynamic secrets",
+ "description": "Configure Vault roles and policies to issue ephemeral tokens and dynamic credentials that automatically expire, limiting impact of stolen tokens.",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "k8s-namespace-vault",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "bind-secrets-to-identity",
+ "title": "Bind secrets tightly to workload identity",
+ "description": "Restrict Vault roles to specific Kubernetes service accounts, IAM roles, or AppRoles. Enforce identity binding so compromised workloads cannot escalate or impersonate others.",
+ "threats": [
+ "compromised-workload-abuse-auth"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "restrict-raft-network-access",
+ "title": "Restrict Raft port access to Vault cluster nodes only",
+ "description": "Use Kubernetes NetworkPolicies and AWS Security Groups to restrict port 8201 so only Vault pods can communicate with each other. 
Block all external or client access to Raft traffic.",
+ "threats": [
+ "exposed-raft-port-remote-attack"
+ ],
+ "status": "active",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "raft-mtls-cert-validation",
+ "title": "Enforce mutual TLS for Raft replication",
+ "description": "Require Vault nodes to authenticate Raft peers with mTLS certificates. Configure strict certificate validation and rotation to prevent unauthorized Raft peers from joining the cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack"
+ ],
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "monitor-raft-consensus-health",
+ "title": "Monitor Raft consensus health",
+ "description": "Enable monitoring and alerting on Raft replication status, quorum health, and node membership changes. Detect anomalies that may indicate tampering or external Raft join attempts.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "end-to-end-strong-tls",
+ "title": "Enforce end-to-end TLS from clients to Vault pods. Enforce TLS versions (1.2+), secure cipher suites, and valid CA-signed certificates. Disable weak ciphers and enforce certificate pinning where possible.",
+ "description": "Configure the AWS Load Balancer for TCP passthrough (no TLS termination), or ensure re-encryption is used with trusted server certificates so traffic is encrypted all the way to Vault pods.",
+ "threats": [
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "status": "active",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "monitor-lb-config",
+ "title": "Monitor and alert on Load Balancer TLS configuration changes",
+ "description": "Continuously check AWS Load Balancer TLS configuration (e.g., via AWS Config or Security Hub). 
Alert if TLS termination is enabled unexpectedly or insecure parameters are set.",
+ "threats": [
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "multi-az-deployment",
+ "title": "Deploy Vault cluster across multiple Availability Zones",
+ "description": "Distribute Vault pods and Raft peers across multiple AWS Availability Zones to ensure quorum and service availability during AZ-level outages.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "raft-backup-snapshots",
+ "title": "Enable automated Raft snapshots and backup",
+ "description": "Configure regular Raft snapshots and store them securely outside the Vault cluster (e.g., S3 with encryption) to recover state in case of catastrophic failure.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "critical"
+ },
+ {
+ "symbolic_name": "auto-unseal-ha",
+ "title": "Use redundant Cloud KMS for auto-unseal",
+ "description": "Configure Vault auto-unseal with multiple KMS providers (or highly available KMS setup) to avoid dependency on a single point of failure.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "health-checks-and-restarts",
+ "title": "Enable health checks and automated restarts for Vault pods",
+ "description": "Configure Kubernetes liveness/readiness probes for Vault pods and enable automated restart policies to recover from node/pod failures quickly.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "status": "active",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "policy-review-process",
+ "title": "Implement Vault policy review and approval workflow",
+ "description": "Establish a mandatory peer-review or automated validation process for Vault policies before deployment. 
Reject policies that include wildcards or grant admin-level capabilities unnecessarily.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "status": "suggested",
+ "priority": "medium"
+ },
+ {
+ "symbolic_name": "least-privilege-defaults",
+ "title": "Adopt least-privilege defaults for Vault roles",
+ "description": "Use policy templates and default role definitions that start with no privileges. Require explicit justification and approval for each added capability.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "trust_boundary": {
+ "trust_zone_a": "k8s-namespace-vault",
+ "trust_zone_b": "k8s-namespace-vault"
+ },
+ "status": "suggested",
+ "priority": "high"
+ },
+ {
+ "symbolic_name": "policy-linter",
+ "title": "Automated linting of Vault policies",
+ "description": "Introduce static analysis (policy linter) to detect dangerous constructs in Vault policies (e.g., wildcards, overly broad paths, admin capabilities) before deployment.",
+ "threats": [
+ "misconfigured-policies-excess-privilege"
+ ],
+ "status": "suggested",
+ "priority": "low"
+ }
+ ],
+ "risks": [
+ {
+ "symbolic_name": "insider-abuse-of-kubernetes-access",
+ "title": "Insider abuse of Kubernetes access to exfiltrate or tamper with secrets",
+ "description": "Developers or platform engineers with kubectl access may exec into Vault pods, read Raft storage files, or tamper with Vault audit logs, leading to loss of confidentiality and accountability.",
+ "threats": [
+ "insider-exfiltrate-secrets-via-kubectl",
+ "insider-read-tamper-audit-logs",
+ "rogue-platform-tamper-ha-config"
+ ],
+ "likelihood": "possible",
+ "impact": "severe",
+ "impact_description": "Could result in full compromise of Vault data, bypassing of audit logs, and erosion of operational trust.",
+ "score": 15,
+ "level": "high"
+ },
+ {
+ "symbolic_name": "workload-auth-abuse",
+ "title": "Compromised workloads abusing Vault authentication",
+ "description": "A compromised workload 
(application, CI/CD job) can abuse Kubernetes, AppRole, or IAM auth to escalate privileges and extract secrets beyond intended scope.",
+ "threats": [
+ "compromised-workload-abuse-auth",
+ "misconfigured-policies-excess-privilege"
+ ],
+ "likelihood": "unlikely",
+ "impact": "severe",
+ "impact_description": "Widespread credential exposure or lateral movement into other systems and services.",
+ "score": 10,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "network-exposure-and-mitm",
+ "title": "Network exposure or misconfiguration leading to interception or Raft compromise",
+ "description": "If Raft ports (8201) are exposed or TLS is misconfigured at the load balancer, attackers could eavesdrop, tamper with traffic, or attempt to join the Raft cluster.",
+ "threats": [
+ "exposed-raft-port-remote-attack",
+ "lb-tls-mitm-or-termination-misconfig"
+ ],
+ "likelihood": "rare",
+ "impact": "severe",
+ "impact_description": "Interception of secrets or compromise of Vault cluster integrity.",
+ "score": 5,
+ "level": "medium"
+ },
+ {
+ "symbolic_name": "vault-availability-risk",
+ "title": "Loss of Vault availability",
+ "description": "Failures in Raft consensus, node crashes, or dependency outages (e.g., KMS auto-unseal) could make Vault unavailable, preventing applications from retrieving secrets.",
+ "threats": [
+ "vault-availability-failure"
+ ],
+ "likelihood": "unlikely",
+ "impact": "major",
+ "impact_description": "Applications relying on Vault could experience outages and service disruption.",
+ "score": 10,
+ "level": "high"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
new file mode 100644
index 00000000..88724de3
--- /dev/null
+++ b/tools/src/test/resources/2.0/valid-threatmodel-simple-2.0.json
@@ -0,0 +1,25 @@
+{
+ "specFormat": "CycloneDX",
+ "specVersion": "2.0",
+ "metadata": {
+
+ },
+ "threatModel": {
+ // References the threat model schema
+ "modelTypes": [{"type": "threat"}],
+ "methodologies": [{"type": "STRIDE"}],
+ "domains": [{"type": "security"}],
+
+ // Blueprint elements
+ "assets": [...],
+ "zones": [...],
+ "boundaries": [...],
+ "flows": [...],
+
+ // Threat-specific elements
+ "scenarios": [...],
+ "threatActors": [...],
+ "mitigations": [...],
+ "assessments": [...]
+ }
+}
\ No newline at end of file
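Review bot: `valid-threatmodel-simple-2.0.json` is not parseable JSON despite its name: the `//` comment lines and the `[...]` placeholders under `assets`, `zones`, `boundaries`, `flows`, `scenarios`, `threatActors`, `mitigations` and `assessments` are rejected by any RFC 8259 parser before schema validation even starts, so a test that loads this fixture as a positive example cannot pass, and a test that merely expects an error would pass for the wrong reason. Replace each placeholder with a minimal concrete value (for example `"assets": []`), drop the comments, and either populate `metadata` or omit the empty object, so the fixture exercises the `threatModel` section it is meant to cover. The section names used here (`scenarios`, `threatActors`, `mitigations`, `assessments`) also appear to differ from the vocabulary of the threat-model document added earlier in this commit (`threats`, `controls`, `risks`), which is worth reconciling before this fixture is used to pin the schema. The bundled schema is declared with `"additionalProperties": false` at the top level, so whether `metadata` and `threatModel` are accepted there is also worth confirming; that part of the schema is not visible in this hunk.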