github.com/anchore/syft@v1.4.2-0.20240516191711-1bec1fc5d397/schema/cyclonedx/cyclonedx.xsd (about) 1 <?xml version="1.0" encoding="UTF-8"?> 2 <!-- 3 CycloneDX Software Bill-of-Material (SBoM) Specification 4 5 Licensed under the Apache License, Version 2.0 (the "License"); 6 you may not use this file except in compliance with the License. 7 You may obtain a copy of the License at 8 9 http://www.apache.org/licenses/LICENSE-2.0 10 11 Unless required by applicable law or agreed to in writing, software 12 distributed under the License is distributed on an "AS IS" BASIS, 13 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 See the License for the specific language governing permissions and 15 limitations under the License. 16 --> 17 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" 18 xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" 19 xmlns:bom="http://cyclonedx.org/schema/bom/1.5" 20 xmlns:spdx="http://cyclonedx.org/schema/spdx" 21 elementFormDefault="qualified" 22 targetNamespace="http://cyclonedx.org/schema/bom/1.5" 23 vc:minVersion="1.0" 24 vc:maxVersion="1.1" 25 version="1.5.0"> 26 27 <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/> 28 29 <xs:annotation> 30 <xs:documentation> 31 <name>CycloneDX Software Bill of Materials Standard</name> 32 <url>https://cyclonedx.org/</url> 33 <license uri="http://www.apache.org/licenses/LICENSE-2.0" 34 version="2.0">Apache License, Version 2.0</license> 35 </xs:documentation> 36 </xs:annotation> 37 38 <xs:simpleType name="refType"> 39 <xs:annotation> 40 <xs:documentation>Identifier for referable and therefore interlink-able elements.</xs:documentation> 41 </xs:annotation> 42 <xs:restriction base="xs:string"> 43 <xs:minLength value="1"/> 44 <!-- value SHOULD not start with the BOM-Link intro "urn:cdx:" --> 45 </xs:restriction> 46 </xs:simpleType> 47 <xs:simpleType name="refLinkType"> 48 <xs:annotation> 49 <xs:documentation xml:lang="en"> 50 Descriptor for an 
element identified by the attribute "bom-ref" in the same BOM document. 51 In contrast to `bomLinkElementType`. 52 </xs:documentation> 53 </xs:annotation> 54 <xs:restriction base="bom:refType"/> 55 </xs:simpleType> 56 57 <xs:simpleType name="bomLinkDocumentType"> 58 <xs:annotation> 59 <xs:documentation xml:lang="en"> 60 Descriptor for another BOM document. 61 See https://cyclonedx.org/capabilities/bomlink/ 62 </xs:documentation> 63 </xs:annotation> 64 <xs:restriction base="xs:anyURI"> 65 <!-- part of the pattern is based on `bom.serialNumber`'s pattern --> 66 <xs:pattern value="urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*"/> 67 </xs:restriction> 68 </xs:simpleType> 69 <xs:simpleType name="bomLinkElementType"> 70 <xs:annotation> 71 <xs:documentation xml:lang="en"> 72 Descriptor for an element in another BOM document. 73 See https://cyclonedx.org/capabilities/bomlink/ 74 </xs:documentation> 75 </xs:annotation> 76 <xs:restriction base="xs:anyURI"> 77 <!-- part of the pattern is based on `bom.serialNumber`'s pattern --> 78 <xs:pattern value="urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+"/> 79 </xs:restriction> 80 </xs:simpleType> 81 <xs:simpleType name="bomLinkType"> 82 <xs:union memberTypes="bom:bomLinkDocumentType bom:bomLinkElementType"/> 83 </xs:simpleType> 84 85 <xs:complexType name="metadata"> 86 <xs:sequence minOccurs="0" maxOccurs="1"> 87 <xs:element name="timestamp" type="xs:dateTime" minOccurs="0"> 88 <xs:annotation> 89 <xs:documentation>The date and time (timestamp) when the BOM was created.</xs:documentation> 90 </xs:annotation> 91 </xs:element> 92 <xs:element name="lifecycles" minOccurs="0" maxOccurs="1"> 93 <xs:annotation> 94 <xs:documentation> 95 The product lifecycle(s) that this BOM represents. 
96 </xs:documentation> 97 </xs:annotation> 98 <xs:complexType> 99 <xs:sequence> 100 <xs:element name="lifecycle" minOccurs="0" maxOccurs="unbounded"> 101 <xs:complexType> 102 <xs:choice> 103 <xs:sequence> 104 <xs:element name="phase" type="bom:lifecyclePhaseType" minOccurs="1" maxOccurs="1"> 105 <xs:annotation> 106 <xs:documentation> 107 A pre-defined phase in the product lifecycle. 108 </xs:documentation> 109 </xs:annotation> 110 </xs:element> 111 </xs:sequence> 112 <xs:sequence> 113 <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 114 <xs:annotation> 115 <xs:documentation> 116 The name of the lifecycle phase 117 </xs:documentation> 118 </xs:annotation> 119 </xs:element> 120 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 121 <xs:annotation> 122 <xs:documentation> 123 The description of the lifecycle phase 124 </xs:documentation> 125 </xs:annotation> 126 </xs:element> 127 </xs:sequence> 128 </xs:choice> 129 </xs:complexType> 130 </xs:element> 131 </xs:sequence> 132 </xs:complexType> 133 </xs:element> 134 <xs:element name="tools" minOccurs="0" maxOccurs="1"> 135 <xs:annotation> 136 <xs:documentation>The tool(s) used in the creation of the BOM.</xs:documentation> 137 </xs:annotation> 138 <xs:complexType> 139 <xs:choice> 140 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 141 <xs:element name="tool" minOccurs="0" type="bom:toolType"> 142 <xs:annotation> 143 <xs:documentation>DEPRECATED. 
Use tools\components or tools\services instead.</xs:documentation> 144 </xs:annotation> 145 </xs:element> 146 </xs:sequence> 147 <xs:sequence minOccurs="0" maxOccurs="1"> 148 <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 149 <xs:annotation> 150 <xs:documentation>A list of software and hardware components used as tools.</xs:documentation> 151 </xs:annotation> 152 </xs:element> 153 <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1"> 154 <xs:annotation> 155 <xs:documentation>A list of services used as tools.</xs:documentation> 156 </xs:annotation> 157 </xs:element> 158 </xs:sequence> 159 </xs:choice> 160 </xs:complexType> 161 </xs:element> 162 <xs:element name="authors" minOccurs="0" maxOccurs="1"> 163 <xs:annotation> 164 <xs:documentation>The person(s) who created the BOM. Authors are common in BOMs created through 165 manual processes. BOMs created through automated means may not have authors.</xs:documentation> 166 </xs:annotation> 167 <xs:complexType> 168 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 169 <xs:element name="author" type="bom:organizationalContact"/> 170 </xs:sequence> 171 </xs:complexType> 172 </xs:element> 173 <xs:element name="component" type="bom:component" minOccurs="0"> 174 <xs:annotation> 175 <xs:documentation>The component that the BOM describes.</xs:documentation> 176 </xs:annotation> 177 </xs:element> 178 <xs:element name="manufacture" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 179 <xs:annotation> 180 <xs:documentation>The organization that manufactured the component that the BOM describes.</xs:documentation> 181 </xs:annotation> 182 </xs:element> 183 <xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 184 <xs:annotation> 185 <xs:documentation>The organization that supplied the component that the BOM describes. 
The 186 supplier may often be the manufacturer, but may also be a distributor or repackager.</xs:documentation> 187 </xs:annotation> 188 </xs:element> 189 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 190 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 191 <xs:annotation> 192 <xs:documentation>Provides the ability to document properties in a name/value store. 193 This provides flexibility to include data not officially supported in the standard 194 without having to use additional namespaces or create extensions. Property names 195 of interest to the general public are encouraged to be registered in the 196 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 197 Formal registration is OPTIONAL.</xs:documentation> 198 </xs:annotation> 199 </xs:element> 200 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 201 <xs:annotation> 202 <xs:documentation> 203 Allows any undeclared elements as long as the elements are placed in a different namespace. 204 </xs:documentation> 205 </xs:annotation> 206 </xs:any> 207 </xs:sequence> 208 <xs:anyAttribute namespace="##other" processContents="lax"> 209 <xs:annotation> 210 <xs:documentation>User-defined attributes may be used on this element as long as they 211 do not have the same name as an existing attribute used by the schema.</xs:documentation> 212 </xs:annotation> 213 </xs:anyAttribute> 214 </xs:complexType> 215 216 <xs:simpleType name="lifecyclePhaseType"> 217 <xs:restriction base="xs:string"> 218 <xs:enumeration value="design"> 219 <xs:annotation> 220 <xs:documentation> 221 BOM produced early in the development lifecycle containing inventory of components and services 222 that are proposed or planned to be used. The inventory may need to be procured, retrieved, 223 or resourced prior to use. 
224 </xs:documentation> 225 </xs:annotation> 226 </xs:enumeration> 227 <xs:enumeration value="pre-build"> 228 <xs:annotation> 229 <xs:documentation> 230 BOM consisting of information obtained prior to a build process and may contain source files 231 and development artifacts and manifests. The inventory may need to be resolved and retrieved 232 prior to use. 233 </xs:documentation> 234 </xs:annotation> 235 </xs:enumeration> 236 <xs:enumeration value="build"> 237 <xs:annotation> 238 <xs:documentation> 239 BOM consisting of information obtained during a build process where component inventory is 240 available for use. The precise versions of resolved components are usually available at this 241 time as well as the provenance of where the components were retrieved from. 242 </xs:documentation> 243 </xs:annotation> 244 </xs:enumeration> 245 <xs:enumeration value="post-build"> 246 <xs:annotation> 247 <xs:documentation> 248 BOM consisting of information obtained after a build process has completed and the resulting 249 components(s) are available for further analysis. Built components may exist as the result of a 250 CI/CD process, may have been installed or deployed to a system or device, and may need to be 251 retrieved or extracted from the system or device. 252 </xs:documentation> 253 </xs:annotation> 254 </xs:enumeration> 255 <xs:enumeration value="operations"> 256 <xs:annotation> 257 <xs:documentation> 258 BOM produced that represents inventory that is running and operational. This may include staging 259 or production environments and will generally encompass multiple SBOMs describing the applications 260 and operating system, along with HBOMs describing the hardware that makes up the system. Operations 261 Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, 262 and additional dependencies. 
263 </xs:documentation> 264 </xs:annotation> 265 </xs:enumeration> 266 <xs:enumeration value="discovery"> 267 <xs:annotation> 268 <xs:documentation> 269 BOM consisting of information observed through network discovery providing point-in-time 270 enumeration of embedded, on-premise, and cloud-native services such as server applications, 271 connected devices, microservices, and serverless functions. 272 </xs:documentation> 273 </xs:annotation> 274 </xs:enumeration> 275 <xs:enumeration value="decommission"> 276 <xs:annotation> 277 <xs:documentation> 278 BOM containing inventory that will be, or has been retired from operations. 279 </xs:documentation> 280 </xs:annotation> 281 </xs:enumeration> 282 </xs:restriction> 283 </xs:simpleType> 284 285 <xs:complexType name="organizationalEntity"> 286 <xs:sequence minOccurs="0" maxOccurs="1"> 287 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 288 <xs:annotation> 289 <xs:documentation>The name of the organization</xs:documentation> 290 </xs:annotation> 291 </xs:element> 292 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"> 293 <xs:annotation> 294 <xs:documentation>The URL of the organization. Multiple URLs are allowed.</xs:documentation> 295 </xs:annotation> 296 </xs:element> 297 <xs:element name="contact" type="bom:organizationalContact" minOccurs="0" maxOccurs="unbounded"> 298 <xs:annotation> 299 <xs:documentation>A contact person at the organization. Multiple contacts are allowed.</xs:documentation> 300 </xs:annotation> 301 </xs:element> 302 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 303 <xs:annotation> 304 <xs:documentation> 305 Allows any undeclared elements as long as the elements are placed in a different namespace. 
306 </xs:documentation> 307 </xs:annotation> 308 </xs:any> 309 </xs:sequence> 310 <xs:attribute name="bom-ref" type="bom:refType"> 311 <xs:annotation> 312 <xs:documentation> 313 An optional identifier which can be used to reference the object elsewhere in the BOM. 314 Uniqueness is enforced within all elements and children of the root-level bom element. 315 </xs:documentation> 316 </xs:annotation> 317 </xs:attribute> 318 <xs:anyAttribute namespace="##other" processContents="lax"> 319 <xs:annotation> 320 <xs:documentation>User-defined attributes may be used on this element as long as they 321 do not have the same name as an existing attribute used by the schema.</xs:documentation> 322 </xs:annotation> 323 </xs:anyAttribute> 324 </xs:complexType> 325 326 <xs:complexType name="toolType"> 327 <xs:annotation> 328 <xs:documentation>Information about the automated or manual tool used</xs:documentation> 329 </xs:annotation> 330 <xs:sequence minOccurs="0" maxOccurs="1"> 331 <xs:element name="vendor" minOccurs="0" maxOccurs="1" type="xs:normalizedString"> 332 <xs:annotation> 333 <xs:documentation>The name of the vendor who created the tool</xs:documentation> 334 </xs:annotation> 335 </xs:element> 336 <xs:element name="name" minOccurs="0" maxOccurs="1" type="xs:normalizedString"> 337 <xs:annotation> 338 <xs:documentation>The name of the tool</xs:documentation> 339 </xs:annotation> 340 </xs:element> 341 <xs:element name="version" minOccurs="0" maxOccurs="1" type="xs:normalizedString"> 342 <xs:annotation> 343 <xs:documentation>The version of the tool</xs:documentation> 344 </xs:annotation> 345 </xs:element> 346 <xs:element name="hashes" minOccurs="0" maxOccurs="1"> 347 <xs:complexType> 348 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 349 <xs:element name="hash" type="bom:hashType"/> 350 </xs:sequence> 351 </xs:complexType> 352 </xs:element> 353 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 354 <xs:annotation> 355 
<xs:documentation>Provides the ability to document external references related to the tool.</xs:documentation> 356 </xs:annotation> 357 </xs:element> 358 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 359 <xs:annotation> 360 <xs:documentation> 361 Allows any undeclared elements as long as the elements are placed in a different namespace. 362 </xs:documentation> 363 </xs:annotation> 364 </xs:any> 365 </xs:sequence> 366 <xs:anyAttribute namespace="##other" processContents="lax"> 367 <xs:annotation> 368 <xs:documentation>User-defined attributes may be used on this element as long as they 369 do not have the same name as an existing attribute used by the schema.</xs:documentation> 370 </xs:annotation> 371 </xs:anyAttribute> 372 </xs:complexType> 373 374 <xs:complexType name="organizationalContact"> 375 <xs:sequence minOccurs="0" maxOccurs="1"> 376 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 377 <xs:annotation> 378 <xs:documentation>The name of the contact</xs:documentation> 379 </xs:annotation> 380 </xs:element> 381 <xs:element name="email" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 382 <xs:annotation> 383 <xs:documentation>The email address of the contact.</xs:documentation> 384 </xs:annotation> 385 </xs:element> 386 <xs:element name="phone" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 387 <xs:annotation> 388 <xs:documentation>The phone number of the contact.</xs:documentation> 389 </xs:annotation> 390 </xs:element> 391 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 392 <xs:annotation> 393 <xs:documentation> 394 Allows any undeclared elements as long as the elements are placed in a different namespace. 
395 </xs:documentation> 396 </xs:annotation> 397 </xs:any> 398 </xs:sequence> 399 <xs:attribute name="bom-ref" type="bom:refType"> 400 <xs:annotation> 401 <xs:documentation> 402 An optional identifier which can be used to reference the object elsewhere in the BOM. 403 Uniqueness is enforced within all elements and children of the root-level bom element. 404 </xs:documentation> 405 </xs:annotation> 406 </xs:attribute> 407 <xs:anyAttribute namespace="##other" processContents="lax"> 408 <xs:annotation> 409 <xs:documentation>User-defined attributes may be used on this element as long as they 410 do not have the same name as an existing attribute used by the schema.</xs:documentation> 411 </xs:annotation> 412 </xs:anyAttribute> 413 </xs:complexType> 414 415 <xs:complexType name="componentsType"> 416 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 417 <xs:element name="component" type="bom:component"/> 418 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 419 <xs:annotation> 420 <xs:documentation> 421 Allows any undeclared elements as long as the elements are placed in a different namespace. 422 </xs:documentation> 423 </xs:annotation> 424 </xs:any> 425 </xs:sequence> 426 <xs:anyAttribute namespace="##any" processContents="lax"> 427 <xs:annotation> 428 <xs:documentation>User-defined attributes may be used on this element as long as they 429 do not have the same name as an existing attribute used by the schema.</xs:documentation> 430 </xs:annotation> 431 </xs:anyAttribute> 432 </xs:complexType> 433 434 <xs:complexType name="component"> 435 <xs:sequence> 436 <xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 437 <xs:annotation> 438 <xs:documentation>The organization that supplied the component. 
The supplier may often 439 be the manufacturer, but may also be a distributor or repackager.</xs:documentation> 440 </xs:annotation> 441 </xs:element> 442 <xs:element name="author" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 443 <xs:annotation> 444 <xs:documentation>The person(s) or organization(s) that authored the component</xs:documentation> 445 </xs:annotation> 446 </xs:element> 447 <xs:element name="publisher" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 448 <xs:annotation> 449 <xs:documentation>The person(s) or organization(s) that published the component</xs:documentation> 450 </xs:annotation> 451 </xs:element> 452 <xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 453 <xs:annotation> 454 <xs:documentation>The grouping name or identifier. This will often be a shortened, single 455 name of the company or project that produced the component, or the source package or 456 domain name. Whitespace and special characters should be avoided. Examples include: 457 apache, org.apache.commons, and apache.org.</xs:documentation> 458 </xs:annotation> 459 </xs:element> 460 <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 461 <xs:annotation> 462 <xs:documentation>The name of the component. This will often be a shortened, single name 463 of the component. Examples: commons-lang3 and jquery</xs:documentation> 464 </xs:annotation> 465 </xs:element> 466 <xs:element name="version" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 467 <xs:annotation> 468 <xs:documentation>The component version. 
The version should ideally comply with semantic versioning 469 but is not enforced.</xs:documentation> 470 </xs:annotation> 471 </xs:element> 472 <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 473 <xs:annotation> 474 <xs:documentation>Specifies a description for the component</xs:documentation> 475 </xs:annotation> 476 </xs:element> 477 <xs:element name="scope" type="bom:scope" minOccurs="0" maxOccurs="1" default="required"> 478 <xs:annotation> 479 <xs:documentation>Specifies the scope of the component. If scope is not specified, 'required' 480 scope SHOULD be assumed by the consumer of the BOM.</xs:documentation> 481 </xs:annotation> 482 </xs:element> 483 <xs:element name="hashes" minOccurs="0" maxOccurs="1"> 484 <xs:complexType> 485 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 486 <xs:element name="hash" type="bom:hashType"/> 487 </xs:sequence> 488 </xs:complexType> 489 </xs:element> 490 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 491 <xs:element name="copyright" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 492 <xs:annotation> 493 <xs:documentation>A copyright notice informing users of the underlying claims to 494 copyright ownership in a published work.</xs:documentation> 495 </xs:annotation> 496 </xs:element> 497 <xs:element name="cpe" type="bom:cpe" minOccurs="0" maxOccurs="1"> 498 <xs:annotation> 499 <xs:documentation> 500 Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe 501 </xs:documentation> 502 </xs:annotation> 503 </xs:element> 504 <xs:element name="purl" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 505 <xs:annotation> 506 <xs:documentation> 507 Specifies the package-url (purl). 
The purl, if specified, MUST be valid and conform 508 to the specification defined at: https://github.com/package-url/purl-spec 509 </xs:documentation> 510 </xs:annotation> 511 </xs:element> 512 <xs:element name="swid" type="bom:swidType" minOccurs="0" maxOccurs="1"> 513 <xs:annotation> 514 <xs:documentation> 515 Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. 516 </xs:documentation> 517 </xs:annotation> 518 </xs:element> 519 <xs:element name="modified" type="xs:boolean" minOccurs="0" maxOccurs="1"> 520 <xs:annotation> 521 <xs:documentation> 522 DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree 523 element instead to supply information on exactly how the component was modified. 524 A boolean value indicating if the component has been modified from the original. 525 A value of true indicates the component is a derivative of the original. 526 A value of false indicates the component has not been modified from the original. 527 </xs:documentation> 528 </xs:annotation> 529 </xs:element> 530 <xs:element name="pedigree" type="bom:pedigreeType" minOccurs="0" maxOccurs="1"> 531 <xs:annotation> 532 <xs:documentation> 533 Component pedigree is a way to document complex supply chain scenarios where components are 534 created, distributed, modified, redistributed, combined with other components, etc. 535 </xs:documentation> 536 </xs:annotation> 537 </xs:element> 538 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 539 <xs:annotation> 540 <xs:documentation>Provides the ability to document external references related to the 541 component or to the project the component describes.</xs:documentation> 542 </xs:annotation> 543 </xs:element> 544 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 545 <xs:annotation> 546 <xs:documentation>Provides the ability to document properties in a name/value store. 
547 This provides flexibility to include data not officially supported in the standard 548 without having to use additional namespaces or create extensions. Property names 549 of interest to the general public are encouraged to be registered in the 550 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 551 Formal registration is OPTIONAL.</xs:documentation> 552 </xs:annotation> 553 </xs:element> 554 <xs:element name="components" minOccurs="0" maxOccurs="1"> 555 <xs:annotation> 556 <xs:documentation> 557 A list of software and hardware components included in the parent component. This is not a 558 dependency tree. It provides a way to specify a hierarchical representation of component 559 assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. 560 </xs:documentation> 561 </xs:annotation> 562 <xs:complexType> 563 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 564 <xs:element name="component" type="bom:component"/> 565 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 566 <xs:annotation> 567 <xs:documentation> 568 Allows any undeclared elements as long as the elements are placed in a different namespace. 
