grype currently produces CYCLONE-DX SBOM that are not compliant with the cyclone-dx tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CYCLONE-DX SBOM components along with the discovered vulnerabilities. For more context on impacted issues: https://github.com/anchore/grype/issues/796 https://github.com/anchore/grype/issues/951
<?xml version="1.0" encoding="UTF-8"?>
<!--
CycloneDX Software Bill-of-Material (SBoM) Specification

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Copy of the CycloneDX 1.4 XML schema (schema document version 1.4.1, see the version
     attribute below). The root xs:schema element continues past the end of this chunk. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
           xmlns:bom="http://cyclonedx.org/schema/bom/1.4"
           xmlns:spdx="http://cyclonedx.org/schema/spdx"
           elementFormDefault="qualified"
           targetNamespace="http://cyclonedx.org/schema/bom/1.4"
           vc:minVersion="1.0"
           vc:maxVersion="1.1"
           version="1.4.1">

  <!-- schemaLocation is a resolution hint only: a validator should resolve spdx.xsd from the
       same local copy as this file rather than fetching it over the network. -->
  <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>

  <xs:annotation>
    <xs:documentation>
      <name>CycloneDX Software Bill of Materials Standard</name>
      <url>https://cyclonedx.org/</url>
      <license uri="http://www.apache.org/licenses/LICENSE-2.0"
               version="2.0">Apache License, Version 2.0</license>
    </xs:documentation>
  </xs:annotation>
<!-- Unconstrained string identifier; used by bom-ref attributes to link elements within a BOM.
     No format or uniqueness is enforced by this type itself. -->
<xs:simpleType name="refType">
  <xs:annotation>
    <xs:documentation>Identifier-DataType for interlinked elements.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string" />
</xs:simpleType>
<!-- BOM-level metadata: creation timestamp, producing tools and authors, the component the BOM
     describes, its manufacturer/supplier, licenses and free-form properties. Every child is
     optional. -->
<xs:complexType name="metadata">
  <xs:sequence minOccurs="0" maxOccurs="1">
    <xs:element name="timestamp" type="xs:dateTime" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The date and time (timestamp) when the BOM was created.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="tools" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The tool(s) used in the creation of the BOM.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
          <xs:element name="tool" minOccurs="0" type="bom:toolType"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="authors" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The person(s) who created the BOM. Authors are common in BOMs created through
manual processes. BOMs created through automated means may not have authors.</xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
          <xs:element name="author" type="bom:organizationalContact"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="component" type="bom:component" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The component that the BOM describes.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="manufacture" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The organization that manufactured the component that the BOM describes.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The organization that supplied the component that the BOM describes. The
supplier may often be the manufacturer, but may also be a distributor or repackager.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
    <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Provides the ability to document properties in a key/value store.
This provides flexibility to include data not officially supported in the standard
without having to use additional namespaces or create extensions. Property names
of interest to the general public are encouraged to be registered in the
CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
Formal registration is OPTIONAL.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <!-- processContents="lax": foreign-namespace elements are validated only if a schema for
         them happens to be loaded, so consumers must treat extension content as unvalidated. -->
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <xs:anyAttribute namespace="##other" processContents="lax">
    <xs:annotation>
      <xs:documentation>User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.</xs:documentation>
    </xs:annotation>
  </xs:anyAttribute>
</xs:complexType>
<!-- An organization (manufacturer, supplier, ...): optional name, any number of URLs and
     contacts, plus lax foreign-namespace extension elements and attributes. -->
<xs:complexType name="organizationalEntity">
  <xs:sequence minOccurs="0" maxOccurs="1">
    <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The name of the organization</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The URL of the organization. Multiple URLs are allowed.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="contact" type="bom:organizationalContact" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>A contact person at the organization. Multiple contacts are allowed.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <xs:anyAttribute namespace="##other" processContents="lax">
    <xs:annotation>
      <xs:documentation>User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.</xs:documentation>
    </xs:annotation>
  </xs:anyAttribute>
</xs:complexType>
<!-- Describes a tool that produced the BOM (vendor/name/version), optionally with hashes of the
     tool itself and external references. All children are optional. -->
<xs:complexType name="toolType">
  <xs:annotation>
    <xs:documentation>Information about the automated or manual tool used</xs:documentation>
  </xs:annotation>
  <xs:sequence minOccurs="0" maxOccurs="1">
    <xs:element name="vendor" minOccurs="0" maxOccurs="1" type="xs:normalizedString">
      <xs:annotation>
        <xs:documentation>The name of the vendor who created the tool</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="name" minOccurs="0" maxOccurs="1" type="xs:normalizedString">
      <xs:annotation>
        <xs:documentation>The name of the tool</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="version" minOccurs="0" maxOccurs="1" type="xs:normalizedString">
      <xs:annotation>
        <xs:documentation>The version of the tool</xs:documentation>
      </xs:annotation>
    </xs:element>
    <!-- Same anonymous hashes wrapper as on component: zero or more bom:hashType entries. -->
    <xs:element name="hashes" minOccurs="0" maxOccurs="1">
      <xs:complexType>
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
          <xs:element name="hash" type="bom:hashType"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Provides the ability to document external references related to the tool.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <xs:anyAttribute namespace="##other" processContents="lax">
    <xs:annotation>
      <xs:documentation>User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.</xs:documentation>
    </xs:annotation>
  </xs:anyAttribute>
</xs:complexType>
<!-- A person: optional name, email and phone, each a normalizedString with no format
     restriction (an email value is not validated as an address by this schema). -->
<xs:complexType name="organizationalContact">
  <xs:sequence minOccurs="0" maxOccurs="1">
    <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The name of the contact</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="email" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The email address of the contact.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="phone" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The phone number of the contact.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <xs:anyAttribute namespace="##other" processContents="lax">
    <xs:annotation>
      <xs:documentation>User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.</xs:documentation>
    </xs:annotation>
  </xs:anyAttribute>
</xs:complexType>
<!-- A list of components, each followed by optional foreign-namespace extension elements. -->
<xs:complexType name="componentsType">
  <xs:sequence minOccurs="0" maxOccurs="unbounded">
    <xs:element name="component" type="bom:component"/>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <!-- NOTE(review): namespace="##any" here, whereas metadata/organizationalEntity/toolType use
       "##other". "##any" also admits undeclared attributes in the bom namespace itself, which
       lax processing then accepts without validation. Kept as in the upstream schema. -->
  <xs:anyAttribute namespace="##any" processContents="lax">
    <xs:annotation>
      <xs:documentation>User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.</xs:documentation>
    </xs:annotation>
  </xs:anyAttribute>
</xs:complexType>
<!-- A single component (software, hardware, file, ...). Only the name element and the type
     attribute are required; everything else is optional. Child order is fixed by the sequence. -->
<xs:complexType name="component">
  <xs:sequence>
    <xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The organization that supplied the component. The supplier may often
be the manufacturer, but may also be a distributor or repackager.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="author" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The person(s) or organization(s) that authored the component</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="publisher" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The person(s) or organization(s) that published the component</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The grouping name or identifier. This will often be a shortened, single
name of the company or project that produced the component, or the source package or
domain name. Whitespace and special characters should be avoided. Examples include:
apache, org.apache.commons, and apache.org.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <!-- The only mandatory child element. -->
    <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The name of the component. This will often be a shortened, single name
of the component. Examples: commons-lang3 and jquery</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="version" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The component version. The version should ideally comply with semantic versioning
but is not enforced.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Specifies a description for the component</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="scope" type="bom:scope" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Specifies the scope of the component. If scope is not specified, 'required'
scope SHOULD be assumed by the consumer of the BOM.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="hashes" minOccurs="0" maxOccurs="1">
      <xs:complexType>
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
          <xs:element name="hash" type="bom:hashType"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
    <xs:element name="copyright" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>A copyright notice informing users of the underlying claims to
copyright ownership in a published work.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <!-- Syntax-checked by the bom:cpe pattern. -->
    <xs:element name="cpe" type="bom:cpe" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>
Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe
        </xs:documentation>
      </xs:annotation>
    </xs:element>
    <!-- Typed only as xs:anyURI: purl syntax is documented as MUST but is not checked here. -->
    <xs:element name="purl" type="xs:anyURI" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>
Specifies the package-url (purl). The purl, if specified, MUST be valid and conform
to the specification defined at: https://github.com/package-url/purl-spec
        </xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="swid" type="bom:swidType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>
Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
        </xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="modified" type="xs:boolean" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>
DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree
element instead to supply information on exactly how the component was modified.
A boolean value indicating if the component has been modified from the original.
A value of true indicates the component is a derivative of the original.
A value of false indicates the component has not been modified from the original.
        </xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="pedigree" type="bom:pedigreeType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>
Component pedigree is a way to document complex supply chain scenarios where components are
created, distributed, modified, redistributed, combined with other components, etc.
        </xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Provides the ability to document external references related to the
component or to the project the component describes.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Provides the ability to document properties in a key/value store.
This provides flexibility to include data not officially supported in the standard
without having to use additional namespaces or create extensions. Property names
of interest to the general public are encouraged to be registered in the
CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
Formal registration is OPTIONAL.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <!-- Recursive: nested components use bom:component, so nesting depth is unbounded by the
         schema; consumers should bound depth when parsing untrusted BOMs. -->
    <xs:element name="components" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>
A list of software and hardware components included in the parent component. This is not a
dependency tree. It provides a way to specify a hierarchical representation of component
assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
        </xs:documentation>
      </xs:annotation>
      <xs:complexType>
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
          <xs:element name="component" type="bom:component"/>
          <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
            <xs:annotation>
              <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
              </xs:documentation>
            </xs:annotation>
          </xs:any>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:element name="evidence" type="bom:componentEvidenceType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Provides the ability to document evidence collected through various forms of extraction or analysis.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="releaseNotes" type="bom:releaseNotesType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Specifies optional release notes.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <!-- The only required attribute; values come from the bom:classification enumeration. -->
  <xs:attribute name="type" type="bom:classification" use="required">
    <xs:annotation>
      <xs:documentation>
Specifies the type of component. For software components, classify as application if no more
specific appropriate classification is available or cannot be determined for the component.
      </xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="mime-type" type="bom:mimeType">
    <xs:annotation>
      <xs:documentation>
The OPTIONAL mime-type of the component. When used on file components, the mime-type
can provide additional context about the kind of file being represented such as an image,
font, or executable. Some library or framework components may also have an associated mime-type.
      </xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <!-- NOTE(review): bom:refType is a plain xs:string and no xs:unique/xs:key constraint is visible
       in this part of the file, so the uniqueness described below is a documented requirement that
       consumers must check themselves; confirm against the root bom element later in the schema. -->
  <xs:attribute name="bom-ref" type="bom:refType">
    <xs:annotation>
      <xs:documentation>
An optional identifier which can be used to reference the component elsewhere in the BOM.
Uniqueness is enforced within all elements and children of the root-level bom element.
      </xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <!-- "##any" (not "##other"): undeclared attributes in the bom namespace are also accepted laxly. -->
  <xs:anyAttribute namespace="##any" processContents="lax">
    <xs:annotation>
      <xs:documentation>User-defined attributes may be used on this element as long as they
do not have the same name as an existing attribute used by the schema.</xs:documentation>
    </xs:annotation>
  </xs:anyAttribute>
</xs:complexType>
<!-- A license identified either by SPDX id or by free-text name, with optional attached text
     and URL. -->
<xs:complexType name="licenseType">
  <xs:sequence>
    <!-- Both branches of the choice are minOccurs="0", so a license element with neither an
         id nor a name still validates; consumers must handle an unidentified license. -->
    <xs:choice>
      <xs:element name="id" type="spdx:licenseId" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>A valid SPDX license ID</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>If SPDX does not define the license used, this field may be used to provide the license name</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
    <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Specifies the optional full text of the attachment</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The URL to the attachment file. If the attachment is a license or BOM,
an externalReference should also be specified for completeness.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
</xs:complexType>
<!-- Arbitrary text payload (license text, SWID tag, ...) carried inline. The content is an
     unrestricted xs:string; with encoding="base64" the decoded bytes can be anything, so the
     content-type attribute is an unverified label, not a guarantee about the payload. -->
<xs:complexType name="attachedTextType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:annotation>
        <xs:documentation>The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.</xs:documentation>
      </xs:annotation>
      <!-- Defaults to text/plain when absent; not constrained to the bom:mimeType pattern. -->
      <xs:attribute name="content-type" type="xs:normalizedString" default="text/plain">
        <xs:annotation>
          <xs:documentation>Specifies the content type of the text. Defaults to text/plain
if not specified.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <!-- Only "base64" is defined by bom:encoding; absent means the text is literal. -->
      <xs:attribute name="encoding" type="bom:encoding">
        <xs:annotation>
          <xs:documentation>
Specifies the optional encoding the text is represented in
          </xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<!-- A digest: hex value (bom:hashValue) plus the algorithm name in the alg attribute.
     The schema does not cross-check the digest length against alg (e.g. a 64-hex-digit value
     with alg="MD5" validates); consumers verifying integrity must check that themselves. -->
<xs:complexType name="hashType">
  <xs:annotation>
    <xs:documentation>Specifies the file hash of the component</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:extension base="bom:hashValue">
      <xs:attribute name="alg" type="bom:hashAlg" use="required">
        <xs:annotation>
          <xs:documentation>Specifies the algorithm used to create the hash</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<!-- Runtime relevance of a component: required (default when absent, per the component element's
     documentation), optional or excluded. -->
<xs:simpleType name="scope">
  <xs:restriction base="xs:string">
    <xs:enumeration value="required">
      <xs:annotation>
        <xs:documentation>The component is required for runtime</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="optional">
      <xs:annotation>
        <xs:documentation>The component is optional at runtime. Optional components are components that
are not capable of being called due to them not be installed or otherwise accessible by any means.
Components that are installed but due to configuration or other restrictions are prohibited from
being called must be scoped as 'required'.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="excluded">
      <xs:annotation>
        <xs:documentation>Components that are excluded provide the ability to document component usage
for test and other non-runtime purposes. Excluded components are not reachable within a call
graph at runtime.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
<!-- Component kinds accepted by the required type attribute on bom:component. Values are
     lowercase, hyphen-separated. -->
<xs:simpleType name="classification">
  <xs:restriction base="xs:string">
    <xs:enumeration value="application">
      <xs:annotation>
        <xs:documentation>A software application. Refer to https://en.wikipedia.org/wiki/Application_software
for information about applications.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="framework">
      <xs:annotation>
        <xs:documentation>A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework
for information on how frameworks vary slightly from libraries.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="library">
      <xs:annotation>
        <xs:documentation>A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing)
for information about libraries. All third-party and open source reusable components will likely
be a library. If the library also has key features of a framework, then it should be classified
as a framework. If not, or is unknown, then specifying library is recommended.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="container">
      <xs:annotation>
        <xs:documentation>A packaging and/or runtime format, not specific to any particular technology,
which isolates software inside the container from software outside of a container through
virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="operating-system">
      <xs:annotation>
        <xs:documentation>A software operating system without regard to deployment model
(i.e. installed on physical hardware, virtual machine, image, etc) Refer to
https://en.wikipedia.org/wiki/Operating_system</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="device">
      <xs:annotation>
        <xs:documentation>A hardware device such as a processor, or chip-set. A hardware device
containing firmware SHOULD include a component for the physical hardware itself, and another
component of type 'firmware' or 'operating-system' (whichever is relevant), describing
information about the software running on the device.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="firmware">
      <xs:annotation>
        <xs:documentation>A special type of software that provides low-level control over a devices
hardware. Refer to https://en.wikipedia.org/wiki/Firmware</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="file">
      <xs:annotation>
        <xs:documentation>A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file
for information about files.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
<!-- Digest algorithm names permitted in hashType/@alg (case-sensitive, as written here).
     MD5 and SHA-1 are accepted by the schema for interoperability; consumers using a hash
     as an integrity check should not rely on those two as collision-resistant. -->
<xs:simpleType name="hashAlg">
  <xs:restriction base="xs:string">
    <xs:enumeration value="MD5"/>
    <xs:enumeration value="SHA-1"/>
    <xs:enumeration value="SHA-256"/>
    <xs:enumeration value="SHA-384"/>
    <xs:enumeration value="SHA-512"/>
    <xs:enumeration value="SHA3-256"/>
    <xs:enumeration value="SHA3-384"/>
    <xs:enumeration value="SHA3-512"/>
    <xs:enumeration value="BLAKE2b-256"/>
    <xs:enumeration value="BLAKE2b-384"/>
    <xs:enumeration value="BLAKE2b-512"/>
    <xs:enumeration value="BLAKE3"/>
  </xs:restriction>
</xs:simpleType>
<!-- Hex digest of exactly 32, 40, 64, 96 or 128 digits (128/160/256/384/512-bit outputs),
     either case. The length is not tied to the algorithm chosen in hashType/@alg. -->
<xs:simpleType name="hashValue">
  <xs:restriction base="xs:token">
    <xs:pattern value="([a-fA-F0-9]{32})|([a-fA-F0-9]{40})|([a-fA-F0-9]{64})|([a-fA-F0-9]{96})|([a-fA-F0-9]{128})"/>
  </xs:restriction>
</xs:simpleType>
<!-- type/subtype media type. The character classes are lowercase only, so a value such as
     "Application/JSON" fails validation; producers should lowercase before emitting. -->
<xs:simpleType name="mimeType">
  <xs:restriction base="xs:token">
    <xs:pattern value="[-+a-z0-9.]+/[-+a-z0-9.]+"/>
  </xs:restriction>
</xs:simpleType>
<!-- Transfer encoding for attachedTextType content; base64 is the only value defined. -->
<xs:simpleType name="encoding">
  <xs:restriction base="xs:string">
    <xs:enumeration value="base64"/>
  </xs:restriction>
</xs:simpleType>
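<!-- CPE 2.2 URI or CPE 2.3 formatted-string syntax check. The special-character class in the
     2.3 branch must be written with XML entities (&quot; &amp; &lt; &gt;): literal ", & and <
     inside an attribute value are not well-formed XML and would make the whole schema unloadable.
     NOTE(review): the 2.3 branch nests quantifiers ((\?*|\*?)(...)+(\?*|\*?)); on long
     non-matching input some regex engines backtrack heavily, so bound input length before
     validating untrusted BOMs. -->
<xs:simpleType name="cpe">
  <xs:annotation>
    <xs:documentation xml:lang="en">
Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats.
Refer to https://nvd.nist.gov/products/cpe for official specification.
    </xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:pattern value="([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})|(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!&quot;#$$%&amp;'\(\)\+,/:;&lt;=&gt;@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!&quot;#$$%&amp;'\(\)\+,/:;&lt;=&gt;@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})"/>
  </xs:restriction>
</xs:simpleType>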
<!-- ISO/IEC 19770-2 SWID tag reference: inline tag text and/or URL, plus the identifying
     attributes of the SoftwareIdentity. tagId and name are required; version, tagVersion and
     patch carry schema defaults ("0.0", 0, false) when omitted. -->
<xs:complexType name="swidType">
  <xs:sequence>
    <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>Specifies the full content of the SWID tag.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1">
      <xs:annotation>
        <xs:documentation>The URL to the SWID file.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>
Allows any undeclared elements as long as the elements are placed in a different namespace.
        </xs:documentation>
      </xs:annotation>
    </xs:any>
  </xs:sequence>
  <xs:attribute name="tagId" type="xs:string" use="required">
    <xs:annotation>
      <xs:documentation>Maps to the tagId of a SoftwareIdentity.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="xs:string" use="required">
    <xs:annotation>
      <xs:documentation>Maps to the name of a SoftwareIdentity.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="version" type="xs:string" use="optional" default="0.0">
    <xs:annotation>
      <xs:documentation>Maps to the version of a SoftwareIdentity.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="tagVersion" type="xs:integer" use="optional" default="0">
    <xs:annotation>
      <xs:documentation>Maps to the tagVersion of a SoftwareIdentity.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="patch" type="xs:boolean" use="optional" default="false">
    <xs:annotation>
      <xs:documentation>Maps to the patch of a SoftwareIdentity.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
<!-- UUID in lowercase hex only. The top-level alternation admits two spellings: the
     "urn:uuid:" prefixed form, or a bare brace-wrapped "{...}" form with no prefix.
     Uppercase hex does not match either branch. -->
<xs:simpleType name="urnUuid">
  <xs:annotation>
    <xs:documentation xml:lang="en">
Defines a string representation of a UUID conforming to RFC 4122.
    </xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:pattern value="urn:uuid:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})|(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})"/>
  </xs:restriction>
</xs:simpleType>
<xs:simpleType name="externalReferenceType">
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="vcs">
|
|
<xs:annotation>
|
|
<xs:documentation>Version Control System</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="issue-tracker">
|
|
<xs:annotation>
|
|
<xs:documentation>Issue or defect tracking system, or an Application Lifecycle Management (ALM) system</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="website">
|
|
<xs:annotation>
|
|
<xs:documentation>Website</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="advisories">
|
|
<xs:annotation>
|
|
<xs:documentation>Security advisories</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="bom">
|
|
<xs:annotation>
|
|
<xs:documentation>Bill-of-material document (CycloneDX, SPDX, SWID, etc)</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="mailing-list">
|
|
<xs:annotation>
|
|
<xs:documentation>Mailing list or discussion group</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="social">
|
|
<xs:annotation>
|
|
<xs:documentation>Social media account</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="chat">
|
|
<xs:annotation>
|
|
<xs:documentation>Real-time chat platform</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="documentation">
|
|
<xs:annotation>
|
|
<xs:documentation>Documentation, guides, or how-to instructions</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="support">
|
|
<xs:annotation>
|
|
<xs:documentation>Community or commercial support</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="distribution">
|
|
<xs:annotation>
|
|
<xs:documentation>Direct or repository download location</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="license">
|
|
<xs:annotation>
|
|
<xs:documentation>The URL to the license file. If a license URL has been defined in the license
|
|
node, it should also be defined as an external reference for completeness</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="build-meta">
|
|
<xs:annotation>
|
|
<xs:documentation>Build-system specific meta file (e.g. pom.xml, package.json, .nuspec, etc.)</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="build-system">
|
|
<xs:annotation>
|
|
<xs:documentation>URL to an automated build system</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="release-notes">
|
|
<xs:annotation>
|
|
<xs:documentation>URL to release notes</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="other">
|
|
<xs:annotation>
|
|
<xs:documentation>Use this if no other types accurately describe the purpose of the external reference</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:complexType name="externalReferences">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
External references provide a way to document systems, sites, and information that may be relevant
|
|
but which are not included with the BOM.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="reference" type="bom:externalReference">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Zero or more external references can be defined</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="externalReference">
|
|
<xs:sequence>
|
|
<xs:element name="url" type="xs:anyURI" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The URL to the external reference. Consumers should treat this value as untrusted input from the BOM author rather than dereference it automatically; when content is fetched from it, the optional hashes element on this reference can be used to verify what was retrieved.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="comment" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">An optional comment describing the external reference</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="hashes" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="hash" type="bom:hashType"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
<xs:attribute name="type" type="bom:externalReferenceType" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the type of external reference. There are built-in types to describe common
|
|
references. If a type does not exist for the reference being referred to, use the "other" type.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="commitsType">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Zero or more commits can be specified.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="commit" type="bom:commitType">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Specifies an individual commit.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="commitType">
|
|
<xs:sequence>
|
|
<xs:element name="uid" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">A unique identifier of the commit. This may be version control
|
|
specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The URL to the commit. This URL will typically point to a commit
|
|
in a version control system.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="author" type="bom:identifiableActionType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The author who created the changes in the commit</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="committer" type="bom:identifiableActionType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The person who committed or pushed the commit</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="message" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The text description of the contents of the commit</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="patchesType">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Zero or more patches can be specified.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="patch" type="bom:patchType">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Specifies an individual patch.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="patchType">
|
|
<xs:sequence>
|
|
<xs:element name="diff" type="bom:diffType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The patch file (or diff) that shows the changes.
|
|
Refer to https://en.wikipedia.org/wiki/Diff</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="resolves" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="issue" type="bom:issueType"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:attribute name="type" type="bom:patchClassification" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the purpose for the patch including the resolution of defects,
|
|
security issues, or new behavior or functionality</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
</xs:complexType>
|
|
|
|
<xs:simpleType name="patchClassification">
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="unofficial">
|
|
<xs:annotation>
|
|
<xs:documentation>A patch which is not developed by the creators or maintainers of the software
|
|
being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="monkey">
|
|
<xs:annotation>
|
|
<xs:documentation>A patch which dynamically modifies runtime behavior.
|
|
Refer to https://en.wikipedia.org/wiki/Monkey_patch</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="backport">
|
|
<xs:annotation>
|
|
<xs:documentation>A patch which takes code from a newer version of software and applies
|
|
it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="cherry-pick">
|
|
<xs:annotation>
|
|
<xs:documentation>A patch created by selectively applying commits from other versions or
|
|
branches of the same software.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="issueClassification">
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="defect">
|
|
<xs:annotation>
|
|
<xs:documentation>A fault, flaw, or bug in software</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="enhancement">
|
|
<xs:annotation>
|
|
<xs:documentation>A new feature or behavior in software</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="security">
|
|
<xs:annotation>
|
|
<xs:documentation>A special type of defect which impacts security</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:complexType name="diffType">
|
|
<xs:sequence>
|
|
<xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Specifies the optional text of the diff</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Specifies the URL to the diff</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="issueType">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
An individual issue that has been resolved.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence>
|
|
<xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The identifier of the issue assigned by the source of the issue</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The name of the issue</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">A description of the issue</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="source" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
The source of the issue where it is documented.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence>
|
|
<xs:element name="name" minOccurs="0" type="xs:normalizedString" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
The name of the source. For example "National Vulnerability Database",
|
|
"NVD", and "Apache"
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="url" minOccurs="0" type="xs:anyURI" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
The URL of the issue documentation as provided by the source
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="references" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="url" type="xs:anyURI"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:attribute name="type" type="bom:issueClassification" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the type of issue</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="identifiableActionType">
|
|
<xs:sequence>
|
|
<xs:element name="timestamp" type="xs:dateTime" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The timestamp in which the action occurred</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The name of the individual who performed the action</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="email" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">The email address of the individual who performed the action</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="pedigreeType">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Component pedigree is a way to document complex supply chain scenarios where components are created,
|
|
distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing
|
|
this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to
|
|
document variants where the exact relation may not be known.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence>
|
|
<xs:element name="ancestors" type="bom:componentsType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Describes zero or more components from which a component is derived.
This is commonly used to describe forks from existing projects where the forked version
contains an ancestor node containing the original component it was forked from. For example,
Component A is the original component. Component B is the component being used and documented
in the BOM. However, Component B contains a pedigree node with a single ancestor documenting
Component A - the original component from which Component B is derived.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="descendants" type="bom:componentsType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Descendants are the exact opposite of ancestors. This provides a
|
|
way to document all forks (and their forks) of an original or root component.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="variants" type="bom:componentsType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Variants describe relations where the relationship between the
|
|
components are not known. For example, if Component A contains nearly identical code to
|
|
Component B. They are both related, but it is unclear if one is derived from the other,
|
|
or if they share a common ancestor.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="commits" type="bom:commitsType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">A list of zero or more commits which provide a trail describing
|
|
how the component deviates from an ancestor, descendant, or variant.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="patches" type="bom:patchesType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">A list of zero or more patches describing how the component
|
|
deviates from an ancestor, descendant, or variant. Patches may be complementary to commits
|
|
or may be used in place of commits.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">Notes, observations, and other non-structured commentary
|
|
describing the component's pedigree.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="dependencyType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="dependency" type="bom:dependencyType"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="ref" type="bom:refType" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>References a component or service by its bom-ref attribute</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
<xs:anyAttribute namespace="##other" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="dependenciesType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="dependency" type="bom:dependencyType">
|
|
<xs:annotation>
|
|
<xs:documentation>Components that do not have their own dependencies MUST be declared as empty
|
|
elements within the graph. Components that are not represented in the dependency graph MAY
|
|
have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque
|
|
and not an indicator of a component being dependency-free.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="servicesType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="service" type="bom:service"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="service">
|
|
<xs:sequence>
|
|
<xs:element name="provider" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The organization that provides the service.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The grouping name, namespace, or identifier. This will often be a shortened,
|
|
single name of the company or project that produced the service, or a domain name.
|
|
Whitespace and special characters should be avoided.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The name of the service. This will often be a shortened, single name
|
|
of the service.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="version" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The service version.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies a description for the service.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="endpoints" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="endpoint" type="xs:anyURI" minOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A service endpoint URI.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="authenticated" type="xs:boolean" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A boolean value indicating if the service requires authentication.
|
|
A value of true indicates the service requires authentication prior to use.
|
|
A value of false indicates the service does not require authentication.
If the element is omitted, no statement is made about whether authentication is required.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="x-trust-boundary" type="xs:boolean" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A boolean value indicating if use of the service crosses a trust zone or boundary.
|
|
A value of true indicates that by using the service, a trust boundary is crossed.
|
|
A value of false indicates that by using the service, a trust boundary is not crossed.
If the element is omitted, no statement is made about trust boundaries.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="data" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="classification" type="bom:dataClassificationType">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the data classification.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
|
|
<xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Provides the ability to document external references related to the service.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Provides the ability to document properties in a key/value store.
|
|
This provides flexibility to include data not officially supported in the standard
|
|
without having to use additional namespaces or create extensions. Property names
|
|
of interest to the general public are encouraged to be registered in the
|
|
CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
|
|
Formal registration is OPTIONAL.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="services" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
A list of services included or deployed behind the parent service. This is not a dependency
|
|
tree. It provides a way to specify a hierarchical representation of service assemblies.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="service" type="bom:service"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="releaseNotes" type="bom:releaseNotesType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies optional release notes.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:attribute name="bom-ref" type="bom:refType">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
An optional identifier which can be used to reference the service elsewhere in the BOM.
|
|
Uniqueness is enforced within all elements and children of the root-level bom element.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="dataClassificationType">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the data classification.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:normalizedString">
|
|
<xs:attribute name="flow" type="bom:dataFlowType" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the flow direction of the data.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
|
|
<xs:simpleType name="dataFlowType">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the flow direction of the data. Valid values are:
|
|
inbound, outbound, bi-directional, and unknown. Direction is relative to the service.
|
|
Inbound flow states that data enters the service. Outbound flow states that data
|
|
leaves the service. Bi-directional states that data flows both ways, and unknown
|
|
states that the direction is not known.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="inbound"/>
|
|
<xs:enumeration value="outbound"/>
|
|
<xs:enumeration value="bi-directional"/>
|
|
<xs:enumeration value="unknown"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:complexType name="licenseChoiceType">
|
|
<xs:choice>
|
|
<xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element name="expression" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A valid SPDX license expression.
|
|
Refer to https://spdx.org/specifications for syntax requirements</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:choice>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="copyrightsType">
|
|
<xs:sequence>
|
|
<xs:element name="text" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="componentEvidenceType">
|
|
<xs:sequence>
|
|
<xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
|
|
<xs:element name="copyright" type="bom:copyrightsType" minOccurs="0" maxOccurs="1"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="compositionsType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="composition" type="bom:compositionType"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="compositionType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="aggregate" type="bom:aggregateType" default="not_specified">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies an aggregate type that describes how complete a relationship is.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="assemblies" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The bom-ref identifiers of the components or services being described. Assemblies refer to
|
|
nested relationships whereby a constituent part may include other constituent parts. References
|
|
do not cascade to child parts. References are explicit for the specified constituent part only.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="assembly" type="bom:bomReferenceType"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="dependencies" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The bom-ref identifiers of the components or services being described. Dependencies refer to a
|
|
relationship whereby an independent constituent part requires another independent constituent
|
|
part. References do not cascade to transitive dependencies. References are explicit for the
|
|
specified dependency only.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="dependency" type="bom:bomReferenceType"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:simpleType name="aggregateType">
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="complete">
|
|
<xs:annotation>
|
|
<xs:documentation>The relationship is complete. No further relationships including constituent components, services, or dependencies exist.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="incomplete">
|
|
<xs:annotation>
|
|
<xs:documentation>The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="incomplete_first_party_only">
|
|
<xs:annotation>
|
|
<xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="incomplete_third_party_only">
|
|
<xs:annotation>
|
|
<xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="unknown">
|
|
<xs:annotation>
|
|
<xs:documentation>The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="not_specified">
|
|
<xs:annotation>
|
|
<xs:documentation>The relationship completeness is not specified.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="localeType">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Defines a syntax for representing a two-character language code (ISO-639) followed by an optional
two-character country code. The language code MUST be lower case. If the country code is specified, the
country code MUST be upper case. The language code and country code MUST be separated by a minus sign (hyphen).
Examples: en, en-US, fr, fr-CA
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:restriction base="xs:string">
|
|
<xs:pattern value="([a-z]{2})(-[A-Z]{2})?"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:complexType name="releaseNotesType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="type" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The software versioning type. It is RECOMMENDED that the release type use one
|
|
of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software
|
|
release types is not practical, so standardizing on the recommended values, whenever possible,
|
|
is strongly encouraged.
|
|
* major = A major release may contain significant changes or may introduce breaking changes.
|
|
* minor = A minor release, also known as an update, may contain a smaller number of changes than major releases.
|
|
* patch = Patch releases are typically unplanned and may resolve defects or important security issues.
|
|
* pre-release = A pre-release may include alpha, beta, or release candidates and typically has
limited support. It provides the ability to preview a release prior to its general availability.
|
|
* internal = Internal releases are not for public consumption and are intended to be used exclusively
|
|
by the project or manufacturer that produced it.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="title" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The title of the release.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="featuredImage" type="xs:anyURI" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The URL to an image that may be prominently displayed with the release note.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="socialImage" type="xs:anyURI" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The URL to an image that may be used in messaging on social media platforms.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A short description of the release.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="timestamp" type="xs:dateTime" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The date and time (timestamp) when the release note was created.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="aliases" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="alias" type="xs:normalizedString">
|
|
<xs:annotation>
|
|
<xs:documentation>One or more alternate names by which the release may be referred to. This may
include unofficial terms used by development and marketing teams (e.g. code names).</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="tags" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="tag" type="xs:normalizedString">
|
|
<xs:annotation>
|
|
<xs:documentation>One or more tags that may aid in search or retrieval of the release note.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="resolves" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A collection of issues that have been resolved.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="issue" type="bom:issueType"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="notes" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="note">
|
|
<xs:annotation>
|
|
<xs:documentation>Zero or more release notes containing the locale and content. Multiple
|
|
note elements may be specified to support release notes in a wide variety of languages.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="locale" type="bom:localeType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The ISO-639 (or higher) language code and optional ISO-3166
|
|
(or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="text" type="bom:attachedTextType" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies the full content of the release note.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Provides the ability to document properties in a key/value store.
|
|
This provides flexibility to include data not officially supported in the standard
|
|
without having to use additional namespaces or create extensions. Property names
|
|
of interest to the general public are encouraged to be registered in the
|
|
CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
|
|
Formal registration is OPTIONAL.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="bomReferenceType">
|
|
<xs:attribute name="ref" type="bom:refType" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>References a component or service by its bom-ref attribute</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
<xs:anyAttribute namespace="##other" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="propertiesType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="property" type="bom:propertyType"/>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="propertyType">
|
|
<xs:annotation>
|
|
<xs:documentation>Specifies an individual property with a name and value.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:normalizedString">
|
|
<xs:attribute name="name" type="xs:string" use="required">
|
|
<xs:annotation>
|
|
<xs:documentation>The name of the property. Duplicate names are allowed, each potentially having a different value.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="vulnerabilitiesType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="vulnerability" type="bom:vulnerabilityType">
|
|
<xs:annotation>
|
|
<xs:documentation>Defines a weakness in a component or service that could be exploited or triggered by a threat source.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
<xs:anyAttribute namespace="##any" processContents="lax">
|
|
<xs:annotation>
|
|
<xs:documentation>User-defined attributes may be used on this element as long as they
|
|
do not have the same name as an existing attribute used by the schema.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:anyAttribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="vulnerabilityType">
|
|
<xs:sequence minOccurs="0" maxOccurs="1">
|
|
<xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The identifier that uniquely identifies the vulnerability. For example:
|
|
CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The source that published the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="references" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Zero or more pointers to vulnerabilities that are the equivalent of the
|
|
vulnerability specified. Often, the same vulnerability may exist in multiple sources of
|
|
vulnerability intelligence, but have different identifiers. References provide a way to
|
|
correlate vulnerabilities across multiple sources of vulnerability intelligence.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="reference">
|
|
<xs:annotation>
|
|
<xs:documentation>A pointer to a vulnerability that is the equivalent of the
|
|
vulnerability specified.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="1" maxOccurs="1">
|
|
<xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The identifier that uniquely identifies the vulnerability. For example:
|
|
CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The source that published the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Allows any undeclared elements as long as the elements are placed in a different namespace.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:any>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="ratings" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">List of vulnerability ratings.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element name="rating" type="bom:ratingType" minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="cwes" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
List of Common Weakness Enumeration (CWE) codes that describe this vulnerability.
For example, 399 (see https://cwe.mitre.org/data/definitions/399.html)
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence>
|
|
<xs:element name="cwe" type="xs:integer" minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A description of the vulnerability as provided by the source.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>If available, an in-depth description of the vulnerability as provided by the
|
|
source organization. Details often include examples, proof-of-concepts, and other information
|
|
useful in understanding root cause.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="recommendation" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Recommendations of how the vulnerability can be remediated or mitigated.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="advisories" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Published advisories of the vulnerability if provided.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence>
|
|
<xs:element name="advisory" type="bom:advisoryType" minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="created" type="xs:dateTime" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The date and time (timestamp) when the vulnerability record was created in the vulnerability database.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="published" type="xs:dateTime" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The date and time (timestamp) when the vulnerability record was first published.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="updated" type="xs:dateTime" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The date and time (timestamp) when the vulnerability record was last updated.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="credits" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Individuals or organizations credited with the discovery of the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element name="organizations" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The organizations credited with vulnerability discovery.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="organization" type="bom:organizationalEntity"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="individuals" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The individuals, not associated with organizations, that are credited with vulnerability discovery.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="individual" type="bom:organizationalContact"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="tools" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The tool(s) used to identify, confirm, or score the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="tool" minOccurs="0" type="bom:toolType"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="analysis" minOccurs="0" maxOccurs="1">
|
|
<xs:complexType>
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
An assessment of the impact and exploitability of the vulnerability.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:sequence minOccurs="0" maxOccurs="1">
|
|
<xs:element name="state" type="bom:impactAnalysisStateType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="justification" type="bom:impactAnalysisJustificationType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
The rationale of why the impact analysis state was asserted.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="responses" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A response to the vulnerability by the manufacturer, supplier, or
|
|
project responsible for the affected component or service. More than one response
|
|
is allowed. Responses are strongly encouraged for vulnerabilities where the analysis
|
|
state is exploitable.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="response" type="bom:impactAnalysisResponsesType"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Detailed description of the impact including methods used during assessment.
|
|
If a vulnerability is not exploitable, this field should include specific details
|
|
on why the component or service is not impacted by this vulnerability.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="affects" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The components or services that are affected by the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="target">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="1">
|
|
<xs:element name="ref" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>References a component or service by the object's bom-ref.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="versions" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Zero or more individual versions or range of versions.</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="version">
|
|
<xs:complexType>
|
|
<xs:sequence minOccurs="0" maxOccurs="1">
|
|
<xs:choice>
|
|
<xs:element name="version" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A single version of a component or service.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="range" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>A version range specified in Package URL Version Range syntax (vers), which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:choice>
|
|
<xs:element name="status" type="bom:impactAnalysisAffectedStatusType" minOccurs="0" maxOccurs="1" default="affected">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerability status for the version or range of versions.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Provides the ability to document properties in a key/value store.
|
|
This provides flexibility to include data not officially supported in the standard
|
|
without having to use additional namespaces or create extensions. Property names
|
|
of interest to the general public are encouraged to be registered in the
|
|
CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
|
|
Formal registration is OPTIONAL.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
<xs:attribute name="bom-ref" type="bom:refType">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
An optional identifier which can be used to reference the vulnerability elsewhere in the BOM.
|
|
Uniqueness is enforced within all elements and children of the root-level bom element.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:attribute>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="vulnerabilitySourceType">
|
|
<xs:sequence minOccurs="0" maxOccurs="unbounded">
|
|
<xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The name of the source.
|
|
For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The URL of the vulnerability documentation as provided by the source.
|
|
For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="ratingType">
|
|
<xs:sequence>
|
|
<xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The source that calculated the severity or risk rating of the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="score" type="xs:decimal" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The numerical score of the rating.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="severity" type="bom:severityType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Textual representation of the severity that corresponds to the numerical score of the rating.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="method" type="bom:scoreSourceType" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>The risk scoring methodology/standard used.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="vector" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Textual representation of the metric values used to score the vulnerability.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="justification" type="xs:string" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>An optional reason for rating the vulnerability as it was.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:complexType name="advisoryType">
|
|
<xs:sequence>
|
|
<xs:element name="title" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>An optional name of the advisory.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
<xs:element name="url" type="xs:anyURI" minOccurs="1" maxOccurs="1">
|
|
<xs:annotation>
|
|
<xs:documentation>Location where the advisory can be obtained.</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:element>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
|
|
<xs:simpleType name="severityType" final="restriction">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Textual representation of the severity of the vulnerability adopted by the analysis method. If the
|
|
analysis method uses values other than what is provided, the user is expected to translate appropriately.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="critical"/>
|
|
<xs:enumeration value="high"/>
|
|
<xs:enumeration value="medium"/>
|
|
<xs:enumeration value="low"/>
|
|
<xs:enumeration value="info"/>
|
|
<xs:enumeration value="none"/>
|
|
<xs:enumeration value="unknown"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="impactAnalysisStateType" final="restriction">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="resolved">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerability has been remediated.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="resolved_with_pedigree">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerability has been remediated and evidence of the changes is provided in the affected
component's pedigree containing verifiable commit history and/or diff(s).
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="exploitable">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerability may be directly or indirectly exploitable.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="in_triage">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerability is being investigated.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="false_positive">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerability is not specific to the component or service and was falsely identified or associated.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="not_affected">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The component or service is not affected by the vulnerability. Justification should be specified
|
|
for all not_affected cases.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="impactAnalysisJustificationType" final="restriction">
|
|
<xs:annotation>
|
|
<xs:documentation xml:lang="en">
|
|
The rationale of why the impact analysis state was asserted.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
<xs:restriction base="xs:string">
|
|
<xs:enumeration value="code_not_present">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The code has been removed or tree-shaken.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="code_not_reachable">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
The vulnerable code is not invoked at runtime.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="requires_configuration">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Exploitability requires a configurable option to be set/unset.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="requires_dependency">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Exploitability requires a dependency that is not present.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="requires_environment">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Exploitability requires a certain environment which is not present.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="protected_by_compiler">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Exploitability requires a compiler flag to be set/unset.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="protected_at_runtime">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Exploits are prevented at runtime.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="protected_at_perimeter">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Attacks are blocked at physical, logical, or network perimeter.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
<xs:enumeration value="protected_by_mitigating_control">
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
</xs:enumeration>
|
|
</xs:restriction>
|
|
</xs:simpleType>
<xs:simpleType name="scoreSourceType" final="restriction">
  <xs:annotation>
    <xs:documentation xml:lang="en">
      Specifies the severity or risk scoring methodology or standard used.
    </xs:documentation>
  </xs:annotation>
  <!--
    NOTE(review): this value is what gives a rating's score/vector its meaning. CVSSv3 and
    CVSSv31 are distinct methods (v3.0 and v3.1 respectively, see the documentation below),
    so a consumer deriving severity should dispatch on the exact value rather than on a
    "starts with CVSS" match, and should treat a score whose method is "other" as opaque.
  -->
  <xs:restriction base="xs:string">
    <xs:enumeration value="CVSSv2">
      <xs:annotation>
        <xs:documentation xml:lang="en">
          The rating is based on CVSS v2 standard
          https://www.first.org/cvss/v2/
        </xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="CVSSv3">
      <xs:annotation>
        <xs:documentation xml:lang="en">
          The rating is based on CVSS v3.0 standard
          https://www.first.org/cvss/v3-0/
        </xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="CVSSv31">
      <xs:annotation>
        <xs:documentation xml:lang="en">
          The rating is based on CVSS v3.1 standard
          https://www.first.org/cvss/v3-1/
        </xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="OWASP">
      <xs:annotation>
        <xs:documentation xml:lang="en">
          The rating is based on OWASP Risk Rating
          https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
        </xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <!-- Catch-all; the numeric score cannot be interpreted without out-of-band knowledge. -->
    <xs:enumeration value="other">
      <xs:annotation>
        <xs:documentation xml:lang="en">
          Use this if the risk scoring methodology is not based on any of the options above
        </xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
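<xs:simpleType name="impactAnalysisResponsesType" final="restriction">
  <xs:annotation>
    <!--
      The previous documentation here was a copy of the impactAnalysisJustificationType
      text ("The rationale of why the impact analysis state was asserted."), which
      describes the justification, not the response. Reworded to match the enumeration.
    -->
    <xs:documentation xml:lang="en">
      The response to the vulnerability for the affected component or service: what has been
      done, or will be done, about it. One of the enumerated actions below.
    </xs:documentation>
  </xs:annotation>
  <!--
    NOTE(review): like the justification, a response is a producer assertion. In particular
    workaround_available does not by itself mean the workaround has been applied to the
    artifact described by this BOM; consumers should not downgrade a finding on it alone.
  -->
  <xs:restriction base="xs:string">
    <xs:enumeration value="can_not_fix"/>
    <xs:enumeration value="will_not_fix"/>
    <xs:enumeration value="update"/>
    <xs:enumeration value="rollback"/>
    <xs:enumeration value="workaround_available"/>
  </xs:restriction>
</xs:simpleType>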
<xs:simpleType name="impactAnalysisAffectedStatusType" final="restriction">
  <xs:annotation>
    <xs:documentation xml:lang="en">
      The vulnerability status of a given version or range of versions of a product. The statuses
      'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability.
      The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected.
      There can be many reasons for an 'unknown' status, including that an investigation has not been
      undertaken or that a vendor has not disclosed the status.
    </xs:documentation>
  </xs:annotation>
  <!--
    NOTE(review): per the documentation above, unknown means "not investigated / not
    disclosed", not "clean". Consumers that filter findings should treat unknown the same
    way they treat a missing status, never as unaffected.
  -->
  <xs:restriction base="xs:string">
    <xs:enumeration value="affected"/>
    <xs:enumeration value="unaffected"/>
    <xs:enumeration value="unknown"/>
  </xs:restriction>
</xs:simpleType>
<xs:element name="bom">
  <xs:complexType>
    <!--
      Document root. Every section is optional and appears at most once, in the order given
      here; a validator rejects sections that are out of order or repeated.
    -->
    <xs:sequence>
      <xs:element name="metadata" type="bom:metadata" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Provides additional information about a BOM.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>A list of software and hardware components.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Provides the ability to document external references related to the BOM or
          to the project the BOM describes.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="dependencies" type="bom:dependenciesType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Provides the ability to document dependency relationships.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="compositions" type="bom:compositionsType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Provides the ability to document properties in a key/value store.
          This provides flexibility to include data not officially supported in the standard
          without having to use additional namespaces or create extensions. Property names
          of interest to the general public are encouraged to be registered in the
          CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
          Formal registration is OPTIONAL.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="vulnerabilities" type="bom:vulnerabilitiesType" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Vulnerabilities identified in components or services.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <!--
        NOTE(review): extension point. Any number of elements from a namespace other than the
        BOM namespace are accepted after the sections above, and with processContents="lax"
        they are validated only if a schema for their namespace happens to be loaded. A
        consumer must treat such content as unvalidated input and must not let it override
        what the declared sections say (e.g. the vulnerabilities or dependencies lists).
      -->
      <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
        <xs:annotation>
          <xs:documentation>
            Allows any undeclared elements as long as the elements are placed in a different namespace.
          </xs:documentation>
        </xs:annotation>
      </xs:any>
    </xs:sequence>
    <!--
      NOTE(review): xs:integer is unbounded, so 0 and negative versions pass validation; the
      "increment by 1 from 1" rule below is advisory only. Together with serialNumber this pair
      is producer-supplied and unauthenticated: applying "use the most recent version" across
      BOMs from different or untrusted sources lets anyone replace an earlier BOM by reusing
      its serial number with a larger version. Apply that rule per trusted producer.
    -->
    <xs:attribute name="version" type="xs:integer" default="1">
      <xs:annotation>
        <xs:documentation>Whenever an existing BOM is modified, either manually or through automated
        processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with
        multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM.
        The default version is '1'.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="serialNumber" type="bom:urnUuid">
      <xs:annotation>
        <xs:documentation>Every BOM generated SHOULD have a unique serial number, even if the contents of
        the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122.
        Use of serial numbers are RECOMMENDED.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <!-- Foreign attributes are likewise accepted unvalidated (lax) from any namespace. -->
    <xs:anyAttribute namespace="##any" processContents="lax">
      <xs:annotation>
        <xs:documentation>User-defined attributes may be used on this element as long as they
        do not have the same name as an existing attribute used by the schema.</xs:documentation>
      </xs:annotation>
    </xs:anyAttribute>
  </xs:complexType>
  <!--
    Document-wide identity constraint: the selector ".//*" covers every descendant of <bom>,
    so any two elements anywhere in the document (components, services, vulnerabilities, ...)
    that carry a bom-ref attribute must carry different values. A producer that emits the same
    bom-ref twice produces a BOM that schema-aware tooling will reject.
  -->
  <xs:unique name="bom-ref">
    <xs:selector xpath=".//*"/>
    <xs:field xpath="@bom-ref"/>
  </xs:unique>
</xs:element>
</xs:schema>