diff --git a/Makefile b/Makefile
index 334ec198..23253cba 100644
--- a/Makefile
+++ b/Makefile
@@ -53,13 +53,13 @@ all: clean static-analysis test ## Run all checks (linting, license check, unit,
@printf '$(SUCCESS)All checks pass!$(RESET)\n'
.PHONY: test
-test: unit integration acceptance-linux ## Run all tests (unit, integration, and linux acceptance tests )
+test: unit validate-cyclonedx-schema integration acceptance-linux ## Run all tests (unit, integration, and linux acceptance tests )
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
ci-bootstrap: bootstrap
- sudo apt update && sudo apt install -y bc jq
+ DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y bc jq libxml2-utils
.PHONY: boostrap
bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
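Review bot: The `DEBIAN_FRONTEND=noninteractive` prefix on the new ci-bootstrap line only applies to the first command (`sudo apt update`); the second command runs with `sudo -E` but the variable was never exported into the recipe shell, so `apt install` — the step that can actually prompt — still runs interactively. Passing the variable through sudo's own `VAR=value` form on each command fixes this and avoids `-E` handing the whole caller environment to root: `sudo DEBIAN_FRONTEND=noninteractive apt update && sudo DEBIAN_FRONTEND=noninteractive apt install -y bc jq libxml2-utils`. Adjacent and pre-existing rather than introduced here: the context line `.PHONY: boostrap` is misspelled, so `bootstrap` is not actually declared phony.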
@@ -97,6 +97,10 @@ validate-schema:
# ensure the codebase is only referencing a single grype-db schema version, multiple is not allowed
python test/validate_schema.py
+.PHONY: validate-cyclonedx-schema
+validate-cyclonedx-schema:
+ cd schema/cyclonedx && make
+
.PHONY: lint-fix
lint-fix: ## Auto-format all source code + run golangci lint fixers
$(call title,Running lint fixers)
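Review bot: The new validate-cyclonedx-schema recipe invokes the sub-Makefile as a literal `make`, which drops `-n`, `-j`/jobserver participation and any variables overridden on the command line; the idiom is `$(MAKE) -C schema/cyclonedx` in place of `cd schema/cyclonedx && make`. The target also has no `##` description, so it is invisible to the `help` target even though `test` now depends on it; something like `validate-cyclonedx-schema: ## Validate CycloneDX XML output against the bundled schemas (needs xmllint + network)` would surface it, and the network note matters because, per the sub-Makefile in this commit, the check pulls and scans a container image.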
diff --git a/schema/cyclonedx/.gitignore b/schema/cyclonedx/.gitignore
new file mode 100644
index 00000000..0df37ccb
--- /dev/null
+++ b/schema/cyclonedx/.gitignore
@@ -0,0 +1 @@
+bom.xml
\ No newline at end of file
diff --git a/schema/cyclonedx/Makefile b/schema/cyclonedx/Makefile
new file mode 100644
index 00000000..0000bec8
--- /dev/null
+++ b/schema/cyclonedx/Makefile
@@ -0,0 +1,5 @@
+.DEFAULT_GOAL := validate-schema
+.PHONY: validate-schema
+validate-schema:
+ go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
+ xmllint --noout --schema ./cyclonedx.xsd bom.xml
\ No newline at end of file
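Review bot: `xmllint` on the last line is run without `--nonet`, so nothing enforces the README's claim that all schemas reference local copies — if a schema or the generated BOM still carries an HTTP reference, xmllint will silently fetch it from the network during validation rather than fail; `xmllint --nonet --noout --schema ./cyclonedx.xsd bom.xml` makes that a hard error. The input on the previous line is the mutable tag `ubuntu:latest`, so the validated document changes underneath the test and a failure cannot be reproduced against the same input; exposing it as `IMAGE ?= ubuntu:latest` and using `go run ../../main.go $(IMAGE) -vv -o cyclonedx > bom.xml` lets CI pin a digest-qualified reference without editing the file. Since `validate-schema` is phony, `bom.xml` is regenerated each run, but a failed `go run` still leaves a truncated file behind that no `clean` target here removes.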
diff --git a/schema/cyclonedx/README.md b/schema/cyclonedx/README.md
new file mode 100644
index 00000000..41763409
--- /dev/null
+++ b/schema/cyclonedx/README.md
@@ -0,0 +1,5 @@
+# CycloneDX Schemas
+
+`grype` generates a CycloneDX BOm output with the vulnerability extension. This validation is similar to what is done in `syft`, validating output against CycloneDX schemas.
+
+Validation is done with `xmllint`, which requires a copy of all schemas because it can't work with HTTP references. The schemas are modified to reference local copies of dependent schemas.
diff --git a/schema/cyclonedx/bd.xsd b/schema/cyclonedx/bd.xsd
new file mode 100644
index 00000000..c410a037
--- /dev/null
+++ b/schema/cyclonedx/bd.xsd
@@ -0,0 +1,184 @@
+
+
+
+
+
+
+ CycloneDX BOM Descriptor Extension
+ https://cyclonedx.org/ext/bom-descriptor
+ Apache License, Version 2.0
+
+ Steve Springett
+
+
+
+
+
+
+
+
+
+
+ The date and time (timestamp) when the document was created.
+
+
+
+
+ The tool used to create the BOM.
+
+
+
+
+ The person(s) who created the BOM. Authors are common in BOMs created through
+ manual processes. BOMs created through automated means may not have authors.
+
+
+
+
+
+
+
+
+
+ The component that the BOM describes.
+
+
+
+
+ The organization that manufactured the component that the BOM describes.
+
+
+
+
+ The organization that supplied the component that the BOM describes. The
+ supplier may often be the manufacture, but may also be a distributor or repackager.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the organization
+
+
+
+
+ The URL of the organization. Multiple URLs are allowed.
+
+
+
+
+ A contact person at the organization. Multiple contacts are allowed.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Specifies a tool (manual or automated).
+
+
+
+
+ The vendor of the tool used to create the BOM.
+
+
+
+
+ The name of the tool used to create the BOM.
+
+
+
+
+ The version of the tool used to create the BOM.
+
+
+
+
+
+
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the person
+
+
+
+
+ The email address of the person. Multiple email addresses are allowed.
+
+
+
+
+ The phone number of the person. Multiple phone numbers are allowed.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Provides additional information about a BOM.
+
+
+
+
diff --git a/schema/cyclonedx/cyclonedx.xsd b/schema/cyclonedx/cyclonedx.xsd
new file mode 100644
index 00000000..fb264092
--- /dev/null
+++ b/schema/cyclonedx/cyclonedx.xsd
@@ -0,0 +1,1419 @@
+
+
+
+
+
+
+
+
+ CycloneDX Software Bill-of-Material Specification
+ https://cyclonedx.org/
+ Apache License, Version 2.0
+
+ Steve Springett
+
+
+
+
+
+
+
+
+ The date and time (timestamp) when the document was created.
+
+
+
+
+ The tool(s) used in the creation of the BOM.
+
+
+
+
+
+
+
+
+
+ The person(s) who created the BOM. Authors are common in BOMs created through
+ manual processes. BOMs created through automated means may not have authors.
+
+
+
+
+
+
+
+
+
+ The component that the BOM describes.
+
+
+
+
+ The organization that manufactured the component that the BOM describes.
+
+
+
+
+ The organization that supplied the component that the BOM describes. The
+ supplier may often be the manufacture, but may also be a distributor or repackager.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the organization
+
+
+
+
+ The URL of the organization. Multiple URLs are allowed.
+
+
+
+
+ A contact person at the organization. Multiple contacts are allowed.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Specifies a tool (manual or automated).
+
+
+
+
+ The vendor of the tool used to create the BOM.
+
+
+
+
+ The name of the tool used to create the BOM.
+
+
+
+
+ The version of the tool used to create the BOM.
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The name of the contact
+
+
+
+
+ The email address of the contact. Multiple email addresses are allowed.
+
+
+
+
+ The phone number of the contact. Multiple phone numbers are allowed.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The organization that supplied the component. The supplier may often
+ be the manufacture, but may also be a distributor or repackager.
+
+
+
+
+ The person(s) or organization(s) that authored the component
+
+
+
+
+ The person(s) or organization(s) that published the component
+
+
+
+
+ The grouping name or identifier. This will often be a shortened, single
+ name of the company or project that produced the component, or the source package or
+ domain name. Whitespace and special characters should be avoided. Examples include:
+ apache, org.apache.commons, and apache.org.
+
+
+
+
+ The name of the component. This will often be a shortened, single name
+ of the component. Examples: commons-lang3 and jquery
+
+
+
+
+ The component version. The version should ideally comply with semantic versioning
+ but is not enforced.
+
+
+
+
+ Specifies a description for the component
+
+
+
+
+ Specifies the scope of the component. If scope is not specified, 'runtime'
+ scope should be assumed by the consumer of the BOM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A valid SPDX license expression.
+ Refer to https://spdx.org/specifications for syntax requirements
+
+
+
+
+
+
+
+ An optional copyright notice informing users of the underlying claims to
+ copyright ownership in a published work.
+
+
+
+
+
+ DEPRECATED - DO NOT USE. This will be removed in a future version.
+ Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe
+
+
+
+
+
+
+ Specifies the package-url (PURL). The purl, if specified, must be valid and conform
+ to the specification defined at: https://github.com/package-url/purl-spec
+
+
+
+
+
+
+ Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
+
+
+
+
+
+
+ DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree
+ element instead to supply information on exactly how the component was modified.
+ A boolean value indicating is the component has been modified from the original.
+ A value of true indicates the component is a derivative of the original.
+ A value of false indicates the component has not been modified from the original.
+
+
+
+
+
+
+ Component pedigree is a way to document complex supply chain scenarios where components are
+ created, distributed, modified, redistributed, combined with other components, etc.
+
+
+
+
+
+ Provides the ability to document external references related to the
+ component or to the project the component describes.
+
+
+
+
+
+ Specifies optional sub-components. This is not a dependency tree. It provides a way
+ to specify a hierarchical representation of component assemblies, similar to
+ system -> subsystem -> parts assembly in physical supply chains.
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ Specifies the type of component. For software components, classify as application if no more
+ specific appropriate classification is available or cannot be determined for the component.
+
+
+
+
+
+
+ The optional mime-type of the component. When used on file components, the mime-type
+ can provide additional context about the kind of file being represented such as an image,
+ font, or executable. Some library or framework components may also have an associated mime-type.
+
+
+
+
+
+
+ An optional identifier which can be used to reference the component elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+ A valid SPDX license ID
+
+
+
+
+ If SPDX does not define the license used, this field may be used to provide the license name
+
+
+
+
+
+ Specifies the optional full text of the attachment
+
+
+
+
+ The URL to the attachment file. If the attachment is a license or BOM,
+ an externalReference should also be specified for completeness.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ Specifies attributes of the text
+
+
+
+ Specifies the content type of the text. Defaults to text/plain
+ if not specified.
+
+
+
+
+
+ Specifies the optional encoding the text is represented in
+
+
+
+
+
+
+
+
+
+ Specifies the file hash of the component
+
+
+
+
+
+ Specifies the algorithm used to create the hash
+
+
+
+
+
+
+
+
+
+
+ The component is required for runtime
+
+
+
+
+ The component is optional at runtime. Optional components are components that
+ are not capable of being called due to them not be installed or otherwise accessible by any means.
+ Components that are installed but due to configuration or other restrictions are prohibited from
+ being called must be scoped as 'required'.
+
+
+
+
+ Components that are excluded provide the ability to document component usage
+ for test and other non-runtime purposes. Excluded components are not reachable within a call
+ graph at runtime.
+
+
+
+
+
+
+
+
+
+ A software application. Refer to https://en.wikipedia.org/wiki/Application_software
+ for information about applications.
+
+
+
+
+ A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework
+ for information on how frameworks vary slightly from libraries.
+
+
+
+
+ A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing)
+ for information about libraries. All third-party and open source reusable components will likely
+ be a library. If the library also has key features of a framework, then it should be classified
+ as a framework. If not, or is unknown, then specifying library is recommended.
+
+
+
+
+ A packaging and/or runtime format, not specific to any particular technology,
+ which isolates software inside the container from software outside of a container through
+ virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization
+
+
+
+
+ A software operating system without regard to deployment model
+ (i.e. installed on physical hardware, virtual machine, image, etc) Refer to
+ https://en.wikipedia.org/wiki/Operating_system
+
+
+
+
+ A hardware device such as a processor, or chip-set. A hardware device
+ containing firmware should include a component for the physical hardware itself, and another
+ component of type 'firmware' or 'operating-system' (whichever is relevant), describing
+ information about the software running on the device.
+
+
+
+
+ A special type of software that provides low-level control over a devices
+ hardware. Refer to https://en.wikipedia.org/wiki/Firmware
+
+
+
+
+ A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file
+ for information about files.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats.
+ Refer to https://nvd.nist.gov/products/cpe for official specification.
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the full content of the SWID tag.
+
+
+
+
+ The URL to the SWID file.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ Maps to the tagId of a SoftwareIdentity.
+
+
+
+
+ Maps to the name of a SoftwareIdentity.
+
+
+
+
+ Maps to the version of a SoftwareIdentity.
+
+
+
+
+ Maps to the tagVersion of a SoftwareIdentity.
+
+
+
+
+ Maps to the patch of a SoftwareIdentity.
+
+
+
+
+
+
+
+ Defines a string representation of a UUID conforming to RFC 4122.
+
+
+
+
+
+
+
+
+
+
+
+ Version Control System
+
+
+
+
+ Issue or defect tracking system, or an Application Lifecycle Management (ALM) system
+
+
+
+
+ Website
+
+
+
+
+ Security advisories
+
+
+
+
+ Bill-of-material document (CycloneDX, SPDX, SWID, etc)
+
+
+
+
+ Mailing list or discussion group
+
+
+
+
+ Social media account
+
+
+
+
+ Real-time chat platform
+
+
+
+
+ Documentation, guides, or how-to instructions
+
+
+
+
+ Community or commercial support
+
+
+
+
+ Direct or repository download location
+
+
+
+
+ The URL to the license file. If a license URL has been defined in the license
+ node, it should also be defined as an external reference for completeness
+
+
+
+
+ Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)
+
+
+
+
+ URL to an automated build system
+
+
+
+
+ Use this if no other types accurately describe the purpose of the external reference
+
+
+
+
+
+
+
+
+ External references provide a way to document systems, sites, and information that may be relevant
+ but which are not included with the BOM.
+
+
+
+
+
+ Zero or more external references can be defined
+
+
+
+
+
+
+
+
+
+ The URL to the external reference
+
+
+
+
+ An optional comment describing the external reference
+
+
+
+
+
+ Specifies the type of external reference. There are built-in types to describe common
+ references. If a type does not exist for the reference being referred to, use the "other" type.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Zero or more commits can be specified.
+
+
+
+
+ Specifies an individual commit.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ A unique identifier of the commit. This may be version control
+ specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
+
+
+
+
+
+ The URL to the commit. This URL will typically point to a commit
+ in a version control system.
+
+
+
+
+
+ The author who created the changes in the commit
+
+
+
+
+ The person who committed or pushed the commit
+
+
+
+
+ The text description of the contents of the commit
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+ Zero or more patches can be specified.
+
+
+
+
+ Specifies an individual patch.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ The patch file (or diff) that show changes.
+ Refer to https://en.wikipedia.org/wiki/Diff
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ Specifies the purpose for the patch including the resolution of defects,
+ security issues, or new behavior or functionality
+
+
+
+
+
+
+
+
+ A patch which is not developed by the creators or maintainers of the software
+ being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch
+
+
+
+
+ A patch which dynamically modifies runtime behavior.
+ Refer to https://en.wikipedia.org/wiki/Monkey_patch
+
+
+
+
+ A patch which takes code from a newer version of software and applies
+ it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting
+
+
+
+
+ A patch created by selectively applying commits from other versions or
+ branches of the same software.
+
+
+
+
+
+
+
+
+
+ A fault, flaw, or bug in software
+
+
+
+
+ A new feature or behavior in software
+
+
+
+
+ A special type of defect which impacts security
+
+
+
+
+
+
+
+
+
+ Specifies the optional text of the diff
+
+
+
+
+ Specifies the URL to the diff
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+ The identifier of the issue assigned by the source of the issue
+
+
+
+
+ The name of the issue
+
+
+
+
+ A description of the issue
+
+
+
+
+
+
+ The source of the issue where it is documented.
+
+
+
+
+
+
+ The name of the source. For example "National Vulnerability Database",
+ "NVD", and "Apache"
+
+
+
+
+
+
+ The url of the issue documentation as provided by the source
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ Specifies the type of issue
+
+
+
+
+
+
+
+
+ The timestamp in which the action occurred
+
+
+
+
+ The name of the individual who performed the action
+
+
+
+
+ The email address of the individual who performed the action
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Component pedigree is a way to document complex supply chain scenarios where components are created,
+ distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing
+ this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to
+ document variants where the exact relation may not be known.
+
+
+
+
+
+ Describes zero or more components in which a component is derived
+ from. This is commonly used to describe forks from existing projects where the forked version
+ contains a ancestor node containing the original component it was forked from. For example,
+ Component A is the original component. Component B is the component being used and documented
+ in the BOM. However, Component B contains a pedigree node with a single ancestor documenting
+ Component A - the original component from which Component B is derived from.
+
+
+
+
+
+ Descendants are the exact opposite of ancestors. This provides a
+ way to document all forks (and their forks) of an original or root component.
+
+
+
+
+
+ Variants describe relations where the relationship between the
+ components are not known. For example, if Component A contains nearly identical code to
+ Component B. They are both related, but it is unclear if one is derived from the other,
+ or if they share a common ancestor.
+
+
+
+
+
+ A list of zero or more commits which provide a trail describing
+ how the component deviates from an ancestor, descendant, or variant.
+
+
+
+
+ A list of zero or more patches describing how the component
+ deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits
+ or may be used in place of commits.
+
+
+
+
+ Notes, observations, and other non-structured commentary
+ describing the components pedigree.
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+
+
+ References a component or service by the its bom-ref attribute
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ Components that do not have their own dependencies MUST be declared as empty
+ elements within the graph. Components that are not represented in the dependency graph MAY
+ have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque
+ and not an indicator of a component being dependency-free.
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+ The organization that provides the service.
+
+
+
+
+ The grouping name, namespace, or identifier. This will often be a shortened,
+ single name of the company or project that produced the service or domain name.
+ Whitespace and special characters should be avoided.
+
+
+
+
+ The name of the service. This will often be a shortened, single name
+ of the service.
+
+
+
+
+ The service version.
+
+
+
+
+ Specifies a description for the service.
+
+
+
+
+
+
+
+ A service endpoint URI.
+
+
+
+
+
+
+
+ A boolean value indicating if the service requires authentication.
+ A value of true indicates the service requires authentication prior to use.
+ A value of false indicates the service does not require authentication.
+
+
+
+
+ A boolean value indicating if use of the service crosses a trust zone or boundary.
+ A value of true indicates that by using the service, a trust boundary is crossed.
+ A value of false indicates that by using the service, a trust boundary is not crossed.
+
+
+
+
+
+
+
+ Specifies the data classification.
+
+
+
+
+
+
+
+
+
+
+
+ A valid SPDX license expression.
+ Refer to https://spdx.org/specifications for syntax requirements
+
+
+
+
+
+
+
+ Provides the ability to document external references related to the service.
+
+
+
+
+
+ Specifies optional sub-service. This is not a dependency tree. It provides a way
+ to specify a hierarchical representation of service assemblies, similar to
+ system -> subsystem -> parts assembly in physical supply chains.
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the service elsewhere in the BOM.
+ Uniqueness is enforced within all elements and children of the root-level bom element.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+ Specifies the data classification.
+
+
+
+
+
+ Specifies the flow direction of the data.
+
+
+
+
+
+
+
+
+ Specifies the flow direction of the data. Valid values are:
+ inbound, outbound, bi-directional, and unknown. Direction is relative to the service.
+ Inbound flow states that data enters the service. Outbound flow states that data
+ leaves the service. Bi-directional states that data flows both ways, and unknown
+ states that the direction is not known.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Provides additional information about a BOM.
+
+
+
+
+ Provides the ability to document a list of components.
+
+
+
+
+ Provides the ability to document a list of external services.
+
+
+
+
+ Provides the ability to document external references related to the BOM or
+ to the project the BOM describes.
+
+
+
+
+ Provides the ability to document dependency relationships.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ The version allows component publishers/authors to make changes to existing
+ BOMs to update various aspects of the document such as description or licenses. When a system
+ is presented with multiple BOMs for the same component, the system should use the most recent
+ version of the BOM. The default version is '1' and should be incremented for each version of the
+ BOM that is published. Each version of a component should have a unique BOM and if no changes are
+ made to the BOMs, then each BOM will have a version of '1'.
+
+
+
+
+ Every BOM generated should have a unique serial number, even if the contents
+ of the BOM being generated have not changed over time. The process or tool responsible for
+ creating the BOM should create random UUID's for every BOM generated.
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
diff --git a/schema/cyclonedx/spdx.xsd b/schema/cyclonedx/spdx.xsd
new file mode 100644
index 00000000..dbd61b16
--- /dev/null
+++ b/schema/cyclonedx/spdx.xsd
@@ -0,0 +1,2429 @@
+
+
+
+
+
+
+
+
+ BSD Zero Clause License
+
+
+
+
+ Attribution Assurance License
+
+
+
+
+ Amazon Digital Services License
+
+
+
+
+ Academic Free License v1.1
+
+
+
+
+ Academic Free License v1.2
+
+
+
+
+ Academic Free License v2.0
+
+
+
+
+ Academic Free License v2.1
+
+
+
+
+ Academic Free License v3.0
+
+
+
+
+ Affero General Public License v1.0
+
+
+
+
+ Affero General Public License v1.0 only
+
+
+
+
+ Affero General Public License v1.0 or later
+
+
+
+
+ GNU Affero General Public License v3.0
+
+
+
+
+ GNU Affero General Public License v3.0 only
+
+
+
+
+ GNU Affero General Public License v3.0 or later
+
+
+
+
+ AMD's plpa_map.c License
+
+
+
+
+ Apple MIT License
+
+
+
+
+ Academy of Motion Picture Arts and Sciences BSD
+
+
+
+
+ ANTLR Software Rights Notice
+
+
+
+
+ Adobe Postscript AFM License
+
+
+
+
+ Adaptive Public License 1.0
+
+
+
+
+ Apple Public Source License 1.0
+
+
+
+
+ Apple Public Source License 1.1
+
+
+
+
+ Apple Public Source License 1.2
+
+
+
+
+ Apple Public Source License 2.0
+
+
+
+
+ Abstyles License
+
+
+
+
+ Adobe Systems Incorporated Source Code License Agreement
+
+
+
+
+ Adobe Glyph List License
+
+
+
+
+ Afmparse License
+
+
+
+
+ Aladdin Free Public License
+
+
+
+
+ Apache License 1.0
+
+
+
+
+ Apache License 1.1
+
+
+
+
+ Apache License 2.0
+
+
+
+
+ Artistic License 1.0
+
+
+
+
+ Artistic License 1.0 (Perl)
+
+
+
+
+ Artistic License 1.0 w/clause 8
+
+
+
+
+ Artistic License 2.0
+
+
+
+
+ BSD 1-Clause License
+
+
+
+
+ BSD 2-Clause "Simplified" License
+
+
+
+
+ BSD 2-Clause FreeBSD License
+
+
+
+
+ BSD 2-Clause NetBSD License
+
+
+
+
+ BSD-2-Clause Plus Patent License
+
+
+
+
+ BSD 2-Clause with views sentence
+
+
+
+
+ BSD 3-Clause "New" or "Revised" License
+
+
+
+
+ BSD with attribution
+
+
+
+
+ BSD 3-Clause Clear License
+
+
+
+
+ Lawrence Berkeley National Labs BSD variant license
+
+
+
+
+ BSD 3-Clause No Nuclear License
+
+
+
+
+ BSD 3-Clause No Nuclear License 2014
+
+
+
+
+ BSD 3-Clause No Nuclear Warranty
+
+
+
+
+ BSD 3-Clause Open MPI variant
+
+
+
+
+ BSD 4-Clause "Original" or "Old" License
+
+
+
+
+ BSD-4-Clause (University of California-Specific)
+
+
+
+
+ BSD Protection License
+
+
+
+
+ BSD Source Code Attribution
+
+
+
+
+ Boost Software License 1.0
+
+
+
+
+ Bahyph License
+
+
+
+
+ Barr License
+
+
+
+
+ Beerware License
+
+
+
+
+ BitTorrent Open Source License v1.0
+
+
+
+
+ BitTorrent Open Source License v1.1
+
+
+
+
+ Blue Oak Model License 1.0.0
+
+
+
+
+ Borceux license
+
+
+
+
+ Cryptographic Autonomy License 1.0
+
+
+
+
+ Cryptographic Autonomy License 1.0 (Combined Work Exception)
+
+
+
+
+ Computer Associates Trusted Open Source License 1.1
+
+
+
+
+ Creative Commons Attribution 1.0 Generic
+
+
+
+
+ Creative Commons Attribution 2.0 Generic
+
+
+
+
+ Creative Commons Attribution 2.5 Generic
+
+
+
+
+ Creative Commons Attribution 3.0 Unported
+
+
+
+
+ Creative Commons Attribution 3.0 Austria
+
+
+
+
+ Creative Commons Attribution 4.0 International
+
+
+
+
+ Creative Commons Attribution Non Commercial 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial 3.0 Unported
+
+
+
+
+ Creative Commons Attribution Non Commercial 4.0 International
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO
+
+
+
+
+ Creative Commons Attribution Non Commercial No Derivatives 4.0 International
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 3.0 Unported
+
+
+
+
+ Creative Commons Attribution Non Commercial Share Alike 4.0 International
+
+
+
+
+ Creative Commons Attribution No Derivatives 1.0 Generic
+
+
+
+
+ Creative Commons Attribution No Derivatives 2.0 Generic
+
+
+
+
+ Creative Commons Attribution No Derivatives 2.5 Generic
+
+
+
+
+ Creative Commons Attribution No Derivatives 3.0 Unported
+
+
+
+
+ Creative Commons Attribution No Derivatives 4.0 International
+
+
+
+
+ Creative Commons Attribution Share Alike 1.0 Generic
+
+
+
+
+ Creative Commons Attribution Share Alike 2.0 Generic
+
+
+
+
+ Creative Commons Attribution Share Alike 2.5 Generic
+
+
+
+
+ Creative Commons Attribution Share Alike 3.0 Unported
+
+
+
+
+ Creative Commons Attribution-Share Alike 3.0 Austria
+
+
+
+
+ Creative Commons Attribution Share Alike 4.0 International
+
+
+
+
+ Creative Commons Public Domain Dedication and Certification
+
+
+
+
+ Creative Commons Zero v1.0 Universal
+
+
+
+
+ Common Development and Distribution License 1.0
+
+
+
+
+ Common Development and Distribution License 1.1
+
+
+
+
+ Community Data License Agreement Permissive 1.0
+
+
+
+
+ Community Data License Agreement Sharing 1.0
+
+
+
+
+ CeCILL Free Software License Agreement v1.0
+
+
+
+
+ CeCILL Free Software License Agreement v1.1
+
+
+
+
+ CeCILL Free Software License Agreement v2.0
+
+
+
+
+ CeCILL Free Software License Agreement v2.1
+
+
+
+
+ CeCILL-B Free Software License Agreement
+
+
+
+
+ CeCILL-C Free Software License Agreement
+
+
+
+
+ CERN Open Hardware Licence v1.1
+
+
+
+
+ CERN Open Hardware Licence v1.2
+
+
+
+
+ CERN Open Hardware Licence Version 2 - Permissive
+
+
+
+
+ CERN Open Hardware Licence Version 2 - Strongly Reciprocal
+
+
+
+
+ CERN Open Hardware Licence Version 2 - Weakly Reciprocal
+
+
+
+
+ CNRI Jython License
+
+
+
+
+ CNRI Python License
+
+
+
+
+ CNRI Python Open Source GPL Compatible License Agreement
+
+
+
+
+ Common Public Attribution License 1.0
+
+
+
+
+ Common Public License 1.0
+
+
+
+
+ Code Project Open License 1.02
+
+
+
+
+ CUA Office Public License v1.0
+
+
+
+
+ Caldera License
+
+
+
+
+ Clarified Artistic License
+
+
+
+
+ Condor Public License v1.1
+
+
+
+
+ Crossword License
+
+
+
+
+ CrystalStacker License
+
+
+
+
+ Cube License
+
+
+
+
+ Deutsche Freie Software Lizenz
+
+
+
+
+ DOC License
+
+
+
+
+ DSDP License
+
+
+
+
+ Dotseqn License
+
+
+
+
+ Educational Community License v1.0
+
+
+
+
+ Educational Community License v2.0
+
+
+
+
+ Eiffel Forum License v1.0
+
+
+
+
+ Eiffel Forum License v2.0
+
+
+
+
+ EPICS Open License
+
+
+
+
+ Eclipse Public License 1.0
+
+
+
+
+ Eclipse Public License 2.0
+
+
+
+
+ EU DataGrid Software License
+
+
+
+
+ European Union Public License 1.0
+
+
+
+
+ European Union Public License 1.1
+
+
+
+
+ European Union Public License 1.2
+
+
+
+
+ Entessa Public License v1.0
+
+
+
+
+ Erlang Public License v1.1
+
+
+
+
+ Eurosym License
+
+
+
+
+ FSF All Permissive License
+
+
+
+
+ FSF Unlimited License
+
+
+
+
+ FSF Unlimited License (with License Retention)
+
+
+
+
+ Freetype Project License
+
+
+
+
+ Fair License
+
+
+
+
+ Frameworx Open License 1.0
+
+
+
+
+ FreeImage Public License v1.0
+
+
+
+
+ GNU Free Documentation License v1.1
+
+
+
+
+ GNU Free Documentation License v1.1 only - invariants
+
+
+
+
+ GNU Free Documentation License v1.1 or later - invariants
+
+
+
+
+ GNU Free Documentation License v1.1 only - no invariants
+
+
+
+
+ GNU Free Documentation License v1.1 or later - no invariants
+
+
+
+
+ GNU Free Documentation License v1.1 only
+
+
+
+
+ GNU Free Documentation License v1.1 or later
+
+
+
+
+ GNU Free Documentation License v1.2
+
+
+
+
+ GNU Free Documentation License v1.2 only - invariants
+
+
+
+
+ GNU Free Documentation License v1.2 or later - invariants
+
+
+
+
+ GNU Free Documentation License v1.2 only - no invariants
+
+
+
+
+ GNU Free Documentation License v1.2 or later - no invariants
+
+
+
+
+ GNU Free Documentation License v1.2 only
+
+
+
+
+ GNU Free Documentation License v1.2 or later
+
+
+
+
+ GNU Free Documentation License v1.3
+
+
+
+
+ GNU Free Documentation License v1.3 only - invariants
+
+
+
+
+ GNU Free Documentation License v1.3 or later - invariants
+
+
+
+
+ GNU Free Documentation License v1.3 only - no invariants
+
+
+
+
+ GNU Free Documentation License v1.3 or later - no invariants
+
+
+
+
+ GNU Free Documentation License v1.3 only
+
+
+
+
+ GNU Free Documentation License v1.3 or later
+
+
+
+
+ GL2PS License
+
+
+
+
+ Good Luck With That Public License
+
+
+
+
+ GNU General Public License v1.0 only
+
+
+
+
+ GNU General Public License v1.0 or later
+
+
+
+
+ GNU General Public License v1.0 only
+
+
+
+
+ GNU General Public License v1.0 or later
+
+
+
+
+ GNU General Public License v2.0 only
+
+
+
+
+ GNU General Public License v2.0 or later
+
+
+
+
+ GNU General Public License v2.0 only
+
+
+
+
+ GNU General Public License v2.0 or later
+
+
+
+
+ GNU General Public License v2.0 w/GCC Runtime Library exception
+
+
+
+
+ GNU General Public License v2.0 w/Autoconf exception
+
+
+
+
+ GNU General Public License v2.0 w/Bison exception
+
+
+
+
+ GNU General Public License v2.0 w/Classpath exception
+
+
+
+
+ GNU General Public License v2.0 w/Font exception
+
+
+
+
+ GNU General Public License v3.0 only
+
+
+
+
+ GNU General Public License v3.0 or later
+
+
+
+
+ GNU General Public License v3.0 only
+
+
+
+
+ GNU General Public License v3.0 or later
+
+
+
+
+ GNU General Public License v3.0 w/GCC Runtime Library exception
+
+
+
+
+ GNU General Public License v3.0 w/Autoconf exception
+
+
+
+
+ Giftware License
+
+
+
+
+ 3dfx Glide License
+
+
+
+
+ Glulxe License
+
+
+
+
+ Historical Permission Notice and Disclaimer
+
+
+
+
+ Historical Permission Notice and Disclaimer - sell variant
+
+
+
+
+ Haskell Language Report License
+
+
+
+
+ Hippocratic License 2.1
+
+
+
+
+ IBM PowerPC Initialization and Boot Software
+
+
+
+
+ ICU License
+
+
+
+
+ Independent JPEG Group License
+
+
+
+
+ IPA Font License
+
+
+
+
+ IBM Public License v1.0
+
+
+
+
+ ISC License
+
+
+
+
+ ImageMagick License
+
+
+
+
+ Imlib2 License
+
+
+
+
+ Info-ZIP License
+
+
+
+
+ Intel Open Source License
+
+
+
+
+ Intel ACPI Software License Agreement
+
+
+
+
+ Interbase Public License v1.0
+
+
+
+
+ Japan Network Information Center License
+
+
+
+
+ JSON License
+
+
+
+
+ JasPer License
+
+
+
+
+ Licence Art Libre 1.2
+
+
+
+
+ Licence Art Libre 1.3
+
+
+
+
+ GNU Library General Public License v2 only
+
+
+
+
+ GNU Library General Public License v2 or later
+
+
+
+
+ GNU Library General Public License v2 only
+
+
+
+
+ GNU Library General Public License v2 or later
+
+
+
+
+ GNU Lesser General Public License v2.1 only
+
+
+
+
+ GNU Library General Public License v2.1 or later
+
+
+
+
+ GNU Lesser General Public License v2.1 only
+
+
+
+
+ GNU Lesser General Public License v2.1 or later
+
+
+
+
+ GNU Lesser General Public License v3.0 only
+
+
+
+
+ GNU Lesser General Public License v3.0 or later
+
+
+
+
+ GNU Lesser General Public License v3.0 only
+
+
+
+
+ GNU Lesser General Public License v3.0 or later
+
+
+
+
+ Lesser General Public License For Linguistic Resources
+
+
+
+
+ Lucent Public License Version 1.0
+
+
+
+
+ Lucent Public License v1.02
+
+
+
+
+ LaTeX Project Public License v1.0
+
+
+
+
+ LaTeX Project Public License v1.1
+
+
+
+
+ LaTeX Project Public License v1.2
+
+
+
+
+ LaTeX Project Public License v1.3a
+
+
+
+
+ LaTeX Project Public License v1.3c
+
+
+
+
+ Latex2e License
+
+
+
+
+ Leptonica License
+
+
+
+
+ Licence Libre du Québec – Permissive version 1.1
+
+
+
+
+ Licence Libre du Québec – Réciprocité version 1.1
+
+
+
+
+ Licence Libre du Québec – Réciprocité forte version 1.1
+
+
+
+
+ libpng License
+
+
+
+
+ Linux Kernel Variant of OpenIB.org license
+
+
+
+
+ MIT License
+
+
+
+
+ MIT No Attribution
+
+
+
+
+ CMU License
+
+
+
+
+ Enlightenment License (e16)
+
+
+
+
+ enna License
+
+
+
+
+ feh License
+
+
+
+
+ MIT +no-false-attribs license
+
+
+
+
+ Mozilla Public License 1.0
+
+
+
+
+ Mozilla Public License 1.1
+
+
+
+
+ Mozilla Public License 2.0
+
+
+
+
+ Mozilla Public License 2.0 (no copyleft exception)
+
+
+
+
+ Microsoft Public License
+
+
+
+
+ Microsoft Reciprocal License
+
+
+
+
+ Matrix Template Library License
+
+
+
+
+ MakeIndex License
+
+
+
+
+ The MirOS Licence
+
+
+
+
+ Motosoto License
+
+
+
+
+ Mulan Permissive Software License, Version 1
+
+
+
+
+ Mulan Permissive Software License, Version 2
+
+
+
+
+ Multics License
+
+
+
+
+ Mup License
+
+
+
+
+ NASA Open Source Agreement 1.3
+
+
+
+
+ Net Boolean Public License v1
+
+
+
+
+ Non-Commercial Government Licence
+
+
+
+
+ University of Illinois/NCSA Open Source License
+
+
+
+
+ Nethack General Public License
+
+
+
+
+ NIST Public Domain Notice
+
+
+
+
+ NIST Public Domain Notice with license fallback
+
+
+
+
+ Norwegian Licence for Open Government Data
+
+
+
+
+ No Limit Public License
+
+
+
+
+ Netizen Open Source License
+
+
+
+
+ Netscape Public License v1.0
+
+
+
+
+ Netscape Public License v1.1
+
+
+
+
+ Non-Profit Open Software License 3.0
+
+
+
+
+ NRL License
+
+
+
+
+ NTP License
+
+
+
+
+ NTP No Attribution
+
+
+
+
+ Naumen Public License
+
+
+
+
+ Net-SNMP License
+
+
+
+
+ NetCDF license
+
+
+
+
+ Newsletr License
+
+
+
+
+ Nokia Open Source License
+
+
+
+
+ Noweb License
+
+
+
+
+ Nunit License
+
+
+
+
+ Open Use of Data Agreement v1.0
+
+
+
+
+ Open CASCADE Technology Public License
+
+
+
+
+ OCLC Research Public License 2.0
+
+
+
+
+ Open Data Commons Attribution License v1.0
+
+
+
+
+ ODC Open Database License v1.0
+
+
+
+
+ SIL Open Font License 1.0
+
+
+
+
+ SIL Open Font License 1.0 with Reserved Font Name
+
+
+
+
+ SIL Open Font License 1.0 with no Reserved Font Name
+
+
+
+
+ SIL Open Font License 1.1
+
+
+
+
+ SIL Open Font License 1.1 with Reserved Font Name
+
+
+
+
+ SIL Open Font License 1.1 with no Reserved Font Name
+
+
+
+
+ OGC Software License, Version 1.0
+
+
+
+
+ Open Government Licence - Canada
+
+
+
+
+ Open Government Licence v1.0
+
+
+
+
+ Open Government Licence v2.0
+
+
+
+
+ Open Government Licence v3.0
+
+
+
+
+ Open Group Test Suite License
+
+
+
+
+ Open LDAP Public License v1.1
+
+
+
+
+ Open LDAP Public License v1.2
+
+
+
+
+ Open LDAP Public License v1.3
+
+
+
+
+ Open LDAP Public License v1.4
+
+
+
+
+ Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)
+
+
+
+
+ Open LDAP Public License v2.0.1
+
+
+
+
+ Open LDAP Public License v2.1
+
+
+
+
+ Open LDAP Public License v2.2
+
+
+
+
+ Open LDAP Public License v2.2.1
+
+
+
+
+ Open LDAP Public License 2.2.2
+
+
+
+
+ Open LDAP Public License v2.3
+
+
+
+
+ Open LDAP Public License v2.4
+
+
+
+
+ Open LDAP Public License v2.5
+
+
+
+
+ Open LDAP Public License v2.6
+
+
+
+
+ Open LDAP Public License v2.7
+
+
+
+
+ Open LDAP Public License v2.8
+
+
+
+
+ Open Market License
+
+
+
+
+ Open Public License v1.0
+
+
+
+
+ OSET Public License version 2.1
+
+
+
+
+ Open Software License 1.0
+
+
+
+
+ Open Software License 1.1
+
+
+
+
+ Open Software License 2.0
+
+
+
+
+ Open Software License 2.1
+
+
+
+
+ Open Software License 3.0
+
+
+
+
+ OpenSSL License
+
+
+
+
+ ODC Public Domain Dedication & License 1.0
+
+
+
+
+ PHP License v3.0
+
+
+
+
+ PHP License v3.01
+
+
+
+
+ Python Software Foundation License 2.0
+
+
+
+
+ The Parity Public License 6.0.0
+
+
+
+
+ The Parity Public License 7.0.0
+
+
+
+
+ Plexus Classworlds License
+
+
+
+
+ PolyForm Noncommercial License 1.0.0
+
+
+
+
+ PolyForm Small Business License 1.0.0
+
+
+
+
+ PostgreSQL License
+
+
+
+
+ Python License 2.0
+
+
+
+
+ Q Public License 1.0
+
+
+
+
+ Qhull License
+
+
+
+
+ Red Hat eCos Public License v1.1
+
+
+
+
+ Reciprocal Public License 1.1
+
+
+
+
+ Reciprocal Public License 1.5
+
+
+
+
+ RealNetworks Public Source License v1.0
+
+
+
+
+ RSA Message-Digest License
+
+
+
+
+ Ricoh Source Code Public License
+
+
+
+
+ Rdisc License
+
+
+
+
+ Ruby License
+
+
+
+
+ Sax Public Domain Notice
+
+
+
+
+ SCEA Shared Source License
+
+
+
+
+ SGI Free Software License B v1.0
+
+
+
+
+ SGI Free Software License B v1.1
+
+
+
+
+ SGI Free Software License B v2.0
+
+
+
+
+ Solderpad Hardware License v0.5
+
+
+
+
+ Solderpad Hardware License, Version 0.51
+
+
+
+
+ Sun Industry Standards Source License v1.1
+
+
+
+
+ Sun Industry Standards Source License v1.2
+
+
+
+
+ Standard ML of New Jersey License
+
+
+
+
+ Secure Messaging Protocol Public License
+
+
+
+
+ SNIA Public License 1.1
+
+
+
+
+ Sun Public License v1.0
+
+
+
+
+ SSH OpenSSH license
+
+
+
+
+ SSH short notice
+
+
+
+
+ Server Side Public License, v 1
+
+
+
+
+ Scheme Widget Library (SWL) Software License Agreement
+
+
+
+
+ Saxpath License
+
+
+
+
+ Sendmail License
+
+
+
+
+ Sendmail License 8.23
+
+
+
+
+ Simple Public License 2.0
+
+
+
+
+ Sleepycat License
+
+
+
+
+ Spencer License 86
+
+
+
+
+ Spencer License 94
+
+
+
+
+ Spencer License 99
+
+
+
+
+ Standard ML of New Jersey License
+
+
+
+
+ SugarCRM Public License v1.1.3
+
+
+
+
+ TAPR Open Hardware License v1.0
+
+
+
+
+ TCL/TK License
+
+
+
+
+ TCP Wrappers License
+
+
+
+
+ TMate Open Source License
+
+
+
+
+ TORQUE v2.5+ Software License v1.1
+
+
+
+
+ Trusster Open Source License
+
+
+
+
+ Technische Universitaet Berlin License 1.0
+
+
+
+
+ Technische Universitaet Berlin License 2.0
+
+
+
+
+ Upstream Compatibility License v1.0
+
+
+
+
+ Universal Permissive License v1.0
+
+
+
+
+ Unicode License Agreement - Data Files and Software (2015)
+
+
+
+
+ Unicode License Agreement - Data Files and Software (2016)
+
+
+
+
+ Unicode Terms of Use
+
+
+
+
+ The Unlicense
+
+
+
+
+ VOSTROM Public License for Open Source
+
+
+
+
+ Vovida Software License v1.0
+
+
+
+
+ Vim License
+
+
+
+
+ W3C Software Notice and License (2002-12-31)
+
+
+
+
+ W3C Software Notice and License (1998-07-20)
+
+
+
+
+ W3C Software Notice and Document License (2015-05-13)
+
+
+
+
+ Do What The F*ck You Want To Public License
+
+
+
+
+ Sybase Open Watcom Public License 1.0
+
+
+
+
+ Wsuipa License
+
+
+
+
+ X11 License
+
+
+
+
+ XFree86 License 1.1
+
+
+
+
+ XSkat License
+
+
+
+
+ Xerox License
+
+
+
+
+ X.Net License
+
+
+
+
+ Yahoo! Public License v1.0
+
+
+
+
+ Yahoo! Public License v1.1
+
+
+
+
+ Zope Public License 1.1
+
+
+
+
+ Zope Public License 2.0
+
+
+
+
+ Zope Public License 2.1
+
+
+
+
+ Zed License
+
+
+
+
+ Zend License v2.0
+
+
+
+
+ Zimbra Public License v1.3
+
+
+
+
+ Zimbra Public License v1.4
+
+
+
+
+ zlib License
+
+
+
+
+ SQLite Blessing
+
+
+
+
+ bzip2 and libbzip2 License v1.0.5
+
+
+
+
+ bzip2 and libbzip2 License v1.0.6
+
+
+
+
+ copyleft-next 0.3.0
+
+
+
+
+ copyleft-next 0.3.1
+
+
+
+
+ curl License
+
+
+
+
+ diffmark license
+
+
+
+
+ dvipdfm License
+
+
+
+
+ eCos license version 2.0
+
+
+
+
+ eGenix.com Public License 1.1.0
+
+
+
+
+ Etalab Open License 2.0
+
+
+
+
+ gSOAP Public License v1.3b
+
+
+
+
+ gnuplot License
+
+
+
+
+ iMatix Standard Function Library Agreement
+
+
+
+
+ PNG Reference Library version 2
+
+
+
+
+ libselinux public domain notice
+
+
+
+
+ libtiff License
+
+
+
+
+ mpich2 License
+
+
+
+
+ psfrag License
+
+
+
+
+ psutils License
+
+
+
+
+ wxWindows Library License
+
+
+
+
+ xinetd License
+
+
+
+
+ XPP License
+
+
+
+
+ zlib/libpng License with Acknowledgement
+
+
+
+
+
+ GCC Runtime Library exception 2.0
+
+
+
+
+ OpenVPN OpenSSL Exception
+
+
+
+
+ Nokia Qt LGPL exception 1.1
+
+
+
+
+ GPL-3.0 Linking Exception
+
+
+
+
+ Fawkes Runtime Exception
+
+
+
+
+ U-Boot exception 2.0
+
+
+
+
+ PS/PDF font exception (2017-08-17)
+
+
+
+
+ GNU JavaMail exception
+
+
+
+
+ LGPL-3.0 Linking Exception
+
+
+
+
+ DigiRule FOSS License Exception
+
+
+
+
+ LLVM Exception
+
+
+
+
+ Linux Syscall Note
+
+
+
+
+ GPL-3.0 Linking Exception (with Corresponding Source)
+
+
+
+
+ Qwt exception 1.0
+
+
+
+
+ 389 Directory Server Exception
+
+
+
+
+ Macros and Inline Functions Exception
+
+
+
+
+ eCos exception 2.0
+
+
+
+
+ CLISP exception 2.0
+
+
+
+
+ Bison exception 2.2
+
+
+
+
+ Libtool Exception
+
+
+
+
+ LZMA exception
+
+
+
+
+ OpenJDK Assembly exception 1.0
+
+
+
+
+ Font exception 2.0
+
+
+
+
+ OCaml LGPL Linking Exception
+
+
+
+
+ GCC Runtime Library exception 3.1
+
+
+
+
+ Bootloader Distribution Exception
+
+
+
+
+ Solderpad Hardware License v2.0
+
+
+
+
+ Classpath exception 2.0
+
+
+
+
+ Swift Exception
+
+
+
+
+ Autoconf exception 2.0
+
+
+
+
+ FLTK exception
+
+
+
+
+ FreeRTOS Exception 2.0
+
+
+
+
+ Universal FOSS Exception, Version 1.0
+
+
+
+
+ WxWindows Library Exception 3.1
+
+
+
+
+ Open CASCADE Exception 1.0
+
+
+
+
+ Autoconf exception 3.0
+
+
+
+
+ i2p GPL+Java Exception
+
+
+
+
+ GPL Cooperation Commitment 1.0
+
+
+
+
+ Qt LGPL exception 1.1
+
+
+
+
+ Solderpad Hardware License v2.1
+
+
+
+
+ Qt GPL exception 1.0
+
+
+
+
+
+
\ No newline at end of file
diff --git a/schema/cyclonedx/vulnerability.xsd b/schema/cyclonedx/vulnerability.xsd
new file mode 100644
index 00000000..2d684745
--- /dev/null
+++ b/schema/cyclonedx/vulnerability.xsd
@@ -0,0 +1,291 @@
+
+
+
+
+
+
+ CycloneDX Vulnerability Extension
+ https://cyclonedx.org/ext/vulnerability
+ Apache License, Version 2.0
+
+
+
+
+
+
+ Textual representation of the severity of the vulnerability adopted by the risk analysis method.
+ If an other risk analysis method is used other than whats defined in scoreSourceType,
+ the user is expected to translate appropriately to match with an element value below.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Numerical representation of the vulnerability score.
+ Must be a number between 0 - 10 (maps to lowest severity - highest severity)
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the risk scoring methodology/standard used.
+
+
+
+
+
+
+ The rating is based on CVSS v2 standard
+ https://www.first.org/cvss/v2/guide
+
+
+
+
+
+
+ The rating is based on CVSS v3 standard
+ https://www.first.org/cvss/v3.1/specification-document
+
+
+
+
+
+
+ The rating is based on OWASP Risk Rating
+ https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
+
+
+
+
+
+
+ The rating is based on Open FAIR specification
+ http://www.opengroup.org/subjectareas/security/risk
+
+
+
+
+
+
+ Use this if the risk scoring methodology is not based on any of the options above
+
+
+
+
+
+
+
+
+
+ Defines the numerical risk score of a vulnerability
+
+
+
+
+
+
+
+
+
+ The base score of the security vulnerability (Refer CVSS standard for example)
+
+
+
+
+
+
+ The impact subscore of the security vulnerability (Refer CVSS standard for example)
+
+
+
+
+
+
+ The exploitability subscore of the security vulnerability (Refer CVSS standard for
+ example)
+
+
+
+
+
+
+
+
+
+
+
+ Textual representation of the metric values used to score the vulnerability
+ see attack vector in https://www.first.org/cvss/v3.1/specification-document
+
+
+
+
+
+
+
+
+
+ Defines the structure of a vulnerability.
+
+
+
+
+
+
+ The id of the vulnerability as defined by the risk scoring methodology
+ For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)
+
+
+
+
+
+
+
+ The source of the vulnerability where it is documented.
+ Usually the name of the organization publishing vulnerability information
+
+
+
+
+
+
+ The url of the vulnerability documentation as provided by the source
+ For example https://nvd.nist.gov/vuln/detail/CVE-2019-15842
+
+
+
+
+
+
+
+ The name of the source. For example "National Vulnerability Database"
+
+
+
+
+
+
+
+
+ List of the vulnerability ratings as defined by various risk rating methodologies.
+
+
+
+
+
+
+
+
+
+
+
+
+ List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.
+ For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
+
+
+
+
+
+
+
+
+
+
+ Description of the vulnerability as provided by the source organization
+
+
+
+
+
+
+
+ The remediation options for the vulnerability if available
+
+
+
+
+
+
+ A recommendation of how the particular vulnerability can be avoided/mitigated.
+
+
+
+
+
+
+
+
+
+
+ Published advisories of the vulnerability if provided
+
+
+
+
+
+
+
+
+
+
+ References a component by the components bom-ref attribute
+
+
+
+
+
+
+
+ Defines a list of vulnerabilities.
+ Vulnerabilities are intended to be used inside the BOM component element.
+ Extending a component ability to declare associated vulnerability information.
+ Each component element optionally can add a vulnerabilities element.
+
+
+
+
+
+
+
+
+