569 </xs:documentation> 570 </xs:annotation> 571 </xs:any> 572 </xs:sequence> 573 </xs:complexType> 574 </xs:element> 575 <xs:element name="evidence" type="bom:componentEvidenceType" minOccurs="0" maxOccurs="1"> 576 <xs:annotation> 577 <xs:documentation>Provides the ability to document evidence collected through various forms of extraction or analysis.</xs:documentation> 578 </xs:annotation> 579 </xs:element> 580 <xs:element name="releaseNotes" type="bom:releaseNotesType" minOccurs="0" maxOccurs="1"> 581 <xs:annotation> 582 <xs:documentation>Specifies optional release notes.</xs:documentation> 583 </xs:annotation> 584 </xs:element> 585 <xs:element name="modelCard" type="bom:modelCardType" minOccurs="0" maxOccurs="1"> 586 <xs:annotation> 587 <xs:documentation>A model card describes the intended uses of a machine learning model and potential 588 limitations, including biases and ethical considerations. Model cards typically contain the 589 training parameters, which datasets were used to train the model, performance metrics, and other 590 relevant data useful for ML transparency. This object SHOULD be specified for any component of 591 type `machine-learning-model` and MUST NOT be specified for other component types.</xs:documentation> 592 </xs:annotation> 593 </xs:element> 594 <xs:element name="data" type="bom:componentDataType" minOccurs="0" maxOccurs="1"> 595 <xs:annotation> 596 <xs:documentation>This object SHOULD be specified for any component of type `data` and MUST NOT be 597 specified for other component types.</xs:documentation> 598 </xs:annotation> 599 </xs:element> 600 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 601 <xs:annotation> 602 <xs:documentation> 603 Allows any undeclared elements as long as the elements are placed in a different namespace. 
604 </xs:documentation> 605 </xs:annotation> 606 </xs:any> 607 </xs:sequence> 608 <xs:attribute name="type" type="bom:classification" use="required"> 609 <xs:annotation> 610 <xs:documentation> 611 Specifies the type of component. For software components, classify as application if no more 612 specific appropriate classification is available or cannot be determined for the component. 613 </xs:documentation> 614 </xs:annotation> 615 </xs:attribute> 616 <xs:attribute name="mime-type" type="bom:mimeType"> 617 <xs:annotation> 618 <xs:documentation> 619 The OPTIONAL mime-type of the component. When used on file components, the mime-type 620 can provide additional context about the kind of file being represented such as an image, 621 font, or executable. Some library or framework components may also have an associated mime-type. 622 </xs:documentation> 623 </xs:annotation> 624 </xs:attribute> 625 <xs:attribute name="bom-ref" type="bom:refType"> 626 <xs:annotation> 627 <xs:documentation> 628 An optional identifier which can be used to reference the component elsewhere in the BOM. 629 Uniqueness is enforced within all elements and children of the root-level bom element. 
630 </xs:documentation> 631 </xs:annotation> 632 </xs:attribute> 633 <xs:anyAttribute namespace="##any" processContents="lax"> 634 <xs:annotation> 635 <xs:documentation>User-defined attributes may be used on this element as long as they 636 do not have the same name as an existing attribute used by the schema.</xs:documentation> 637 </xs:annotation> 638 </xs:anyAttribute> 639 </xs:complexType> 640 641 <xs:complexType name="licenseType"> 642 <xs:sequence> 643 <xs:choice> 644 <xs:element name="id" type="spdx:licenseId" minOccurs="0" maxOccurs="1"> 645 <xs:annotation> 646 <xs:documentation>A valid SPDX license ID</xs:documentation> 647 </xs:annotation> 648 </xs:element> 649 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 650 <xs:annotation> 651 <xs:documentation>If SPDX does not define the license used, this field may be used to provide the license name</xs:documentation> 652 </xs:annotation> 653 </xs:element> 654 </xs:choice> 655 <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 656 <xs:annotation> 657 <xs:documentation>Specifies the optional full text of the attachment</xs:documentation> 658 </xs:annotation> 659 </xs:element> 660 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 661 <xs:annotation> 662 <xs:documentation>The URL to the attachment file. 
If the attachment is a license or BOM, 663 an externalReference should also be specified for completeness.</xs:documentation> 664 </xs:annotation> 665 </xs:element> 666 <xs:element name="licensing" minOccurs="0" maxOccurs="1"> 667 <xs:annotation> 668 <xs:documentation>Licensing details describing the licensor/licensee, license type, renewal and 669 expiration dates, and other important metadata</xs:documentation> 670 </xs:annotation> 671 <xs:complexType> 672 <xs:sequence> 673 <xs:element name="altIds" minOccurs="0" maxOccurs="1"> 674 <xs:annotation> 675 <xs:documentation>License identifiers that may be used to manage licenses and 676 their lifecycle</xs:documentation> 677 </xs:annotation> 678 <xs:complexType> 679 <xs:sequence> 680 <xs:element name="altId" type="xs:normalizedString" minOccurs="0" maxOccurs="unbounded"/> 681 </xs:sequence> 682 </xs:complexType> 683 </xs:element> 684 <xs:element name="licensor" minOccurs="0" maxOccurs="1"> 685 <xs:annotation> 686 <xs:documentation>The individual or organization that grants a license to another 687 individual or organization</xs:documentation> 688 </xs:annotation> 689 <xs:complexType> 690 <xs:sequence> 691 <xs:choice> 692 <xs:element name="organization" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 693 <xs:annotation> 694 <xs:documentation>The organization that granted the license</xs:documentation> 695 </xs:annotation> 696 </xs:element> 697 <xs:element name="individual" type="bom:organizationalContact" minOccurs="0" maxOccurs="1"> 698 <xs:annotation> 699 <xs:documentation>The individual, not associated with an organization, 700 that granted the license</xs:documentation> 701 </xs:annotation> 702 </xs:element> 703 </xs:choice> 704 </xs:sequence> 705 </xs:complexType> 706 </xs:element> 707 <xs:element name="licensee" minOccurs="0" maxOccurs="1"> 708 <xs:annotation> 709 <xs:documentation>The individual or organization for which a license was granted to</xs:documentation> 710 </xs:annotation> 711 
<xs:complexType> 712 <xs:sequence> 713 <xs:choice> 714 <xs:element name="organization" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 715 <xs:annotation> 716 <xs:documentation>The organization that was granted the license</xs:documentation> 717 </xs:annotation> 718 </xs:element> 719 <xs:element name="individual" type="bom:organizationalContact" minOccurs="0" maxOccurs="1"> 720 <xs:annotation> 721 <xs:documentation>The individual, not associated with an organization, 722 that was granted the license</xs:documentation> 723 </xs:annotation> 724 </xs:element> 725 </xs:choice> 726 </xs:sequence> 727 </xs:complexType> 728 </xs:element> 729 <xs:element name="purchaser" minOccurs="0" maxOccurs="1"> 730 <xs:annotation> 731 <xs:documentation>The individual or organization that purchased the license</xs:documentation> 732 </xs:annotation> 733 <xs:complexType> 734 <xs:sequence> 735 <xs:choice> 736 <xs:element name="organization" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 737 <xs:annotation> 738 <xs:documentation>The organization that purchased the license</xs:documentation> 739 </xs:annotation> 740 </xs:element> 741 <xs:element name="individual" type="bom:organizationalContact" minOccurs="0" maxOccurs="1"> 742 <xs:annotation> 743 <xs:documentation>The individual, not associated with an organization, 744 that purchased the license</xs:documentation> 745 </xs:annotation> 746 </xs:element> 747 </xs:choice> 748 </xs:sequence> 749 </xs:complexType> 750 </xs:element> 751 <xs:element name="purchaseOrder" type="xs:string" minOccurs="0" maxOccurs="1"> 752 <xs:annotation> 753 <xs:documentation>The purchase order identifier the purchaser sent to a supplier or 754 vendor to authorize a purchase</xs:documentation> 755 </xs:annotation> 756 </xs:element> 757 <xs:element name="licenseTypes" minOccurs="0" maxOccurs="1"> 758 <xs:annotation> 759 <xs:documentation>The type of license(s) that was granted to the licensee</xs:documentation> 760 </xs:annotation> 761 
<xs:complexType> 762 <xs:sequence> 763 <xs:element name="licenseType" type="bom:licenseTypeEnum" minOccurs="0" maxOccurs="unbounded"/> 764 </xs:sequence> 765 </xs:complexType> 766 </xs:element> 767 <xs:element name="lastRenewal" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 768 <xs:annotation> 769 <xs:documentation xml:lang="en">The timestamp indicating when the license was last 770 renewed. For new purchases, this is often the purchase or acquisition date. 771 For non-perpetual licenses or subscriptions, this is the timestamp of when the 772 license was last renewed.</xs:documentation> 773 </xs:annotation> 774 </xs:element> 775 <xs:element name="expiration" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 776 <xs:annotation> 777 <xs:documentation xml:lang="en">The timestamp indicating when the current license 778 expires (if applicable).</xs:documentation> 779 </xs:annotation> 780 </xs:element> 781 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 782 <xs:annotation> 783 <xs:documentation> 784 Allows any undeclared elements as long as the elements are placed in a different namespace. 785 </xs:documentation> 786 </xs:annotation> 787 </xs:any> 788 </xs:sequence> 789 </xs:complexType> 790 </xs:element> 791 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 792 <xs:annotation> 793 <xs:documentation>Provides the ability to document properties in a name/value store. 794 This provides flexibility to include data not officially supported in the standard 795 without having to use additional namespaces or create extensions. Property names 796 of interest to the general public are encouraged to be registered in the 797 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 
798 Formal registration is OPTIONAL.</xs:documentation> 799 </xs:annotation> 800 </xs:element> 801 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 802 <xs:annotation> 803 <xs:documentation> 804 Allows any undeclared elements as long as the elements are placed in a different namespace. 805 </xs:documentation> 806 </xs:annotation> 807 </xs:any> 808 </xs:sequence> 809 <xs:attribute name="bom-ref" type="bom:refType"> 810 <xs:annotation> 811 <xs:documentation> 812 An optional identifier which can be used to reference the license elsewhere in the BOM. 813 Uniqueness is enforced within all elements and children of the root-level bom element. 814 </xs:documentation> 815 </xs:annotation> 816 </xs:attribute> 817 </xs:complexType> 818 819 <!-- attachedTextType: free-form attachment text (simple content extending xs:string) carrying an optional content-type attribute. --> <xs:complexType name="attachedTextType"> 820 <xs:simpleContent> 821 <xs:extension base="xs:string"> 822 <xs:annotation> 823 <xs:documentation>The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.</xs:documentation> 824 </xs:annotation> 825 <!-- content-type is typed xs:normalizedString rather than bom:mimeType, so the schema does not restrict its syntax, and the element body is an unconstrained xs:string. Schema-valid input can therefore still carry an unexpected content type or payload; consumers should validate both before choosing a parser or renderer for the attachment. --> <xs:attribute name="content-type" type="xs:normalizedString" default="text/plain"> 826 <xs:annotation> 827 <xs:documentation>Specifies the content type of the text. 
Defaults to text/plain 828 if not specified.</xs:documentation> 829 </xs:annotation> 830 </xs:attribute> 831 <xs:attribute name="encoding" type="bom:encoding"> 832 <xs:annotation> 833 <xs:documentation> 834 Specifies the optional encoding the text is represented in 835 </xs:documentation> 836 </xs:annotation> 837 </xs:attribute> 838 </xs:extension> 839 </xs:simpleContent> 840 </xs:complexType> 841 842 <xs:complexType name="hashType"> 843 <xs:annotation> 844 <xs:documentation>Specifies the file hash of the component</xs:documentation> 845 </xs:annotation> 846 <xs:simpleContent> 847 <xs:extension base="bom:hashValue"> 848 <xs:attribute name="alg" type="bom:hashAlg" use="required"> 849 <xs:annotation> 850 <xs:documentation>Specifies the algorithm used to create the hash</xs:documentation> 851 </xs:annotation> 852 </xs:attribute> 853 </xs:extension> 854 </xs:simpleContent> 855 </xs:complexType> 856 857 <xs:simpleType name="scope"> 858 <xs:restriction base="xs:string"> 859 <xs:enumeration value="required"> 860 <xs:annotation> 861 <xs:documentation>The component is required for runtime</xs:documentation> 862 </xs:annotation> 863 </xs:enumeration> 864 <xs:enumeration value="optional"> 865 <xs:annotation> 866 <xs:documentation>The component is optional at runtime. Optional components are components that 867 are not capable of being called due to them not be installed or otherwise accessible by any means. 868 Components that are installed but due to configuration or other restrictions are prohibited from 869 being called must be scoped as 'required'.</xs:documentation> 870 </xs:annotation> 871 </xs:enumeration> 872 <xs:enumeration value="excluded"> 873 <xs:annotation> 874 <xs:documentation>Components that are excluded provide the ability to document component usage 875 for test and other non-runtime purposes. 
Excluded components are not reachable within a call 876 graph at runtime.</xs:documentation> 877 </xs:annotation> 878 </xs:enumeration> 879 </xs:restriction> 880 </xs:simpleType> 881 882 <xs:simpleType name="classification"> 883 <xs:restriction base="xs:string"> 884 <xs:enumeration value="application"> 885 <xs:annotation> 886 <xs:documentation>A software application. Refer to https://en.wikipedia.org/wiki/Application_software 887 for information about applications.</xs:documentation> 888 </xs:annotation> 889 </xs:enumeration> 890 <xs:enumeration value="framework"> 891 <xs:annotation> 892 <xs:documentation>A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework 893 for information on how frameworks vary slightly from libraries.</xs:documentation> 894 </xs:annotation> 895 </xs:enumeration> 896 <xs:enumeration value="library"> 897 <xs:annotation> 898 <xs:documentation>A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) 899 for information about libraries. All third-party and open source reusable components will likely 900 be a library. If the library also has key features of a framework, then it should be classified 901 as a framework. If not, or is unknown, then specifying library is recommended.</xs:documentation> 902 </xs:annotation> 903 </xs:enumeration> 904 <xs:enumeration value="container"> 905 <xs:annotation> 906 <xs:documentation>A packaging and/or runtime format, not specific to any particular technology, 907 which isolates software inside the container from software outside of a container through 908 virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization</xs:documentation> 909 </xs:annotation> 910 </xs:enumeration> 911 <xs:enumeration value="platform"> 912 <xs:annotation> 913 <xs:documentation>A runtime environment which interprets or executes software. 
This may include 914 runtimes such as those that execute bytecode or low-code/no-code application platforms.</xs:documentation> 915 </xs:annotation> 916 </xs:enumeration> 917 <xs:enumeration value="operating-system"> 918 <xs:annotation> 919 <xs:documentation>A software operating system without regard to deployment model 920 (i.e. installed on physical hardware, virtual machine, image, etc) Refer to 921 https://en.wikipedia.org/wiki/Operating_system</xs:documentation> 922 </xs:annotation> 923 </xs:enumeration> 924 <xs:enumeration value="device"> 925 <xs:annotation> 926 <xs:documentation>A hardware device such as a processor, or chip-set. A hardware device 927 containing firmware SHOULD include a component for the physical hardware itself, and another 928 component of type 'firmware' or 'operating-system' (whichever is relevant), describing 929 information about the software running on the device. 930 See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md 931 </xs:documentation> 932 </xs:annotation> 933 </xs:enumeration> 934 <xs:enumeration value="device-driver"> 935 <xs:annotation> 936 <xs:documentation>A special type of software that operates or controls a particular type of device. 937 Refer to https://en.wikipedia.org/wiki/Device_driver</xs:documentation> 938 </xs:annotation> 939 </xs:enumeration> 940 <xs:enumeration value="firmware"> 941 <xs:annotation> 942 <xs:documentation>A special type of software that provides low-level control over a devices 943 hardware. Refer to https://en.wikipedia.org/wiki/Firmware</xs:documentation> 944 </xs:annotation> 945 </xs:enumeration> 946 <xs:enumeration value="file"> 947 <xs:annotation> 948 <xs:documentation>A computer file. 
Refer to https://en.wikipedia.org/wiki/Computer_file 949 for information about files.</xs:documentation> 950 </xs:annotation> 951 </xs:enumeration> 952 <xs:enumeration value="machine-learning-model"> 953 <xs:annotation> 954 <xs:documentation>A model based on training data that can make predictions or decisions without 955 being explicitly programmed to do so.</xs:documentation> 956 </xs:annotation> 957 </xs:enumeration> 958 <xs:enumeration value="data"> 959 <xs:annotation> 960 <xs:documentation>A collection of discrete values that convey information.</xs:documentation> 961 </xs:annotation> 962 </xs:enumeration> 963 </xs:restriction> 964 </xs:simpleType> 965 966 <!-- hashAlg: the algorithm names accepted by the required alg attribute of hashType. --> <xs:simpleType name="hashAlg"> 967 <xs:restriction base="xs:string"> <!-- MD5 and SHA-1 are accepted values, but both have practical collision attacks. Treat them as identifiers for matching known artifacts, and base integrity decisions on SHA-256 or a stronger entry from this list. --> 968 <xs:enumeration value="MD5"/> 969 <xs:enumeration value="SHA-1"/> 970 <xs:enumeration value="SHA-256"/> 971 <xs:enumeration value="SHA-384"/> 972 <xs:enumeration value="SHA-512"/> 973 <xs:enumeration value="SHA3-256"/> 974 <xs:enumeration value="SHA3-384"/> 975 <xs:enumeration value="SHA3-512"/> 976 <xs:enumeration value="BLAKE2b-256"/> 977 <xs:enumeration value="BLAKE2b-384"/> 978 <xs:enumeration value="BLAKE2b-512"/> 979 <xs:enumeration value="BLAKE3"/> 980 </xs:restriction> 981 </xs:simpleType> 982 983 <xs:simpleType name="licenseTypeEnum"> 984 <xs:restriction base="xs:string"> 985 <xs:enumeration value="academic"> 986 <xs:annotation> 987 <xs:documentation>A license that grants use of software solely for the purpose 988 of education or research.</xs:documentation> 989 </xs:annotation> 990 </xs:enumeration> 991 <xs:enumeration value="appliance"> 992 <xs:annotation> 993 <xs:documentation>A license covering use of software embedded in a specific 994 piece of hardware.</xs:documentation> 995 </xs:annotation> 996 </xs:enumeration> 997 <xs:enumeration value="client-access"> 998 <xs:annotation> 999 <xs:documentation>A Client Access License (CAL) allows client computers to access 1000 services provided by server software.</xs:documentation> 
1001 </xs:annotation> 1002 </xs:enumeration> 1003 <xs:enumeration value="concurrent-user"> 1004 <xs:annotation> 1005 <xs:documentation>A Concurrent User license (aka floating license) limits the 1006 number of licenses for a software application and licenses are shared among 1007 a larger number of users.</xs:documentation> 1008 </xs:annotation> 1009 </xs:enumeration> 1010 <xs:enumeration value="core-points"> 1011 <xs:annotation> 1012 <xs:documentation>A license where the core of a computer's processor is assigned 1013 a specific number of points.</xs:documentation> 1014 </xs:annotation> 1015 </xs:enumeration> 1016 <xs:enumeration value="custom-metric"> 1017 <xs:annotation> 1018 <xs:documentation>A license for which consumption is measured by non-standard 1019 metrics.</xs:documentation> 1020 </xs:annotation> 1021 </xs:enumeration> 1022 <xs:enumeration value="device"> 1023 <xs:annotation> 1024 <xs:documentation>A license that covers a defined number of installations on 1025 computers and other types of devices.</xs:documentation> 1026 </xs:annotation> 1027 </xs:enumeration> 1028 <xs:enumeration value="evaluation"> 1029 <xs:annotation> 1030 <xs:documentation>A license that grants permission to install and use software 1031 for trial purposes.</xs:documentation> 1032 </xs:annotation> 1033 </xs:enumeration> 1034 <xs:enumeration value="named-user"> 1035 <xs:annotation> 1036 <xs:documentation>A license that grants access to the software to one or more 1037 pre-defined users.</xs:documentation> 1038 </xs:annotation> 1039 </xs:enumeration> 1040 <xs:enumeration value="node-locked"> 1041 <xs:annotation> 1042 <xs:documentation>A license that grants access to the software on one or more 1043 pre-defined computers or devices.</xs:documentation> 1044 </xs:annotation> 1045 </xs:enumeration> 1046 <xs:enumeration value="oem"> 1047 <xs:annotation> 1048 <xs:documentation>An Original Equipment Manufacturer license that is delivered 1049 with hardware, cannot be transferred to other 
hardware, and is valid for the 1050 life of the hardware.</xs:documentation> 1051 </xs:annotation> 1052 </xs:enumeration> 1053 <xs:enumeration value="perpetual"> 1054 <xs:annotation> 1055 <xs:documentation>A license where the software is sold on a one-time basis and 1056 the licensee can use a copy of the software indefinitely.</xs:documentation> 1057 </xs:annotation> 1058 </xs:enumeration> 1059 <xs:enumeration value="processor-points"> 1060 <xs:annotation> 1061 <xs:documentation>A license where each installation consumes points per 1062 processor.</xs:documentation> 1063 </xs:annotation> 1064 </xs:enumeration> 1065 <xs:enumeration value="subscription"> 1066 <xs:annotation> 1067 <xs:documentation>A license where the licensee pays a fee to use the software 1068 or service.</xs:documentation> 1069 </xs:annotation> 1070 </xs:enumeration> 1071 <xs:enumeration value="user"> 1072 <xs:annotation> 1073 <xs:documentation>A license that grants access to the software or service by a 1074 specified number of users.</xs:documentation> 1075 </xs:annotation> 1076 </xs:enumeration> 1077 <xs:enumeration value="other"> 1078 <xs:annotation> 1079 <xs:documentation>Another license type.</xs:documentation> 1080 </xs:annotation> 1081 </xs:enumeration> 1082 </xs:restriction> 1083 </xs:simpleType> 1084 1085 <!-- hashValue: lexical form of a digest; the base type that hashType extends with the alg attribute. --> <xs:simpleType name="hashValue"> 1086 <xs:restriction base="xs:token"> <!-- Accepts only hex strings of 32, 40, 64, 96 or 128 characters, in either letter case. The pattern does not relate the length to the alg attribute of hashType, so a consumer comparing digests should also check that the length fits the declared algorithm and should normalise case before comparing. --> 1087 <xs:pattern value="([a-fA-F0-9]{32})|([a-fA-F0-9]{40})|([a-fA-F0-9]{64})|([a-fA-F0-9]{96})|([a-fA-F0-9]{128})"/> 1088 </xs:restriction> 1089 </xs:simpleType> 1090 1091 <xs:simpleType name="mimeType"> 1092 <xs:restriction base="xs:token"> <!-- Matches a bare type/subtype made of lowercase letters, digits, "-", "+" and "."; values with parameters (for example a charset suffix) or uppercase letters do not match. --> 1093 <xs:pattern value="[-+a-z0-9.]+/[-+a-z0-9.]+"/> 1094 </xs:restriction> 1095 </xs:simpleType> 1096 1097 <xs:simpleType name="encoding"> 1098 <xs:restriction base="xs:string"> 1099 <xs:enumeration value="base64"/> 1100 </xs:restriction> 1101 </xs:simpleType> 1102 1103 <xs:simpleType name="cpe"> 1104 <xs:annotation> 1105 <xs:documentation xml:lang="en"> 1106 Define the format 
for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. 1107 Refer to https://nvd.nist.gov/products/cpe for official specification. 1108 </xs:documentation> 1109 </xs:annotation> 1110 <xs:restriction base="xs:string"> 1111 <xs:pattern value="([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})|(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})"/> 1112 </xs:restriction> 1113 </xs:simpleType> 1114 1115 <xs:complexType name="swidType"> 1116 <xs:sequence> 1117 <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 1118 <xs:annotation> 1119 <xs:documentation>Specifies the full content of the SWID tag.</xs:documentation> 1120 </xs:annotation> 1121 </xs:element> 1122 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 1123 <xs:annotation> 1124 <xs:documentation>The URL to the SWID file.</xs:documentation> 1125 </xs:annotation> 1126 </xs:element> 1127 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1128 <xs:annotation> 1129 <xs:documentation> 1130 Allows any undeclared elements as long as the elements are placed in a different namespace. 
