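// SPDX-License-Identifier: Apache-2.0
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// Package schema defines the Go types that the CycloneDX JSON document model
// is (un)marshalled into. The `cdx:"..."` tags record in which spec. version a
// field was added, changed or deprecated; the `Constraint:` comments describe
// the JSON schema and are NOT enforced by anything in this file — a document
// has to be schema-validated separately before values read from these structs
// are relied upon.
package schema

// JSON property names of commonly addressed BOM elements; they match the
// `json` tags on CDXBom and CDXMetadata below.
const (
	KEY_ANNOTATIONS = "annotations"
	KEY_COMPONENTS  = "components"
	KEY_LICENSES    = "licenses"
	KEY_METADATA    = "metadata"
	KEY_SERVICES    = "services"
)

// Note: CycloneDX v1.2, 1.3, 1.4, 1.5 schema properties are currently supported
// TODO: make ALL struct pointer references for (future) editing needs

// EMPTY_CDXLicense is a zero-value CDXLicense, provided for convenience when
// testing for zero-length (empty) structs.
var EMPTY_CDXLicense = CDXLicense{}

// CDXBom is the root object of a CycloneDX BOM document.
// NOTE: During parsing, any fields not explicitly included in the structure
// will still be added as generic "interface{}" types
// v1.3: added "compositions"
// v1.4: added "vulnerabilities", "signature"
// v1.5: added "annotations", "formulation", "properties"
// v1.6: added "declarations", "definitions"
// NOTE: "version" is an int with "omitempty", so a version of 0 is dropped on marshal.
type CDXBom struct {
	BOMFormat          string                  `json:"bomFormat,omitempty"`
	SpecVersion        string                  `json:"specVersion,omitempty"`
	SerialNumber       string                  `json:"serialNumber,omitempty"`
	Version            int                     `json:"version,omitempty"`
	Metadata           *CDXMetadata            `json:"metadata,omitempty"`
	Components         *[]CDXComponent         `json:"components,omitempty"`
	Services           *[]CDXService           `json:"services,omitempty"`
	ExternalReferences *[]CDXExternalReference `json:"externalReferences,omitempty"`
	Dependencies       *[]CDXDependency        `json:"dependencies,omitempty"`
	Compositions       *[]CDXCompositions      `json:"compositions,omitempty" cdx:"added:1.3"`
	Vulnerabilities    *[]CDXVulnerability     `json:"vulnerabilities,omitempty" cdx:"added:1.4"`
	Signature          *JSFSignature           `json:"signature,omitempty" cdx:"added:1.4"`
	Annotations        *[]CDXAnnotation        `json:"annotations,omitempty" cdx:"added:1.5"`
	Formulation        *[]CDXFormula           `json:"formulation,omitempty" cdx:"added:1.5"`
	Properties         *[]CDXProperty          `json:"properties,omitempty" cdx:"added:1.5"`
	Declarations       *[]CDXDeclaration       `json:"declarations,omitempty" cdx:"added:1.6"`
	Definitions        *[]CDXDefinition        `json:"definitions,omitempty" cdx:"added:1.6"`
}

// CDXMetadata is the BOM "metadata" object (who produced the BOM, when, with what).
// v1.2: existed
// v1.3: added "licenses", "properties"
// v1.5: added "lifecycles"
// v1.5: "tools" is changed to an interface{} as it represents 2 possible types (object <legacy tools>, slice <new tools>)
// v1.6: added "manufacturer"; deprecated "manufacture"
// Note: "timestamp" in OWASP SCVS is: urn:owasp:scvs:bom:core:timestamp
type CDXMetadata struct {
	Timestamp string `json:"timestamp,omitempty" scvs:"bom:core:timestamp"`
	// Tools keeps whatever JSON shape the document carried (legacy object or
	// v1.5 slice); callers have to type-assert before using it.
	Tools        interface{}                 `json:"tools,omitempty"`
	Authors      *[]CDXOrganizationalContact `json:"authors,omitempty"`
	Component    *CDXComponent               `json:"component,omitempty"`
	Supplier     *CDXOrganizationalEntity    `json:"supplier,omitempty"`
	Licenses     *[]CDXLicenseChoice         `json:"licenses,omitempty" cdx:"added:1.3"`
	Properties   *[]CDXProperty              `json:"properties,omitempty" cdx:"added:1.3"`
	Lifecycles   *[]CDXLifecycle             `json:"lifecycles,omitempty" cdx:"added:1.5"`
	Manufacture  *CDXOrganizationalEntity    `json:"manufacture,omitempty" cdx:"deprecated:1.6"`
	Manufacturer *CDXOrganizationalEntity    `json:"manufacturer,omitempty" cdx:"added:1.6"`
}

// CDXComponent describes one software/hardware unit in the BOM (and, via
// "components", its nested sub-components).
// v1.2: existed
// v1.3: added: "evidence", "properties"
// v1.4: added: "releaseNotes", "signature"
// v1.4: changed: "version" no longer required
// v1.4: deprecated: "modified", "cpe", "swid"
// v1.5: added "modelCard", (component)"data"
// Note: "bom-ref" is a "refType" which is a constrained `string`
// TODO: "mime-type" SHOULD become "media-type" which is more modern/inclusive
// TODO: Remove "service" from "Type" enum. as "service" now exists (deprecate in future versions)
// NOTE: CDXRefType is a named `string` type as of v1.5
// NOTE: identifiers (cpe, purl, swid, omniborId, swhid) and hashes are recorded
// exactly as the producer wrote them; this type neither validates the
// identifier syntax nor verifies the hashes against any artifact.
type CDXComponent struct {
	Primary            bool                        `json:"-"` // Proprietary: do NOT marshal/unmarshal
	Type               string                      `json:"type,omitempty"` // Constraint: enum [see schema]
	Name               string                      `json:"name,omitempty"`
	Version            string                      `json:"version,omitempty"`
	Description        string                      `json:"description,omitempty"`
	Group              string                      `json:"group,omitempty"`
	BOMRef             *CDXRefType                 `json:"bom-ref,omitempty"`
	MimeType           string                      `json:"mime-type,omitempty"`
	Supplier           *CDXOrganizationalEntity    `json:"supplier,omitempty"`
	Publisher          string                      `json:"publisher,omitempty"`
	Scope              string                      `json:"scope,omitempty"` // Constraint: "enum": ["required","optional","excluded"]
	Hashes             *[]CDXHash                  `json:"hashes,omitempty"`
	Licenses           *[]CDXLicenseChoice         `json:"licenses,omitempty"`
	Copyright          string                      `json:"copyright,omitempty"`
	Cpe                string                      `json:"cpe,omitempty"` // See: https://nvd.nist.gov/products/cpe
	Purl               string                      `json:"purl,omitempty" scvs:"bom:resource:identifiers:purl"` // See: https://github.com/package-url/purl-spec
	Swid               *CDXSwid                    `json:"swid,omitempty"` // See: https://www.iso.org/standard/65666.html
	Pedigree           *CDXPedigree                `json:"pedigree,omitempty"`
	ExternalReferences *[]CDXExternalReference     `json:"externalReferences,omitempty"`
	Components         *[]CDXComponent             `json:"components,omitempty"`
	Evidence           *CDXComponentEvidence       `json:"evidence,omitempty" cdx:"added:1.3"`
	Properties         *[]CDXProperty              `json:"properties,omitempty" cdx:"added:1.3"`
	ReleaseNotes       *[]CDXReleaseNotes          `json:"releaseNotes,omitempty" cdx:"added:1.4"`
	Signature          *JSFSignature               `json:"signature,omitempty" cdx:"added:1.4"`
	Modified           bool                        `json:"modified,omitempty" cdx:"deprecated:1.4"` // NOTE: "omitempty" drops an explicit false
	ModelCard          *CDXModelCard               `json:"modelCard,omitempty" cdx:"added:1.5"`
	Data               *[]CDXComponentData         `json:"data,omitempty" cdx:"added:1.5"`
	Authors            *[]CDXOrganizationalContact `json:"authors,omitempty" cdx:"added:1.6"`
	OmniborId          *[]string                   `json:"omniborId,omitempty" cdx:"added:1.6"`
	Swhid              *[]string                   `json:"swhid,omitempty" cdx:"added:1.6"`
	CryptoProperties   *CDXCryptoProperties        `json:"cryptoProperties,omitempty" cdx:"added:1.6"`
	Tags               *[]string                   `json:"tags,omitempty" cdx:"added:1.6"`
	Manufacturer       *CDXOrganizationalEntity    `json:"manufacturer,omitempty" cdx:"added:1.6"`
	Author             string                      `json:"author,omitempty" cdx:"deprecated:1.6"`
}

// CDXComponentData describes a data asset attached to a component.
// v1.5 added object
// The general theme or subject matter of the data being specified.
// TODO: "contents" is plural, but it is not an array
type CDXComponentData struct {
	Type           string                 `json:"type,omitempty" cdx:"added:1.5"` // Constraint: "enum": ["source-code","configuration","dataset","definition","other"]
	Name           string                 `json:"name,omitempty" cdx:"added:1.5"`
	BOMRef         *CDXRefType            `json:"bom-ref,omitempty" cdx:"added:1.5"`
	Contents       *CDXContent            `json:"contents,omitempty" cdx:"added:1.5"`
	Classification *CDXDataClassification `json:"classification,omitempty" cdx:"added:1.5"`
	// NOTE: a plain slice, unlike the *[]T collections used elsewhere in this file.
	SensitiveData []string               `json:"sensitiveData,omitempty" cdx:"added:1.5"`
	Graphics      *CDXGraphicsCollection `json:"graphics,omitempty" cdx:"added:1.5"`
	Description   string                 `json:"description,omitempty" cdx:"added:1.5"`
	Governance    *CDXDataGovernance     `json:"governance,omitempty" cdx:"added:1.5"`
}

// CDXContent is the "contents" of a component data asset: a URL, an inline
// attachment, or both, plus properties.
// v1.5 added object
type CDXContent struct {
	Url        string         `json:"url,omitempty" cdx:"added:1.5"`
	Attachment *CDXAttachment `json:"attachment,omitempty" cdx:"added:1.5"`
	Properties *[]CDXProperty `json:"properties,omitempty" cdx:"added:1.5"`
}

// CDXDataGovernance lists the parties responsible for a data asset.
// v1.5 added
type CDXDataGovernance struct {
	Custodians *[]CDXDataGovernanceResponsibleParty `json:"custodians,omitempty" cdx:"added:1.5"`
	Stewards   *[]CDXDataGovernanceResponsibleParty `json:"stewards,omitempty" cdx:"added:1.5"`
	Owners     *[]CDXDataGovernanceResponsibleParty `json:"owners,omitempty" cdx:"added:1.5"`
}

// CDXDataGovernanceResponsibleParty is either an organization or a contact.
// v1.5 added structure
// Constraints: "oneOf": ["organization", "contact"]
type CDXDataGovernanceResponsibleParty struct {
	Organization *CDXOrganizationalEntity  `json:"organization,omitempty" cdx:"added:1.5"`
	Contact      *CDXOrganizationalContact `json:"contact,omitempty" cdx:"added:1.5"`
}

// CDXService describes an external service the subject depends on.
// v1.2: existed
// v1.3: added: "properties"
// v1.4: added: "releaseNotes", "signature"
// v1.5: moved "data" object elements into "serviceData" object
// v1.5: added "trustZone"
// -----
// TODO: a service is not all auth or not auth.; that is, we have multiple endpoints
// but only 1 boolean for "authenticated" (open spec. issue)
// TODO: Not sure the intent of having "nested" (hierarchical) services?
// TODO: Should support OpenAPI specification (documents) as canonical descriptors
// TODO: v1.2 "licenses" used to be an anon. type until v1.3 intro. the `LicenseChoice` def.
// validate a v1.2 SBOM wit the anon. type parses properly
// NOTE: CDXRefType is a named `string` type as of v1.5
// NOTE: "authenticated" and "x-trust-boundary" are plain bools with "omitempty",
// so an explicit `false` in the input is dropped when the struct is marshalled
// again; after a round trip a consumer cannot tell "false" from "not stated".
// Changing them to *bool would preserve that distinction but alters the API.
type CDXService struct {
	Name               string                   `json:"name,omitempty"`
	Version            string                   `json:"version,omitempty"`
	Description        string                   `json:"description,omitempty"`
	Group              string                   `json:"group,omitempty"`
	BOMRef             *CDXRefType              `json:"bom-ref,omitempty"`
	Endpoints          *[]string                `json:"endpoints,omitempty"`
	Authenticated      bool                     `json:"authenticated,omitempty"`
	XTrustBoundary     bool                     `json:"x-trust-boundary,omitempty"`
	Provider           *CDXOrganizationalEntity `json:"provider,omitempty"`
	Data               *[]CDXServiceData        `json:"data,omitempty"`
	Licenses           *[]CDXLicenseChoice      `json:"licenses,omitempty"`
	ExternalReferences *[]CDXExternalReference  `json:"externalReferences,omitempty"`
	Services           *[]CDXService            `json:"services,omitempty"`
	Properties         *[]CDXProperty           `json:"properties,omitempty" cdx:"added:1.3"`
	ReleaseNotes       *[]CDXReleaseNotes       `json:"releaseNotes,omitempty" cdx:"added:1.4"`
	Signature          *JSFSignature            `json:"signature,omitempty" cdx:"added:1.4"`
	TrustZone          string                   `json:"trustZone,omitempty" cdx:"added:1.5"`
	Tags               *[]string                `json:"tags,omitempty" cdx:"added:1.6"`
}

// CDXServiceData describes one data flow of a service.
// v1.5: added. aggregated related date from v1.2-v1.4 and added additional fields
// v1.2-v1.4: "flow", "classification" existed
// TODO: "source" is a "oneOf" type (both currently resolve to string), but needs to be its own anonymous type
// TODO: "destination" is a "oneOf" type (both currently resolve to string), but needs to be its own anonymous type
type CDXServiceData struct {
	Flow           string                 `json:"flow,omitempty"`
	Classification *CDXDataClassification `json:"classification,omitempty"`
	Name           string                 `json:"name,omitempty" cdx:"added:1.5"`
	Description    string                 `json:"description,omitempty" cdx:"added:1.5"`
	Governance     *CDXDataGovernance     `json:"governance,omitempty" cdx:"added:1.5"`
	Source         string                 `json:"source,omitempty" cdx:"added:1.5"`
	Destination    string                 `json:"destination,omitempty" cdx:"added:1.5"`
}

// CDXPedigree records the provenance (ancestry, variants, commits, patches) of a component.
// v1.2: existed as an anon. type in the "component" type defn.
// The "Notes" (plural) should likely be multiple strings or text annotations
// TODO: create top-level defn. for "pedigree" anon. type
type CDXPedigree struct {
	Ancestors   *[]CDXComponent `json:"ancestors,omitempty"`
	Descendants *[]CDXComponent `json:"descendants,omitempty"`
	Variants    *[]CDXComponent `json:"variants,omitempty"`
	Commits     *[]CDXCommit    `json:"commits,omitempty"`
	Patches     *[]CDXPatch     `json:"patches,omitempty"`
	Notes       string          `json:"notes,omitempty"`
}

// isEmpty reports whether the pedigree carries no provenance data at all: a
// nil receiver, the zero value, or a value whose "notes" is empty and whose
// slice fields are each nil or zero-length.
//
// The check is shallow: a non-empty slice counts as data even when every
// element inside it is itself empty. A deep check is still TODO (wanted by
// the "component list" command).
func (pedigree *CDXPedigree) isEmpty() bool {
	// CDXComponent.Pedigree is a pointer that stays nil when the document has
	// no "pedigree" object; treat that as empty instead of panicking on the
	// dereference.
	if pedigree == nil {
		return true
	}
	if pedigree.Notes != "" {
		return false
	}
	// A nil pointer and a pointer to an empty slice are both "no data".
	if pedigree.Ancestors != nil && len(*pedigree.Ancestors) > 0 {
		return false
	}
	if pedigree.Descendants != nil && len(*pedigree.Descendants) > 0 {
		return false
	}
	if pedigree.Variants != nil && len(*pedigree.Variants) > 0 {
		return false
	}
	if pedigree.Commits != nil && len(*pedigree.Commits) > 0 {
		return false
	}
	if pedigree.Patches != nil && len(*pedigree.Patches) > 0 {
		return false
	}
	// TODO: we verified, at least to a shallow depth, that an attempt was made to provide
	// provenance data; however, data structs in could still be "empty"
	// a full, deep empty check impl. is needed
	return true
}

// CDXSwid is an ISO/IEC 19770-2 software identification tag.
// v1.2: existed
// See: https://www.iso.org/standard/65666.html
// NOTE: Swid v1 tag values are deprecated; new v2 tags are avail.
type CDXSwid struct {
	TagId      string         `json:"tagId,omitempty"`
	Name       string         `json:"name,omitempty"`
	Version    string         `json:"version,omitempty"`
	TagVersion int            `json:"tagVersion,omitempty"`
	Patch      bool           `json:"patch,omitempty"`
	Text       *CDXAttachment `json:"text,omitempty"`
	Url        string         `json:"url,omitempty"`
}

// CDXLicenseChoice is either a single license object or an SPDX expression
// (the latter via the embedded CDXLicenseExpression).
// v1.2: was an anon. type in schema
// v1.3: created explicit schema object type
// Note: "oneOf": ["license", "expression"] is required
// NOTE: CDXLicenseExpression is a named `string` type as of v1.5
type CDXLicenseChoice struct {
	License *CDXLicense `json:"license,omitempty"`
	//Expression string `json:"expression,omitempty"` // v1.5: changed
	CDXLicenseExpression
}

// CDXLicenseExpression holds an SPDX license expression and its reference.
// v1.5: added "expression" type structure
// v1.6: added Acknowledgment
// NOTE: CDXRefType is a named `string` type as of v1.5
type CDXLicenseExpression struct {
	Expression      string      `json:"expression,omitempty"`
	BOMRef          *CDXRefType `json:"bom-ref,omitempty" cdx:"added:1.5"`
	Acknowledgement string      `json:"acknowledgement,omitempty" cdx:"added:1.6"`
}

// CDXLicense is a single license identified by SPDX id or by name.
// v1.2: was an anon. type
// v1.3: created as a named type
// v1.6: added Acknowledgment
// Note: "id" SHOULD be an SPDX license ID
// Note: "oneOf": ["id", "name"] is required
// Note: CDXRefType is a named `string` type as of v1.5
// Note: Acknowledgement is actually a named `string` (licenseAcknowledgementEnumeration)
type CDXLicense struct {
	Id              string         `json:"id,omitempty"`
	Name            string         `json:"name,omitempty"`
	Text            *CDXAttachment `json:"text,omitempty"`
	Url             string         `json:"url,omitempty"`
	BOMRef          *CDXRefType    `json:"bom-ref,omitempty" cdx:"added:1.5"`
	Licensing       *CDXLicensing  `json:"licensing,omitempty" cdx:"added:1.5"`
	Properties      *[]CDXProperty `json:"properties,omitempty" cdx:"added:1.5"`
	Acknowledgement string         `json:"acknowledgement,omitempty" cdx:"added:1.6"`
}

// CDXLicensing carries the commercial licensing details of a license.
// v1.5: added object
type CDXLicensing struct {
	AltIds        *[]string             `json:"altIds,omitempty" cdx:"added:1.5"`
	Licensor      *CDXLicenseLegalParty `json:"licensor,omitempty" cdx:"added:1.5"`
	Licensee      *CDXLicenseLegalParty `json:"licensee,omitempty" cdx:"added:1.5"`
	Purchaser     *CDXLicenseLegalParty `json:"purchaser,omitempty" cdx:"added:1.5"`
	PurchaseOrder string                `json:"purchaseOrder,omitempty" cdx:"added:1.5"`
	LicenseTypes  *[]string             `json:"licenseTypes,omitempty" cdx:"added:1.5"`
	LastRenewal   string                `json:"lastRenewal,omitempty" cdx:"added:1.5"`
	Expiration    string                `json:"expiration,omitempty" cdx:"added:1.5"`
}

// CDXCommit is a single version-control commit in a pedigree.
// v1.2: existed
// TODO: GitHub PRs MAY have more than 1 commit (committer); CDX needs to account for this
type CDXCommit struct {
	Uid       string                 `json:"uid,omitempty"`
	Url       string                 `json:"url,omitempty"`
	Message   string                 `json:"message,omitempty"`
	Author    *CDXIdentifiableAction `json:"author,omitempty"`
	Committer *CDXIdentifiableAction `json:"committer,omitempty"`
}

// CDXPatch is a patch applied to a component, with the issues it resolves.
// v1.2: existed
type CDXPatch struct {
	Type     string      `json:"type,omitempty"`
	Diff     *CDXDiff    `json:"diff,omitempty"`
	Resolves *[]CDXIssue `json:"resolves,omitempty"`
}

// CDXDiff is the text or location of a patch.
// v1.2: existed
// v1.3 "url" type changed from `string` (with constraints) to an "iri-reference"
type CDXDiff struct {
	Text *CDXAttachment `json:"text,omitempty"`
	Url  string         `json:"url,omitempty" cdx:"changed:1.3"`
}

// CDXIssue is a defect, enhancement or security issue referenced by a patch or release note.
// v1.2: existed
// Note: v1.2 Bug: there appears to be a bug in the 1.2 spec. where the type for
// "references" is declared an array of "no type" (it likely should be `string`)
// Not sure how a parser will treat this... perhaps as an `interface{}`?
// v1.3: fixed missing item type to "string" ([]string) and constrained as an "iri-reference"
type CDXIssue struct {
	Type        string     `json:"type,omitempty"`
	Id          string     `json:"id,omitempty"`
	Name        string     `json:"name,omitempty"`
	Description string     `json:"description,omitempty"`
	Source      *CDXSource `json:"source,omitempty"`
	References  *[]string  `json:"references,omitempty" cdx:"changed:1.3"`
}

// CDXSource names where an issue was published.
// v1.2: existed as anon. type
// Note: this is an anonymous type defined within "issue" defn. (i.e., "CDXIssue")
type CDXSource struct {
	Name string `json:"name,omitempty"`
	Url  string `json:"url,omitempty"`
}

// CDXIdentifiableAction records who did something (e.g., a commit) and when.
// v1.2: existed
// TODO: We should suggest this be "deprecated" and instead add "timestamp" and
// other fields to OrganizationalContact (or similar)
// TODO: should have "signage" information (e.g., evidence, public key)
type CDXIdentifiableAction struct {
	Timestamp string `json:"timestamp,omitempty"`
	Name      string `json:"name,omitempty"`
	Email     string `json:"email,omitempty"`
}

// CDXDependency is one node of the dependency graph: a ref and what it depends on.
// v1.2: existed
// v1.4: "ref" and "dependsOn" became type "refType" which is a constrained `string`
// v1.5: "ref": is now a constrained "string" of type "#/definitions/refLinkType"
// v1.5: "dependsOn": is now a constrained "string" of type "#/definitions/refLinkType"
// Note: Changes to RefType and RefLinkType are ONLY constraint changes; we need only track type changes...
type CDXDependency struct {
	Ref       *CDXRefLinkType   `json:"ref,omitempty"`
	DependsOn *[]CDXRefLinkType `json:"dependsOn,omitempty"`
}

// v1.2: existed
// Note: "flow" is of type "dataFlow" which is a constrained `string` type
// v1.5: removed. No longer an object; now it is a "string" ( "flow" moved out as "string" into "serviceData" object)
// type CDXDataClassification struct {
// 	Flow           string `json:"flow,omitempty"`
// 	Classification string `json:"classification,omitempty"`
// }

// CDXDataClassification is the v1.5 string type of a data "classification" value.
// v1.5 added. Replaced former "object" type in favor of "string"
// Data classification tags data according to its type, sensitivity, and value if altered,
// stolen, or destroyed.
// NOTE(review): the enum ["inbound", "outbound", "bi-directional", "unknown"] that
// used to be quoted here is the value set of "flow" (the "dataFlow" type noted
// above), not a constraint on classification — confirm against the v1.5 schema.
type CDXDataClassification string

// CDXCopyright is a single copyright statement gathered as evidence.
// v1.3: created "copyright" defn.
type CDXCopyright struct {
	Text string `json:"text,omitempty"`
}

// CDXComponentEvidence holds the evidence (licenses, copyrights, identity,
// occurrences, call stack) backing a component's claims.
// v1.3: created "componentEvidence" defn.
// Note: "Identity" was changed from a singleton in v1.5, to an array of in v1.6
type CDXComponentEvidence struct {
	Licenses  *[]CDXLicense   `json:"licenses,omitempty" cdx:"added:1.3"`
	Copyright *[]CDXCopyright `json:"copyright,omitempty" cdx:"added:1.3"`
	// Identity keeps the raw JSON shape (object in v1.5, array in v1.6);
	// callers have to type-assert before using it.
	Identity    interface{}     `json:"identity,omitempty" cdx:"added:1.5,changed:1.6"`
	Occurrences *[]CDXOccurrence `json:"occurrences,omitempty" cdx:"added:1.5"`
	Callstack   *CDXCallstack    `json:"callstack,omitempty" cdx:"added:1.5"`
}

// CDXOccurrence is a location where a component was observed.
// v1.5: added
type CDXOccurrence struct {
	BOMRef   *CDXRefType `json:"bom-ref,omitempty" cdx:"added:1.5"`
	Location string      `json:"location,omitempty" cdx:"added:1.5"`
}

// CDXCallstack is a list of stack frames given as evidence.
// v1.5: added
type CDXCallstack struct {
	Frames *[]CDXFrames `json:"frames,omitempty" cdx:"added:1.5"`
}

// CDXFrames is a single call-stack frame.
// v1.5: added
// Note: "parameters" SHOULD use "formulation" definitions that better define a parameter
type CDXFrames struct {
	Package      string    `json:"package,omitempty" cdx:"added:1.5"`
	Module       string    `json:"module,omitempty" cdx:"added:1.5"`
	Function     string    `json:"function,omitempty" cdx:"added:1.5"`
	Parameters   *[]string `json:"parameters,omitempty" cdx:"added:1.5"`
	Line         int       `json:"line,omitempty" cdx:"added:1.5"`
	Column       int       `json:"column,omitempty" cdx:"added:1.5"`
	FullFilename string    `json:"fullFilename,omitempty" cdx:"added:1.5"`
}

// v1.5: added
// TODO: figure out how to support both the v1.5 "Identity" type (a singleton
// of an anonymous type) vs. the v1.6 "identity" which is an array of named type
// (i.e., componentIdentityEvidence).
// Note: Tools is either (OneOf) CDXRefType <or> CDXBomLinkElementType, which are both strings for now...
// type CDXComponentIdentityEvidence struct {
// 	Field      string     `json:"field,omitempty" cdx:"added:1.5"`
// 	Confidence float64    `json:"confidence,omitempty" cdx:"added:1.5"`
// 	Methods    *[]CDXMethod `json:"methods,omitempty" cdx:"added:1.5"`
// 	Tools      *[]string  `json:"tools,omitempty" cdx:"added:1.5"`
// }

// // v1.5: added
// type CDXMethod struct {
// 	Technique  string  `json:"technique,omitempty" cdx:"added:1.5"`
// 	Confidence float64 `json:"confidence,omitempty" cdx:"added:1.5"`
// 	Value      string  `json:"value,omitempty" cdx:"added:1.5"`
// }

// CDXCompositions states how complete the BOM's assemblies and dependencies are.
// v1.3: created "compositions" defn.
// v1.4: added "signature"
// v1.5: added "bom-ref", "vulnerabilities"
// Note: "aggregate" is type `aggregateType` which is a constrained string
// TODO: Note: "Assemblies" is really an array of OneOf: "refLinkType" or "bomLinkElementType"
// which BOTH thankfully mapping to "string"; however, this MAY need to become an "interface{}"
// similar to "tools" has become.
// TODO: Should NOT be plural; open issue against v2.0 schema
// NOTE: CDXRefType is a named `string` type as of v1.5
type CDXCompositions struct {
	Aggregate       string              `json:"aggregate,omitempty" cdx:"added:1.3"`
	Assemblies      *[]string           `json:"assemblies,omitempty" cdx:"added:1.3"`
	Dependencies    *[]string           `json:"dependencies,omitempty" cdx:"added:1.3"`
	Signature       *JSFSignature       `json:"signature,omitempty" cdx:"added:1.4"`
	Vulnerabilities *[]CDXVulnerability `json:"vulnerabilities,omitempty" cdx:"added:1.5"`
	BOMRef          *CDXRefType         `json:"bom-ref,omitempty" cdx:"added:1.5"`
}

// CDXReleaseNotes describes a release of a component or service.
// v1.4: created "releaseNotes" defn.
// TODO: should be singular "releaseNote"
// TODO: v1.7: Add []ExternalReferences
// TODO: v1.7: "Tags" is an overloaded concept... currently doesn't represent GitHub tags
type CDXReleaseNotes struct {
	Type          string         `json:"type,omitempty" cdx:"added:1.4"`
	Title         string         `json:"title,omitempty" cdx:"added:1.4"`
	FeaturedImage string         `json:"featuredImage,omitempty" cdx:"added:1.4"`
	SocialImage   string         `json:"socialImage,omitempty" cdx:"added:1.4"`
	Description   string         `json:"description,omitempty" cdx:"added:1.4"`
	Timestamp     string         `json:"timestamp,omitempty" cdx:"added:1.4"`
	Aliases       *[]string      `json:"aliases,omitempty" cdx:"added:1.4"`
	Tags          *[]string      `json:"tags,omitempty" cdx:"added:1.4"`
	Resolves      *[]CDXIssue    `json:"resolves,omitempty" cdx:"added:1.4"`
	Notes         *[]CDXNote     `json:"notes,omitempty" cdx:"added:1.4"`
	Properties    *[]CDXProperty `json:"properties,omitempty" cdx:"added:1.4"`
}

// CDXLifecycle is one product lifecycle phase covered by the BOM; "name" and
// "description" come from the embedded CDXNameDescription.
type CDXLifecycle struct {
	// v1.5: "enum": [ "design", "pre-build", "build", "post-build", "operations", "discovery", "decommission"]
	Phase              string `json:"phase,omitempty" cdx:"added:1.5"`
	CDXNameDescription        // name, description
}

// CDXNameDescription is the shared name/description pair embedded by other types.
// v1.5 new type for "metadata"
type CDXNameDescription struct {
	Name        string `json:"name,omitempty" cdx:"added:1.5"`
	Description string `json:"description,omitempty" cdx:"added:1.5"`
}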