diff --git a/README.md b/README.md index 21e70cee..0e2ea997 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -[![License](https://img.shields.io/badge/CycloneDX-v1.2,1.3,1.4,1.5,1.6-darkcyan.svg)](https://github.com/CycloneDX/specification) +[![License](https://img.shields.io/badge/CycloneDX-v1.2,1.3,1.4,1.5,1.6,1.7-darkcyan.svg)](https://github.com/CycloneDX/specification) [![License](https://img.shields.io/badge/SPDX-v2.1,2.2,2.3-purple.svg)](https://github.com/spdx/spdx-spec) [![Go Report Card](https://goreportcard.com/badge/github.com/CycloneDX/sbom-utility)](https://goreportcard.com/badge/github.com/CycloneDX/sbom-utility) @@ -326,7 +326,7 @@ See each command's section for contextual examples of the `--where` flag filter ### Validate -This command will parse standardized SBOMs and validate it against its declared format and version (e.g., SPDX 2.3, CycloneDX 1.6). +This command will parse standardized SBOMs and validate it against its declared format and version (e.g., SPDX 2.3, CycloneDX 1.7). - Custom variants of standard JSON schemas can be used for validation by supplying the `--variant` name as a flag. - Explicit JSON schemas can be specified using the `--force` flag. 
@@ -2226,7 +2226,8 @@ This command supports the `--format` flag with any of the following values: ```bash name variant format version file url ---- ------- ------ ------- ---- --- -CycloneDX v1.6 (latest) CycloneDX 1.6 schema/cyclonedx/1.6/bom-1.6.schema.json https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.6.schema.json +CycloneDX v1.7 (latest) CycloneDX 1.7 schema/cyclonedx/1.7/bom-1.7.schema.json https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.7.schema.json +CycloneDX v1.6.1(latest) CycloneDX 1.6 schema/cyclonedx/1.6/bom-1.6.schema.json https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.6.schema.json CycloneDX v1.5 (latest) CycloneDX 1.5 schema/cyclonedx/1.5/bom-1.5.schema.json https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.5.schema.json CycloneDX v1.4 (latest) CycloneDX 1.4 schema/cyclonedx/1.4/bom-1.4.schema.json https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.4.schema.json CycloneDX v1.4 custom CycloneDX 1.4 schema/test/bom-1.4-custom.schema.json diff --git a/cmd/diff_test.go b/cmd/diff_test.go index acb71a7f..f57f29fc 100644 --- a/cmd/diff_test.go +++ b/cmd/diff_test.go @@ -45,7 +45,7 @@ const ( // Test CycloneDX BOM deltas const ( TEST_DIFF_CDX_1_4_MATURITY_EXAMPLE_1_DELTA = "test/diff/cdx-1-4-mature-example-1-delta.json" - TEST_DIFF_CDX_1_4_MATURITY_EXAMPLE_2_DELTA = "test/diff/cdx-1-4-mature-example-2-delta.json" + TEST_DIFF_CDX_1_4_MATURITY_EXAMPLE_2_DELTA = "test/diff/cdx-1-4-mature-example-1-delta2.json" TEST_DIFF_CDX_1_5_VULNERABILITY_BASE = "test/diff/vulnerability/cdx-1-5-vulnerabilities-base.bom.json" TEST_DIFF_CDX_1_5_VULNERABILITY_ADD_1 = "test/diff/vulnerability/cdx-1-5-vulnerabilities-delta-add-1.bom.json" diff --git a/cmd/validate_cdx_test.go b/cmd/validate_cdx_test.go index 7d72adb8..56d9bcf5 100644 --- a/cmd/validate_cdx_test.go +++ b/cmd/validate_cdx_test.go 
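Review bot: The constant `TEST_DIFF_CDX_1_4_MATURITY_EXAMPLE_2_DELTA` now points at `cdx-1-4-mature-example-1-delta2.json`, so its name (`EXAMPLE_2`) no longer describes the fixture, which by its file name is a second delta of example 1. Either rename it to `TEST_DIFF_CDX_1_4_MATURITY_EXAMPLE_1_DELTA_2` together with its uses, or add `// second delta against mature example 1 (not a separate example 2)` above it so readers of the diff tests are not misled into looking for an example-2 base. The enclosing const block starts outside the hunk.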
@@ -27,6 +27,7 @@ const (
 TEST_CDX_1_4_MIN_REQUIRED = "test/cyclonedx/cdx-1-4-min-required.json"
 TEST_CDX_1_5_MIN_REQUIRED = "test/cyclonedx/cdx-1-5-min-required.json"
 TEST_CDX_1_6_MIN_REQUIRED = "test/cyclonedx/1.6/cdx-1-6-min-required.json"
+ TEST_CDX_1_7_MIN_REQUIRED = "test/cyclonedx/1.7/cdx-1-7-min-required.json"
 )
 
 // Tests for MLBOM subtypes
@@ -78,6 +79,11 @@ const (
 TEST_CDX_SPEC_1_6_1_VALID_SPDX_LICENSE = "test/cyclonedx/1.6/specification/valid-license-spdx-licenses-1.6.1.json"
 )
 
+const (
+ TEST_CDX_SPEC_1_7_VALID_CRYPTO_CITATION = "test/cyclonedx/1.7/cdx-1-7-valid-crypto-citation.json"
+ TEST_CDX_SPEC_1_7_COMP_VERSION_RANGE = "test/cyclonedx/1.7/cdx-1-7-comp-version-range.json"
+)
+
 // -----------------------------------------------------------
 // CycloneDX - Min. requirement & Mature tests
 // -----------------------------------------------------------
@@ -102,6 +108,11 @@ func TestValidateCdx16MinRequiredBasic(t *testing.T) {
 innerTestValidate(t, *vti)
 }
 
+func TestValidateCdx17MinRequiredBasic(t *testing.T) {
+ vti := NewValidateTestInfoMinimum(TEST_CDX_1_7_MIN_REQUIRED)
+ innerTestValidate(t, *vti)
+}
+
 func TestValidateCdx13Mature(t *testing.T) {
 vti := NewValidateTestInfoMinimum(TEST_CDX_1_3_MATURE_EXAMPLE_1_BASE)
 innerTestValidate(t, *vti)
@@ -195,3 +206,14 @@ func TestValidateCdx16SpdxLicense(t *testing.T) {
 vti := NewValidateTestInfoMinimum(TEST_CDX_SPEC_1_6_1_VALID_SPDX_LICENSE)
 innerTestValidate(t, *vti)
 }
+
+// 1.7 Tests
+func TestValidateCdx17CryptoCitation(t *testing.T) {
+ vti := NewValidateTestInfoMinimum(TEST_CDX_SPEC_1_7_VALID_CRYPTO_CITATION)
+ innerTestValidate(t, *vti)
+}
+
+func TestValidateCdx17ComponentVersionRange(t *testing.T) {
+ vti := NewValidateTestInfoMinimum(TEST_CDX_SPEC_1_7_COMP_VERSION_RANGE)
+ innerTestValidate(t, *vti)
+}
diff --git a/resources/config/config.json b/resources/config/config.json
index 246fb156..8f5add3f 100644
--- a/resources/config/config.json
+++ b/resources/config/config.json
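Review bot: Every new 1.7 test goes through `NewValidateTestInfoMinimum`, so as far as this hunk shows the suite only proves that three well-formed 1.7 documents pass; nothing exercises a rejection. For a format bump that wires new enumerated fields into the schema (the `cryptography-defs` enums this change adds as a 1.7 dependency) a negative case is the one that would catch a dependency that fails to resolve, e.g. a copy of the crypto fixture with an `algorithmFamily` outside the enum that is expected to fail validation. The existing tests presumably have an error-expecting variant of the test-info constructor; if so, a `TestValidateCdx17InvalidAlgorithmFamily` using it, with its fixture under `test/cyclonedx/1.7/`, would close the gap. I cannot see the fixture files from here, so whether the positive fixtures actually exercise the new enum fields is also unverified.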
@@ -154,7 +154,7 @@
 "development": "https://github.com/CycloneDX/specification/blob/master/schema/bom-1.7.schema.json",
 "url": "https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.7.schema.json",
 "default": true,
- "dependencies": ["jsf-0.82.schema.json", "spdx.schema.json"]
+ "dependencies": ["jsf-0.82.schema.json", "spdx.schema.json", "cryptography-defs.schema"]
 },
 {
 "version": "1.3",
diff --git a/resources/schema/cyclonedx/common/cryptography-defs.schema.json b/resources/schema/cyclonedx/common/cryptography-defs.schema.json
new file mode 100644
index 00000000..1f06fdff
--- /dev/null
+++ b/resources/schema/cyclonedx/common/cryptography-defs.schema.json
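Review bot: The new dependency entry is spelled `cryptography-defs.schema` while its siblings (`jsf-0.82.schema.json`, `spdx.schema.json`) and the file this change adds (`cryptography-defs.schema.json`, whose `$id` also ends in `.schema.json`) carry the `.json` suffix. If the loader resolves dependencies by file name this entry will not be found, and the 1.7 `$ref` to `cryptography-defs.schema.json#/definitions/...` will either error or, depending on how the validator treats an unresolved ref, silently stop constraining `algorithmFamily` and `ellipticCurve` — which is exactly the check a CBOM consumer relies on. I would change the line to `"dependencies": ["jsf-0.82.schema.json", "spdx.schema.json", "cryptography-defs.schema.json"]` and add a validation test with an out-of-enum value to prove the ref resolves. I cannot see the loader, so this is inferred from naming; if the entry is a resolver key rather than a file name, a note in the README schema table explaining the different form would help.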
@@ -0,0 +1,576 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "$comment": "2025-09-07T11:12:52Z", + "title": "Cryptographic Algorithm Family Definitions", + "description": "Enumerates cryptographic algorithm families and their specific metadata.", + "type": "object", + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string" + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the data was last updated." + }, + "algorithms": { + "type": "array", + "title": "Algorithm Families", + "description": "An array of cryptographic algorithm family definitions.", + "items": { + "type": "object", + "title": "Algorithm Family", + "description": "Defines a cryptographic algorithm family and its metadata.", + "additionalProperties": false, + "properties": { + "family": { + "type": "string", + "title": "Algorithm Family", + "description": "The name of the cryptographic algorithm family." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm family.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." 
+ } + }, + "required": [ + "name", + "url" + ] + } + }, + "variant": { + "type": "array", + "title": "Variants", + "description": "Defines algorithm variants by a naming pattern and the corresponding cryptographic primitive.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "pattern": { + "type": "string", + "title": "Standard Name", + "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." + }, + "primitive": { + "type": "string", + "title": "Primitive", + "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm variant.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." 
+ } + }, + "required": [ + "name", + "url" + ] + } + } + }, + "required": [ + "pattern", + "primitive" + ] + } + } + }, + "required": [ + "family", + "variant" + ] + } + }, + "ellipticCurves": { + "type": "array", + "title": "Elliptic Curves", + "description": "An array of elliptic curve family definitions.", + "items": { + "type": "object", + "title": "Elliptic Curve Family", + "description": "Defines an elliptic curve family and its metadata.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Curve Family Name", + "description": "The name of the elliptic curve family." + }, + "description": { + "type": [ + "string", + "null" + ], + "title": "Description", + "description": "A description of the elliptic curve family." + }, + "curves": { + "type": "array", + "title": "Curves", + "description": "List of curves in this family.", + "items": { + "type": "object", + "title": "Curve", + "description": "Defines a specific elliptic curve and its metadata.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Curve Name", + "description": "The name of the elliptic curve." + }, + "description": { + "type": [ + "string", + "null" + ], + "title": "Description", + "description": "A description of the elliptic curve." + }, + "oid": { + "type": [ + "string", + "null" + ], + "title": "OID", + "description": "The Object Identifier (OID) of the elliptic curve." 
+ }, + "form": { + "type": "string", + "title": "Form", + "description": "The form of the elliptic curve.", + "enum": [ + "Weierstrass", + "Edwards", + "TwistedEdwards", + "Montgomery" + ] + }, + "aliases": { + "type": "array", + "title": "Aliases", + "description": "List of aliases for this curve.", + "items": { + "type": "object", + "title": "Alias", + "description": "An alias for the curve.", + "additionalProperties": false, + "properties": { + "category": { + "type": "string", + "title": "Category", + "description": "The category of the alias." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the alias." + } + }, + "required": [ + "category", + "name" + ] + } + } + }, + "required": [ + "name", + "description", + "oid", + "form" + ] + } + } + }, + "required": [ + "name", + "description", + "curves" + ] + } + } + }, + "required": [ + "lastUpdated", + "algorithms", + "ellipticCurves" + ], + "definitions": { + "algorithmFamiliesEnum": { + "type": "string", + "title": "Algorithm Families", + "description": "An enum for the algorithm families.", + "enum": [ + "3DES", + "3GPP-XOR", + "A5/1", + "A5/2", + "AES", + "ARIA", + "Ascon", + "BLAKE2", + "BLAKE3", + "BLS", + "Blowfish", + "CAMELLIA", + "CAST5", + "CAST6", + "CMAC", + "CMEA", + "ChaCha", + "ChaCha20", + "DES", + "DSA", + "ECDH", + "ECDSA", + "ECIES", + "EdDSA", + "ElGamal", + "FFDH", + "Fortuna", + "GOST", + "HC", + "HKDF", + "HMAC", + "IDEA", + "IKE-PRF", + "KMAC", + "LMS", + "MD2", + "MD4", + "MD5", + "MILENAGE", + "ML-DSA", + "ML-KEM", + "MQV", + "PBES1", + "PBES2", + "PBKDF1", + "PBKDF2", + "PBMAC1", + "Poly1305", + "RABBIT", + "RC2", + "RC4", + "RC5", + "RC6", + "RIPEMD", + "RSAES-OAEP", + "RSAES-PKCS1", + "RSASSA-PKCS1", + "RSASSA-PSS", + "SEED", + "SHA-1", + "SHA-2", + "SHA-3", + "SLH-DSA", + "SNOW3G", + "SP800-108", + "Salsa20", + "Serpent", + "SipHash", + "Skipjack", + "TUAK", + "Twofish", + "Whirlpool", + "X3DH", + "XMSS", + "Yarrow", + "ZUC", + "bcrypt" + ] + }, + 
"ellipticCurvesEnum": { + "type": "string", + "enum": [ + "anssi/FRP256v1", + "bls/BLS12-377", + "bls/BLS12-381", + "bls/BLS12-446", + "bls/BLS12-455", + "bls/BLS12-638", + "bls/BLS24-477", + "bls/Bandersnatch", + "bn/bn158", + "bn/bn190", + "bn/bn222", + "bn/bn254", + "bn/bn286", + "bn/bn318", + "bn/bn350", + "bn/bn382", + "bn/bn414", + "bn/bn446", + "bn/bn478", + "bn/bn510", + "bn/bn542", + "bn/bn574", + "bn/bn606", + "bn/bn638", + "brainpool/brainpoolP160r1", + "brainpool/brainpoolP160t1", + "brainpool/brainpoolP192r1", + "brainpool/brainpoolP192t1", + "brainpool/brainpoolP224r1", + "brainpool/brainpoolP224t1", + "brainpool/brainpoolP256r1", + "brainpool/brainpoolP256t1", + "brainpool/brainpoolP320r1", + "brainpool/brainpoolP320t1", + "brainpool/brainpoolP384r1", + "brainpool/brainpoolP384t1", + "brainpool/brainpoolP512r1", + "brainpool/brainpoolP512t1", + "gost/gost256", + "gost/gost512", + "gost/id-GostR3410-2001-CryptoPro-A-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-B-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-C-ParamSet", + "gost/id-tc26-gost-3410-12-512-paramSetA", + "gost/id-tc26-gost-3410-12-512-paramSetB", + "gost/id-tc26-gost-3410-2012-256-paramSetA", + "gost/id-tc26-gost-3410-2012-512-paramSetC", + "mnt/mnt1", + "mnt/mnt2/1", + "mnt/mnt2/2", + "mnt/mnt3/1", + "mnt/mnt3/2", + "mnt/mnt3/3", + "mnt/mnt4", + "mnt/mnt5/1", + "mnt/mnt5/2", + "mnt/mnt5/3", + "nist/B-163", + "nist/B-233", + "nist/B-283", + "nist/B-409", + "nist/B-571", + "nist/K-163", + "nist/K-233", + "nist/K-283", + "nist/K-409", + "nist/K-571", + "nist/P-192", + "nist/P-224", + "nist/P-256", + "nist/P-384", + "nist/P-521", + "nums/ed-254-mont", + "nums/ed-255-mers", + "nums/ed-256-mont", + "nums/ed-382-mont", + "nums/ed-383-mers", + "nums/ed-384-mont", + "nums/ed-510-mont", + "nums/ed-511-mers", + "nums/ed-512-mont", + "nums/numsp256d1", + "nums/numsp256t1", + "nums/numsp384d1", + "nums/numsp384t1", + "nums/numsp512d1", + "nums/numsp512t1", + "nums/w-254-mont", + "nums/w-255-mers", 
+ "nums/w-256-mont", + "nums/w-382-mont", + "nums/w-383-mers", + "nums/w-384-mont", + "nums/w-510-mont", + "nums/w-511-mers", + "nums/w-512-mont", + "oakley/192-bit Random ECP Group", + "oakley/224-bit Random ECP Group", + "oakley/256-bit Random ECP Group", + "oakley/384-bit Random ECP Group", + "oakley/521-bit Random ECP Group", + "oakley/Oakley Group 3", + "oakley/Oakley Group 4", + "oscaa/SM2", + "other/BADA55-R-256", + "other/BADA55-VPR-224", + "other/BADA55-VPR2-224", + "other/BADA55-VR-224", + "other/BADA55-VR-256", + "other/BADA55-VR-384", + "other/Curve1174", + "other/Curve22103", + "other/Curve25519", + "other/Curve383187", + "other/Curve41417", + "other/Curve4417", + "other/Curve448", + "other/Curve67254", + "other/E-222", + "other/E-382", + "other/E-521", + "other/Ed25519", + "other/Ed448", + "other/Ed448-Goldilocks", + "other/FourQ", + "other/Fp224BN", + "other/Fp254BNa", + "other/Fp254BNb", + "other/Fp254n2BNa", + "other/Fp256BN", + "other/Fp384BN", + "other/Fp512BN", + "other/JubJub", + "other/M-221", + "other/M-383", + "other/M-511", + "other/MDC201601", + "other/Pallas", + "other/Tom-256", + "other/Tom-384", + "other/Tom-521", + "other/Tweedledee", + "other/Tweedledum", + "other/Vesta", + "other/ssc-160", + "other/ssc-192", + "other/ssc-224", + "other/ssc-256", + "other/ssc-288", + "other/ssc-320", + "other/ssc-384", + "other/ssc-512", + "secg/secp112r1", + "secg/secp112r2", + "secg/secp128r1", + "secg/secp128r2", + "secg/secp160k1", + "secg/secp160r1", + "secg/secp160r2", + "secg/secp192k1", + "secg/secp192r1", + "secg/secp224k1", + "secg/secp224r1", + "secg/secp256k1", + "secg/secp256r1", + "secg/secp384r1", + "secg/secp521r1", + "secg/sect113r1", + "secg/sect113r2", + "secg/sect131r1", + "secg/sect131r2", + "secg/sect163k1", + "secg/sect163r1", + "secg/sect163r2", + "secg/sect193r1", + "secg/sect193r2", + "secg/sect233k1", + "secg/sect233r1", + "secg/sect239k1", + "secg/sect283k1", + "secg/sect283r1", + "secg/sect409k1", + "secg/sect409r1", + 
"secg/sect571k1", + "secg/sect571r1", + "wtls/wap-wsg-idm-ecid-wtls1", + "wtls/wap-wsg-idm-ecid-wtls10", + "wtls/wap-wsg-idm-ecid-wtls11", + "wtls/wap-wsg-idm-ecid-wtls12", + "wtls/wap-wsg-idm-ecid-wtls3", + "wtls/wap-wsg-idm-ecid-wtls4", + "wtls/wap-wsg-idm-ecid-wtls5", + "wtls/wap-wsg-idm-ecid-wtls6", + "wtls/wap-wsg-idm-ecid-wtls7", + "wtls/wap-wsg-idm-ecid-wtls8", + "wtls/wap-wsg-idm-ecid-wtls9", + "x962/c2onb191v4", + "x962/c2onb191v5", + "x962/c2onb239v4", + "x962/c2onb239v5", + "x962/c2pnb163v1", + "x962/c2pnb163v2", + "x962/c2pnb163v3", + "x962/c2pnb176w1", + "x962/c2pnb208w1", + "x962/c2pnb272w1", + "x962/c2pnb304w1", + "x962/c2pnb368w1", + "x962/c2tnb191v1", + "x962/c2tnb191v2", + "x962/c2tnb191v3", + "x962/c2tnb239v1", + "x962/c2tnb239v2", + "x962/c2tnb239v3", + "x962/c2tnb359v1", + "x962/c2tnb431r1", + "x962/prime192v1", + "x962/prime192v2", + "x962/prime192v3", + "x962/prime239v1", + "x962/prime239v2", + "x962/prime239v3", + "x962/prime256v1", + "x963/ansip160k1", + "x963/ansip160r1", + "x963/ansip160r2", + "x963/ansip192k1", + "x963/ansip224k1", + "x963/ansip224r1", + "x963/ansip256k1", + "x963/ansip384r1", + "x963/ansip521r1", + "x963/ansit163k1", + "x963/ansit163r1", + "x963/ansit163r2", + "x963/ansit193r1", + "x963/ansit193r2", + "x963/ansit233k1", + "x963/ansit233r1", + "x963/ansit239k1", + "x963/ansit283k1", + "x963/ansit283r1", + "x963/ansit409k1", + "x963/ansit409r1", + "x963/ansit571k1", + "x963/ansit571r1" + ] + } + } +} \ No newline at end of file diff --git a/schema/cyclonedx.go b/schema/cyclonedx.go index f59fee67..c55ed6dd 100644 --- a/schema/cyclonedx.go +++ b/schema/cyclonedx.go @@ -55,6 +55,7 @@ type CDXBom struct { Properties *[]CDXProperty `json:"properties,omitempty" cdx:"added:1.5"` Declarations *CDXDeclaration `json:"declarations,omitempty" cdx:"added:1.6"` Definitions *CDXDefinition `json:"definitions,omitempty" cdx:"added:1.6"` + Citations *[]CDXCitation `json:"citations,omitempty" cdx:"+1.7"` } // v1.2: existed 
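Review bot: The new `Citations` field tags its version as `cdx:"+1.7"` while the neighbouring fields of `CDXBom` use the `cdx:"added:1.5"` / `cdx:"added:1.6"` spelling, and other hunks in this file mix both forms on the same struct. Two grammars for one tag means anything that parses `cdx` tags (version-aware trimming or validation, if the project does that — only the tags are visible here) must handle both, and a field tagged in the form the parser does not expect would silently be treated as version-less. I would pick one spelling for the 1.7 fields in this file, `cdx:"added:1.7"` to match the struct they join, or document the intended grammar once where the `cdx` tag is defined. The enclosing struct starts outside the hunk.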
@@ -121,6 +122,9 @@ type CDXComponent struct {
 Tags *[]string `json:"tags,omitempty" cdx:"added:1.6"`
 Manufacturer *CDXOrganizationalEntity `json:"manufacturer,omitempty" cdx:"added:1.6"`
 Author string `json:"author,omitempty" cdx:"deprecated:1.6"`
+ VersionRange CDXComponentVersionRange `json:"versionRange,omitempty" cdx:"+1.7"`
+ IsExternal bool `json:"isExternal,omitempty" cdx:"+1.7"`
+ PatentAssertions *[]CDXPatentAssertion `json:"patentAssertions,omitempty" cdx:"+1.7"`
 }
 
 // v1.5 added object
@@ -191,6 +195,7 @@ type CDXService struct {
 Signature *JSFSignature `json:"signature,omitempty" cdx:"added:1.4"`
 TrustZone string `json:"trustZone,omitempty" cdx:"added:1.5"`
 Tags *[]string `json:"tags,omitempty" cdx:"added:1.6"`
+ PatentAssertions *[]CDXPatentAssertion `json:"patentAssertions,omitempty" cdx:"+1.7"`
 }
 
 // v1.5: added. aggregated related date from v1.2-v1.4 and added additional fields
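Review bot: `VersionRange` is added next to the existing `Version` field (outside the hunk) with no comment on how the two interact; a 1.7 component may now describe itself only by a range, and any code that keys on `Version` (presumably the diff, query and license-listing paths) will see an empty version for such a component and may treat it as unversioned rather than ranged. I would add `// v1.7: presumably a version range expression; a component may carry this instead of Version, so consumers must check both` on the field and audit those paths. `IsExternal` likewise lacks a note of what "external" denotes; a one-line comment quoting the spec's field description would save the next reader a trip to the schema. The enclosing struct starts outside the hunk.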
@@ -266,9 +271,20 @@ type CDXLicenseChoice struct { // v1.6: added Acknowledgment // NOTE: CDXRefType is a named `string` type as of v1.5 type CDXLicenseExpression struct { - Expression string `json:"expression,omitempty"` - BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"added:1.5"` - Acknowledgement string `json:"acknowledgement,omitempty" cdx:"added:1.6"` + Expression string `json:"expression,omitempty"` + BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"added:1.5"` + Acknowledgement string `json:"acknowledgement,omitempty" cdx:"added:1.6"` + ExpressionDetails *[]CDXExpressionDetails `json:"expressionDetails,omitempty" cdx:"+1.7"` + Licensing *CDXLicensing `json:"licensing,omitempty" cdx:"+1.7"` + Properties *[]CDXProperty `json:"properties,omitempty" cdx:"+1.7"` +} + +// v1.7 +type CDXExpressionDetails struct { + LicenseIdentifier string `json:"licenseIdentifier,omitempty" cdx:"+1.7"` + BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.7"` + Text *CDXAttachment `json:"text,omitempty" cdx:"+1.7"` + Url string `json:"url,omitempty" cdx:"+1.7"` } // v1.2: was an anon. type @@ -289,18 +305,6 @@ type CDXLicense struct { Acknowledgement string `json:"acknowledgement,omitempty" cdx:"added:1.6"` } -// v1.5: added object -type CDXLicensing struct { - AltIds *[]string `json:"altIds,omitempty" cdx:"added:1.5"` - Licensor *CDXLicenseLegalParty `json:"licensor,omitempty" cdx:"added:1.5"` - Licensee *CDXLicenseLegalParty `json:"licensee,omitempty" cdx:"added:1.5"` - Purchaser *CDXLicenseLegalParty `json:"purchaser,omitempty" cdx:"added:1.5"` - PurchaseOrder string `json:"purchaseOrder,omitempty" cdx:"added:1.5"` - LicenseTypes *[]string `json:"licenseTypes,omitempty" cdx:"added:1.5"` - LastRenewal string `json:"lastRenewal,omitempty" cdx:"added:1.5"` - Expiration string `json:"expiration,omitempty" cdx:"added:1.5"` -} - // v1.2: existed // TODO: GitHub PRs MAY have more than 1 commit (committer); CDX needs to account for this type CDXCommit struct { 
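Review bot: The header comment above `CDXLicenseExpression` still ends at `// v1.6: added Acknowledgment`, so the three 1.7 fields are undocumented in the file's own per-version convention; add `// v1.7: added ExpressionDetails, Licensing, Properties`. `Licensing *CDXLicensing` now refers to a type that this same change deletes from this file (the second hunk) and presumably re-declares in the new `cyclonedx_licensing.go`, whose contents are not in view; `CDXLicenseLegalParty`, which the old `CDXLicensing` used, is deleted from `cyclonedx_common.go` as well, so confirm the new definition is the 1.7 shape rather than a plain move. `CDXExpressionDetails` is exported and has only the bare `// v1.7` above it; Go tooling expects a sentence starting `// CDXExpressionDetails ...`. The first struct's opening lines are context inside the hunk, but the file's surrounding definitions are not.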
@@ -483,3 +487,7 @@ type CDXNameDescription struct {
 Name string `json:"name,omitempty" cdx:"added:1.5"`
 Description string `json:"description,omitempty" cdx:"added:1.5"`
 }
+
+// v1.7
+// Note: CDXVulnerability already has a CDXVersionRange which is more than a simple string
+type CDXComponentVersionRange string
diff --git a/schema/cyclonedx_citations.go b/schema/cyclonedx_citations.go
new file mode 100644
index 00000000..57380606
--- /dev/null
+++ b/schema/cyclonedx_citations.go
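Review bot: `CDXComponentVersionRange` is an exported type whose only comment is the bare `// v1.7` plus the note about `CDXVulnerability`; neither says what the string holds. Go tooling expects `// CDXComponentVersionRange is ...`, and a consumer needs to know that nothing here parses it, so a comment like `// CDXComponentVersionRange holds a component version range as an opaque string; it is carried through unparsed and only schema validation constrains it.` would do, hedged if the project does parse it elsewhere. The existing note about `CDXVulnerability` is useful and should stay.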
@@ -0,0 +1,50 @@ +// SPDX-License-Identifier: Apache-2.0 +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package schema + +// v1.7: added +// Note: TODO: support 3 signer options (i.e., Signer (string), chain ([]object), CDXSignature ) +type CDXCitation struct { + BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.7"` + Timestamp string `json:"timestamp,omitempty" scvs:"bom:core:timestamp" cdx:"+1.7"` + Pointers *[]string `json:"pointers,omitempty" cdx:"+1.7"` + AttributedTo string `json:"attributedTo,omitempty" cdx:"+1.7"` + Process string `json:"process,omitempty" cdx:"+1.7"` + Note string `json:"note,omitempty" cdx:"+1.7"` + Signature interface{} `json:"signature,omitempty" cdx:"+1.7"` +} + +// v1.7: added +type CDXSigner struct { + Algorithm string `json:"algorithm,omitempty" cdx:"+1.7"` + KeyId string `json:"keyId,omitempty" cdx:"+1.7"` + PublicKey *CDXPublicKey `json:"publicKey,omitempty" cdx:"+1.7"` + CertificatePath *[]string `json:"certificatePath,omitempty" cdx:"+1.7"` + Excludes *[]string `json:"excludes,omitempty" cdx:"+1.7"` + Value string `json:"value,omitempty" cdx:"+1.7"` +} + +// v1.7: added +type CDXPublicKey struct { + Kty string `json:"kty,omitempty" cdx:"+1.7"` // option 1, 2, 3 + Crv string 
`json:"crv,omitempty" cdx:"+1.7"` // option 1 ,2 + X string `json:"x,omitempty" cdx:"+1.7"` // option 1, 2 + Y string `json:"y,omitempty" cdx:"+1.7"` // option 1 + N string `json:"n,omitempty" cdx:"+1.7"` // option 3 + E string `json:"e,omitempty" cdx:"+1.7"` // option 3 +} diff --git a/schema/cyclonedx_common.go b/schema/cyclonedx_common.go index 5fa5bced..862f84de 100644 --- a/schema/cyclonedx_common.go +++ b/schema/cyclonedx_common.go @@ -65,11 +65,13 @@ func (link CDXBomLink) String() string { // v1.2: existed // v1.3: added "hashes" // v1.4: `Type` field: added value "release-notes" to enum. +// v1.7: added "properties" type CDXExternalReference struct { - Type string `json:"type,omitempty"` - Url string `json:"url,omitempty"` - Comment string `json:"comment,omitempty"` - Hashes *[]CDXHash `json:"hashes,omitempty"` // v1.3: added + Type string `json:"type,omitempty"` + Url string `json:"url,omitempty"` + Comment string `json:"comment,omitempty"` + Hashes *[]CDXHash `json:"hashes,omitempty" cdx:"+1.3"` + Properties *[]CDXProperty `json:"properties,omitempty" cdx:"+1.7"` } // v1.2: existed @@ -153,10 +155,3 @@ type CDXCreationTools struct { Components *[]CDXComponent `json:"components,omitempty" cdx:"+1.5"` // v1.5: added (new type) Services *[]CDXService `json:"services,omitempty" cdx:"+1.5"` // v1.5: added (new type) } - -// v1.5: created for reuse in "licensing" schema for "licensee" and "licensor" -// TODO: reuse on "annotator" as well? -type CDXLicenseLegalParty struct { - Organization *CDXOrganizationalEntity `json:"organization,omitempty"` - Individual *CDXOrganizationalContact `json:"individual,omitempty"` -} diff --git a/schema/cyclonedx_crypto.go b/schema/cyclonedx_crypto.go index 19783465..117c0eff 100644 --- a/schema/cyclonedx_crypto.go +++ b/schema/cyclonedx_crypto.go 
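Review bot: `CDXCitation.Signature` is declared as `interface{}`, so a citation's signature is decoded into `map[string]any`, re-encoded on output with the key ordering and number formatting `encoding/json` chooses, and can never be checked by this code; any trust decision made from a citation (who attested to what, when) therefore rests entirely on an external verifier, which is worth stating in a comment. The rest of the model already types signatures as `*JSFSignature` (`CDXService.Signature` in `cyclonedx.go`), and the TODO here says the three signer forms are still unhandled, so I would either reuse `*JSFSignature` if the 1.7 citation signature is the same JSF object, or hold the bytes as `json.RawMessage` until it is typed so the exact signed bytes survive a round trip. `CDXSigner` and `CDXPublicKey` are defined but not referenced from `CDXCitation`; a comment tying them to the TODO would stop them reading as dead code. Using `json.RawMessage` needs an `encoding/json` import, which this new file does not yet have.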
@@ -29,6 +29,9 @@ type CDXCryptoProperties struct {
 }
 
 // v1.6: added
+// v1.7: Curve - deprecated
+// v1.7: Added: EllipticCurve
+// TODO: Test EllipticCurve; "$ref": "cryptography-defs.schema.json#/definitions/ellipticCurvesEnum"
 type CDXAlgorithmProperties struct {
 Primitive string `json:"primitive,omitempty" cdx:"+1.6"` // v1.6 added
 ParameterSetIdentifier string `json:"parameterSetIdentifier,omitempty" cdx:"+1.6"` // v1.6 added
@@ -40,43 +43,61 @@ type CDXAlgorithmProperties struct { Padding string `json:"padding,omitempty" cdx:"+1.6"` // v1.6 added CryptoFunctions *[]string `json:"cryptoFunctions,omitempty" cdx:"+1.6"` // v1.6 added ClassicalSecurityLevel int `json:"classicalSecurityLevel,omitempty" cdx:"+1.6"` // v1.6 added - NistQuantumSecurityLevel int `json:"nistQuantumSecurityLevel,omitempty" cdx:"+1.6"` // v1.6 added `json:"oid,omitempty" cdx:"+1.6"` // v1.6 added + NistQuantumSecurityLevel int `json:"nistQuantumSecurityLevel,omitempty" cdx:"+1.6"` // v1.6 added + AlgorithmFamily string `json:"algorithmFamily,omitempty" cdx:"+1.7"` + EllipticCurve string `json:"ellipticCurve,omitempty" cdx:"+1.7"` } // v1.6: added +// v1.7: SignatureAlgorithmRef, SubjectPublicKeyRef, CertificateExtension - deprecated type CDXCertificateProperties struct { - SubjectName string `json:"subjectName,omitempty" cdx:"+1.6"` // v1.6 added - IssuerName string `json:"issuerName,omitempty" cdx:"+1.6"` // v1.6 added - NotValidBefore string `json:"notValidBefore,omitempty" cdx:"+1.6"` // v1.6 added - NotValidAfter string `json:"notValidAfter,omitempty" cdx:"+1.6"` // v1.6 added - SignatureAlgorithmRef *CDXRefType `json:"signatureAlgorithmRef,omitempty" cdx:"+1.6"` // v1.6 added - SubjectPublicKeyRef *CDXRefType `json:"subjectPublicKeyRef,omitempty" cdx:"+1.6"` // v1.6 added - CertificateFormat string `json:"certificateFormat,omitempty" cdx:"+1.6"` // v1.6 added - CertificateExtension string `json:"certificateExtension,omitempty" cdx:"+1.6"` // v1.6 added + SubjectName string `json:"subjectName,omitempty" cdx:"+1.6"` // v1.6 added + IssuerName string `json:"issuerName,omitempty" cdx:"+1.6"` // v1.6 added + NotValidBefore string `json:"notValidBefore,omitempty" cdx:"+1.6"` // v1.6 added + NotValidAfter string `json:"notValidAfter,omitempty" cdx:"+1.6"` // v1.6 added + SignatureAlgorithmRef *CDXRefType `json:"signatureAlgorithmRef,omitempty" cdx:"+1.6"` // v1.6 added + SubjectPublicKeyRef *CDXRefType 
`json:"subjectPublicKeyRef,omitempty" cdx:"+1.6"` // v1.6 added + CertificateFormat string `json:"certificateFormat,omitempty" cdx:"+1.6"` // v1.6 added + CertificateExtension string `json:"certificateExtension,omitempty" cdx:"+1.6"` // v1.6 added + SerialNumber string `json:"serialNumber,omitempty" cdx:"+1.7"` + CertificateFileExtension string `json:"certificateFileExtension,omitempty" cdx:"+1.7"` + Fingerprint *CDXCryptoFingerprint `json:"fingerprint,omitempty" cdx:"+1.7"` + CertificateState *CDXCertificateState `json:"certificateState,omitempty" cdx:"+1.7"` + CreationDate string `json:"creationDate,omitempty" cdx:"+1.7"` + ActivationDate string `json:"activationDate,omitempty" cdx:"+1.7"` + DeactivationDate string `json:"deactivationDate,omitempty" cdx:"+1.7"` + RevocationDate string `json:"revocationDate,omitempty" cdx:"+1.7"` + DestructionDate string `json:"destructionDate,omitempty" cdx:"+1.7"` + CertificateExtensions *[]CDXCertificateExtension `json:"certificateExtensions,omitempty" cdx:"+1.7"` + RelatedCryptographicAssets *[]CDXCryptographicAsset `json:"relatedCryptographicAssets,omitempty" cdx:"+1.7"` } type CDXRelatedCryptoMaterialProperties struct { - Type string `json:"type,omitempty" cdx:"+1.6"` // v1.6 added - Id string `json:"id,omitempty" cdx:"+1.6"` // v1.6 added - State string `json:"state,omitempty" cdx:"+1.6"` // v1.6 added - AlgorithmRef *CDXRefType `json:"algorithmRef,omitempty" cdx:"+1.6"` // v1.6 added - CreationDate string `json:"creationDate,omitempty" cdx:"+1.6"` // v1.6 added - ActivationDate string `json:"activationDate,omitempty" cdx:"+1.6"` // v1.6 added - UpdateDate string `json:"updateDate,omitempty" cdx:"+1.6"` // v1.6 added - ExpirationDate string `json:"expirationDate,omitempty" cdx:"+1.6"` // v1.6 added - Value string `json:"value,omitempty" cdx:"+1.6"` // v1.6 added - Size int `json:"size,omitempty" cdx:"+1.6"` // v1.6 added - Format string `json:"format,omitempty" cdx:"+1.6"` // v1.6 added - SecuredBy *CDXSecuredBy 
`json:"securedBy,omitempty" cdx:"+1.6"` // v1.6 added + Type string `json:"type,omitempty" cdx:"+1.6"` // v1.6 added + Id string `json:"id,omitempty" cdx:"+1.6"` // v1.6 added + State string `json:"state,omitempty" cdx:"+1.6"` // v1.6 added + AlgorithmRef *CDXRefType `json:"algorithmRef,omitempty" cdx:"+1.6"` // v1.6 added + CreationDate string `json:"creationDate,omitempty" cdx:"+1.6"` // v1.6 added + ActivationDate string `json:"activationDate,omitempty" cdx:"+1.6"` // v1.6 added + UpdateDate string `json:"updateDate,omitempty" cdx:"+1.6"` // v1.6 added + ExpirationDate string `json:"expirationDate,omitempty" cdx:"+1.6"` // v1.6 added + Value string `json:"value,omitempty" cdx:"+1.6"` // v1.6 added + Size int `json:"size,omitempty" cdx:"+1.6"` // v1.6 added + Format string `json:"format,omitempty" cdx:"+1.6"` // v1.6 added + SecuredBy *CDXSecuredBy `json:"securedBy,omitempty" cdx:"+1.6"` // v1.6 added + Fingerprint *CDXCryptoFingerprint `json:"fingerprint,omitempty" cdx:"+1.7"` + RelatedCryptographicAssets *[]CDXCryptographicAsset `json:"relatedCryptographicAssets,omitempty" cdx:"+1.7"` } // v1.6: added +// v1.7 CryptoRefArray: deprecated type CDXProtocolProperties struct { - Type string `json:"type,omitempty" cdx:"+1.6"` // v1.6 added - Version string `json:"version,omitempty" cdx:"+1.6"` // v1.6 added - CipherSuites *[]CDXCipherSuite `json:"cipherSuites,omitempty" cdx:"+1.6"` // v1.6 added - Ikev2TransformTypes *CDXIkevV2TransformType `json:"ikev2TransformTypes,omitempty" cdx:"+1.6"` // v1.6 added - CryptoRefArray *CDXCryptoRefArray `json:"cryptoRefArray,omitempty" cdx:"+1.6"` // v1.6 added + Type string `json:"type,omitempty" cdx:"+1.6"` // v1.6 added + Version string `json:"version,omitempty" cdx:"+1.6"` // v1.6 added + CipherSuites *[]CDXCipherSuite `json:"cipherSuites,omitempty" cdx:"+1.6"` // v1.6 added + Ikev2TransformTypes *CDXIkevV2TransformType `json:"ikev2TransformTypes,omitempty" cdx:"+1.6"` // v1.6 added + CryptoRefArray *CDXCryptoRefArray 
`json:"cryptoRefArray,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 deprecated + RelatedCryptographicAssets *[]CDXCryptographicAsset `json:"relatedCryptographicAssets,omitempty" cdx:"+1.7"` } // v1.6: added 
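Review bot: The header comment on `CDXCertificateProperties` says `SignatureAlgorithmRef`, `SubjectPublicKeyRef` and `CertificateExtension` are deprecated in 1.7, but those field lines still say only `// v1.6 added`, whereas `CryptoRefArray` in the same hunk carries the deprecation on the field itself; make the three match that line, `// v1.6 added, v1.7 deprecated`, naming the replacement where you are sure of it (I infer `CertificateExtensions` and `RelatedCryptographicAssets` from the added names). `AlgorithmFamily` and `EllipticCurve` are plain strings while the 1.7 schema constrains them to the `cryptography-defs` enums; that is fine for a pass-through model, but a comment that the enum check lives in schema validation only, and so depends on that dependency resolving, would make the trust boundary explicit. `RelatedCryptographicAssets` on three structs and `Fingerprint` on two lack the per-field version comment every other field in these structs has. The enclosing `CDXAlgorithmProperties` struct starts outside the hunk.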
@@ -87,22 +108,59 @@ type CDXCipherSuite struct {
 }
 // v1.6: added
+// v1.7: Encr, Prf, Integ, Ke, Auth changed from array of string to additionally allow a struct type
 type CDXIkevV2TransformType struct {
- Encr *CDXCryptoRefArray `json:"encr,omitempty" cdx:"+1.6"` // v1.6 added
- Prf *CDXCryptoRefArray `json:"prf,omitempty" cdx:"+1.6"` // v1.6 added
- Integ *CDXCryptoRefArray `json:"integ,omitempty" cdx:"+1.6"` // v1.6 added
- Ke *CDXCryptoRefArray `json:"ke,omitempty" cdx:"+1.6"` // v1.6 added
- Esn bool `json:"esn,omitempty" cdx:"+1.6"` // v1.6 added
- Auth *CDXCryptoRefArray `json:"auth,omitempty" cdx:"+1.6"` // v1.6 added
+ Encr *[]interface{} `json:"encr,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 changed
+ Prf *[]interface{} `json:"prf,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 changed
+ Integ *[]interface{} `json:"integ,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 changed
+ Ke *[]interface{} `json:"ke,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 changed
+ Esn bool `json:"esn,omitempty" cdx:"+1.6"` // v1.6 added
+ Auth *[]interface{} `json:"auth,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 changed
 }
-// v1.6: added
+// v1.6: added, v1.7 changed to complex array of multiple types
 // TODO: NOTE: This is a first-of-kind, alias for a slice
 // it SHOULD NOT exist unless this is adopted EVERYWHERE
 type CDXCryptoRefArray []CDXRefType
+// v1.7: added, optional object as part of CDXIkevV2TransformType elements
+type CDXCryptoAlgorithmDescription struct {
+ Group int `json:"group,omitempty" cdx:"+1.7"`
+ Name string `json:"name,omitempty" cdx:"+1.7"`
+ Algorithm string `json:"algorithm,omitempty" cdx:"+1.7"`
+}
+
+// v1.7 added
 // v1.6: added
 type CDXSecuredBy struct {
- Mechanism string `json:"mechanism,omitempty" cdx:"+1.6"` // v1.6 added
- AlgorithmRef *CDXRefType `json:"algorithmRef,omitempty" cdx:"+1.6"` // v1.6 added
+ Mechanism string `json:"mechanism,omitempty" cdx:"+1.6"`
+ AlgorithmRef *CDXRefType `json:"algorithmRef,omitempty" cdx:"+1.6"`
+}
+
+// v1.7: added
+type CDXCryptoFingerprint struct {
+ Alg string `json:"alg,omitempty" cdx:"+1.7"`
+ Content string `json:"content,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+type CDXCertificateState struct {
+ State string `json:"state,omitempty" cdx:"+1.7"` // Predefined
+ Reason string `json:"reason,omitempty" cdx:"+1.7"` // Pre-defined / Custom
+ Name string `json:"name,omitempty" cdx:"+1.7"` // Custom
+ Description string `json:"description,omitempty" cdx:"+1.7"` // Custom
+}
+
+// v1.7: added
+type CDXCertificateExtension struct {
+ CommonExtensionName string `json:"commonExtensionName,omitempty" cdx:"+1.7"`
+ CommonExtensionValue string `json:"commonExtensionValue,omitempty" cdx:"+1.7"`
+ CustomExtensionName string `json:"customExtensionName,omitempty" cdx:"+1.7"`
+ CustomExtensionValue string `json:"customExtensionValue,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+type CDXCryptographicAsset struct {
+ Type string `json:"type,omitempty" cdx:"+1.7"`
+ Ref string `json:"ref,omitempty" cdx:"+1.7"`
 }
diff --git a/schema/cyclonedx_definitions.go b/schema/cyclonedx_definitions.go
index bf9e2351..844165a4 100644
--- a/schema/cyclonedx_definitions.go
+++ b/schema/cyclonedx_definitions.go
@@ -18,8 +18,10 @@ package schema
 // v1.6: added
+// v1.7: Patents can either be a patent or a patentFamily type
 type CDXDefinition struct {
 Standards *[]CDXStandard `json:"standards,omitempty" cdx:"+1.6"` // v1.6 added
+ Patents *[]any `json:"patents,omitempty" cdx:"+1.7"` // v1.7 added
 }
 // v1.6: added
diff --git a/schema/cyclonedx_licensing.go b/schema/cyclonedx_licensing.go
new file mode 100644
index 00000000..c77ee21a
--- /dev/null
+++ b/schema/cyclonedx_licensing.go
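Review bot: Typing `Encr`, `Prf`, `Integ`, `Ke` and `Auth` as `*[]interface{}` means `encoding/json` leaves each element as a bare `string` or a `map[string]interface{}`, so the `CDXCryptoAlgorithmDescription` struct this hunk adds for exactly those elements is never populated and every consumer has to type-assert on untrusted BOM input; a small element type with a custom `UnmarshalJSON` that dispatches on the leading token (sketched below; it needs `bytes` and `encoding/json` imported, plus a matching `MarshalJSON` if these structs are ever re-serialized) keeps both shapes typed and rejects anything else at decode time. The same untyped-element choice recurs as `Patents *[]any` in `schema/cyclonedx_definitions.go` and `Asserter interface{}` in `schema/cyclonedx_patents.go`; at minimum the spelling should be one of `any` or `interface{}` throughout, `any` being the idiomatic one. The added `// v1.7 added` comment lands directly above the context line `// v1.6: added` for `CDXSecuredBy`, a v1.6 type whose only change here is dropping the per-field comments, so it reads as a leftover and should be removed or attached to the v1.7 type it was meant to label.
```go
// v1.7: one element of an IKEv2 transform list, which may be either a ref
// string or an algorithm description object; exactly one field is set after decoding.
type CDXIkev2TransformEntry struct {
	Ref         *CDXRefType
	Description *CDXCryptoAlgorithmDescription
}

func (e *CDXIkev2TransformEntry) UnmarshalJSON(data []byte) error {
	data = bytes.TrimSpace(data)
	if len(data) > 0 && data[0] == '{' {
		var d CDXCryptoAlgorithmDescription
		if err := json.Unmarshal(data, &d); err != nil {
			return err
		}
		e.Description = &d
		return nil
	}
	var r CDXRefType
	if err := json.Unmarshal(data, &r); err != nil {
		return err
	}
	e.Ref = &r
	return nil
}

// … unchanged: CDXIkevV2TransformType, with the five list fields retyped like this one …
	Encr *[]CDXIkev2TransformEntry `json:"encr,omitempty" cdx:"+1.6"` // v1.6 added, v1.7 changed
```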
@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package schema
+
+// v1.5: added as an anon. object under component->license
+type CDXLicensing struct {
+ AltIds *[]string `json:"altIds,omitempty" cdx:"added:1.5"`
+ Licensor *CDXLicenseLegalParty `json:"licensor,omitempty" cdx:"added:1.5"`
+ Licensee *CDXLicenseLegalParty `json:"licensee,omitempty" cdx:"added:1.5"`
+ Purchaser *CDXLicenseLegalParty `json:"purchaser,omitempty" cdx:"added:1.5"`
+ PurchaseOrder string `json:"purchaseOrder,omitempty" cdx:"added:1.5"`
+ LicenseTypes *[]string `json:"licenseTypes,omitempty" cdx:"added:1.5"`
+ LastRenewal string `json:"lastRenewal,omitempty" cdx:"added:1.5"`
+ Expiration string `json:"expiration,omitempty" cdx:"added:1.5"`
+}
+
+// v1.5: created for reuse in "licensing" schema for "licensee" and "licensor"
+// TODO: reuse on "annotator" as well?
+// TODO: copied to CDXLegalParty for patents... make abstract and reuse
+type CDXLicenseLegalParty struct {
+ Organization *CDXOrganizationalEntity `json:"organization,omitempty"`
+ Individual *CDXOrganizationalContact `json:"individual,omitempty"`
+}
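Review bot: The `cdx` tags in this file use the form `cdx:"added:1.5"`, whereas every other tag in this diff uses `cdx:"+1.6"` / `cdx:"+1.7"`; if anything reflects over the `cdx` tag to gate fields by spec version, only one spelling can be recognised and fields carrying the other would silently be treated as unversioned. The file appears to be a straight move (the removed side is not in this chunk), which makes this the cheapest moment to normalise the eight `CDXLicensing` tags to `cdx:"+1.5"`. The second TODO on `CDXLicenseLegalParty` is created by this same commit: `CDXLegalParty` in `schema/cyclonedx_patents.go` is a field-for-field copy, so `PatentAssignee` could reference this type directly (`PatentAssignee *CDXLicenseLegalParty`) instead of the duplicate.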
diff --git a/schema/cyclonedx_patents.go b/schema/cyclonedx_patents.go
new file mode 100644
index 00000000..236d98f2
--- /dev/null
+++ b/schema/cyclonedx_patents.go
@@ -0,0 +1,89 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package schema
+
+// v1.7: added
+// "enum": [ "CLEAR", "GREEN", "AMBER", "AMBER_AND_STRICT", "RED" ],
+type CDXTlpClassification string
+
+type CDXDistributionConstraints struct {
+ Tlp CDXTlpClassification `json:"tlp,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+// Note: this is an in-line (anon.) type
+// Note: Asserter is OneOf organizationEntity, OrganizationalContact or refLinkType
+// TODO: Notes implies array, but the defn. is a single string
+type CDXPatentAssertion struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.7"`
+ AssertionType string `json:"assertionType,omitempty" cdx:"+1.7"`
+ PatentRefs *[]CDXRefType `json:"patentRefs,omitempty" cdx:"+1.7"`
+ Asserter interface{} `json:"asserter,omitempty" cdx:"+1.7"`
+ Notes string `json:"notes,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+// Note: "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$"
+type CDXPatentNumber string
+type CDXPatentApplicationNumber CDXPatentNumber
+type CDXPublicationNumber CDXPatentNumber
+
+// v1.7: added
+// Note: "pattern": "^[A-Z]{2}$"
+type CDXPatentJurisdiction string
+
+// v1.7: added
+type CDXPriorityApplication struct {
+ ApplicationNumber CDXPatentApplicationNumber `json:"applicationNumber,omitempty" cdx:"+1.7"`
+ Jurisdiction CDXPatentJurisdiction `json:"jurisdiction,omitempty" cdx:"+1.7"`
+ FilingDate string `json:"filingDate,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+type CDXPatentFamily struct {
+ FamilyId string `json:"familyId,omitempty" cdx:"+1.7"`
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.7"`
+ PriorityApplication *CDXPriorityApplication `json:"priorityApplication,omitempty" cdx:"+1.7"`
+ Members *[]CDXRefLinkType `json:"members,omitempty" cdx:"+1.7"`
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+type CDXPatent struct {
+ BOMRef *CDXRefType `json:"bom-ref,omitempty" cdx:"+1.7"`
+ PatentNumber CDXPatentNumber `json:"patentNumber,omitempty" cdx:"+1.7"`
+ PatentApplicationNumber CDXPatentApplicationNumber `json:"patentApplicationNumber,omitempty" cdx:"+1.7"`
+ Jurisdiction CDXPatentJurisdiction `json:"jurisdiction,omitempty" cdx:"+1.7"`
+ PriorityApplication *CDXPriorityApplication `json:"priorityApplication,omitempty" cdx:"+1.7"`
+ PublicationNumber CDXPublicationNumber `json:"publicationNumber,omitempty" cdx:"+1.7"`
+ Title string `json:"title,omitempty" cdx:"+1.7"`
+ Abstract string `json:"abstract,omitempty" cdx:"+1.7"`
+ FilingDate string `json:"filingDate,omitempty" cdx:"+1.7"`
+ GrantDate string `json:"grantDate,omitempty" cdx:"+1.7"`
+ PatentExpirationDate string `json:"patentExpirationDate,omitempty" cdx:"+1.7"`
+ PatentLegalStatus string `json:"patentLegalStatus,omitempty" cdx:"+1.7"`
+ PatentAssignee *CDXLegalParty `json:"patentAssignee,omitempty" cdx:"+1.7"`
+ ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.7"`
+}
+
+// v1.7: added
+// Note: copy of CDXLicenseLegalParty type; make an abstract type
+type CDXLegalParty struct {
+ Organization *CDXOrganizationalEntity `json:"organization,omitempty"`
+ Individual *CDXOrganizationalContact `json:"individual,omitempty"`
+}
diff --git a/test/cyclonedx/1.7/cdx-1-7-comp-version-range.json b/test/cyclonedx/1.7/cdx-1-7-comp-version-range.json
new file mode 100644
index 00000000..7bacaffe
--- /dev/null
+++ b/test/cyclonedx/1.7/cdx-1-7-comp-version-range.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2025-12-28T21:40:00Z",
+ "component": {
+ "bom-ref": "pkg:maven/org.example/appserver@1.0.0",
+ "type": "application",
+ "group": "org.example",
+ "name": "app-server",
+ "versionRange": "vers:npm/1.2.3|>=2.0.0|<5.0.0",
+ "isExternal": true
+ }
+ }
+}
\ No newline at end of file
diff --git a/test/cyclonedx/1.7/cdx-1-7-min-required.json b/test/cyclonedx/1.7/cdx-1-7-min-required.json
new file mode 100644
index 00000000..4160c8a3
--- /dev/null
+++ b/test/cyclonedx/1.7/cdx-1-7-min-required.json
@@ -0,0 +1,5 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "version": 1
+}
diff --git a/test/cyclonedx/1.7/cdx-1-7-valid-crypto-citation.json b/test/cyclonedx/1.7/cdx-1-7-valid-crypto-citation.json
new file mode 100644
index 00000000..9569b6c8
--- /dev/null
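Review bot: `CDXTlpClassification` documents its allowed values only in a comment (`"CLEAR", "GREEN", "AMBER", "AMBER_AND_STRICT", "RED"`) and defines no constants, so any code that gates BOM distribution on `Tlp` has to compare against bare string literals and a typo there compiles silently; typed constants (below) make such comparisons checkable and give one place to validate the field. `FamilyId` in `CDXPatentFamily` should be `FamilyID` per Go's initialism convention, which this file already follows with `BOMRef`, and `CDXDistributionConstraints` is the one type in the file without a `// v1.7: added` marker. `Asserter interface{}` has the same untyped-element problem as the `CDXIkevV2TransformType` fields earlier in this diff (raised there). The two `// Note: "pattern": …` comments carry the JSON-escaped form of the regexes (`\\-`, `\\s`); if they are ever lifted into a `regexp.MustCompile` the doubled backslashes must be collapsed first.
```go
// v1.7: added
// "enum": [ "CLEAR", "GREEN", "AMBER", "AMBER_AND_STRICT", "RED" ],
type CDXTlpClassification string

// Allowed values of CDXTlpClassification; anything else is not a valid TLP label.
const (
	CDXTlpClear          CDXTlpClassification = "CLEAR"
	CDXTlpGreen          CDXTlpClassification = "GREEN"
	CDXTlpAmber          CDXTlpClassification = "AMBER"
	CDXTlpAmberAndStrict CDXTlpClassification = "AMBER_AND_STRICT"
	CDXTlpRed            CDXTlpClassification = "RED"
)

// … unchanged: CDXDistributionConstraints and the patent types …
```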
+++ b/test/cyclonedx/1.7/cdx-1-7-valid-crypto-citation.json
@@ -0,0 +1,87 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2025-12-28T21:40:00Z",
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "name": "cdxgen",
+ "version": "11.0.0"
+ }
+ ]
+ },
+ "component": {
+ "bom-ref": "pkg:maven/org.example/server@1.0.0",
+ "type": "application",
+ "group": "org.example",
+ "name": "server",
+ "version": "1.0.0"
+ }
+ },
+ "components": [
+ {
+ "bom-ref": "pkg:maven/org.example/crypto-lib@2.0.0",
+ "type": "library",
+ "name": "crypto-lib",
+ "version": "2.0.0",
+ "evidence": {
+ "occurrences": [
+ {
+ "location": "/usr/local/bin/crypto-lib.jar"
+ }
+ ]
+ },
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "parameterSetIdentifier": "AES128",
+ "mode": "ecb",
+ "executionEnvironment": "software-encrypted-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": ["fips140-1-l2"]
+ }
+ }
+ }
+ ],
+ "dependencies": [
+ {
+ "ref": "pkg:maven/org.example/portal-server@1.0.0?type=war",
+ "dependsOn": [
+ "pkg:maven/org.example/crypto-lib@2.0.0"
+ ]
+ }
+ ],
+ "citations": [
+ {
+ "bom-ref": "citation-1",
+ "timestamp": "2025-12-28T10:00:00Z",
+ "attributedTo": "Build Automation System",
+ "expressions": [
+ "$.metadata.component.name"
+ ]
+ }
+ ],
+ "declarations": {
+ "assessors": [
+ {
+ "bom-ref": "assessor-1",
+ "thirdParty": false,
+ "organization": {
+ "bom-ref": "organization-1",
+ "name": "internal-ip-legal"
+ }
+ }
+ ],
+ "attestations": [
+ {
+ "summary": "patent-assertion-1",
+ "assessor": "assessor-1"
+ }
+ ]
+ }
+}
\ No newline at end of file
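Review bot: `dependencies[0].ref` is `pkg:maven/org.example/portal-server@1.0.0?type=war`, which matches no `bom-ref` in this document (the metadata component is `pkg:maven/org.example/server@1.0.0`), so the fixture is schema-valid but its dependency graph dangles. If the file only exercises 1.7 schema validation that is harmless, but a fixture named `-valid-` tends to get reused for ref-integrity or dependency tests later, where it would fail for an unrelated reason; `"ref": "pkg:maven/org.example/server@1.0.0"` makes it internally consistent. `attestations[0].summary` is `patent-assertion-1`, which reads like a placeholder ref to an object this BOM does not contain rather than a summary; a short descriptive sentence would avoid the same confusion.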