1131 </xs:documentation> 1132 </xs:annotation> 1133 </xs:any> 1134 </xs:sequence> 1135 <xs:attribute name="tagId" type="xs:string" use="required"> 1136 <xs:annotation> 1137 <xs:documentation>Maps to the tagId of a SoftwareIdentity.</xs:documentation> 1138 </xs:annotation> 1139 </xs:attribute> 1140 <xs:attribute name="name" type="xs:string" use="required"> 1141 <xs:annotation> 1142 <xs:documentation>Maps to the name of a SoftwareIdentity.</xs:documentation> 1143 </xs:annotation> 1144 </xs:attribute> 1145 <xs:attribute name="version" type="xs:string" use="optional" default="0.0"> 1146 <xs:annotation> 1147 <xs:documentation>Maps to the version of a SoftwareIdentity.</xs:documentation> 1148 </xs:annotation> 1149 </xs:attribute> 1150 <xs:attribute name="tagVersion" type="xs:integer" use="optional" default="0"> 1151 <xs:annotation> 1152 <xs:documentation>Maps to the tagVersion of a SoftwareIdentity.</xs:documentation> 1153 </xs:annotation> 1154 </xs:attribute> 1155 <xs:attribute name="patch" type="xs:boolean" use="optional" default="false"> 1156 <xs:annotation> 1157 <xs:documentation>Maps to the patch of a SoftwareIdentity.</xs:documentation> 1158 </xs:annotation> 1159 </xs:attribute> 1160 </xs:complexType> 1161 1162 <xs:simpleType name="urnUuid"> 1163 <xs:annotation> 1164 <xs:documentation xml:lang="en"> 1165 Defines a string representation of a UUID conforming to RFC 4122. 
1166 </xs:documentation> 1167 </xs:annotation> 1168 <xs:restriction base="xs:string"> <!-- NOTE(review): the top-level "|" splits this pattern into two alternatives: "urn:uuid:" followed by a lowercase UUID, or a lowercase UUID wrapped in braces with no "urn:uuid:" prefix. A value accepted by this type is therefore not guaranteed to carry the prefix; consumers that rely on it should check for it themselves. --> 1169 <xs:pattern value="urn:uuid:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})|(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})"/> 1170 </xs:restriction> 1171 </xs:simpleType> 1172 1173 <xs:simpleType name="externalReferenceType"> 1174 <xs:restriction base="xs:string"> 1175 <xs:enumeration value="vcs"> 1176 <xs:annotation> 1177 <xs:documentation>Version Control System</xs:documentation> 1178 </xs:annotation> 1179 </xs:enumeration> 1180 <xs:enumeration value="issue-tracker"> 1181 <xs:annotation> 1182 <xs:documentation>Issue or defect tracking system, or an Application Lifecycle Management (ALM) system</xs:documentation> 1183 </xs:annotation> 1184 </xs:enumeration> 1185 <xs:enumeration value="website"> 1186 <xs:annotation> 1187 <xs:documentation>Website</xs:documentation> 1188 </xs:annotation> 1189 </xs:enumeration> 1190 <xs:enumeration value="advisories"> 1191 <xs:annotation> 1192 <xs:documentation>Security advisories</xs:documentation> 1193 </xs:annotation> 1194 </xs:enumeration> 1195 <xs:enumeration value="bom"> 1196 <xs:annotation> 1197 <xs:documentation>Bill-of-materials (SBOM, OBOM, HBOM, SaaSBOM, etc)</xs:documentation> 1198 </xs:annotation> 1199 </xs:enumeration> 1200 <xs:enumeration value="mailing-list"> 1201 <xs:annotation> 1202 <xs:documentation>Mailing list or discussion group</xs:documentation> 1203 </xs:annotation> 1204 </xs:enumeration> 1205 <xs:enumeration value="social"> 1206 <xs:annotation> 1207 <xs:documentation>Social media account</xs:documentation> 1208 </xs:annotation> 1209 </xs:enumeration> 1210 <xs:enumeration value="chat"> 1211 <xs:annotation> 1212 <xs:documentation>Real-time chat platform</xs:documentation> 1213 </xs:annotation> 1214 </xs:enumeration> 1215 <xs:enumeration value="documentation"> 1216 <xs:annotation> 1217 <xs:documentation>Documentation, guides, or how-to instructions</xs:documentation> 1218 
</xs:annotation> 1219 </xs:enumeration> 1220 <xs:enumeration value="support"> 1221 <xs:annotation> 1222 <xs:documentation>Community or commercial support</xs:documentation> 1223 </xs:annotation> 1224 </xs:enumeration> 1225 <xs:enumeration value="distribution"> 1226 <xs:annotation> 1227 <xs:documentation>Direct or repository download location</xs:documentation> 1228 </xs:annotation> 1229 </xs:enumeration> 1230 <xs:enumeration value="distribution-intake"> 1231 <xs:annotation> 1232 <xs:documentation>The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary</xs:documentation> 1233 </xs:annotation> 1234 </xs:enumeration> 1235 <xs:enumeration value="license"> 1236 <xs:annotation> 1237 <xs:documentation>The URL to the license file. If a license URL has been defined in the license 1238 node, it should also be defined as an external reference for completeness</xs:documentation> 1239 </xs:annotation> 1240 </xs:enumeration> 1241 <xs:enumeration value="build-meta"> 1242 <xs:annotation> 1243 <xs:documentation>Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)</xs:documentation> 1244 </xs:annotation> 1245 </xs:enumeration> 1246 <xs:enumeration value="build-system"> 1247 <xs:annotation> 1248 <xs:documentation>URL to an automated build system</xs:documentation> 1249 </xs:annotation> 1250 </xs:enumeration> 1251 <xs:enumeration value="release-notes"> 1252 <xs:annotation> 1253 <xs:documentation>URL to release notes</xs:documentation> 1254 </xs:annotation> 1255 </xs:enumeration> 1256 <xs:enumeration value="security-contact"> 1257 <xs:annotation> 1258 <xs:documentation>Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. 
Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.</xs:documentation> 1259 </xs:annotation> 1260 </xs:enumeration> 1261 <xs:enumeration value="model-card"> 1262 <xs:annotation> 1263 <xs:documentation>A model card describes the intended uses of a machine learning model, potential 1264 limitations, biases, ethical considerations, training parameters, datasets used to train the 1265 model, performance metrics, and other relevant data useful for ML transparency.</xs:documentation> 1266 </xs:annotation> 1267 </xs:enumeration> 1268 <xs:enumeration value="log"> 1269 <xs:annotation> 1270 <xs:documentation>A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.</xs:documentation> 1271 </xs:annotation> 1272 </xs:enumeration> 1273 <xs:enumeration value="configuration"> 1274 <xs:annotation> 1275 <xs:documentation>Parameters or settings that may be used by other components or services.</xs:documentation> 1276 </xs:annotation> 1277 </xs:enumeration> 1278 <xs:enumeration value="evidence"> 1279 <xs:annotation> 1280 <xs:documentation>Information used to substantiate a claim.</xs:documentation> 1281 </xs:annotation> 1282 </xs:enumeration> 1283 <xs:enumeration value="formulation"> 1284 <xs:annotation> 1285 <xs:documentation>Describes how a component or service was manufactured or deployed.</xs:documentation> 1286 </xs:annotation> 1287 </xs:enumeration> 1288 <xs:enumeration value="attestation"> 1289 <xs:annotation> 1290 <xs:documentation>Human or machine-readable statements containing facts, evidence, or testimony</xs:documentation> 1291 </xs:annotation> 1292 </xs:enumeration> 1293 <xs:enumeration value="threat-model"> 1294 <xs:annotation> 1295 <xs:documentation>An enumeration of identified weaknesses, threats, and countermeasures, 
dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format</xs:documentation> 1296 </xs:annotation> 1297 </xs:enumeration> 1298 <xs:enumeration value="adversary-model"> 1299 <xs:annotation> 1300 <xs:documentation>The defined assumptions, goals, and capabilities of an adversary.</xs:documentation> 1301 </xs:annotation> 1302 </xs:enumeration> 1303 <xs:enumeration value="risk-assessment"> 1304 <xs:annotation> 1305 <xs:documentation>Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.</xs:documentation> 1306 </xs:annotation> 1307 </xs:enumeration> 1308 <xs:enumeration value="vulnerability-assertion"> 1309 <xs:annotation> 1310 <xs:documentation>A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.</xs:documentation> 1311 </xs:annotation> 1312 </xs:enumeration> 1313 <xs:enumeration value="exploitability-statement"> 1314 <xs:annotation> 1315 <xs:documentation>A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. 
The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.</xs:documentation> 1316 </xs:annotation> 1317 </xs:enumeration> 1318 <xs:enumeration value="pentest-report"> 1319 <xs:annotation> 1320 <xs:documentation>Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test</xs:documentation> 1321 </xs:annotation> 1322 </xs:enumeration> 1323 <xs:enumeration value="static-analysis-report"> 1324 <xs:annotation> 1325 <xs:documentation>SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code</xs:documentation> 1326 </xs:annotation> 1327 </xs:enumeration> 1328 <xs:enumeration value="dynamic-analysis-report"> 1329 <xs:annotation> 1330 <xs:documentation>Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations</xs:documentation> 1331 </xs:annotation> 1332 </xs:enumeration> 1333 <xs:enumeration value="runtime-analysis-report"> 1334 <xs:annotation> 1335 <xs:documentation>Report generated by analyzing the call stack of a running application</xs:documentation> 1336 </xs:annotation> 1337 </xs:enumeration> 1338 <xs:enumeration value="component-analysis-report"> 1339 <xs:annotation> 1340 <xs:documentation>Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis</xs:documentation> 1341 </xs:annotation> 1342 </xs:enumeration> 1343 <xs:enumeration value="maturity-report"> 1344 <xs:annotation> 1345 <xs:documentation>Report containing a formal assessment of an organization, business unit, or team against a maturity model</xs:documentation> 1346 </xs:annotation> 1347 </xs:enumeration> 1348 <xs:enumeration value="certification-report"> 1349 <xs:annotation> 1350 <xs:documentation>Industry, regulatory, or other 
certification from an accredited (if applicable) certification body</xs:documentation> 1351 </xs:annotation> 1352 </xs:enumeration> 1353 <xs:enumeration value="quality-metrics"> 1354 <xs:annotation> 1355 <xs:documentation>Report or system in which quality metrics can be obtained</xs:documentation> 1356 </xs:annotation> 1357 </xs:enumeration> 1358 <xs:enumeration value="codified-infrastructure"> 1359 <xs:annotation> 1360 <xs:documentation>Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)</xs:documentation> 1361 </xs:annotation> 1362 </xs:enumeration> 1363 <xs:enumeration value="poam"> 1364 <xs:annotation> 1365 <xs:documentation>Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".</xs:documentation> 1366 </xs:annotation> 1367 </xs:enumeration> 1368 <xs:enumeration value="other"> 1369 <xs:annotation> 1370 <xs:documentation>Use this if no other types accurately describe the purpose of the external reference</xs:documentation> 1371 </xs:annotation> 1372 </xs:enumeration> 1373 </xs:restriction> 1374 </xs:simpleType> 1375 1376 <xs:complexType name="externalReferences"> 1377 <xs:annotation> 1378 <xs:documentation xml:lang="en"> 1379 External references provide a way to document systems, sites, and information that may be 1380 relevant, but are not included with the BOM. They may also establish specific relationships 1381 within or external to the BOM. 
1382 </xs:documentation> 1383 </xs:annotation> 1384 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1385 <xs:element name="reference" type="bom:externalReference"> 1386 <xs:annotation> 1387 <xs:documentation xml:lang="en">Zero or more external references can be defined</xs:documentation> 1388 </xs:annotation> 1389 </xs:element> 1390 </xs:sequence> 1391 </xs:complexType> 1392 1393 <!-- externalReference: one reference made of a required url, an optional comment, an optional hashes list, and a required type attribute. --> <xs:complexType name="externalReference"> 1394 <xs:sequence> 1395 <xs:element name="url" minOccurs="1" maxOccurs="1"> 1396 <xs:annotation> 1397 <xs:documentation xml:lang="en">The URI (URL or URN) to the external reference. External references 1398 are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. 1399 External references may also include formally registered URNs such as CycloneDX BOM-Link to 1400 reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external 1401 references into relationships that can be expressed in a BOM or across BOMs. Refer to: 1402 https://cyclonedx.org/capabilities/bomlink/</xs:documentation> 1403 </xs:annotation> 1404 <xs:simpleType> <!-- xs:anyURI is a member of this union, so the schema places no limit on the URI scheme or target. Consumers should treat the value as untrusted input: allow-list schemes and destinations before dereferencing it, and compare retrieved content with the sibling hashes element when one is present. --> 1405 <xs:union memberTypes="xs:anyURI bom:bomLinkType"/> 1406 </xs:simpleType> 1407 </xs:element> 1408 <xs:element name="comment" type="xs:string" minOccurs="0" maxOccurs="1"> 1409 <xs:annotation> 1410 <xs:documentation xml:lang="en">An optional comment describing the external reference</xs:documentation> 1411 </xs:annotation> 1412 </xs:element> <!-- hashes is optional (minOccurs="0"), so a reference may arrive with no digest to verify against. --> 1413 <xs:element name="hashes" minOccurs="0" maxOccurs="1"> 1414 <xs:complexType> 1415 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1416 <xs:element name="hash" type="bom:hashType"/> 1417 </xs:sequence> 1418 </xs:complexType> 1419 </xs:element> 1420 </xs:sequence> 1421 <xs:attribute name="type" type="bom:externalReferenceType" use="required"> 1422 <xs:annotation> 1423 <xs:documentation>Specifies the type of external reference. There are built-in types to describe common 1424 references. 
If a type does not exist for the reference being referred to, use the "other" type. 1425 </xs:documentation> 1426 </xs:annotation> 1427 </xs:attribute> 1428 <xs:anyAttribute namespace="##any" processContents="lax"> 1429 <xs:annotation> 1430 <xs:documentation>User-defined attributes may be used on this element as long as they 1431 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1432 </xs:annotation> 1433 </xs:anyAttribute> 1434 </xs:complexType> 1435 1436 <xs:complexType name="commitsType"> 1437 <xs:annotation> 1438 <xs:documentation xml:lang="en">Zero or more commits can be specified.</xs:documentation> 1439 </xs:annotation> 1440 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1441 <xs:element name="commit" type="bom:commitType"> 1442 <xs:annotation> 1443 <xs:documentation xml:lang="en">Specifies an individual commit.</xs:documentation> 1444 </xs:annotation> 1445 </xs:element> 1446 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1447 <xs:annotation> 1448 <xs:documentation> 1449 Allows any undeclared elements as long as the elements are placed in a different namespace. 1450 </xs:documentation> 1451 </xs:annotation> 1452 </xs:any> 1453 </xs:sequence> 1454 </xs:complexType> 1455 1456 <xs:complexType name="commitType"> 1457 <xs:sequence> 1458 <xs:element name="uid" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1459 <xs:annotation> 1460 <xs:documentation xml:lang="en">A unique identifier of the commit. This may be version control 1461 specific. For example, Subversion uses revision numbers whereas git uses commit hashes. 1462 </xs:documentation> 1463 </xs:annotation> 1464 </xs:element> 1465 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 1466 <xs:annotation> 1467 <xs:documentation xml:lang="en">The URL to the commit. This URL will typically point to a commit 1468 in a version control system. 
1469 </xs:documentation> 1470 </xs:annotation> 1471 </xs:element> 1472 <xs:element name="author" type="bom:identifiableActionType" minOccurs="0" maxOccurs="1"> 1473 <xs:annotation> 1474 <xs:documentation xml:lang="en">The author who created the changes in the commit</xs:documentation> 1475 </xs:annotation> 1476 </xs:element> 1477 <xs:element name="committer" type="bom:identifiableActionType" minOccurs="0" maxOccurs="1"> 1478 <xs:annotation> 1479 <xs:documentation xml:lang="en">The person who committed or pushed the commit</xs:documentation> 1480 </xs:annotation> 1481 </xs:element> 1482 <xs:element name="message" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1483 <xs:annotation> 1484 <xs:documentation xml:lang="en">The text description of the contents of the commit</xs:documentation> 1485 </xs:annotation> 1486 </xs:element> 1487 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1488 <xs:annotation> 1489 <xs:documentation> 1490 Allows any undeclared elements as long as the elements are placed in a different namespace. 1491 </xs:documentation> 1492 </xs:annotation> 1493 </xs:any> 1494 </xs:sequence> 1495 </xs:complexType> 1496 1497 <xs:complexType name="patchesType"> 1498 <xs:annotation> 1499 <xs:documentation xml:lang="en">Zero or more patches can be specified.</xs:documentation> 1500 </xs:annotation> 1501 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1502 <xs:element name="patch" type="bom:patchType"> 1503 <xs:annotation> 1504 <xs:documentation xml:lang="en">Specifies an individual patch.</xs:documentation> 1505 </xs:annotation> 1506 </xs:element> 1507 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1508 <xs:annotation> 1509 <xs:documentation> 1510 Allows any undeclared elements as long as the elements are placed in a different namespace. 
1511 </xs:documentation> 1512 </xs:annotation> 1513 </xs:any> 1514 </xs:sequence> 1515 </xs:complexType> 1516 1517 <xs:complexType name="patchType"> 1518 <xs:sequence> 1519 <xs:element name="diff" type="bom:diffType" minOccurs="0" maxOccurs="1"> 1520 <xs:annotation> 1521 <xs:documentation xml:lang="en">The patch file (or diff) that show changes. 1522 Refer to https://en.wikipedia.org/wiki/Diff</xs:documentation> 1523 </xs:annotation> 1524 </xs:element> 1525 <xs:element name="resolves" minOccurs="0" maxOccurs="1"> 1526 <xs:complexType> 1527 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1528 <xs:element name="issue" type="bom:issueType"/> 1529 </xs:sequence> 1530 </xs:complexType> 1531 </xs:element> 1532 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1533 <xs:annotation> 1534 <xs:documentation> 1535 Allows any undeclared elements as long as the elements are placed in a different namespace. 1536 </xs:documentation> 1537 </xs:annotation> 1538 </xs:any> 1539 </xs:sequence> 1540 <xs:attribute name="type" type="bom:patchClassification" use="required"> 1541 <xs:annotation> 1542 <xs:documentation>Specifies the purpose for the patch including the resolution of defects, 1543 security issues, or new behavior or functionality</xs:documentation> 1544 </xs:annotation> 1545 </xs:attribute> 1546 </xs:complexType> 1547 1548 <xs:simpleType name="patchClassification"> 1549 <xs:restriction base="xs:string"> 1550 <xs:enumeration value="unofficial"> 1551 <xs:annotation> 1552 <xs:documentation>A patch which is not developed by the creators or maintainers of the software 1553 being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch</xs:documentation> 1554 </xs:annotation> 1555 </xs:enumeration> 1556 <xs:enumeration value="monkey"> 1557 <xs:annotation> 1558 <xs:documentation>A patch which dynamically modifies runtime behavior. 
