From 57d777cf0428805a2f159294be2098689b8f7f86 Mon Sep 17 00:00:00 2001
From: Alfredo Deza
Date: Wed, 16 Sep 2020 10:50:57 -0400
Subject: [PATCH] tests: add cyclonedx schema check

Signed-off-by: Alfredo Deza
---
 Makefile | 8 +-
 schema/cyclonedx/.gitignore | 1 +
 schema/cyclonedx/Makefile | 5 +
 schema/cyclonedx/README.md | 5 +
 schema/cyclonedx/bd.xsd | 184 +++
 schema/cyclonedx/cyclonedx.xsd | 1419 ++++++++++++++++
 schema/cyclonedx/spdx.xsd | 2429 ++++++++++++++++++++++++++++
 schema/cyclonedx/vulnerability.xsd | 291 ++++
 8 files changed, 4340 insertions(+), 2 deletions(-)
 create mode 100644 schema/cyclonedx/.gitignore
 create mode 100644 schema/cyclonedx/Makefile
 create mode 100644 schema/cyclonedx/README.md
 create mode 100644 schema/cyclonedx/bd.xsd
 create mode 100644 schema/cyclonedx/cyclonedx.xsd
 create mode 100644 schema/cyclonedx/spdx.xsd
 create mode 100644 schema/cyclonedx/vulnerability.xsd

diff --git a/Makefile b/Makefile
index 334ec198..23253cba 100644
--- a/Makefile
+++ b/Makefile
@@ -53,13 +53,13 @@ all: clean static-analysis test ## Run all checks (linting, license check, unit,
 	@printf '$(SUCCESS)All checks pass!$(RESET)\n'
 
 .PHONY: test
-test: unit integration acceptance-linux ## Run all tests (unit, integration, and linux acceptance tests )
+test: unit validate-cyclonedx-schema integration acceptance-linux ## Run all tests (unit, integration, and linux acceptance tests )
 
 help:
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
 
 ci-bootstrap: bootstrap
-	sudo apt update && sudo apt install -y bc jq
+	DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y bc jq libxml2-utils
 
 .PHONY: boostrap
 bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
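Review bot: The `DEBIAN_FRONTEND=noninteractive` prefix on the changed `ci-bootstrap` recipe line only applies to the `sudo apt update` command it precedes; the following `sudo -E apt install -y bc jq libxml2-utils` runs in a recipe shell where that variable was never set, so `-E` preserves nothing and the install can still block on a prompt. Attach the assignment to the command that needs it, `sudo apt update && sudo env DEBIAN_FRONTEND=noninteractive apt install -y bc jq libxml2-utils`, which also stops depending on the sudoers policy allowing `-E`. The `test` line now places `validate-cyclonedx-schema` before `integration`, so every default test run will first need whatever that target fetches; if that is intended, a short comment above `test:` saying so would help the next reader.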
@@ -97,6 +97,10 @@ validate-schema:
 	# ensure the codebase is only referencing a single grype-db schema version, multiple is not allowed
 	python test/validate_schema.py
 
+.PHONY: validate-cyclonedx-schema
+validate-cyclonedx-schema:
+	cd schema/cyclonedx && make
+
 .PHONY: lint-fix
 lint-fix: ## Auto-format all source code + run golangci lint fixers
 	$(call title,Running lint fixers)
diff --git a/schema/cyclonedx/.gitignore b/schema/cyclonedx/.gitignore
new file mode 100644
index 00000000..0df37ccb
--- /dev/null
+++ b/schema/cyclonedx/.gitignore
@@ -0,0 +1 @@
+bom.xml
\ No newline at end of file
diff --git a/schema/cyclonedx/Makefile b/schema/cyclonedx/Makefile
new file mode 100644
index 00000000..0000bec8
--- /dev/null
+++ b/schema/cyclonedx/Makefile
@@ -0,0 +1,5 @@
+.DEFAULT_GOAL := validate-schema
+.PHONY: validate-schema
+validate-schema:
+	go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
+	xmllint --noout --schema ./cyclonedx.xsd bom.xml
\ No newline at end of file
diff --git a/schema/cyclonedx/README.md b/schema/cyclonedx/README.md
new file mode 100644
index 00000000..41763409
--- /dev/null
+++ b/schema/cyclonedx/README.md
@@ -0,0 +1,5 @@
+# CycloneDX Schemas
+
+`grype` generates a CycloneDX BOm output with the vulnerability extension. This validation is similar to what is done in `syft`, validating output against CycloneDX schemas.
+
+Validation is done with `xmllint`, which requires a copy of all schemas because it can't work with HTTP references. The schemas are modified to reference local copies of dependent schemas.
diff --git a/schema/cyclonedx/bd.xsd b/schema/cyclonedx/bd.xsd
new file mode 100644
index 00000000..c410a037
--- /dev/null
+++ b/schema/cyclonedx/bd.xsd
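Review bot: The new `validate-cyclonedx-schema` recipe calls the sub-make as a literal `make` (`cd schema/cyclonedx && make`), which does not hand down the `-j` jobserver, `-n`, or command-line variable overrides from the parent invocation; use `$(MAKE) -C schema/cyclonedx` instead. The target also has no `## ...` help text, unlike the neighbouring targets that the `help` rule greps for, e.g. `validate-cyclonedx-schema: ## Validate CycloneDX output against the vendored schemas`.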
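Review bot: `validate-schema` in the new `schema/cyclonedx/Makefile` scans `ubuntu:latest`, a mutable tag resolved from a registry at run time, so the input to the schema check — and, through the top-level `test` target, the outcome of the whole test run — depends on network access and on whatever the registry serves that day, and a schema regression cannot be told apart from an image change. Make the image an overridable variable with a pinned default, e.g. `IMAGE ?= ubuntu@sha256:<DIGEST-PLACEHOLDER>` and `go run ../../main.go $(IMAGE) -vv -o cyclonedx > bom.xml`, or validate a checked-in fixture BOM instead. A one-line comment above the target stating that it needs registry access would also save CI maintainers a surprise.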
@@ -0,0 +1,184 @@ + + + + + + + CycloneDX BOM Descriptor Extension + https://cyclonedx.org/ext/bom-descriptor + Apache License, Version 2.0 + + Steve Springett + + + + + + + + + + + The date and time (timestamp) when the document was created. + + + + + The tool used to create the BOM. + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacture, but may also be a distributor or repackager. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies a tool (manual or automated). + + + + + The vendor of the tool used to create the BOM. + + + + + The name of the tool used to create the BOM. + + + + + The version of the tool used to create the BOM. + + + + + + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the person + + + + + The email address of the person. Multiple email addresses are allowed. + + + + + The phone number of the person. Multiple phone numbers are allowed. 
+ + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Provides additional information about a BOM. + + + + diff --git a/schema/cyclonedx/cyclonedx.xsd b/schema/cyclonedx/cyclonedx.xsd new file mode 100644 index 00000000..fb264092 --- /dev/null +++ b/schema/cyclonedx/cyclonedx.xsd 
@@ -0,0 +1,1419 @@ + + + + + + + + + CycloneDX Software Bill-of-Material Specification + https://cyclonedx.org/ + Apache License, Version 2.0 + + Steve Springett + + + + + + + + + The date and time (timestamp) when the document was created. + + + + + The tool(s) used in the creation of the BOM. + + + + + + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacture, but may also be a distributor or repackager. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies a tool (manual or automated). + + + + + The vendor of the tool used to create the BOM. + + + + + The name of the tool used to create the BOM. + + + + + The version of the tool used to create the BOM. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. 
+ + + + + + + + + The name of the contact + + + + + The email address of the contact. Multiple email addresses are allowed. + + + + + The phone number of the contact. Multiple phone numbers are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacture, but may also be a distributor or repackager. + + + + + The person(s) or organization(s) that authored the component + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'runtime' + scope should be assumed by the consumer of the BOM + + + + + + + + + + + + + + + + A valid SPDX license expression. 
+ Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + An optional copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. + Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (PURL). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating is the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + + Specifies optional sub-components. This is not a dependency tree. It provides a way + to specify a hierarchical representation of component assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. 
For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The optional mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + Specifies attributes of the text + + + + Specifies the content type of the text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. 
+ + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware should include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-material document (CycloneDX, SPDX, SWID, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant + but which are not included with the BOM. 
+ + + + + + Zero or more external references can be defined + + + + + + + + + + The URL to the external reference + + + + + An optional comment describing the external reference + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. 
Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. 
It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + References a component or service by the its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Components that do not have their own dependencies MUST be declared as empty + elements within the graph. 
Components that are not represented in the dependency graph MAY + have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque + and not an indicator of a component being dependency-free. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + + + + Specifies the data classification. + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + Provides the ability to document external references related to the service. + + + + + + Specifies optional sub-service. This is not a dependency tree. It provides a way + to specify a hierarchical representation of service assemblies, similar to + system -> subsystem -> parts assembly in physical supply chains. 
+ + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + + + + + + + + + + Provides additional information about a BOM. + + + + + Provides the ability to document a list of components. + + + + + Provides the ability to document a list of external services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + The version allows component publishers/authors to make changes to existing + BOMs to update various aspects of the document such as description or licenses. When a system + is presented with multiple BOMs for the same component, the system should use the most recent + version of the BOM. The default version is '1' and should be incremented for each version of the + BOM that is published. 
Each version of a component should have a unique BOM and if no changes are + made to the BOMs, then each BOM will have a version of '1'. + + + + + Every BOM generated should have a unique serial number, even if the contents + of the BOM being generated have not changed over time. The process or tool responsible for + creating the BOM should create random UUID's for every BOM generated. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/schema/cyclonedx/spdx.xsd b/schema/cyclonedx/spdx.xsd new file mode 100644 index 00000000..dbd61b16 --- /dev/null +++ b/schema/cyclonedx/spdx.xsd 
@@ -0,0 +1,2429 @@ + + + + + + + + + BSD Zero Clause License + + + + + Attribution Assurance License + + + + + Amazon Digital Services License + + + + + Academic Free License v1.1 + + + + + Academic Free License v1.2 + + + + + Academic Free License v2.0 + + + + + Academic Free License v2.1 + + + + + Academic Free License v3.0 + + + + + Affero General Public License v1.0 + + + + + Affero General Public License v1.0 only + + + + + Affero General Public License v1.0 or later + + + + + GNU Affero General Public License v3.0 + + + + + GNU Affero General Public License v3.0 only + + + + + GNU Affero General Public License v3.0 or later + + + + + AMD's plpa_map.c License + + + + + Apple MIT License + + + + + Academy of Motion Picture Arts and Sciences BSD + + + + + ANTLR Software Rights Notice + + + + + Adobe Postscript AFM License + + + + + Adaptive Public License 1.0 + + + + + Apple Public Source License 1.0 + + + + + Apple Public Source License 1.1 + + + + + Apple Public Source License 1.2 + + + + + Apple Public Source License 2.0 + + + + + Abstyles License + + + + + Adobe Systems Incorporated Source Code License Agreement + + + + + Adobe Glyph List License + + + + + Afmparse License + + + + + Aladdin Free Public License + + + + + Apache License 1.0 + + + + + Apache License 1.1 + + + + + Apache License 2.0 + + + + + Artistic License 1.0 + + + + + Artistic License 1.0 (Perl) + + + + + Artistic License 1.0 w/clause 8 + + + + + Artistic License 2.0 + + + + + BSD 1-Clause License + + + + + BSD 2-Clause "Simplified" License + + + + + BSD 2-Clause FreeBSD License + + + + + BSD 2-Clause NetBSD License + + + + + BSD-2-Clause Plus Patent License + + + + + BSD 2-Clause with views sentence + + + + + BSD 3-Clause "New" or "Revised" License + + + + + BSD with attribution + + + + + BSD 3-Clause Clear License + + + + + Lawrence Berkeley National Labs BSD variant license + + + + + BSD 3-Clause No Nuclear License + + + + + BSD 3-Clause No Nuclear License 2014 + + + + + BSD 3-Clause No 
Nuclear Warranty + + + + + BSD 3-Clause Open MPI variant + + + + + BSD 4-Clause "Original" or "Old" License + + + + + BSD-4-Clause (University of California-Specific) + + + + + BSD Protection License + + + + + BSD Source Code Attribution + + + + + Boost Software License 1.0 + + + + + Bahyph License + + + + + Barr License + + + + + Beerware License + + + + + BitTorrent Open Source License v1.0 + + + + + BitTorrent Open Source License v1.1 + + + + + Blue Oak Model License 1.0.0 + + + + + Borceux license + + + + + Cryptographic Autonomy License 1.0 + + + + + Cryptographic Autonomy License 1.0 (Combined Work Exception) + + + + + Computer Associates Trusted Open Source License 1.1 + + + + + Creative Commons Attribution 1.0 Generic + + + + + Creative Commons Attribution 2.0 Generic + + + + + Creative Commons Attribution 2.5 Generic + + + + + Creative Commons Attribution 3.0 Unported + + + + + Creative Commons Attribution 3.0 Austria + + + + + Creative Commons Attribution 4.0 International + + + + + Creative Commons Attribution Non Commercial 1.0 Generic + + + + + Creative Commons Attribution Non Commercial 2.0 Generic + + + + + Creative Commons Attribution Non Commercial 2.5 Generic + + + + + Creative Commons Attribution Non Commercial 3.0 Unported + + + + + Creative Commons Attribution Non Commercial 4.0 International + + + + + Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic + + + + + Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic + + + + + Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic + + + + + Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported + + + + + Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO + + + + + Creative Commons Attribution Non Commercial No Derivatives 4.0 International + + + + + Creative Commons Attribution Non Commercial Share Alike 1.0 Generic + + + + + Creative Commons Attribution Non Commercial Share Alike 2.0 Generic + + + + + Creative 
Commons Attribution Non Commercial Share Alike 2.5 Generic + + + + + Creative Commons Attribution Non Commercial Share Alike 3.0 Unported + + + + + Creative Commons Attribution Non Commercial Share Alike 4.0 International + + + + + Creative Commons Attribution No Derivatives 1.0 Generic + + + + + Creative Commons Attribution No Derivatives 2.0 Generic + + + + + Creative Commons Attribution No Derivatives 2.5 Generic + + + + + Creative Commons Attribution No Derivatives 3.0 Unported + + + + + Creative Commons Attribution No Derivatives 4.0 International + + + + + Creative Commons Attribution Share Alike 1.0 Generic + + + + + Creative Commons Attribution Share Alike 2.0 Generic + + + + + Creative Commons Attribution Share Alike 2.5 Generic + + + + + Creative Commons Attribution Share Alike 3.0 Unported + + + + + Creative Commons Attribution-Share Alike 3.0 Austria + + + + + Creative Commons Attribution Share Alike 4.0 International + + + + + Creative Commons Public Domain Dedication and Certification + + + + + Creative Commons Zero v1.0 Universal + + + + + Common Development and Distribution License 1.0 + + + + + Common Development and Distribution License 1.1 + + + + + Community Data License Agreement Permissive 1.0 + + + + + Community Data License Agreement Sharing 1.0 + + + + + CeCILL Free Software License Agreement v1.0 + + + + + CeCILL Free Software License Agreement v1.1 + + + + + CeCILL Free Software License Agreement v2.0 + + + + + CeCILL Free Software License Agreement v2.1 + + + + + CeCILL-B Free Software License Agreement + + + + + CeCILL-C Free Software License Agreement + + + + + CERN Open Hardware Licence v1.1 + + + + + CERN Open Hardware Licence v1.2 + + + + + CERN Open Hardware Licence Version 2 - Permissive + + + + + CERN Open Hardware Licence Version 2 - Strongly Reciprocal + + + + + CERN Open Hardware Licence Version 2 - Weakly Reciprocal + + + + + CNRI Jython License + + + + + CNRI Python License + + + + + CNRI Python Open Source GPL Compatible 
License Agreement + + + + + Common Public Attribution License 1.0 + + + + + Common Public License 1.0 + + + + + Code Project Open License 1.02 + + + + + CUA Office Public License v1.0 + + + + + Caldera License + + + + + Clarified Artistic License + + + + + Condor Public License v1.1 + + + + + Crossword License + + + + + CrystalStacker License + + + + + Cube License + + + + + Deutsche Freie Software Lizenz + + + + + DOC License + + + + + DSDP License + + + + + Dotseqn License + + + + + Educational Community License v1.0 + + + + + Educational Community License v2.0 + + + + + Eiffel Forum License v1.0 + + + + + Eiffel Forum License v2.0 + + + + + EPICS Open License + + + + + Eclipse Public License 1.0 + + + + + Eclipse Public License 2.0 + + + + + EU DataGrid Software License + + + + + European Union Public License 1.0 + + + + + European Union Public License 1.1 + + + + + European Union Public License 1.2 + + + + + Entessa Public License v1.0 + + + + + Erlang Public License v1.1 + + + + + Eurosym License + + + + + FSF All Permissive License + + + + + FSF Unlimited License + + + + + FSF Unlimited License (with License Retention) + + + + + Freetype Project License + + + + + Fair License + + + + + Frameworx Open License 1.0 + + + + + FreeImage Public License v1.0 + + + + + GNU Free Documentation License v1.1 + + + + + GNU Free Documentation License v1.1 only - invariants + + + + + GNU Free Documentation License v1.1 or later - invariants + + + + + GNU Free Documentation License v1.1 only - no invariants + + + + + GNU Free Documentation License v1.1 or later - no invariants + + + + + GNU Free Documentation License v1.1 only + + + + + GNU Free Documentation License v1.1 or later + + + + + GNU Free Documentation License v1.2 + + + + + GNU Free Documentation License v1.2 only - invariants + + + + + GNU Free Documentation License v1.2 or later - invariants + + + + + GNU Free Documentation License v1.2 only - no invariants + + + + + GNU Free Documentation License v1.2 or later 
- no invariants + + + + + GNU Free Documentation License v1.2 only + + + + + GNU Free Documentation License v1.2 or later + + + + + GNU Free Documentation License v1.3 + + + + + GNU Free Documentation License v1.3 only - invariants + + + + + GNU Free Documentation License v1.3 or later - invariants + + + + + GNU Free Documentation License v1.3 only - no invariants + + + + + GNU Free Documentation License v1.3 or later - no invariants + + + + + GNU Free Documentation License v1.3 only + + + + + GNU Free Documentation License v1.3 or later + + + + + GL2PS License + + + + + Good Luck With That Public License + + + + + GNU General Public License v1.0 only + + + + + GNU General Public License v1.0 or later + + + + + GNU General Public License v1.0 only + + + + + GNU General Public License v1.0 or later + + + + + GNU General Public License v2.0 only + + + + + GNU General Public License v2.0 or later + + + + + GNU General Public License v2.0 only + + + + + GNU General Public License v2.0 or later + + + + + GNU General Public License v2.0 w/GCC Runtime Library exception + + + + + GNU General Public License v2.0 w/Autoconf exception + + + + + GNU General Public License v2.0 w/Bison exception + + + + + GNU General Public License v2.0 w/Classpath exception + + + + + GNU General Public License v2.0 w/Font exception + + + + + GNU General Public License v3.0 only + + + + + GNU General Public License v3.0 or later + + + + + GNU General Public License v3.0 only + + + + + GNU General Public License v3.0 or later + + + + + GNU General Public License v3.0 w/GCC Runtime Library exception + + + + + GNU General Public License v3.0 w/Autoconf exception + + + + + Giftware License + + + + + 3dfx Glide License + + + + + Glulxe License + + + + + Historical Permission Notice and Disclaimer + + + + + Historical Permission Notice and Disclaimer - sell variant + + + + + Haskell Language Report License + + + + + Hippocratic License 2.1 + + + + + IBM PowerPC Initialization and Boot Software + + + 
+ + ICU License + + + + + Independent JPEG Group License + + + + + IPA Font License + + + + + IBM Public License v1.0 + + + + + ISC License + + + + + ImageMagick License + + + + + Imlib2 License + + + + + Info-ZIP License + + + + + Intel Open Source License + + + + + Intel ACPI Software License Agreement + + + + + Interbase Public License v1.0 + + + + + Japan Network Information Center License + + + + + JSON License + + + + + JasPer License + + + + + Licence Art Libre 1.2 + + + + + Licence Art Libre 1.3 + + + + + GNU Library General Public License v2 only + + + + + GNU Library General Public License v2 or later + + + + + GNU Library General Public License v2 only + + + + + GNU Library General Public License v2 or later + + + + + GNU Lesser General Public License v2.1 only + + + + + GNU Library General Public License v2.1 or later + + + + + GNU Lesser General Public License v2.1 only + + + + + GNU Lesser General Public License v2.1 or later + + + + + GNU Lesser General Public License v3.0 only + + + + + GNU Lesser General Public License v3.0 or later + + + + + GNU Lesser General Public License v3.0 only + + + + + GNU Lesser General Public License v3.0 or later + + + + + Lesser General Public License For Linguistic Resources + + + + + Lucent Public License Version 1.0 + + + + + Lucent Public License v1.02 + + + + + LaTeX Project Public License v1.0 + + + + + LaTeX Project Public License v1.1 + + + + + LaTeX Project Public License v1.2 + + + + + LaTeX Project Public License v1.3a + + + + + LaTeX Project Public License v1.3c + + + + + Latex2e License + + + + + Leptonica License + + + + + Licence Libre du Québec – Permissive version 1.1 + + + + + Licence Libre du Québec – Réciprocité version 1.1 + + + + + Licence Libre du Québec – Réciprocité forte version 1.1 + + + + + libpng License + + + + + Linux Kernel Variant of OpenIB.org license + + + + + MIT License + + + + + MIT No Attribution + + + + + CMU License + + + + + Enlightenment License (e16) + + + + + enna License + 
+ + + + feh License + + + + + MIT +no-false-attribs license + + + + + Mozilla Public License 1.0 + + + + + Mozilla Public License 1.1 + + + + + Mozilla Public License 2.0 + + + + + Mozilla Public License 2.0 (no copyleft exception) + + + + + Microsoft Public License + + + + + Microsoft Reciprocal License + + + + + Matrix Template Library License + + + + + MakeIndex License + + + + + The MirOS Licence + + + + + Motosoto License + + + + + Mulan Permissive Software License, Version 1 + + + + + Mulan Permissive Software License, Version 2 + + + + + Multics License + + + + + Mup License + + + + + NASA Open Source Agreement 1.3 + + + + + Net Boolean Public License v1 + + + + + Non-Commercial Government Licence + + + + + University of Illinois/NCSA Open Source License + + + + + Nethack General Public License + + + + + NIST Public Domain Notice + + + + + NIST Public Domain Notice with license fallback + + + + + Norwegian Licence for Open Government Data + + + + + No Limit Public License + + + + + Netizen Open Source License + + + + + Netscape Public License v1.0 + + + + + Netscape Public License v1.1 + + + + + Non-Profit Open Software License 3.0 + + + + + NRL License + + + + + NTP License + + + + + NTP No Attribution + + + + + Naumen Public License + + + + + Net-SNMP License + + + + + NetCDF license + + + + + Newsletr License + + + + + Nokia Open Source License + + + + + Noweb License + + + + + Nunit License + + + + + Open Use of Data Agreement v1.0 + + + + + Open CASCADE Technology Public License + + + + + OCLC Research Public License 2.0 + + + + + Open Data Commons Attribution License v1.0 + + + + + ODC Open Database License v1.0 + + + + + SIL Open Font License 1.0 + + + + + SIL Open Font License 1.0 with Reserved Font Name + + + + + SIL Open Font License 1.0 with no Reserved Font Name + + + + + SIL Open Font License 1.1 + + + + + SIL Open Font License 1.1 with Reserved Font Name + + + + + SIL Open Font License 1.1 with no Reserved Font Name + + + + + OGC Software 
License, Version 1.0 + + + + + Open Government Licence - Canada + + + + + Open Government Licence v1.0 + + + + + Open Government Licence v2.0 + + + + + Open Government Licence v3.0 + + + + + Open Group Test Suite License + + + + + Open LDAP Public License v1.1 + + + + + Open LDAP Public License v1.2 + + + + + Open LDAP Public License v1.3 + + + + + Open LDAP Public License v1.4 + + + + + Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B) + + + + + Open LDAP Public License v2.0.1 + + + + + Open LDAP Public License v2.1 + + + + + Open LDAP Public License v2.2 + + + + + Open LDAP Public License v2.2.1 + + + + + Open LDAP Public License 2.2.2 + + + + + Open LDAP Public License v2.3 + + + + + Open LDAP Public License v2.4 + + + + + Open LDAP Public License v2.5 + + + + + Open LDAP Public License v2.6 + + + + + Open LDAP Public License v2.7 + + + + + Open LDAP Public License v2.8 + + + + + Open Market License + + + + + Open Public License v1.0 + + + + + OSET Public License version 2.1 + + + + + Open Software License 1.0 + + + + + Open Software License 1.1 + + + + + Open Software License 2.0 + + + + + Open Software License 2.1 + + + + + Open Software License 3.0 + + + + + OpenSSL License + + + + + ODC Public Domain Dedication & License 1.0 + + + + + PHP License v3.0 + + + + + PHP License v3.01 + + + + + Python Software Foundation License 2.0 + + + + + The Parity Public License 6.0.0 + + + + + The Parity Public License 7.0.0 + + + + + Plexus Classworlds License + + + + + PolyForm Noncommercial License 1.0.0 + + + + + PolyForm Small Business License 1.0.0 + + + + + PostgreSQL License + + + + + Python License 2.0 + + + + + Q Public License 1.0 + + + + + Qhull License + + + + + Red Hat eCos Public License v1.1 + + + + + Reciprocal Public License 1.1 + + + + + Reciprocal Public License 1.5 + + + + + RealNetworks Public Source License v1.0 + + + + + RSA Message-Digest License + + + + + Ricoh Source Code Public License + + + + + Rdisc License + + + + + Ruby License + + + 
+ + Sax Public Domain Notice + + + + + SCEA Shared Source License + + + + + SGI Free Software License B v1.0 + + + + + SGI Free Software License B v1.1 + + + + + SGI Free Software License B v2.0 + + + + + Solderpad Hardware License v0.5 + + + + + Solderpad Hardware License, Version 0.51 + + + + + Sun Industry Standards Source License v1.1 + + + + + Sun Industry Standards Source License v1.2 + + + + + Standard ML of New Jersey License + + + + + Secure Messaging Protocol Public License + + + + + SNIA Public License 1.1 + + + + + Sun Public License v1.0 + + + + + SSH OpenSSH license + + + + + SSH short notice + + + + + Server Side Public License, v 1 + + + + + Scheme Widget Library (SWL) Software License Agreement + + + + + Saxpath License + + + + + Sendmail License + + + + + Sendmail License 8.23 + + + + + Simple Public License 2.0 + + + + + Sleepycat License + + + + + Spencer License 86 + + + + + Spencer License 94 + + + + + Spencer License 99 + + + + + Standard ML of New Jersey License + + + + + SugarCRM Public License v1.1.3 + + + + + TAPR Open Hardware License v1.0 + + + + + TCL/TK License + + + + + TCP Wrappers License + + + + + TMate Open Source License + + + + + TORQUE v2.5+ Software License v1.1 + + + + + Trusster Open Source License + + + + + Technische Universitaet Berlin License 1.0 + + + + + Technische Universitaet Berlin License 2.0 + + + + + Upstream Compatibility License v1.0 + + + + + Universal Permissive License v1.0 + + + + + Unicode License Agreement - Data Files and Software (2015) + + + + + Unicode License Agreement - Data Files and Software (2016) + + + + + Unicode Terms of Use + + + + + The Unlicense + + + + + VOSTROM Public License for Open Source + + + + + Vovida Software License v1.0 + + + + + Vim License + + + + + W3C Software Notice and License (2002-12-31) + + + + + W3C Software Notice and License (1998-07-20) + + + + + W3C Software Notice and Document License (2015-05-13) + + + + + Do What The F*ck You Want To Public License + + + + + 
Sybase Open Watcom Public License 1.0 + + + + + Wsuipa License + + + + + X11 License + + + + + XFree86 License 1.1 + + + + + XSkat License + + + + + Xerox License + + + + + X.Net License + + + + + Yahoo! Public License v1.0 + + + + + Yahoo! Public License v1.1 + + + + + Zope Public License 1.1 + + + + + Zope Public License 2.0 + + + + + Zope Public License 2.1 + + + + + Zed License + + + + + Zend License v2.0 + + + + + Zimbra Public License v1.3 + + + + + Zimbra Public License v1.4 + + + + + zlib License + + + + + SQLite Blessing + + + + + bzip2 and libbzip2 License v1.0.5 + + + + + bzip2 and libbzip2 License v1.0.6 + + + + + copyleft-next 0.3.0 + + + + + copyleft-next 0.3.1 + + + + + curl License + + + + + diffmark license + + + + + dvipdfm License + + + + + eCos license version 2.0 + + + + + eGenix.com Public License 1.1.0 + + + + + Etalab Open License 2.0 + + + + + gSOAP Public License v1.3b + + + + + gnuplot License + + + + + iMatix Standard Function Library Agreement + + + + + PNG Reference Library version 2 + + + + + libselinux public domain notice + + + + + libtiff License + + + + + mpich2 License + + + + + psfrag License + + + + + psutils License + + + + + wxWindows Library License + + + + + xinetd License + + + + + XPP License + + + + + zlib/libpng License with Acknowledgement + + + + + + GCC Runtime Library exception 2.0 + + + + + OpenVPN OpenSSL Exception + + + + + Nokia Qt LGPL exception 1.1 + + + + + GPL-3.0 Linking Exception + + + + + Fawkes Runtime Exception + + + + + U-Boot exception 2.0 + + + + + PS/PDF font exception (2017-08-17) + + + + + GNU JavaMail exception + + + + + LGPL-3.0 Linking Exception + + + + + DigiRule FOSS License Exception + + + + + LLVM Exception + + + + + Linux Syscall Note + + + + + GPL-3.0 Linking Exception (with Corresponding Source) + + + + + Qwt exception 1.0 + + + + + 389 Directory Server Exception + + + + + Macros and Inline Functions Exception + + + + + eCos exception 2.0 + + + + + CLISP exception 2.0 + + + + + Bison 
exception 2.2 + + + + + Libtool Exception + + + + + LZMA exception + + + + + OpenJDK Assembly exception 1.0 + + + + + Font exception 2.0 + + + + + OCaml LGPL Linking Exception + + + + + GCC Runtime Library exception 3.1 + + + + + Bootloader Distribution Exception + + + + + Solderpad Hardware License v2.0 + + + + + Classpath exception 2.0 + + + + + Swift Exception + + + + + Autoconf exception 2.0 + + + + + FLTK exception + + + + + FreeRTOS Exception 2.0 + + + + + Universal FOSS Exception, Version 1.0 + + + + + WxWindows Library Exception 3.1 + + + + + Open CASCADE Exception 1.0 + + + + + Autoconf exception 3.0 + + + + + i2p GPL+Java Exception + + + + + GPL Cooperation Commitment 1.0 + + + + + Qt LGPL exception 1.1 + + + + + Solderpad Hardware License v2.1 + + + + + Qt GPL exception 1.0 + + + + + + \ No newline at end of file diff --git a/schema/cyclonedx/vulnerability.xsd b/schema/cyclonedx/vulnerability.xsd new file mode 100644 index 00000000..2d684745 --- /dev/null +++ b/schema/cyclonedx/vulnerability.xsd 
@@ -0,0 +1,291 @@ + + + + + + + CycloneDX Vulnerability Extension + https://cyclonedx.org/ext/vulnerability + Apache License, Version 2.0 + + + + + + + Textual representation of the severity of the vulnerability adopted by the risk analysis method. + If an other risk analysis method is used other than whats defined in scoreSourceType, + the user is expected to translate appropriately to match with an element value below. + + + + + + + + + + + + + + + + Numerical representation of the vulnerability score. + Must be a number between 0 - 10 (maps to lowest severity - highest severity) + + + + + + + + + + + + + Specifies the risk scoring methodology/standard used. + + + + + + + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/guide + + + + + + + The rating is based on CVSS v3 standard + https://www.first.org/cvss/v3.1/specification-document + + + + + + + The rating is based on OWASP Risk Rating + https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology + + + + + + + The rating is based on Open FAIR specification + http://www.opengroup.org/subjectareas/security/risk + + + + + + + Use this if the risk scoring methodology is not based on any of the options above + + + + + + + + + + Defines the numerical risk score of a vulnerability + + + + + + + + + + The base score of the security vulnerability (Refer CVSS standard for example) + + + + + + + The impact subscore of the security vulnerability (Refer CVSS standard for example) + + + + + + + The exploitability subscore of the security vulnerability (Refer CVSS standard for + example) + + + + + + + + + + + + Textual representation of the metric values used to score the vulnerability + see attack vector in https://www.first.org/cvss/v3.1/specification-document + + + + + + + + + + Defines the structure of a vulnerability. 
+ + + + + + + The id of the vulnerability as defined by the risk scoring methodology + For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842) + + + + + + + + The source of the vulnerability where it is documented. + Usually the name of the organization publishing vulnerability information + + + + + + + The url of the vulnerability documentation as provided by the source + For example https://nvd.nist.gov/vuln/detail/CVE-2019-15842 + + + + + + + + The name of the source. For example "National Vulnerability Database" + + + + + + + + + List of the vulnerability ratings as defined by various risk rating methodologies. + + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + + Description of the vulnerability as provided by the source organization + + + + + + + + The remediation options for the vulnerability if available + + + + + + + A recommendation of how the particular vulnerability can be avoided/mitigated. + + + + + + + + + + + Published advisories of the vulnerability if provided + + + + + + + + + + + References a component by the components bom-ref attribute + + + + + + + + Defines a list of vulnerabilities. + Vulnerabilities are intended to be used inside the BOM component element. + Extending a component ability to declare associated vulnerability information. + Each component element optionally can add a vulnerabilities element. + + + + + + + + +