1559 Refer to https://en.wikipedia.org/wiki/Monkey_patch</xs:documentation> 1560 </xs:annotation> 1561 </xs:enumeration> 1562 <xs:enumeration value="backport"> 1563 <xs:annotation> 1564 <xs:documentation>A patch which takes code from a newer version of software and applies 1565 it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting</xs:documentation> 1566 </xs:annotation> 1567 </xs:enumeration> 1568 <xs:enumeration value="cherry-pick"> 1569 <xs:annotation> 1570 <xs:documentation>A patch created by selectively applying commits from other versions or 1571 branches of the same software.</xs:documentation> 1572 </xs:annotation> 1573 </xs:enumeration> 1574 </xs:restriction> 1575 </xs:simpleType> 1576 1577 <xs:simpleType name="issueClassification"> 1578 <xs:restriction base="xs:string"> 1579 <xs:enumeration value="defect"> 1580 <xs:annotation> 1581 <xs:documentation>A fault, flaw, or bug in software</xs:documentation> 1582 </xs:annotation> 1583 </xs:enumeration> 1584 <xs:enumeration value="enhancement"> 1585 <xs:annotation> 1586 <xs:documentation>A new feature or behavior in software</xs:documentation> 1587 </xs:annotation> 1588 </xs:enumeration> 1589 <xs:enumeration value="security"> 1590 <xs:annotation> 1591 <xs:documentation>A special type of defect which impacts security</xs:documentation> 1592 </xs:annotation> 1593 </xs:enumeration> 1594 </xs:restriction> 1595 </xs:simpleType> 1596 1597 <xs:complexType name="diffType"> 1598 <xs:sequence> 1599 <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 1600 <xs:annotation> 1601 <xs:documentation xml:lang="en">Specifies the optional text of the diff</xs:documentation> 1602 </xs:annotation> 1603 </xs:element> 1604 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 1605 <xs:annotation> 1606 <xs:documentation xml:lang="en">Specifies the URL to the diff</xs:documentation> 1607 </xs:annotation> 1608 </xs:element> 1609 <xs:any namespace="##other" 
processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1610 <xs:annotation> 1611 <xs:documentation> 1612 Allows any undeclared elements as long as the elements are placed in a different namespace. 1613 </xs:documentation> 1614 </xs:annotation> 1615 </xs:any> 1616 </xs:sequence> 1617 </xs:complexType> 1618 1619 <xs:complexType name="issueType"> 1620 <xs:annotation> 1621 <xs:documentation> 1622 An individual issue that has been resolved. 1623 </xs:documentation> 1624 </xs:annotation> 1625 <xs:sequence> 1626 <xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1627 <xs:annotation> 1628 <xs:documentation xml:lang="en">The identifier of the issue assigned by the source of the issue</xs:documentation> 1629 </xs:annotation> 1630 </xs:element> 1631 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1632 <xs:annotation> 1633 <xs:documentation xml:lang="en">The name of the issue</xs:documentation> 1634 </xs:annotation> 1635 </xs:element> 1636 <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1637 <xs:annotation> 1638 <xs:documentation xml:lang="en">A description of the issue</xs:documentation> 1639 </xs:annotation> 1640 </xs:element> 1641 <xs:element name="source" minOccurs="0" maxOccurs="1"> 1642 <xs:complexType> 1643 <xs:annotation> 1644 <xs:documentation xml:lang="en"> 1645 The source of the issue where it is documented. 1646 </xs:documentation> 1647 </xs:annotation> 1648 <xs:sequence> 1649 <xs:element name="name" minOccurs="0" type="xs:normalizedString" maxOccurs="1"> 1650 <xs:annotation> 1651 <xs:documentation xml:lang="en"> 1652 The name of the source. 
For example "National Vulnerability Database", 1653 "NVD", and "Apache" 1654 </xs:documentation> 1655 </xs:annotation> 1656 </xs:element> 1657 <xs:element name="url" minOccurs="0" type="xs:anyURI" maxOccurs="1"> 1658 <xs:annotation> 1659 <xs:documentation xml:lang="en"> 1660 The url of the issue documentation as provided by the source 1661 </xs:documentation> 1662 </xs:annotation> 1663 </xs:element> 1664 </xs:sequence> 1665 </xs:complexType> 1666 </xs:element> 1667 <xs:element name="references" minOccurs="0" maxOccurs="1"> 1668 <xs:complexType> 1669 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1670 <xs:element name="url" type="xs:anyURI"/> 1671 </xs:sequence> 1672 </xs:complexType> 1673 </xs:element> 1674 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1675 <xs:annotation> 1676 <xs:documentation> 1677 Allows any undeclared elements as long as the elements are placed in a different namespace. 1678 </xs:documentation> 1679 </xs:annotation> 1680 </xs:any> 1681 </xs:sequence> 1682 <xs:attribute name="type" type="bom:issueClassification" use="required"> 1683 <xs:annotation> 1684 <xs:documentation>Specifies the type of issue</xs:documentation> 1685 </xs:annotation> 1686 </xs:attribute> 1687 </xs:complexType> 1688 1689 <xs:complexType name="identifiableActionType"> 1690 <xs:sequence> 1691 <xs:element name="timestamp" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 1692 <xs:annotation> 1693 <xs:documentation xml:lang="en">The timestamp in which the action occurred</xs:documentation> 1694 </xs:annotation> 1695 </xs:element> 1696 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1697 <xs:annotation> 1698 <xs:documentation xml:lang="en">The name of the individual who performed the action</xs:documentation> 1699 </xs:annotation> 1700 </xs:element> 1701 <xs:element name="email" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1702 <xs:annotation> 1703 <xs:documentation xml:lang="en">The email 
address of the individual who performed the action</xs:documentation> 1704 </xs:annotation> 1705 </xs:element> 1706 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1707 <xs:annotation> 1708 <xs:documentation> 1709 Allows any undeclared elements as long as the elements are placed in a different namespace. 1710 </xs:documentation> 1711 </xs:annotation> 1712 </xs:any> 1713 </xs:sequence> 1714 </xs:complexType> 1715 1716 <xs:complexType name="pedigreeType"> 1717 <xs:annotation> 1718 <xs:documentation xml:lang="en"> 1719 Component pedigree is a way to document complex supply chain scenarios where components are created, 1720 distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing 1721 this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to 1722 document variants where the exact relation may not be known. 1723 </xs:documentation> 1724 </xs:annotation> 1725 <xs:sequence> 1726 <xs:element name="ancestors" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 1727 <xs:annotation> 1728 <xs:documentation xml:lang="en">Describes zero or more components from which a component is derived. 1729 This is commonly used to describe forks from existing projects where the forked version 1730 contains an ancestor node containing the original component it was forked from. For example, 1731 Component A is the original component. Component B is the component being used and documented 1732 in the BOM. However, Component B contains a pedigree node with a single ancestor documenting 1733 Component A - the original component from which Component B is derived. 1734 </xs:documentation> 1735 </xs:annotation> 1736 </xs:element> 1737 <xs:element name="descendants" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 1738 <xs:annotation> 1739 <xs:documentation xml:lang="en">Descendants are the exact opposite of ancestors.
This provides a 1740 way to document all forks (and their forks) of an original or root component. 1741 </xs:documentation> 1742 </xs:annotation> 1743 </xs:element> 1744 <xs:element name="variants" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 1745 <xs:annotation> 1746 <xs:documentation xml:lang="en">Variants describe relations where the relationship between the 1747 components is not known. For example, Component A contains nearly identical code to 1748 Component B. They are both related, but it is unclear if one is derived from the other, 1749 or if they share a common ancestor. 1750 </xs:documentation> 1751 </xs:annotation> 1752 </xs:element> 1753 <xs:element name="commits" type="bom:commitsType" minOccurs="0" maxOccurs="1"> 1754 <xs:annotation> 1755 <xs:documentation xml:lang="en">A list of zero or more commits which provide a trail describing 1756 how the component deviates from an ancestor, descendant, or variant.</xs:documentation> 1757 </xs:annotation> 1758 </xs:element> 1759 <xs:element name="patches" type="bom:patchesType" minOccurs="0" maxOccurs="1"> 1760 <xs:annotation> 1761 <xs:documentation xml:lang="en">A list of zero or more patches describing how the component 1762 deviates from an ancestor, descendant, or variant. Patches may be complementary to commits 1763 or may be used in place of commits.</xs:documentation> 1764 </xs:annotation> 1765 </xs:element> 1766 <xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"> 1767 <xs:annotation> 1768 <xs:documentation xml:lang="en">Notes, observations, and other non-structured commentary 1769 describing the component's pedigree. 1770 </xs:documentation> 1771 </xs:annotation> 1772 </xs:element> 1773 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1774 <xs:annotation> 1775 <xs:documentation> 1776 Allows any undeclared elements as long as the elements are placed in a different namespace.
</xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
    </xs:complexType>

    <!--
      dependencyType: one node of the dependency graph. The required `ref` attribute names a
      component or service by its bom-ref, and the node may contain any number of nested
      `dependency` children of this same type.
      Review note: the type is recursive and the schema sets no limit on nesting depth or on
      the number of children, so a parser that walks the graph recursively should enforce its
      own depth and size limits. `ref` is a bom:refLinkType (a non-empty string); nothing in
      this type checks that the value matches a bom-ref present in the document. Presumably
      that check is left to the consumer; confirm against any identity constraints declared
      on the root element.
    -->
    <xs:complexType name="dependencyType">
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
            <xs:element name="dependency" type="bom:dependencyType"/>
        </xs:sequence>
        <xs:attribute name="ref" type="bom:refLinkType" use="required">
            <xs:annotation>
                <xs:documentation>References a component or service by its bom-ref attribute</xs:documentation>
            </xs:annotation>
        </xs:attribute>
        <!-- The wildcard here is namespace="##other": only attributes qualified with a namespace
             other than the BOM target namespace are admitted, and they are processed laxly
             (validated only where a declaration is available). -->
        <xs:anyAttribute namespace="##other" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <!-- dependenciesType: a repeatable list of `dependency` nodes. The MUST and RECOMMENDED
         rules in the documentation below are conventions for producers and consumers; this
         type does not express them as schema constraints, so a missing node should be read
         as "unknown", as the documentation recommends, rather than "no dependencies". -->
    <xs:complexType name="dependenciesType">
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
            <xs:element name="dependency" type="bom:dependencyType">
                <xs:annotation>
                    <xs:documentation>Defines the direct dependencies of a component or service. Components or services
                        that do not have their own dependencies MUST be declared as empty elements within the graph.
                        Components or services that are not represented in the dependency graph MAY have unknown
                        dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an
                        indicator of a object being dependency-free. It is RECOMMENDED to leverage compositions to
                        indicate unknown dependency graphs.</xs:documentation>
                </xs:annotation>
            </xs:element>
        </xs:sequence>
    </xs:complexType>

    <!-- servicesType: a repeatable sequence of `service` elements, each optionally followed by
         extension elements from a namespace other than the BOM namespace. Attributes from any
         namespace are accepted on the container (namespace="##any", processed laxly). -->
    <xs:complexType name="servicesType">
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
            <xs:element name="service" type="bom:service"/>
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <!--
      service: describes one service. Of its child elements only `name` is required; all
      others, including `endpoints`, `authenticated`, `x-trust-boundary` and `trustZone`,
      are declared with minOccurs="0".
      Review note: because `authenticated` and `x-trust-boundary` are optional booleans with no
      default declared here, an absent element means "not stated". Consumers building a threat
      model from a BOM should not read absence as `false`.
    -->
    <xs:complexType name="service">
        <xs:sequence>
            <xs:element name="provider" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>The organization that provides the service.</xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>The grouping name, namespace, or identifier. This will often be a shortened,
                        single name of the company or project that produced the service or domain name.
                        Whitespace and special characters should be avoided.</xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>The name of the service.
This will often be a shortened, single name 1851 of the service.</xs:documentation> 1852 </xs:annotation> 1853 </xs:element> 1854 <xs:element name="version" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1855 <xs:annotation> 1856 <xs:documentation>The service version.</xs:documentation> 1857 </xs:annotation> 1858 </xs:element> 1859 <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1860 <xs:annotation> 1861 <xs:documentation>Specifies a description for the service.</xs:documentation> 1862 </xs:annotation> 1863 </xs:element> 1864 <xs:element name="endpoints" minOccurs="0" maxOccurs="1"> 1865 <xs:complexType> 1866 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1867 <xs:element name="endpoint" type="xs:anyURI" minOccurs="1"> 1868 <xs:annotation> 1869 <xs:documentation>A service endpoint URI.</xs:documentation> 1870 </xs:annotation> 1871 </xs:element> 1872 </xs:sequence> 1873 </xs:complexType> 1874 </xs:element> 1875 <xs:element name="authenticated" type="xs:boolean" minOccurs="0" maxOccurs="1"> 1876 <xs:annotation> 1877 <xs:documentation>A boolean value indicating if the service requires authentication. 1878 A value of true indicates the service requires authentication prior to use. 1879 A value of false indicates the service does not require authentication.</xs:documentation> 1880 </xs:annotation> 1881 </xs:element> 1882 <xs:element name="x-trust-boundary" type="xs:boolean" minOccurs="0" maxOccurs="1"> 1883 <xs:annotation> 1884 <xs:documentation>A boolean value indicating if use of the service crosses a trust zone or boundary. 1885 A value of true indicates that by using the service, a trust boundary is crossed. 
1886 A value of false indicates that by using the service, a trust boundary is not crossed.</xs:documentation> 1887 </xs:annotation> 1888 </xs:element> 1889 <xs:element name="trustZone" type="xs:string" minOccurs="0" maxOccurs="1"> 1890 <xs:annotation> 1891 <xs:documentation>The name of the trust zone the service resides in.</xs:documentation> 1892 </xs:annotation> 1893 </xs:element> 1894 <xs:element name="data" minOccurs="0" maxOccurs="1"> 1895 <xs:complexType> 1896 <xs:choice> 1897 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1898 <xs:element name="classification" type="bom:dataClassificationType"> 1899 <xs:annotation> 1900 <xs:documentation>DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead</xs:documentation> 1901 </xs:annotation> 1902 </xs:element> 1903 </xs:sequence> 1904 <xs:element name="dataflow" minOccurs="0" maxOccurs="unbounded"> 1905 <xs:annotation> 1906 <xs:documentation>Specifies the data classification.</xs:documentation> 1907 </xs:annotation> 1908 <xs:complexType> 1909 <xs:sequence> 1910 <xs:element name="classification" type="bom:dataClassificationType" minOccurs="0" maxOccurs="1"> 1911 <xs:annotation> 1912 <xs:documentation>Specifies the data classification.</xs:documentation> 1913 </xs:annotation> 1914 </xs:element> 1915 <xs:element name="governance" type="bom:dataGovernance" minOccurs="0" maxOccurs="1" /> 1916 <xs:element name="source" minOccurs="0" maxOccurs="1"> 1917 <xs:annotation> 1918 <xs:documentation>The URI, URL, or BOM-Link of the components or services the data came in from.</xs:documentation> 1919 </xs:annotation> 1920 <xs:complexType> 1921 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1922 <xs:element name="url"> 1923 <xs:simpleType> 1924 <xs:union memberTypes="xs:anyURI bom:bomLinkElementType"/> 1925 </xs:simpleType> 1926 </xs:element> 1927 </xs:sequence> 1928 </xs:complexType> 1929 </xs:element> 1930 <xs:element name="destination" minOccurs="0" 
maxOccurs="1"> 1931 <xs:annotation> 1932 <xs:documentation>The URI, URL, or BOM-Link of the components or services the data is sent to.</xs:documentation> 1933 </xs:annotation> 1934 <xs:complexType> 1935 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1936 <xs:element name="url"> 1937 <xs:simpleType> 1938 <xs:union memberTypes="xs:anyURI bom:bomLinkElementType"/> 1939 </xs:simpleType> 1940 </xs:element> 1941 </xs:sequence> 1942 </xs:complexType> 1943 </xs:element> 1944 </xs:sequence> 1945 <xs:attribute name="name" type="xs:string" use="optional"> 1946 <xs:annotation> 1947 <xs:documentation> 1948 Name for the defined data. 1949 </xs:documentation> 1950 </xs:annotation> 1951 </xs:attribute> 1952 <xs:attribute name="description" type="xs:string" use="optional"> 1953 <xs:annotation> 1954 <xs:documentation> 1955 Short description of the data content and usage. 1956 </xs:documentation> 1957 </xs:annotation> 1958 </xs:attribute> 1959 <xs:anyAttribute namespace="##any" processContents="lax"> 1960 <xs:annotation> 1961 <xs:documentation>User-defined attributes may be used on this element as long as they 1962 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1963 </xs:annotation> 1964 </xs:anyAttribute> 1965 </xs:complexType> 1966 </xs:element> 1967 </xs:choice> 1968 </xs:complexType> 1969 </xs:element> 1970 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 1971 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 1972 <xs:annotation> 1973 <xs:documentation>Provides the ability to document external references related to the service.</xs:documentation> 1974 </xs:annotation> 1975 </xs:element> 1976 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 1977 <xs:annotation> 1978 <xs:documentation>Provides the ability to document properties in a name/value store. 
1979 This provides flexibility to include data not officially supported in the standard 1980 without having to use additional namespaces or create extensions. Property names 1981 of interest to the general public are encouraged to be registered in the 1982 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 1983 Formal registration is OPTIONAL.</xs:documentation> 1984 </xs:annotation> 1985 </xs:element> 1986 <xs:element name="services" minOccurs="0" maxOccurs="1"> 1987 <xs:annotation> 1988 <xs:documentation> 1989 A list of services included or deployed behind the parent service. This is not a dependency 1990 tree. It provides a way to specify a hierarchical representation of service assemblies. 1991 </xs:documentation> 1992 </xs:annotation> 1993 <xs:complexType> 1994 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1995 <xs:element name="service" type="bom:service"/> 1996 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1997 <xs:annotation> 1998 <xs:documentation> 1999 Allows any undeclared elements as long as the elements are placed in a different namespace. 2000 </xs:documentation> 2001 </xs:annotation> 2002 </xs:any> 2003 </xs:sequence> 2004 </xs:complexType> 2005 </xs:element> 2006 <xs:element name="releaseNotes" type="bom:releaseNotesType" minOccurs="0" maxOccurs="1"> 2007 <xs:annotation> 2008 <xs:documentation>Specifies optional release notes.</xs:documentation> 2009 </xs:annotation> 2010 </xs:element> 2011 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2012 <xs:annotation> 2013 <xs:documentation> 2014 Allows any undeclared elements as long as the elements are placed in a different namespace. 
2015 </xs:documentation> 2016 </xs:annotation> 2017 </xs:any> 2018 </xs:sequence> 2019 <xs:attribute name="bom-ref" type="bom:refType"> 2020 <xs:annotation> 2021 <xs:documentation> 2022 An optional identifier which can be used to reference the service elsewhere in the BOM. 2023 Uniqueness is enforced within all elements and children of the root-level bom element. 2024 </xs:documentation> 2025 </xs:annotation> 2026 </xs:attribute> 2027 <xs:anyAttribute namespace="##any" processContents="lax"> 2028 <xs:annotation> 2029 <xs:documentation>User-defined attributes may be used on this element as long as they 2030 do not have the same name as an existing attribute used by the schema.</xs:documentation> 2031 </xs:annotation> 2032 </xs:anyAttribute> 2033 </xs:complexType> 2034 2035 <xs:complexType name="dataClassificationType"> 2036 <xs:annotation> 2037 <xs:documentation>Specifies the data classification.</xs:documentation> 2038 </xs:annotation> 2039 <xs:simpleContent> 2040 <xs:extension base="xs:normalizedString"> 2041 <xs:attribute name="flow" type="bom:dataFlowType" use="required"> 2042 <xs:annotation> 2043 <xs:documentation>Specifies the flow direction of the data.</xs:documentation> 2044 </xs:annotation> 2045 </xs:attribute> 2046 </xs:extension> 2047 </xs:simpleContent> 2048 </xs:complexType> 2049 2050 <xs:simpleType name="dataFlowType"> 2051 <xs:annotation> 2052 <xs:documentation>Specifies the flow direction of the data. Valid values are: 2053 inbound, outbound, bi-directional, and unknown. Direction is relative to the service. 2054 Inbound flow states that data enters the service. Outbound flow states that data 2055 leaves the service. 
Bi-directional states that data flows both ways, and unknown 2056 states that the direction is not known.</xs:documentation> 2057 </xs:annotation> 2058 <xs:restriction base="xs:string"> 2059 <xs:enumeration value="inbound"/> 2060 <xs:enumeration value="outbound"/> 2061 <xs:enumeration value="bi-directional"/> 2062 <xs:enumeration value="unknown"/> 2063 </xs:restriction> 2064 </xs:simpleType> 2065 2066 <xs:complexType name="licenseChoiceType"> 2067 <xs:choice> 2068 <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/> 2069 <xs:element name="expression" minOccurs="0" maxOccurs="1"> 2070 <xs:annotation> 2071 <xs:documentation>A valid SPDX license expression. 2072 Refer to https://spdx.org/specifications for syntax requirements</xs:documentation> 2073 </xs:annotation> 2074 <xs:complexType> 2075 <xs:simpleContent> 2076 <xs:extension base="xs:normalizedString"> 2077 <xs:attribute name="bom-ref" type="bom:refType"> 2078 <xs:annotation> 2079 <xs:documentation> 2080 An optional identifier which can be used to reference the license elsewhere in the BOM. 2081 Uniqueness is enforced within all elements and children of the root-level bom element. 
2082 </xs:documentation> 2083 </xs:annotation> 2084 </xs:attribute> 2085 </xs:extension> 2086 </xs:simpleContent> 2087 </xs:complexType> 2088 </xs:element> 2089 </xs:choice> 2090 </xs:complexType> 2091 2092 <xs:complexType name="copyrightsType"> 2093 <xs:sequence> 2094 <xs:element name="text" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> 2095 </xs:sequence> 2096 </xs:complexType> 2097 2098 <xs:simpleType name="identityFieldType"> 2099 <xs:restriction base="xs:string"> 2100 <xs:enumeration value="group"/> 2101 <xs:enumeration value="name"/> 2102 <xs:enumeration value="version"/> 2103 <xs:enumeration value="purl"/> 2104 <xs:enumeration value="cpe"/> 2105 <xs:enumeration value="swid"/> 2106 <xs:enumeration value="hash"/> 2107 </xs:restriction> 2108 </xs:simpleType> 2109 2110 <xs:simpleType name="decimalPercentType"> 2111 <xs:restriction base="xs:decimal"> 2112 <xs:minInclusive value="0"/> 2113 <xs:maxInclusive value="1"/> 2114 </xs:restriction> 2115 </xs:simpleType> 2116 2117 <xs:simpleType name="evidenceTechnique"> 2118 <xs:restriction base="xs:string"> 2119 <xs:enumeration value="source-code-analysis" /> 2120 <xs:enumeration value="binary-analysis" /> 2121 <xs:enumeration value="manifest-analysis" /> 2122 <xs:enumeration value="ast-fingerprint" /> 2123 <xs:enumeration value="hash-comparison" /> 2124 <xs:enumeration value="instrumentation" /> 2125 <xs:enumeration value="dynamic-analysis" /> 2126 <xs:enumeration value="filename" /> 2127 <xs:enumeration value="attestation" /> 2128 <xs:enumeration value="other" /> 2129 </xs:restriction> 2130 </xs:simpleType> 2131 2132 <xs:complexType name="componentEvidenceType"> 2133 <xs:sequence> 2134 <xs:element name="identity" minOccurs="0" maxOccurs="1"> 2135 <xs:annotation> 2136 <xs:documentation>Evidence that substantiates the identity of a component.</xs:documentation> 2137 </xs:annotation> 2138 <xs:complexType> 2139 <xs:sequence> 2140 <xs:element name="field" type="bom:identityFieldType" minOccurs="1" maxOccurs="1"> 
2141 <xs:annotation> 2142 <xs:documentation>The identity field of the component which the evidence describes.</xs:documentation> 2143 </xs:annotation> 2144 </xs:element> 2145 <xs:element name="confidence" type="bom:decimalPercentType" minOccurs="0" maxOccurs="1"> 2146 <xs:annotation> 2147 <xs:documentation>The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.</xs:documentation> 2148 </xs:annotation> 2149 </xs:element> 2150 <xs:element name="methods" minOccurs="0" maxOccurs="1"> 2151 <xs:annotation> 2152 <xs:documentation>The methods used to extract and/or analyze the evidence.</xs:documentation> 2153 </xs:annotation> 2154 <xs:complexType> 2155 <xs:sequence> 2156 <xs:element name="method" minOccurs="0" maxOccurs="unbounded"> 2157 <xs:complexType> 2158 <xs:sequence> 2159 <xs:element name="technique" type="bom:evidenceTechnique" minOccurs="1" maxOccurs="1"> 2160 <xs:annotation> 2161 <xs:documentation>The technique used in this method of analysis.</xs:documentation> 2162 </xs:annotation> 2163 </xs:element> 2164 <xs:element name="confidence" type="bom:decimalPercentType" minOccurs="1" maxOccurs="1"> 2165 <xs:annotation> 2166 <xs:documentation>The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence.</xs:documentation> 2167 </xs:annotation> 2168 </xs:element> 2169 <xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1"> 2170 <xs:annotation> 2171 <xs:documentation>The value or contents of the evidence.</xs:documentation> 2172 </xs:annotation> 2173 </xs:element> 2174 </xs:sequence> 2175 </xs:complexType> 2176 </xs:element> 2177 </xs:sequence> 2178 </xs:complexType> 2179 </xs:element> 2180 <xs:element name="tools" minOccurs="0" maxOccurs="1"> 2181 <xs:annotation> 2182 <xs:documentation> 2183 The object in the BOM identified by its bom-ref. 
This is often a component or service, 2184 but may be any object type supporting bom-refs. Tools used for analysis should already 2185 be defined in the BOM, either in the metadata/tools, components, or formulation. 2186 </xs:documentation> 2187 </xs:annotation> 2188 <xs:complexType> 2189 <xs:sequence> 2190 <xs:element name="tool" type="bom:bomReferenceType" minOccurs="0" maxOccurs="unbounded"/> 2191 </xs:sequence> 2192 </xs:complexType> 2193 </xs:element> 2194 </xs:sequence> 2195 </xs:complexType> 2196 </xs:element> 2197 <xs:element name="occurrences" minOccurs="0" maxOccurs="1"> 2198 <xs:annotation> 2199 <xs:documentation>Evidence of individual instances of a component spread across multiple locations.</xs:documentation> 2200 </xs:annotation> 2201 <xs:complexType> 2202 <xs:sequence> 2203 <xs:element name="occurrence" minOccurs="0" maxOccurs="unbounded"> 2204 <xs:complexType> 2205 <xs:sequence> 2206 <xs:element name="location" minOccurs="1" maxOccurs="1"> 2207 <xs:annotation> 2208 <xs:documentation>The location or path to where the component was found.</xs:documentation> 2209 </xs:annotation> 2210 </xs:element> 2211 </xs:sequence> 2212 <xs:attribute name="bom-ref" type="bom:refType"> 2213 <xs:annotation> 2214 <xs:documentation> 2215 An optional identifier which can be used to reference the occurrence elsewhere 2216 in the BOM. Every bom-ref MUST be unique within the BOM. 
2217 </xs:documentation> 2218 </xs:annotation> 2219 </xs:attribute> 2220 </xs:complexType> 2221 </xs:element> 2222 </xs:sequence> 2223 </xs:complexType> 2224 </xs:element> 2225 <xs:element name="callstack" minOccurs="0" maxOccurs="1"> 2226 <xs:annotation> 2227 <xs:documentation>Evidence of the component's use through the callstack.</xs:documentation> 2228 </xs:annotation> 2229 <xs:complexType> 2230 <xs:sequence> 2231 <xs:element name="frames" minOccurs="0" maxOccurs="1"> 2232 <xs:complexType> 2233 <xs:sequence> 2234 <xs:element name="frame" minOccurs="0" maxOccurs="unbounded"> 2235 <xs:complexType> 2236 <xs:sequence> 2237 <xs:element name="package" type="xs:string" minOccurs="0" maxOccurs="1"> 2238 <xs:annotation> 2239 <xs:documentation>A package organizes modules into namespaces, providing a unique namespace for each type it contains.</xs:documentation> 2240 </xs:annotation> 2241 </xs:element> 2242 <xs:element name="module" type="xs:string" minOccurs="1" maxOccurs="1"> 2243 <xs:annotation> 2244 <xs:documentation>A module or class that encloses functions/methods and other code.</xs:documentation> 2245 </xs:annotation> 2246 </xs:element> 2247 <xs:element name="function" type="xs:string" minOccurs="0" maxOccurs="1"> 2248 <xs:annotation> 2249 <xs:documentation>A block of code designed to perform a particular task.</xs:documentation> 2250 </xs:annotation> 2251 </xs:element> 2252 <xs:element name="parameters" minOccurs="0" maxOccurs="1"> 2253 <xs:annotation> 2254 <xs:documentation>Optional arguments that are passed to the module or function.</xs:documentation> 2255 </xs:annotation> 2256 <xs:complexType> 2257 <xs:sequence> 2258 <xs:element name="parameter" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> 2259 </xs:sequence> 2260 </xs:complexType> 2261 </xs:element> 2262 <xs:element name="line" type="xs:integer" minOccurs="0" maxOccurs="1"> 2263 <xs:annotation> 2264 <xs:documentation>The line number the code that is called resides on.</xs:documentation> 2265
</xs:annotation> 2266 </xs:element> 2267 <xs:element name="column" type="xs:integer" minOccurs="0" maxOccurs="1"> 2268 <xs:annotation> 2269 <xs:documentation>The column the code that is called resides.</xs:documentation> 2270 </xs:annotation> 2271 </xs:element> 2272 <xs:element name="fullFilename" type="xs:string" minOccurs="0" maxOccurs="1"> 2273 <xs:annotation> 2274 <xs:documentation>The full path and filename of the module.</xs:documentation> 2275 </xs:annotation> 2276 </xs:element> 2277 </xs:sequence> 2278 </xs:complexType> 2279 </xs:element> 2280 </xs:sequence> 2281 </xs:complexType> 2282 </xs:element> 2283 <xs:element name="tools" minOccurs="0" maxOccurs="1"> 2284 <xs:annotation> 2285 <xs:documentation> 2286 The object in the BOM identified by its bom-ref. This is often a component or service, 2287 but may be any object type supporting bom-refs. Tools used for analysis should already 2288 be defined in the BOM, either in the metadata/tools, components, or formulation. 2289 </xs:documentation> 2290 </xs:annotation> 2291 <xs:complexType> 2292 <xs:sequence> 2293 <xs:element name="tool" type="bom:bomReferenceType" minOccurs="0" maxOccurs="unbounded"/> 2294 </xs:sequence> 2295 </xs:complexType> 2296 </xs:element> 2297 </xs:sequence> 2298 </xs:complexType> 2299 </xs:element> 2300 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 2301 <xs:element name="copyright" type="bom:copyrightsType" minOccurs="0" maxOccurs="1"/> 2302 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2303 <xs:annotation> 2304 <xs:documentation> 2305 Allows any undeclared elements as long as the elements are placed in a different namespace. 
2306 </xs:documentation> 2307 </xs:annotation> 2308 </xs:any> 2309 </xs:sequence> 2310 <xs:anyAttribute namespace="##any" processContents="lax"> 2311 <xs:annotation> 2312 <xs:documentation>User-defined attributes may be used on this element as long as they 2313 do not have the same name as an existing attribute used by the schema.</xs:documentation> 2314 </xs:annotation> 2315 </xs:anyAttribute> 2316 </xs:complexType> 2317 2318 <xs:complexType name="compositionsType"> <!-- Container type: a repeatable sequence of bom:compositionType "composition" elements, each optionally followed by extension elements from other namespaces. --> 2319 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2320 <xs:element name="composition" type="bom:compositionType"/> 2321 <!-- Review note: processContents="lax" means content matched by this wildcard is validated only when the validator has a declaration for it; otherwise it is accepted unchecked. A BOM that validates against this schema can therefore still carry arbitrary foreign-namespace markup, so consumers should treat extension content as untrusted input. --> <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2322 <xs:annotation> 2323 <xs:documentation> 2324 Allows any undeclared elements as long as the elements are placed in a different namespace. 2325 </xs:documentation> 2326 </xs:annotation> 2327 </xs:any> 2328 </xs:sequence> 2329 <!-- The same applies to attributes: namespace="##any" with lax processing admits attributes from any namespace without validating undeclared ones. --> <xs:anyAttribute namespace="##any" processContents="lax"> 2330 <xs:annotation> 2331 <xs:documentation>User-defined attributes may be used on this element as long as they 2332 do not have the same name as an existing attribute used by the schema.</xs:documentation> 2333 </xs:annotation> 2334 </xs:anyAttribute> 2335 </xs:complexType> 2336 2337 <xs:complexType name="compositionType"> 2338 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2339 <xs:element name="aggregate" type="bom:aggregateType" default="not_specified"> 2340 <xs:annotation> 2341 <xs:documentation>Specifies an aggregate type that describe how complete a relationship is.</xs:documentation> 2342 </xs:annotation> 2343 </xs:element> 2344 <xs:element name="assemblies" minOccurs="0" maxOccurs="1"> 2345 <xs:annotation> 2346 <xs:documentation> 2347 The bom-ref identifiers of the components or services being described. Assemblies refer to 2348 nested relationships whereby a constituent part may include other constituent parts. References 2349 do not cascade to child parts.
References are explicit for the specified constituent part only. 2350 </xs:documentation> 2351 </xs:annotation> 2352 <xs:complexType> 2353 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2354 <xs:element name="assembly" type="bom:bomReferenceType"/> 2355 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2356 <xs:annotation> 2357 <xs:documentation> 2358 Allows any undeclared elements as long as the elements are placed in a different namespace. 2359 </xs:documentation> 2360 </xs:annotation> 2361 </xs:any> 2362 </xs:sequence> 2363 </xs:complexType> 2364 </xs:element> 2365 <xs:element name="dependencies" minOccurs="0" maxOccurs="1"> 2366 <xs:annotation> 2367 <xs:documentation> 2368 The bom-ref identifiers of the components or services being described. Dependencies refer to a 2369 relationship whereby an independent constituent part requires another independent constituent 2370 part. References do not cascade to transitive dependencies. References are explicit for the 2371 specified dependency only. 2372 </xs:documentation> 2373 </xs:annotation> 2374 <xs:complexType> 2375 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2376 <xs:element name="dependency" type="bom:bomReferenceType"/> 2377 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2378 <xs:annotation> 2379 <xs:documentation> 2380 Allows any undeclared elements as long as the elements are placed in a different namespace. 2381 </xs:documentation> 2382 </xs:annotation> 2383 </xs:any> 2384 </xs:sequence> 2385 </xs:complexType> 2386 </xs:element> 2387 <xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1"> 2388 <xs:annotation> 2389 <xs:documentation> 2390 The bom-ref identifiers of the vulnerabilities being described. 
2391 </xs:documentation> 2392 </xs:annotation> 2393 <xs:complexType> 2394 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2395 <xs:element name="vulnerability" type="bom:bomReferenceType"/> 2396 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2397 <xs:annotation> 2398 <xs:documentation> 2399 Allows any undeclared elements as long as the elements are placed in a different namespace. 2400 </xs:documentation> 2401 </xs:annotation> 2402 </xs:any> 2403 </xs:sequence> 2404 </xs:complexType> 2405 </xs:element> 2406 </xs:sequence> 2407 <xs:attribute name="bom-ref" type="bom:refType"> 2408 <xs:annotation> 2409 <xs:documentation> 2410 An optional identifier which can be used to reference the composition elsewhere in the BOM. 2411 Uniqueness is enforced within all elements and children of the root-level bom element. 2412 </xs:documentation> 2413 </xs:annotation> 2414 </xs:attribute> 2415 </xs:complexType> 2416 2417 <xs:simpleType name="aggregateType"> 2418 <xs:restriction base="xs:string"> 2419 <xs:enumeration value="complete"> 2420 <xs:annotation> 2421 <xs:documentation>The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.</xs:documentation> 2422 </xs:annotation> 2423 </xs:enumeration> 2424 <xs:enumeration value="incomplete"> 2425 <xs:annotation> 2426 <xs:documentation>The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.</xs:documentation> 2427 </xs:annotation> 2428 </xs:enumeration> 2429 <xs:enumeration value="incomplete_first_party_only"> 2430 <xs:annotation> 2431 <xs:documentation>The relationship is incomplete. 
Only relationships for first-party components, services, or their dependencies are represented.</xs:documentation> 2432 </xs:annotation> 2433 </xs:enumeration> 2434 <xs:enumeration value="incomplete_first_party_proprietary_only"> 2435 <xs:annotation> 2436 <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation> 2437 </xs:annotation> 2438 </xs:enumeration> 2439 <xs:enumeration value="incomplete_first_party_opensource_only"> 2440 <xs:annotation> 2441 <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation> 2442 </xs:annotation> 2443 </xs:enumeration> 2444 <xs:enumeration value="incomplete_third_party_only"> 2445 <xs:annotation> 2446 <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.</xs:documentation> 2447 </xs:annotation> 2448 </xs:enumeration> 2449 <xs:enumeration value="incomplete_third_party_proprietary_only"> 2450 <xs:annotation> 2451 <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation> 2452 </xs:annotation> 2453 </xs:enumeration> 2454 <xs:enumeration value="incomplete_third_party_opensource_only"> 2455 <xs:annotation> 2456 <xs:documentation>The relationship is incomplete.
Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation> 2457 </xs:annotation> 2458 </xs:enumeration> 2459 <xs:enumeration value="unknown"> 2460 <xs:annotation> 2461 <xs:documentation>The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.</xs:documentation> 2462 </xs:annotation> 2463 </xs:enumeration> 2464 <xs:enumeration value="not_specified"> 2465 <xs:annotation> 2466 <xs:documentation>The relationship completeness is not specified.</xs:documentation> 2467 </xs:annotation> 2468 </xs:enumeration> 2469 </xs:restriction> 2470 </xs:simpleType> 2471 2472 <xs:simpleType name="localeType"> 2473 <xs:annotation> 2474 <xs:documentation xml:lang="en"> 2475 Defines a syntax for representing two character language code (ISO-639) followed by an optional two 2476 character country code. The language code MUST be lower case. If the country code is specified, the 2477 country code MUST be upper case. The language code and country code MUST be separated by a minus sign. 2478 Examples: en, en-US, fr, fr-CA 2479 </xs:documentation> 2480 </xs:annotation> 2481 <xs:restriction base="xs:string"> <!-- Shape check only: the pattern facet below must match the entire value (XSD patterns are implicitly anchored), so exactly "xx" or "xx-YY" is accepted, but any two letters pass whether or not they are assigned codes. When porting this pattern to a regex engine that searches for substrings, add explicit start and end anchors. --> 2482 <xs:pattern value="([a-z]{2})(-[A-Z]{2})?"/> 2483 </xs:restriction> 2484 </xs:simpleType> 2485 2486 <xs:complexType name="releaseNotesType"> 2487 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2488 <xs:element name="type" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 2489 <xs:annotation> 2490 <xs:documentation>The software versioning type. It is RECOMMENDED that the release type use one 2491 of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software 2492 release types is not practical, so standardizing on the recommended values, whenever possible, 2493 is strongly encouraged.
2494 * major = A major release may contain significant changes or may introduce breaking changes. 2495 * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. 2496 * patch = Patch releases are typically unplanned and may resolve defects or important security issues. 2497 * pre-release = A pre-release may include alpha, beta, or release candidates and typically have 2498 limited support. They provide the ability to preview a release prior to its general availability. 2499 * internal = Internal releases are not for public consumption and are intended to be used exclusively 2500 by the project or manufacturer that produced it. 2501 </xs:documentation> 2502 </xs:annotation> 2503 </xs:element> 2504 <xs:element name="title" type="xs:string" minOccurs="0" maxOccurs="1"> 2505 <xs:annotation> 2506 <xs:documentation>The title of the release.</xs:documentation> 2507 </xs:annotation> 2508 </xs:element> 2509 <xs:element name="featuredImage" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 2510 <xs:annotation> 2511 <xs:documentation>The URL to an image that may be prominently displayed with the release note.</xs:documentation> 2512 </xs:annotation> 2513 </xs:element> 2514 <xs:element name="socialImage" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 2515 <xs:annotation> 2516 <xs:documentation>The URL to an image that may be used in messaging on social media platforms.</xs:documentation> 2517 </xs:annotation> 2518 </xs:element> 2519 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 2520 <xs:annotation> 2521 <xs:documentation>A short description of the release.</xs:documentation> 2522 </xs:annotation> 2523 </xs:element> 2524 <xs:element name="timestamp" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 2525 <xs:annotation> 2526 <xs:documentation>The date and time (timestamp) when the release note was created.</xs:documentation> 2527 </xs:annotation> 2528 </xs:element> 2529 <xs:element name="aliases" 
minOccurs="0" maxOccurs="1"> 2530 <xs:complexType> 2531 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2532 <xs:element name="alias" type="xs:normalizedString"> 2533 <xs:annotation> 2534 <xs:documentation>One or more alternate names the release may be referred to. This may 2535 include unofficial terms used by development and marketing teams (e.g. code names).</xs:documentation> 2536 </xs:annotation> 2537 </xs:element> 2538 </xs:sequence> 2539 </xs:complexType> 2540 </xs:element> 2541 <xs:element name="tags" minOccurs="0" maxOccurs="1"> 2542 <xs:complexType> 2543 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2544 <xs:element name="tag" type="xs:normalizedString"> 2545 <xs:annotation> 2546 <xs:documentation>One or more tags that may aid in search or retrieval of the release note.</xs:documentation> 2547 </xs:annotation> 2548 </xs:element> 2549 </xs:sequence> 2550 </xs:complexType> 2551 </xs:element> 2552 <xs:element name="resolves" minOccurs="0" maxOccurs="1"> 2553 <xs:annotation> 2554 <xs:documentation>A collection of issues that have been resolved.</xs:documentation> 2555 </xs:annotation> 2556 <xs:complexType> 2557 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2558 <xs:element name="issue" type="bom:issueType"/> 2559 </xs:sequence> 2560 </xs:complexType> 2561 </xs:element> 2562 <xs:element name="notes" minOccurs="0" maxOccurs="1"> 2563 <xs:complexType> 2564 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2565 <xs:element name="note"> 2566 <xs:annotation> 2567 <xs:documentation>Zero or more release notes containing the locale and content. 
Multiple 2568 note elements may be specified to support release notes in a wide variety of languages.</xs:documentation> 2569 </xs:annotation> 2570 <xs:complexType> 2571 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2572 <xs:element name="locale" type="bom:localeType" minOccurs="0" maxOccurs="1"> 2573 <xs:annotation> 2574 <xs:documentation>The ISO-639 (or higher) language code and optional ISO-3166 2575 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".</xs:documentation> 2576 </xs:annotation> 2577 </xs:element> 2578 <xs:element name="text" type="bom:attachedTextType" minOccurs="1" maxOccurs="1"> 2579 <xs:annotation> 2580 <xs:documentation>Specifies the full content of the release note.</xs:documentation> 2581 </xs:annotation> 2582 </xs:element> 2583 </xs:sequence> 2584 </xs:complexType> 2585 </xs:element> 2586 </xs:sequence> 2587 </xs:complexType> 2588 </xs:element> 2589 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 2590 <xs:annotation> 2591 <xs:documentation>Provides the ability to document properties in a name/value store. 2592 This provides flexibility to include data not officially supported in the standard 2593 without having to use additional namespaces or create extensions. Property names 2594 of interest to the general public are encouraged to be registered in the 2595 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 2596 Formal registration is OPTIONAL.</xs:documentation> 2597 </xs:annotation> 2598 </xs:element> 2599 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2600 <xs:annotation> 2601 <xs:documentation> 2602 Allows any undeclared elements as long as the elements are placed in a different namespace. 
2603 </xs:documentation> 2604 </xs:annotation> 2605 </xs:any> 2606 </xs:sequence> 2607 <xs:anyAttribute namespace="##any" processContents="lax"> 2608 <xs:annotation> 2609 <xs:documentation>User-defined attributes may be used on this element as long as they 2610 do not have the same name as an existing attribute used by the schema.</xs:documentation> 2611 </xs:annotation> 2612 </xs:anyAttribute> 2613 </xs:complexType> 2614 2615 <!-- 2616 Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and 2617 available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. 2618 In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and 2619 available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json. 2620 --> 2621 <xs:complexType name="modelCardType"> 2622 <xs:annotation> 2623 <xs:documentation> 2624 A model card describes the intended uses of a machine learning model and potential limitations, including 2625 biases and ethical considerations. Model cards typically contain the training parameters, which datasets 2626 were used to train the model, performance metrics, and other relevant data useful for ML transparency. 2627 This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified 2628 for other component types. 2629 </xs:documentation> 2630 </xs:annotation> 2631 <xs:sequence> 2632 <xs:element name="modelParameters" minOccurs="0" maxOccurs="1"> 2633 <xs:annotation> 2634 <xs:documentation> 2635 Hyper-parameters for construction of the model. 
2636 </xs:documentation> 2637 </xs:annotation> 2638 <xs:complexType> 2639 <xs:sequence> 2640 <xs:element name="approach" minOccurs="0" maxOccurs="1"> 2641 <xs:annotation> 2642 <xs:documentation> 2643 The overall approach to learning used by the model for problem solving. 2644 </xs:documentation> 2645 </xs:annotation> 2646 <xs:complexType> 2647 <xs:sequence> 2648 <xs:element name="type" type="bom:machineLearningApproachType" minOccurs="0" maxOccurs="1"> 2649 <xs:annotation> 2650 <xs:documentation> 2651 Learning types describing the learning problem or hybrid learning problem. 2652 </xs:documentation> 2653 </xs:annotation> 2654 </xs:element> 2655 </xs:sequence> 2656 </xs:complexType> 2657 </xs:element> 2658 <xs:element name="task" type="xs:string" minOccurs="0" maxOccurs="1"> 2659 <xs:annotation> 2660 <xs:documentation> 2661 Directly influences the input and/or output. Examples include classification, 2662 regression, clustering, etc. 2663 </xs:documentation> 2664 </xs:annotation> 2665 </xs:element> 2666 <xs:element name="architectureFamily" type="xs:string" minOccurs="0" maxOccurs="1"> 2667 <xs:annotation> 2668 <xs:documentation> 2669 The model architecture family such as transformer network, convolutional neural 2670 network, residual neural network, LSTM neural network, etc. 2671 </xs:documentation> 2672 </xs:annotation> 2673 </xs:element> 2674 <xs:element name="modelArchitecture" type="xs:string" minOccurs="0" maxOccurs="1"> 2675 <xs:annotation> 2676 <xs:documentation> 2677 The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. 2678 </xs:documentation> 2679 </xs:annotation> 2680 </xs:element> 2681 <xs:element name="datasets" minOccurs="0" maxOccurs="1"> 2682 <xs:annotation> 2683 <xs:documentation> 2684 The datasets used to train and evaluate the model. 
2685 </xs:documentation> 2686 </xs:annotation> 2687 <xs:complexType> 2688 <xs:choice minOccurs="0" maxOccurs="unbounded"> 2689 <xs:element name="ref" minOccurs="0" maxOccurs="1"> 2690 <xs:annotation> 2691 <xs:documentation>References a data component by the component's bom-ref attribute.</xs:documentation> 2692 </xs:annotation> 2693 <xs:simpleType> 2694 <xs:union memberTypes="bom:refLinkType bom:bomLinkElementType"/> 2695 </xs:simpleType> 2696 </xs:element> 2697 <xs:element name="dataset" type="bom:componentDataType" minOccurs="0" maxOccurs="1" /> 2698 </xs:choice> 2699 </xs:complexType> 2700 </xs:element> 2701 <xs:element name="inputs" minOccurs="0" maxOccurs="1"> 2702 <xs:annotation> 2703 <xs:documentation> 2704 The input format(s) of the model 2705 </xs:documentation> 2706 </xs:annotation> 2707 <xs:complexType> 2708 <xs:sequence> 2709 <xs:element name="input" minOccurs="0" maxOccurs="unbounded"> 2710 <xs:complexType> 2711 <xs:sequence> 2712 <xs:element name="format" type="xs:string" minOccurs="1" maxOccurs="1"> 2713 <xs:annotation> 2714 <xs:documentation> 2715 The data format for input to the model. Example formats include string, image, time-series 2716 </xs:documentation> 2717 </xs:annotation> 2718 </xs:element> 2719 </xs:sequence> 2720 </xs:complexType> 2721 </xs:element> 2722 </xs:sequence> 2723 </xs:complexType> 2724 </xs:element> 2725 <xs:element name="outputs" minOccurs="0" maxOccurs="1"> 2726 <xs:annotation> 2727 <xs:documentation> 2728 The output format(s) from the model 2729 </xs:documentation> 2730 </xs:annotation> 2731 <xs:complexType> 2732 <xs:sequence> 2733 <xs:element name="output" minOccurs="0" maxOccurs="unbounded"> 2734 <xs:complexType> 2735 <xs:sequence> 2736 <xs:element name="format" type="xs:string" minOccurs="1" maxOccurs="1"> 2737 <xs:annotation> 2738 <xs:documentation> 2739 The data format for output from the model.
Example formats include string, image, time-series 2740 </xs:documentation> 2741 </xs:annotation> 2742 </xs:element> 2743 </xs:sequence> 2744 </xs:complexType> 2745 </xs:element> 2746 </xs:sequence> 2747 </xs:complexType> 2748 </xs:element> 2749 </xs:sequence> 2750 </xs:complexType> 2751 </xs:element> 2752 <xs:element name="quantitativeAnalysis" minOccurs="0" maxOccurs="1"> 2753 <xs:annotation> 2754 <xs:documentation> 2755 A quantitative analysis of the model 2756 </xs:documentation> 2757 </xs:annotation> 2758 <xs:complexType> 2759 <xs:sequence> 2760 <xs:element name="performanceMetrics" minOccurs="0" maxOccurs="1"> 2761 <xs:complexType> 2762 <xs:sequence> 2763 <xs:element name="performanceMetric" minOccurs="0" maxOccurs="unbounded"> 2764 <xs:complexType> 2765 <xs:sequence> 2766 <xs:element name="type" type="xs:string" minOccurs="0" maxOccurs="1"> 2767 <xs:annotation> 2768 <xs:documentation> 2769 The type of performance metric. 2770 </xs:documentation> 2771 </xs:annotation> 2772 </xs:element> 2773 <xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1"> 2774 <xs:annotation> 2775 <xs:documentation> 2776 The value of the performance metric. 2777 </xs:documentation> 2778 </xs:annotation> 2779 </xs:element> 2780 <xs:element name="slice" type="xs:string" minOccurs="0" maxOccurs="1"> 2781 <xs:annotation> 2782 <xs:documentation> 2783 The name of the slice this metric was computed on. By default, assume 2784 this metric is not sliced. 2785 </xs:documentation> 2786 </xs:annotation> 2787 </xs:element> 2788 <xs:element name="confidenceInterval" minOccurs="0" maxOccurs="1"> 2789 <xs:annotation> 2790 <xs:documentation> 2791 The confidence interval of the metric. 2792 </xs:documentation> 2793 </xs:annotation> 2794 <xs:complexType> 2795 <xs:sequence> 2796 <xs:element name="lowerBound" type="xs:string" minOccurs="0" maxOccurs="1"> 2797 <xs:annotation> 2798 <xs:documentation> 2799 The lower bound of the confidence interval. 
2800 </xs:documentation> 2801 </xs:annotation> 2802 </xs:element> 2803 <xs:element name="upperBound" type="xs:string" minOccurs="0" maxOccurs="1"> 2804 <xs:annotation> 2805 <xs:documentation> 2806 The upper bound of the confidence interval. 2807 </xs:documentation> 2808 </xs:annotation> 2809 </xs:element> 2810 </xs:sequence> 2811 </xs:complexType> 2812 </xs:element> 2813 </xs:sequence> 2814 </xs:complexType> 2815 </xs:element> 2816 </xs:sequence> 2817 </xs:complexType> 2818 </xs:element> 2819 <xs:element name="graphics" minOccurs="0" maxOccurs="1"> 2820 <xs:annotation> 2821 <xs:documentation> 2822 A collection of graphics that represent various measurements 2823 </xs:documentation> 2824 </xs:annotation> 2825 <xs:complexType> 2826 <xs:sequence> 2827 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 2828 <xs:annotation> 2829 <xs:documentation> 2830 A description of this collection of graphics. 2831 </xs:documentation> 2832 </xs:annotation> 2833 </xs:element> 2834 <xs:element name="collection" minOccurs="0" maxOccurs="1"> 2835 <xs:annotation> 2836 <xs:documentation> 2837 A collection of graphics. 2838 </xs:documentation> 2839 </xs:annotation> 2840 <xs:complexType> 2841 <xs:sequence> 2842 <xs:element name="graphic" minOccurs="0" maxOccurs="unbounded"> 2843 <xs:complexType> 2844 <xs:sequence> 2845 <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"> 2846 <xs:annotation> 2847 <xs:documentation> 2848 The name of the graphic. 2849 </xs:documentation> 2850 </xs:annotation> 2851 </xs:element> 2852 <xs:element name="image" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 2853 <xs:annotation> 2854 <xs:documentation> 2855 The graphic (vector or raster). Base64 encoding MUST be specified for binary images. 
2856 </xs:documentation> 2857 </xs:annotation> 2858 </xs:element> 2859 </xs:sequence> 2860 </xs:complexType> 2861 </xs:element> 2862 </xs:sequence> 2863 </xs:complexType> 2864 </xs:element> 2865 </xs:sequence> 2866 </xs:complexType> 2867 </xs:element> 2868 </xs:sequence> 2869 </xs:complexType> 2870 </xs:element> 2871 <xs:element name="considerations" minOccurs="0" maxOccurs="1"> 2872 <xs:annotation> 2873 <xs:documentation> 2874 What considerations should be taken into account regarding the model's construction, training, 2875 and application? 2876 </xs:documentation> 2877 </xs:annotation> 2878 <xs:complexType> 2879 <xs:sequence> 2880 <xs:element name="users" minOccurs="0" maxOccurs="1"> 2881 <xs:annotation> 2882 <xs:documentation> 2883 Who are the intended users of the model? 2884 </xs:documentation> 2885 </xs:annotation> 2886 <xs:complexType> 2887 <xs:sequence> 2888 <xs:element name="user" type="xs:string" minOccurs="0" maxOccurs="1" /> 2889 </xs:sequence> 2890 </xs:complexType> 2891 </xs:element> 2892 <xs:element name="useCases" minOccurs="0" maxOccurs="1"> 2893 <xs:annotation> 2894 <xs:documentation> 2895 What are the intended use cases of the model? 2896 </xs:documentation> 2897 </xs:annotation> 2898 <xs:complexType> 2899 <xs:sequence> 2900 <xs:element name="useCase" type="xs:string" minOccurs="0" maxOccurs="1" /> 2901 </xs:sequence> 2902 </xs:complexType> 2903 </xs:element> 2904 <xs:element name="technicalLimitations" minOccurs="0" maxOccurs="1"> 2905 <xs:annotation> 2906 <xs:documentation> 2907 What are the known technical limitations of the model? E.g. What kind(s) of data 2908 should the model be expected not to perform well on? What are the factors that might 2909 degrade model performance? 
2910 </xs:documentation> 2911 </xs:annotation> 2912 <xs:complexType> 2913 <xs:sequence> 2914 <xs:element name="technicalLimitation" type="xs:string" minOccurs="0" maxOccurs="1" /> 2915 </xs:sequence> 2916 </xs:complexType> 2917 </xs:element> 2918 <xs:element name="performanceTradeoffs" minOccurs="0" maxOccurs="1"> 2919 <xs:annotation> 2920 <xs:documentation> 2921 What are the known tradeoffs in accuracy/performance of the model? 2922 </xs:documentation> 2923 </xs:annotation> 2924 <xs:complexType> 2925 <xs:sequence> 2926 <xs:element name="performanceTradeoff" type="xs:string" minOccurs="0" maxOccurs="1" /> 2927 </xs:sequence> 2928 </xs:complexType> 2929 </xs:element> 2930 <xs:element name="ethicalConsiderations" minOccurs="0" maxOccurs="1"> 2931 <xs:annotation> 2932 <xs:documentation> 2933 What are the ethical (or environmental) risks involved in the application of this model? 2934 </xs:documentation> 2935 </xs:annotation> 2936 <xs:complexType> 2937 <xs:sequence> 2938 <xs:element name="ethicalConsideration" minOccurs="0" maxOccurs="unbounded"> 2939 <xs:complexType> 2940 <xs:sequence> 2941 <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"> 2942 <xs:annotation> 2943 <xs:documentation> 2944 The name of the risk 2945 </xs:documentation> 2946 </xs:annotation> 2947 </xs:element> 2948 <xs:element name="mitigationStrategy" type="xs:string" minOccurs="0" maxOccurs="1"> 2949 <xs:annotation> 2950 <xs:documentation> 2951 Strategy used to address this risk 2952 </xs:documentation> 2953 </xs:annotation> 2954 </xs:element> 2955 </xs:sequence> 2956 </xs:complexType> 2957 </xs:element> 2958 </xs:sequence> 2959 </xs:complexType> 2960 </xs:element> 2961 <xs:element name="fairnessAssessments" minOccurs="0" maxOccurs="1"> 2962 <xs:annotation> 2963 <xs:documentation> 2964 How does the model affect groups at risk of being systematically disadvantaged? 2965 What are the harms and benefits to the various affected groups? 
2966 </xs:documentation> 2967 </xs:annotation> 2968 <xs:complexType> 2969 <xs:sequence> 2970 <xs:element name="fairnessAssessment" minOccurs="0" maxOccurs="unbounded"> 2971 <xs:complexType> 2972 <xs:sequence> 2973 <xs:element name="groupAtRisk" type="xs:string" minOccurs="0" maxOccurs="1"> 2974 <xs:annotation> 2975 <xs:documentation> 2976 The groups or individuals at risk of being systematically disadvantaged by the model. 2977 </xs:documentation> 2978 </xs:annotation> 2979 </xs:element> 2980 <xs:element name="benefits" type="xs:string" minOccurs="0" maxOccurs="1"> 2981 <xs:annotation> 2982 <xs:documentation> 2983 Expected benefits to the identified groups. 2984 </xs:documentation> 2985 </xs:annotation> 2986 </xs:element> 2987 <xs:element name="harms" type="xs:string" minOccurs="0" maxOccurs="1"> 2988 <xs:annotation> 2989 <xs:documentation> 2990 Expected harms to the identified groups. 2991 </xs:documentation> 2992 </xs:annotation> 2993 </xs:element> 2994 <xs:element name="mitigationStrategy" type="xs:string" minOccurs="0" maxOccurs="1"> 2995 <xs:annotation> 2996 <xs:documentation> 2997 With respect to the benefits and harms outlined, please 2998 describe any mitigation strategy implemented. 2999 </xs:documentation> 3000 </xs:annotation> 3001 </xs:element> 3002 </xs:sequence> 3003 </xs:complexType> 3004 </xs:element> 3005 </xs:sequence> 3006 </xs:complexType> 3007 </xs:element> 3008 </xs:sequence> 3009 </xs:complexType> 3010 </xs:element> 3011 </xs:sequence> 3012 <xs:attribute name="bom-ref" type="bom:refType"> 3013 <xs:annotation> 3014 <xs:documentation> 3015 An optional identifier which can be used to reference the model card elsewhere in the BOM. 3016 Every bom-ref MUST be unique within the BOM. 
3017         </xs:documentation>
3018       </xs:annotation>
3019     </xs:attribute>
3020   </xs:complexType>
3021
       <!--
         machineLearningApproachType: a string restricted to the five values
         enumerated below. The per-value documentation is still a "TODO"
         placeholder in this schema version, so the schema itself gives no
         definition for any of the values.
       -->
3022   <xs:simpleType name="machineLearningApproachType">
3023     <xs:restriction base="xs:string">
3024       <xs:enumeration value="supervised">
3025         <xs:annotation>
3026           <xs:documentation>TODO</xs:documentation>
3027         </xs:annotation>
3028       </xs:enumeration>
3029       <xs:enumeration value="unsupervised">
3030         <xs:annotation>
3031           <xs:documentation>TODO</xs:documentation>
3032         </xs:annotation>
3033       </xs:enumeration>
3034       <xs:enumeration value="reinforcement-learning">
3035         <xs:annotation>
3036           <xs:documentation>TODO</xs:documentation>
3037         </xs:annotation>
3038       </xs:enumeration>
3039       <xs:enumeration value="semi-supervised">
3040         <xs:annotation>
3041           <xs:documentation>TODO</xs:documentation>
3042         </xs:annotation>
3043       </xs:enumeration>
3044       <xs:enumeration value="self-supervised">
3045         <xs:annotation>
3046           <xs:documentation>TODO</xs:documentation>
3047         </xs:annotation>
3048       </xs:enumeration>
3049     </xs:restriction>
3050   </xs:simpleType>
3051
       <!--
         componentDataType: describes a dataset. In the part of the declaration
         shown here, `type` is the only required child (minOccurs="1") and its
         value must come from componentDataTypeEnumeration; `name` and
         `contents` are optional. `contents` declares its own anonymous
         complex type, which follows its annotation.
       -->
3052   <xs:complexType name="componentDataType">
3053     <xs:sequence>
3054       <xs:element name="type" type="bom:componentDataTypeEnumeration" minOccurs="1" maxOccurs="1">
3055         <xs:annotation>
3056           <xs:documentation>
3057             The general theme or subject matter of the data being specified.
3058           </xs:documentation>
3059         </xs:annotation>
3060       </xs:element>
3061       <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1">
3062         <xs:annotation>
3063           <xs:documentation>
3064             The name of the dataset.
3065           </xs:documentation>
3066         </xs:annotation>
3067       </xs:element>
3068       <xs:element name="contents" minOccurs="0" maxOccurs="1">
3069         <xs:annotation>
3070           <xs:documentation>
3071             The contents or references to the contents of the data being described.
3072 </xs:documentation> 3073 </xs:annotation> 3074 <xs:complexType> 3075 <xs:sequence> 3076 <xs:element name="attachment" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 3077 <xs:annotation> 3078 <xs:documentation>An optional way to include textual or encoded data.</xs:documentation> 3079 </xs:annotation> 3080 </xs:element> 3081 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 3082 <xs:annotation> 3083 <xs:documentation>The URL to where the data can be retrieved.</xs:documentation> 3084 </xs:annotation> 3085 </xs:element> 3086 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 3087 <xs:annotation> 3088 <xs:documentation>Provides the ability to document name-value parameters used for configuration.</xs:documentation> 3089 </xs:annotation> 3090 </xs:element> 3091 </xs:sequence> 3092 </xs:complexType> 3093 </xs:element> 3094 <xs:element name="classification" type="xs:string" minOccurs="0" maxOccurs="1"> 3095 <xs:annotation> 3096 <xs:documentation> 3097 Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. 3098 </xs:documentation> 3099 </xs:annotation> 3100 </xs:element> 3101 <xs:element name="sensitiveData" minOccurs="0" maxOccurs="unbounded"> 3102 <xs:annotation> 3103 <xs:documentation> 3104 A description of any sensitive data in a dataset. 3105 </xs:documentation> 3106 </xs:annotation> 3107 </xs:element> 3108 <xs:element name="graphics" type="bom:graphicsCollectionType" minOccurs="0" maxOccurs="1"> 3109 <xs:annotation> 3110 <xs:documentation> 3111 A collection of graphics that represent various measurements. 3112 </xs:documentation> 3113 </xs:annotation> 3114 </xs:element> 3115 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 3116 <xs:annotation> 3117 <xs:documentation> 3118 A description of the dataset. Can describe size of dataset, whether it's used for source code, 3119 training, testing, or validation, etc. 
3120 </xs:documentation> 3121 </xs:annotation> 3122 </xs:element> 3123 <xs:element name="governance" type="bom:dataGovernance" minOccurs="0" maxOccurs="1" /> 3124 </xs:sequence> 3125 <xs:attribute name="bom-ref" type="bom:refType"> 3126 <xs:annotation> 3127 <xs:documentation> 3128 An optional identifier which can be used to reference the dataset elsewhere in the BOM. 3129 Every bom-ref MUST be unique within the BOM. 3130 </xs:documentation> 3131 </xs:annotation> 3132 </xs:attribute> 3133 </xs:complexType> 3134 3135 <xs:complexType name="dataGovernance"> 3136 <xs:sequence> 3137 <xs:element name="custodians" minOccurs="0" maxOccurs="1"> 3138 <xs:annotation> 3139 <xs:documentation> 3140 Data custodians are responsible for the safe custody, transport, and storage of data. 3141 </xs:documentation> 3142 </xs:annotation> 3143 <xs:complexType> 3144 <xs:sequence> 3145 <xs:element name="custodian" type="bom:organizationOrIndividualType" minOccurs="0" maxOccurs="unbounded"/> 3146 </xs:sequence> 3147 </xs:complexType> 3148 </xs:element> 3149 <xs:element name="stewards" minOccurs="0" maxOccurs="1"> 3150 <xs:annotation> 3151 <xs:documentation> 3152 Data stewards are responsible for data content, context, and associated business rules. 3153 </xs:documentation> 3154 </xs:annotation> 3155 <xs:complexType> 3156 <xs:sequence> 3157 <xs:element name="steward" type="bom:organizationOrIndividualType" minOccurs="0" maxOccurs="unbounded"/> 3158 </xs:sequence> 3159 </xs:complexType> 3160 </xs:element> 3161 <xs:element name="owners" minOccurs="0" maxOccurs="1"> 3162 <xs:annotation> 3163 <xs:documentation> 3164 Data owners are concerned with risk and appropriate access to data. 
3165           </xs:documentation>
3166         </xs:annotation>
3167         <xs:complexType>
3168           <xs:sequence>
3169             <xs:element name="owner" type="bom:organizationOrIndividualType" minOccurs="0" maxOccurs="unbounded"/>
3170           </xs:sequence>
3171         </xs:complexType>
3172       </xs:element>
3173     </xs:sequence>
3174   </xs:complexType>
3175
       <!--
         organizationOrIndividualType: names either an organization or an
         individual. The choice admits at most one branch, but both branches
         are minOccurs="0", so an element of this type may also be empty.
         A schema-valid `owner` (or any other element of this type) therefore
         does not guarantee that a responsible party is actually named;
         consumers that rely on one need their own presence check.
       -->
3176   <xs:complexType name="organizationOrIndividualType">
3177     <xs:choice>
3178       <xs:element name="organization" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1" />
3179       <xs:element name="individual" type="bom:organizationalContact" minOccurs="0" maxOccurs="1" />
3180     </xs:choice>
3181   </xs:complexType>
3182
       <!--
         graphicsCollectionType: an optional description plus an optional
         `collection` holding zero or more `graphic` entries, each with an
         optional name and an optional image.
       -->
3183   <xs:complexType name="graphicsCollectionType">
3184     <xs:annotation>
3185       <xs:documentation>
3186         A collection of graphics that represent various measurements.
3187       </xs:documentation>
3188     </xs:annotation>
3189     <xs:sequence>
         <!--
           `description` has neither a type attribute nor an inline type, so
           it defaults to xs:anyType: arbitrary attributes and child content
           validate here, not just text.
         -->
3190       <xs:element name="description" minOccurs="0" maxOccurs="1">
3191         <xs:annotation>
3192           <xs:documentation>
3193             A description of this collection of graphics.
3194           </xs:documentation>
3195         </xs:annotation>
3196       </xs:element>
3197       <xs:element name="collection" minOccurs="0" maxOccurs="1">
3198         <xs:annotation>
3199           <xs:documentation>
3200             A collection of graphics.
3201           </xs:documentation>
3202         </xs:annotation>
3203         <xs:complexType>
3204           <xs:sequence>
3205             <xs:element name="graphic" minOccurs="0" maxOccurs="unbounded">
3206               <xs:complexType>
3207                 <xs:sequence>
3208                   <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1">
3209                     <xs:annotation>
3210                       <xs:documentation>
3211                         The name of the graphic.
3212                       </xs:documentation>
3213                     </xs:annotation>
3214                   </xs:element>
                     <!--
                       `image` reuses attachedTextType, which is declared
                       elsewhere in this schema. NOTE(review): the Base64
                       requirement stated below is prose; nothing in this
                       declaration enforces it, so consumers should check the
                       declared encoding before decoding image data.
                     -->
3215                   <xs:element name="image" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
3216                     <xs:annotation>
3217                       <xs:documentation>
3218                         The graphic (vector or raster). Base64 encoding MUST be specified for binary images.
3219                       </xs:documentation>
3220                     </xs:annotation>
3221                   </xs:element>
3222                 </xs:sequence>
3223               </xs:complexType>
3224             </xs:element>
3225           </xs:sequence>
3226         </xs:complexType>
3227       </xs:element>
3228     </xs:sequence>
3229   </xs:complexType>
3230
       <!--
         componentDataTypeEnumeration: closed list of data categories. The
         value is a string that must match one of the five enumerated
         literals exactly; "other" is the catch-all.
       -->
3231   <xs:simpleType name="componentDataTypeEnumeration">
3232     <xs:restriction base="xs:string">
3233       <xs:enumeration value="source-code">
3234         <xs:annotation>
3235           <xs:documentation>Any type of code, code snippet, or data-as-code.</xs:documentation>
3236         </xs:annotation>
3237       </xs:enumeration>
3238       <xs:enumeration value="configuration">
3239         <xs:annotation>
3240           <xs:documentation>Parameters or settings that may be used by other components.</xs:documentation>
3241         </xs:annotation>
3242       </xs:enumeration>
3243       <xs:enumeration value="dataset">
3244         <xs:annotation>
3245           <xs:documentation>A collection of data.</xs:documentation>
3246         </xs:annotation>
3247       </xs:enumeration>
3248       <xs:enumeration value="definition">
3249         <xs:annotation>
3250           <xs:documentation>Data that can be used to create new instances of what the definition defines.</xs:documentation>
3251         </xs:annotation>
3252       </xs:enumeration>
3253       <xs:enumeration value="other">
3254         <xs:annotation>
3255           <xs:documentation>Any other type of data that does not fit into existing definitions.</xs:documentation>
3256         </xs:annotation>
3257       </xs:enumeration>
3258     </xs:restriction>
3259   </xs:simpleType>
3260
       <!--
         bomReferenceType: an element whose only declared content is the
         required `ref` attribute. `ref` is a union of refLinkType (a
         reference inside this BOM) and bomLinkType (a "urn:cdx:" link to
         another BOM or to an element in it).
         NOTE(review): this type only constrains the lexical form of `ref`.
         Whether the schema checks elsewhere that the referenced bom-ref
         exists is not visible here; consumers should resolve references
         themselves and reject dangling ones.
       -->
3261   <xs:complexType name="bomReferenceType">
3262     <xs:attribute name="ref" use="required">
3263       <xs:annotation>
3264         <xs:documentation>References a component or service by its bom-ref attribute</xs:documentation>
3265       </xs:annotation>
3266       <xs:simpleType>
3267         <xs:union memberTypes="bom:refLinkType bom:bomLinkType"/>
3268       </xs:simpleType>
3269     </xs:attribute>
         <!--
           Extension point: namespace="##other" admits attributes qualified
           with a namespace other than this schema's target namespace, and
           processContents="lax" validates them only when a declaration is
           available to the validator.
         -->
3270     <xs:anyAttribute namespace="##other" processContents="lax">
3271       <xs:annotation>
3272         <xs:documentation>User-defined attributes may be used on this element as long as they
3273           do not have the same name as an existing attribute
used by the schema.</xs:documentation>
3274       </xs:annotation>
3275     </xs:anyAttribute>
3276   </xs:complexType>
3277
       <!--
         propertiesType: wrapper for a list of name/value properties.
         The sequence repeats zero or more times; each repetition is one
         `property` (required within the repetition, since it carries no
         minOccurs) followed by any number of elements from other namespaces.
       -->
3278   <xs:complexType name="propertiesType">
3279     <xs:sequence minOccurs="0" maxOccurs="unbounded">
3280       <xs:element name="property" type="bom:propertyType"/>
         <!--
           Extension point. processContents="lax" means a validator checks
           these foreign elements only when it has a declaration for them
           and otherwise accepts them as they are, so a schema-valid document
           can still carry content here that nothing has validated.
           Consumers should treat it as untrusted input.
         -->
3281       <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
3282         <xs:annotation>
3283           <xs:documentation>
3284             Allows any undeclared elements as long as the elements are placed in a different namespace.
3285           </xs:documentation>
3286         </xs:annotation>
3287       </xs:any>
3288     </xs:sequence>
         <!--
           namespace="##any" accepts attributes from every namespace; with
           lax processing they too are validated only when a declaration is
           found.
         -->
3289     <xs:anyAttribute namespace="##any" processContents="lax">
3290       <xs:annotation>
3291         <xs:documentation>User-defined attributes may be used on this element as long as they
3292           do not have the same name as an existing attribute used by the schema.</xs:documentation>
3293       </xs:annotation>
3294     </xs:anyAttribute>
3295   </xs:complexType>
3296
       <!--
         propertyType: a single property. The element text is the value
         (xs:normalizedString, so tabs and line breaks are normalized to
         spaces) and `name` is a required attribute. Neither the name nor
         the value is restricted further by this declaration.
       -->
3297   <xs:complexType name="propertyType">
3298     <xs:annotation>
3299       <xs:documentation>Specifies an individual property with a name and value.</xs:documentation>
3300     </xs:annotation>
3301     <xs:simpleContent>
3302       <xs:extension base="xs:normalizedString">
3303         <xs:attribute name="name" type="xs:string" use="required">
3304           <xs:annotation>
3305             <xs:documentation>The name of the property.
Duplicate names are allowed, each potentially having a different value.</xs:documentation>
3306           </xs:annotation>
3307         </xs:attribute>
3308       </xs:extension>
3309     </xs:simpleContent>
3310   </xs:complexType>
3311
       <!--
         vulnerabilitiesType: wrapper for the list of vulnerability records.
         The sequence repeats zero or more times; each repetition is one
         `vulnerability` (required within the repetition, since it carries no
         minOccurs) followed by any number of elements from other namespaces.
       -->
3312   <xs:complexType name="vulnerabilitiesType">
3313     <xs:sequence minOccurs="0" maxOccurs="unbounded">
3314       <xs:element name="vulnerability" type="bom:vulnerabilityType">
3315         <xs:annotation>
3316           <xs:documentation>Defines a weakness in a component or service that could be exploited or triggered by a threat source.</xs:documentation>
3317         </xs:annotation>
3318       </xs:element>
         <!--
           Extension point. With processContents="lax" a validator checks
           foreign elements only when it has a declaration for them and
           otherwise accepts them unvalidated, so passing schema validation
           says nothing about this content. Consumers should treat it as
           untrusted input.
         -->
3319       <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
3320         <xs:annotation>
3321           <xs:documentation>
3322             Allows any undeclared elements as long as the elements are placed in a different namespace.
3323           </xs:documentation>
3324         </xs:annotation>
3325       </xs:any>
3326     </xs:sequence>
         <!--
           namespace="##any" accepts attributes from every namespace, again
           validated only when a declaration is found.
         -->
3327     <xs:anyAttribute namespace="##any" processContents="lax">
3328       <xs:annotation>
3329         <xs:documentation>User-defined attributes may be used on this element as long as they
3330           do not have the same name as an existing attribute used by the schema.</xs:documentation>
3331       </xs:annotation>
3332     </xs:anyAttribute>
3333   </xs:complexType>
3334
       <!--
         vulnerabilityType: one vulnerability record. The outer sequence is
         optional (minOccurs="0") and so is `id`, which means schema
         validation alone does not guarantee that a record carries an
         identifier. Consumers that correlate or deduplicate on `id` need
         their own presence check.
       -->
3335   <xs:complexType name="vulnerabilityType">
3336     <xs:sequence minOccurs="0" maxOccurs="1">
3337       <xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
3338         <xs:annotation>
3339           <xs:documentation>The identifier that uniquely identifies the vulnerability.
For example: 3340 CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation> 3341 </xs:annotation> 3342 </xs:element> 3343 <xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1"> 3344 <xs:annotation> 3345 <xs:documentation>The source that published the vulnerability.</xs:documentation> 3346 </xs:annotation> 3347 </xs:element> 3348 <xs:element name="references" minOccurs="0" maxOccurs="1"> 3349 <xs:annotation> 3350 <xs:documentation>Zero or more pointers to vulnerabilities that are the equivalent of the 3351 vulnerability specified. Often times, the same vulnerability may exist in multiple sources of 3352 vulnerability intelligence, but have different identifiers. References provide a way to 3353 correlate vulnerabilities across multiple sources of vulnerability intelligence.</xs:documentation> 3354 </xs:annotation> 3355 <xs:complexType> 3356 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3357 <xs:element name="reference"> 3358 <xs:annotation> 3359 <xs:documentation>A pointer to a vulnerability that is the equivalent of the 3360 vulnerability specified.</xs:documentation> 3361 </xs:annotation> 3362 <xs:complexType> 3363 <xs:sequence minOccurs="1" maxOccurs="1"> 3364 <xs:element name="id" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 3365 <xs:annotation> 3366 <xs:documentation>The identifier that uniquely identifies the vulnerability. 
For example: 3367 CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation> 3368 </xs:annotation> 3369 </xs:element> 3370 <xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="1" maxOccurs="1"> 3371 <xs:annotation> 3372 <xs:documentation>The source that published the vulnerability.</xs:documentation> 3373 </xs:annotation> 3374 </xs:element> 3375 </xs:sequence> 3376 </xs:complexType> 3377 </xs:element> 3378 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 3379 <xs:annotation> 3380 <xs:documentation> 3381 Allows any undeclared elements as long as the elements are placed in a different namespace. 3382 </xs:documentation> 3383 </xs:annotation> 3384 </xs:any> 3385 </xs:sequence> 3386 </xs:complexType> 3387 </xs:element> 3388 <xs:element name="ratings" minOccurs="0" maxOccurs="1"> 3389 <xs:annotation> 3390 <xs:documentation xml:lang="en">List of vulnerability ratings.</xs:documentation> 3391 </xs:annotation> 3392 <xs:complexType> 3393 <xs:sequence> 3394 <xs:element name="rating" type="bom:ratingType" minOccurs="0" maxOccurs="unbounded"/> 3395 </xs:sequence> 3396 </xs:complexType> 3397 </xs:element> 3398 <xs:element name="cwes" minOccurs="0" maxOccurs="1"> 3399 <xs:complexType> 3400 <xs:annotation> 3401 <xs:documentation xml:lang="en"> 3402 List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. 
3403 For example 399 (of https://cwe.mitre.org/data/definitions/399.html) 3404 </xs:documentation> 3405 </xs:annotation> 3406 <xs:sequence> 3407 <xs:element name="cwe" type="xs:integer" minOccurs="0" maxOccurs="unbounded"/> 3408 </xs:sequence> 3409 </xs:complexType> 3410 </xs:element> 3411 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 3412 <xs:annotation> 3413 <xs:documentation>A description of the vulnerability as provided by the source.</xs:documentation> 3414 </xs:annotation> 3415 </xs:element> 3416 <xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1"> 3417 <xs:annotation> 3418 <xs:documentation>If available, an in-depth description of the vulnerability as provided by the 3419 source organization. Details often include information useful in understanding root cause.</xs:documentation> 3420 </xs:annotation> 3421 </xs:element> 3422 <xs:element name="recommendation" type="xs:string" minOccurs="0" maxOccurs="1"> 3423 <xs:annotation> 3424 <xs:documentation>Recommendations of how the vulnerability can be remediated or mitigated.</xs:documentation> 3425 </xs:annotation> 3426 </xs:element> 3427 <xs:element name="workaround" type="xs:string" minOccurs="0" maxOccurs="1"> 3428 <xs:annotation> 3429 <xs:documentation>A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.</xs:documentation> 3430 </xs:annotation> 3431 </xs:element> 3432 <xs:element name="proofOfConcept" minOccurs="0" maxOccurs="1"> 3433 <xs:complexType> 3434 <xs:annotation> 3435 <xs:documentation xml:lang="en"> 3436 Evidence used to reproduce the vulnerability. 
3437             </xs:documentation>
3438           </xs:annotation>
3439           <xs:sequence>
               <!--
                 `reproductionSteps` and `environment` are free-form
                 xs:string values supplied by whoever produced the BOM.
                 Tools that render them in reports or web views should
                 escape them like any other untrusted text.
               -->
3440             <xs:element name="reproductionSteps" type="xs:string" minOccurs="0" maxOccurs="1">
3441               <xs:annotation>
3442                 <xs:documentation>Precise steps to reproduce the vulnerability.</xs:documentation>
3443               </xs:annotation>
3444             </xs:element>
3445             <xs:element name="environment" type="xs:string" minOccurs="0" maxOccurs="1">
3446               <xs:annotation>
3447                 <xs:documentation>A description of the environment in which reproduction was possible.</xs:documentation>
3448               </xs:annotation>
3449             </xs:element>
               <!--
                 `supportingMaterial` holds zero or more attachments of
                 attachedTextType (declared elsewhere in this schema). Per
                 its documentation the content may be payloads or PoC
                 exploit code, and maxOccurs="unbounded" puts no limit on
                 the number of attachments; no size limit is visible in this
                 declaration either. Consumers should handle attachments as
                 inert data: store them as received, decode only on explicit
                 request, never render or execute them automatically, and
                 apply their own count and size limits.
               -->
3450             <xs:element name="supportingMaterial" minOccurs="0" maxOccurs="1">
3451               <xs:annotation>
3452                 <xs:documentation>Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.</xs:documentation>
3453               </xs:annotation>
3454               <xs:complexType>
3455                 <xs:sequence>
3456                   <xs:element name="attachment" type="bom:attachedTextType" minOccurs="0" maxOccurs="unbounded" />
3457                 </xs:sequence>
3458               </xs:complexType>
3459             </xs:element>
3460           </xs:sequence>
3461         </xs:complexType>
3462       </xs:element>
           <!--
             `advisories`: optional list wrapper. Its anonymous complex type
             and `advisory` children follow the annotation below.
           -->
3463       <xs:element name="advisories" minOccurs="0" maxOccurs="1">
3464         <xs:complexType>
3465           <xs:annotation>
3466             <xs:documentation xml:lang="en">
3467               Published advisories of the vulnerability if provided.
3468 </xs:documentation> 3469 </xs:annotation> 3470 <xs:sequence> 3471 <xs:element name="advisory" type="bom:advisoryType" minOccurs="0" maxOccurs="unbounded"/> 3472 </xs:sequence> 3473 </xs:complexType> 3474 </xs:element> 3475 <xs:element name="created" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 3476 <xs:annotation> 3477 <xs:documentation>The date and time (timestamp) when the vulnerability record was created in the vulnerability database.</xs:documentation> 3478 </xs:annotation> 3479 </xs:element> 3480 <xs:element name="published" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 3481 <xs:annotation> 3482 <xs:documentation>The date and time (timestamp) when the vulnerability record was first published.</xs:documentation> 3483 </xs:annotation> 3484 </xs:element> 3485 <xs:element name="updated" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 3486 <xs:annotation> 3487 <xs:documentation>The date and time (timestamp) when the vulnerability record was last updated.</xs:documentation> 3488 </xs:annotation> 3489 </xs:element> 3490 <xs:element name="rejected" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 3491 <xs:annotation> 3492 <xs:documentation>The date and time (timestamp) when the vulnerability record was rejected (if applicable).</xs:documentation> 3493 </xs:annotation> 3494 </xs:element> 3495 <xs:element name="credits" minOccurs="0" maxOccurs="1"> 3496 <xs:annotation> 3497 <xs:documentation>Individuals or organizations credited with the discovery of the vulnerability.</xs:documentation> 3498 </xs:annotation> 3499 <xs:complexType> 3500 <xs:sequence> 3501 <xs:element name="organizations" minOccurs="0" maxOccurs="1"> 3502 <xs:annotation> 3503 <xs:documentation>The organizations credited with vulnerability discovery.</xs:documentation> 3504 </xs:annotation> 3505 <xs:complexType> 3506 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3507 <xs:element name="organization" type="bom:organizationalEntity"/> 3508 </xs:sequence> 3509 </xs:complexType> 3510 </xs:element> 
3511 <xs:element name="individuals" minOccurs="0" maxOccurs="1"> 3512 <xs:annotation> 3513 <xs:documentation>The individuals, not associated with organizations, that are credited with vulnerability discovery.</xs:documentation> 3514 </xs:annotation> 3515 <xs:complexType> 3516 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3517 <xs:element name="individual" type="bom:organizationalContact"/> 3518 </xs:sequence> 3519 </xs:complexType> 3520 </xs:element> 3521 </xs:sequence> 3522 </xs:complexType> 3523 </xs:element> 3524 <xs:element name="tools" minOccurs="0" maxOccurs="1"> 3525 <xs:annotation> 3526 <xs:documentation>The tool(s) used to identify, confirm, or score the vulnerability.</xs:documentation> 3527 </xs:annotation> 3528 <xs:complexType> 3529 <xs:choice> 3530 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3531 <xs:element name="tool" minOccurs="0" type="bom:toolType"> 3532 <xs:annotation> 3533 <xs:documentation>DEPRECATED. Use tools\components or tools\services instead.</xs:documentation> 3534 </xs:annotation> 3535 </xs:element> 3536 </xs:sequence> 3537 <xs:sequence minOccurs="0" maxOccurs="1"> 3538 <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 3539 <xs:annotation> 3540 <xs:documentation>A list of software and hardware components used as tools.</xs:documentation> 3541 </xs:annotation> 3542 </xs:element> 3543 <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1"> 3544 <xs:annotation> 3545 <xs:documentation>A list of services used as tools.</xs:documentation> 3546 </xs:annotation> 3547 </xs:element> 3548 </xs:sequence> 3549 </xs:choice> 3550 </xs:complexType> 3551 </xs:element> 3552 <xs:element name="analysis" minOccurs="0" maxOccurs="1"> 3553 <xs:complexType> 3554 <xs:annotation> 3555 <xs:documentation xml:lang="en"> 3556 An assessment of the impact and exploitability of the vulnerability. 
3557 </xs:documentation> 3558 </xs:annotation> 3559 <xs:sequence minOccurs="0" maxOccurs="1"> 3560 <xs:element name="state" type="bom:impactAnalysisStateType" minOccurs="0" maxOccurs="1"> 3561 <xs:annotation> 3562 <xs:documentation xml:lang="en"> 3563 Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. 3564 </xs:documentation> 3565 </xs:annotation> 3566 </xs:element> 3567 <xs:element name="justification" type="bom:impactAnalysisJustificationType" minOccurs="0" maxOccurs="1"> 3568 <xs:annotation> 3569 <xs:documentation xml:lang="en"> 3570 The rationale of why the impact analysis state was asserted. 3571 </xs:documentation> 3572 </xs:annotation> 3573 </xs:element> 3574 <xs:element name="responses" minOccurs="0" maxOccurs="1"> 3575 <xs:annotation> 3576 <xs:documentation>A response to the vulnerability by the manufacturer, supplier, or 3577 project responsible for the affected component or service. More than one response 3578 is allowed. Responses are strongly encouraged for vulnerabilities where the analysis 3579 state is exploitable.</xs:documentation> 3580 </xs:annotation> 3581 <xs:complexType> 3582 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3583 <xs:element name="response" type="bom:impactAnalysisResponsesType"/> 3584 </xs:sequence> 3585 </xs:complexType> 3586 </xs:element> 3587 <xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1"> 3588 <xs:annotation> 3589 <xs:documentation xml:lang="en"> 3590 Detailed description of the impact including methods used during assessment. 3591 If a vulnerability is not exploitable, this field should include specific details 3592 on why the component or service is not impacted by this vulnerability. 
3593 </xs:documentation> 3594 </xs:annotation> 3595 </xs:element> 3596 <xs:element name="firstIssued" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 3597 <xs:annotation> 3598 <xs:documentation xml:lang="en"> 3599 The date and time (timestamp) when the analysis was first issued. 3600 </xs:documentation> 3601 </xs:annotation> 3602 </xs:element> 3603 <xs:element name="lastUpdated" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 3604 <xs:annotation> 3605 <xs:documentation xml:lang="en"> 3606 The date and time (timestamp) when the analysis was last updated. 3607 </xs:documentation> 3608 </xs:annotation> 3609 </xs:element> 3610 </xs:sequence> 3611 </xs:complexType> 3612 </xs:element> 3613 <xs:element name="affects" minOccurs="0" maxOccurs="1"> 3614 <xs:annotation> 3615 <xs:documentation>The components or services that are affected by the vulnerability.</xs:documentation> 3616 </xs:annotation> 3617 <xs:complexType> 3618 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3619 <xs:element name="target"> 3620 <xs:complexType> 3621 <xs:sequence minOccurs="0" maxOccurs="1"> 3622 <xs:element name="ref" minOccurs="1" maxOccurs="1"> 3623 <xs:annotation> 3624 <xs:documentation>References a component or service by the objects bom-ref.</xs:documentation> 3625 </xs:annotation> 3626 <xs:simpleType> 3627 <xs:union memberTypes="bom:refLinkType bom:bomLinkElementType"/> 3628 </xs:simpleType> 3629 </xs:element> 3630 <xs:element name="versions" minOccurs="0" maxOccurs="1"> 3631 <xs:annotation> 3632 <xs:documentation>Zero or more individual versions or range of versions.</xs:documentation> 3633 </xs:annotation> 3634 <xs:complexType> 3635 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3636 <xs:element name="version"> 3637 <xs:complexType> 3638 <xs:sequence minOccurs="0" maxOccurs="1"> 3639 <xs:choice> 3640 <xs:element name="version" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 3641 <xs:annotation> 3642 <xs:documentation>A single version of a component or 
service.</xs:documentation>
3643                             </xs:annotation>
3644                           </xs:element>
                             <!--
                               `range` is an xs:normalizedString: the schema
                               does not check that the value follows the vers
                               syntax named below, so consumers must parse it
                               themselves and decide how to handle a range
                               they cannot parse.
                             -->
3645                           <xs:element name="range" type="xs:normalizedString" minOccurs="1" maxOccurs="1">
3646                             <xs:annotation>
3647                               <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst</xs:documentation>
3648                             </xs:annotation>
3649                           </xs:element>
3650                         </xs:choice>
                           <!--
                             `status` is optional with default="affected".
                             An XSD element default is applied only when the
                             element is present but empty; when `status` is
                             omitted altogether the validator supplies no
                             value. Consumers should decide explicitly how to
                             read a version entry that has no status rather
                             than assume the validator filled one in.
                           -->
3651                         <xs:element name="status" type="bom:impactAnalysisAffectedStatusType" minOccurs="0" maxOccurs="1" default="affected">
3652                           <xs:annotation>
3653                             <xs:documentation>
3654                               The vulnerability status for the version or range of versions.
3655                             </xs:documentation>
3656                           </xs:annotation>
3657                         </xs:element>
3658                       </xs:sequence>
3659                     </xs:complexType>
3660                   </xs:element>
3661                 </xs:sequence>
3662               </xs:complexType>
3663             </xs:element>
3664           </xs:sequence>
3665         </xs:complexType>
3666       </xs:element>
3667     </xs:sequence>
3668   </xs:complexType>
3669 </xs:element>
     <!--
       `properties`: optional name/value store of type propertiesType, for
       data the standard does not model directly.
     -->
3670 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
3671   <xs:annotation>
3672     <xs:documentation>Provides the ability to document properties in a name/value store.
3673       This provides flexibility to include data not officially supported in the standard
3674       without having to use additional namespaces or create extensions. Property names
3675       of interest to the general public are encouraged to be registered in the
3676       CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
3677       Formal registration is OPTIONAL.</xs:documentation>
3678   </xs:annotation>
3679 </xs:element>
3680 </xs:sequence>
     <!--
       `bom-ref`: optional identifier of type refType.
       NOTE(review): the uniqueness described below is not expressed by this
       attribute declaration; whether an identity constraint elsewhere in
       the schema enforces it is not visible here.
     -->
3681 <xs:attribute name="bom-ref" type="bom:refType">
3682   <xs:annotation>
3683     <xs:documentation>
3684       An optional identifier which can be used to reference the vulnerability elsewhere in the BOM.
3685       Uniqueness is enforced within all elements and children of the root-level bom element.
3686         </xs:documentation>
3687       </xs:annotation>
3688     </xs:attribute>
3689   </xs:complexType>
3690
       <!--
         vulnerabilitySourceType: identifies who published a vulnerability
         or rating, by name and/or URL. Both children are optional, and the
         enclosing sequence may repeat without limit, so the schema accepts
         an empty source as well as one with several name/url pairs.
         NOTE(review): consumers that expect a single source should decide
         which pair they use when more than one is present.
       -->
3691   <xs:complexType name="vulnerabilitySourceType">
3692     <xs:sequence minOccurs="0" maxOccurs="unbounded">
3693       <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1">
3694         <xs:annotation>
3695           <xs:documentation>The name of the source.
3696             For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories
3697           </xs:documentation>
3698         </xs:annotation>
3699       </xs:element>
         <!--
           xs:anyURI constrains only the lexical form: no scheme or host
           restriction is declared here. Tools that fetch or hyperlink this
           value should apply their own scheme and destination policy first.
         -->
3700       <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1">
3701         <xs:annotation>
3702           <xs:documentation>The url of the vulnerability documentation as provided by the source.
3703             For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182</xs:documentation>
3704         </xs:annotation>
3705       </xs:element>
3706     </xs:sequence>
3707   </xs:complexType>
3708
       <!--
         ratingType: one severity or risk rating of a vulnerability. Every
         child shown here is optional. `score` is a plain xs:decimal with no
         range facet, and nothing in this type ties `score`, `severity` and
         `method` to one another, so their consistency is up to the producer.
         Consumers that prioritise on these values should validate the
         range and the combination themselves.
       -->
3709   <xs:complexType name="ratingType">
3710     <xs:sequence>
3711       <xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1">
3712         <xs:annotation>
3713           <xs:documentation>The source that calculated the severity or risk rating of the vulnerability.</xs:documentation>
3714         </xs:annotation>
3715       </xs:element>
3716       <xs:element name="score" type="xs:decimal" minOccurs="0" maxOccurs="1">
3717         <xs:annotation>
3718           <xs:documentation>The numerical score of the rating.</xs:documentation>
3719         </xs:annotation>
3720       </xs:element>
3721       <xs:element name="severity" type="bom:severityType" minOccurs="0" maxOccurs="1">
3722         <xs:annotation>
3723           <xs:documentation>Textual representation of the severity that corresponds to the numerical score of the rating.</xs:documentation>
3724         </xs:annotation>
3725       </xs:element>
3726       <xs:element name="method" type="bom:scoreSourceType" minOccurs="0" maxOccurs="1">
3727         <xs:annotation>
3728           <xs:documentation>The risk scoring methodology/standard used.</xs:documentation>
3729         </xs:annotation>
3730       </xs:element>
3731       <xs:element name="vector"
type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 3732 <xs:annotation> 3733 <xs:documentation>Textual representation of the metric values used to score the vulnerability.</xs:documentation> 3734 </xs:annotation> 3735 </xs:element> 3736 <xs:element name="justification" type="xs:string" minOccurs="0" maxOccurs="1"> 3737 <xs:annotation> 3738 <xs:documentation>An optional reason for rating the vulnerability as it was.</xs:documentation> 3739 </xs:annotation> 3740 </xs:element> 3741 </xs:sequence> 3742 </xs:complexType> 3743 3744 <xs:complexType name="advisoryType"> 3745 <xs:sequence> 3746 <xs:element name="title" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 3747 <xs:annotation> 3748 <xs:documentation>An optional name of the advisory.</xs:documentation> 3749 </xs:annotation> 3750 </xs:element> 3751 <xs:element name="url" type="xs:anyURI" minOccurs="1" maxOccurs="1"> 3752 <xs:annotation> 3753 <xs:documentation>Location where the advisory can be obtained.</xs:documentation> 3754 </xs:annotation> 3755 </xs:element> 3756 </xs:sequence> 3757 </xs:complexType> 3758 3759 <xs:complexType name="annotationsType"> 3760 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3761 <xs:element name="annotation" type="bom:annotationType"/> 3762 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 3763 <xs:annotation> 3764 <xs:documentation> 3765 Allows any undeclared elements as long as the elements are placed in a different namespace. 
3766 </xs:documentation> 3767 </xs:annotation> 3768 </xs:any> 3769 </xs:sequence> 3770 <xs:anyAttribute namespace="##any" processContents="lax"> 3771 <xs:annotation> 3772 <xs:documentation>User-defined attributes may be used on this element as long as they 3773 do not have the same name as an existing attribute used by the schema.</xs:documentation> 3774 </xs:annotation> 3775 </xs:anyAttribute> 3776 </xs:complexType> 3777 3778 <xs:complexType name="annotatorChoiceType"> 3779 <xs:choice> 3780 <xs:element name="organization" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 3781 <xs:annotation> 3782 <xs:documentation>The organization that created the annotation</xs:documentation> 3783 </xs:annotation> 3784 </xs:element> 3785 <xs:element name="individual" type="bom:organizationalContact" minOccurs="0" maxOccurs="1"> 3786 <xs:annotation> 3787 <xs:documentation>The person that created the annotation</xs:documentation> 3788 </xs:annotation> 3789 </xs:element> 3790 <xs:element name="component" type="bom:component" minOccurs="0" maxOccurs="1"> 3791 <xs:annotation> 3792 <xs:documentation>The tool or component that created the annotation</xs:documentation> 3793 </xs:annotation> 3794 </xs:element> 3795 <xs:element name="service" type="bom:service" minOccurs="0" maxOccurs="1"> 3796 <xs:annotation> 3797 <xs:documentation>The service that created the annotation</xs:documentation> 3798 </xs:annotation> 3799 </xs:element> 3800 </xs:choice> 3801 </xs:complexType> 3802 3803 <xs:complexType name="annotationType"> 3804 <xs:sequence> 3805 <xs:element name="subjects" minOccurs="0" maxOccurs="1"> 3806 <xs:annotation> 3807 <xs:documentation> 3808 The objects in the BOM identified by their bom-ref's. This is often components or services, but may be any object type supporting bom-refs. 
3809 </xs:documentation> 3810 </xs:annotation> 3811 <xs:complexType> 3812 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 3813 <xs:element name="subject" type="bom:bomReferenceType"/> 3814 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 3815 <xs:annotation> 3816 <xs:documentation> 3817 Allows any undeclared elements as long as the elements are placed in a different namespace. 3818 </xs:documentation> 3819 </xs:annotation> 3820 </xs:any> 3821 </xs:sequence> 3822 </xs:complexType> 3823 </xs:element> 3824 <xs:element name="annotator" type="bom:annotatorChoiceType" minOccurs="1" maxOccurs="1"> 3825 <xs:annotation> 3826 <xs:documentation>The organization, individual, component, or service which created the textual content 3827 of the annotation.</xs:documentation> 3828 </xs:annotation> 3829 </xs:element> 3830 <xs:element name="timestamp" type="xs:dateTime" minOccurs="1" maxOccurs="1"> 3831 <xs:annotation> 3832 <xs:documentation>The date and time (timestamp) when the annotation was created.</xs:documentation> 3833 </xs:annotation> 3834 </xs:element> 3835 <xs:element name="text" type="xs:string" minOccurs="1" maxOccurs="1"> 3836 <xs:annotation> 3837 <xs:documentation>The textual content of the annotation.</xs:documentation> 3838 </xs:annotation> 3839 </xs:element> 3840 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 3841 <xs:annotation> 3842 <xs:documentation> 3843 Allows any undeclared elements as long as the elements are placed in a different namespace. 3844 </xs:documentation> 3845 </xs:annotation> 3846 </xs:any> 3847 </xs:sequence> 3848 <xs:attribute name="bom-ref" type="bom:refType"> 3849 <xs:annotation> 3850 <xs:documentation> 3851 An optional identifier which can be used to reference the annotation elsewhere in the BOM. 3852 Uniqueness is enforced within all elements and children of the root-level bom element. 
3853 </xs:documentation> 3854 </xs:annotation> 3855 </xs:attribute> 3856 <xs:anyAttribute namespace="##any" processContents="lax"> 3857 <xs:annotation> 3858 <xs:documentation>User-defined attributes may be used on this element as long as they 3859 do not have the same name as an existing attribute used by the schema.</xs:documentation> 3860 </xs:annotation> 3861 </xs:anyAttribute> 3862 </xs:complexType> 3863 3864 <xs:simpleType name="severityType" final="restriction"> 3865 <xs:annotation> 3866 <xs:documentation xml:lang="en"> 3867 Textual representation of the severity of the vulnerability adopted by the analysis method. If the 3868 analysis method uses values other than what is provided, the user is expected to translate appropriately. 3869 </xs:documentation> 3870 </xs:annotation> 3871 <xs:restriction base="xs:string"> 3872 <xs:enumeration value="critical"/> 3873 <xs:enumeration value="high"/> 3874 <xs:enumeration value="medium"/> 3875 <xs:enumeration value="low"/> 3876 <xs:enumeration value="info"/> 3877 <xs:enumeration value="none"/> 3878 <xs:enumeration value="unknown"/> 3879 </xs:restriction> 3880 </xs:simpleType> 3881 3882 <xs:simpleType name="impactAnalysisStateType" final="restriction"> 3883 <xs:annotation> 3884 <xs:documentation xml:lang="en"> 3885 Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. 3886 </xs:documentation> 3887 </xs:annotation> 3888 <xs:restriction base="xs:string"> 3889 <xs:enumeration value="resolved"> 3890 <xs:annotation> 3891 <xs:documentation> 3892 The vulnerability has been remediated. 3893 </xs:documentation> 3894 </xs:annotation> 3895 </xs:enumeration> 3896 <xs:enumeration value="resolved_with_pedigree"> 3897 <xs:annotation> 3898 <xs:documentation> 3899 The vulnerability has been remediated and evidence of the changes are provided in the affected 3900 components pedigree containing verifiable commit history and/or diff(s). 
3901 </xs:documentation> 3902 </xs:annotation> 3903 </xs:enumeration> 3904 <xs:enumeration value="exploitable"> 3905 <xs:annotation> 3906 <xs:documentation> 3907 The vulnerability may be directly or indirectly exploitable. 3908 </xs:documentation> 3909 </xs:annotation> 3910 </xs:enumeration> 3911 <xs:enumeration value="in_triage"> 3912 <xs:annotation> 3913 <xs:documentation> 3914 The vulnerability is being investigated. 3915 </xs:documentation> 3916 </xs:annotation> 3917 </xs:enumeration> 3918 <xs:enumeration value="false_positive"> 3919 <xs:annotation> 3920 <xs:documentation> 3921 The vulnerability is not specific to the component or service and was falsely identified or associated. 3922 </xs:documentation> 3923 </xs:annotation> 3924 </xs:enumeration> 3925 <xs:enumeration value="not_affected"> 3926 <xs:annotation> 3927 <xs:documentation> 3928 The component or service is not affected by the vulnerability. Justification should be specified 3929 for all not_affected cases. 3930 </xs:documentation> 3931 </xs:annotation> 3932 </xs:enumeration> 3933 </xs:restriction> 3934 </xs:simpleType> 3935 3936 <xs:simpleType name="impactAnalysisJustificationType" final="restriction"> 3937 <xs:annotation> 3938 <xs:documentation xml:lang="en"> 3939 The rationale of why the impact analysis state was asserted. 3940 </xs:documentation> 3941 </xs:annotation> 3942 <xs:restriction base="xs:string"> 3943 <xs:enumeration value="code_not_present"> 3944 <xs:annotation> 3945 <xs:documentation> 3946 The code has been removed or tree-shaked. 3947 </xs:documentation> 3948 </xs:annotation> 3949 </xs:enumeration> 3950 <xs:enumeration value="code_not_reachable"> 3951 <xs:annotation> 3952 <xs:documentation> 3953 The vulnerable code is not invoked at runtime. 3954 </xs:documentation> 3955 </xs:annotation> 3956 </xs:enumeration> 3957 <xs:enumeration value="requires_configuration"> 3958 <xs:annotation> 3959 <xs:documentation> 3960 Exploitability requires a configurable option to be set/unset. 
3961 </xs:documentation> 3962 </xs:annotation> 3963 </xs:enumeration> 3964 <xs:enumeration value="requires_dependency"> 3965 <xs:annotation> 3966 <xs:documentation> 3967 Exploitability requires a dependency that is not present. 3968 </xs:documentation> 3969 </xs:annotation> 3970 </xs:enumeration> 3971 <xs:enumeration value="requires_environment"> 3972 <xs:annotation> 3973 <xs:documentation> 3974 Exploitability requires a certain environment which is not present. 3975 </xs:documentation> 3976 </xs:annotation> 3977 </xs:enumeration> 3978 <xs:enumeration value="protected_by_compiler"> 3979 <xs:annotation> 3980 <xs:documentation> 3981 Exploitability requires a compiler flag to be set/unset. 3982 </xs:documentation> 3983 </xs:annotation> 3984 </xs:enumeration> 3985 <xs:enumeration value="protected_at_runtime"> 3986 <xs:annotation> 3987 <xs:documentation> 3988 Exploits are prevented at runtime. 3989 </xs:documentation> 3990 </xs:annotation> 3991 </xs:enumeration> 3992 <xs:enumeration value="protected_at_perimeter"> 3993 <xs:annotation> 3994 <xs:documentation> 3995 Attacks are blocked at physical, logical, or network perimeter. 3996 </xs:documentation> 3997 </xs:annotation> 3998 </xs:enumeration> 3999 <xs:enumeration value="protected_by_mitigating_control"> 4000 <xs:annotation> 4001 <xs:documentation> 4002 Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. 4003 </xs:documentation> 4004 </xs:annotation> 4005 </xs:enumeration> 4006 </xs:restriction> 4007 </xs:simpleType> 4008 4009 <xs:simpleType name="scoreSourceType" final="restriction"> 4010 <xs:annotation> 4011 <xs:documentation xml:lang="en"> 4012 Specifies the severity or risk scoring methodology or standard used. 
4013 </xs:documentation> 4014 </xs:annotation> 4015 <xs:restriction base="xs:string"> 4016 <xs:enumeration value="CVSSv2"> 4017 <xs:annotation> 4018 <xs:documentation xml:lang="en"> 4019 The rating is based on CVSS v2 standard 4020 https://www.first.org/cvss/v2/ 4021 </xs:documentation> 4022 </xs:annotation> 4023 </xs:enumeration> 4024 <xs:enumeration value="CVSSv3"> 4025 <xs:annotation> 4026 <xs:documentation xml:lang="en"> 4027 The rating is based on CVSS v3.0 standard 4028 https://www.first.org/cvss/v3-0/ 4029 </xs:documentation> 4030 </xs:annotation> 4031 </xs:enumeration> 4032 <xs:enumeration value="CVSSv31"> 4033 <xs:annotation> 4034 <xs:documentation xml:lang="en"> 4035 The rating is based on CVSS v3.1 standard 4036 https://www.first.org/cvss/v3-1/ 4037 </xs:documentation> 4038 </xs:annotation> 4039 </xs:enumeration> 4040 <xs:enumeration value="CVSSv4"> 4041 <xs:annotation> 4042 <xs:documentation xml:lang="en"> 4043 The rating is based on CVSS v4.0 standard 4044 https://www.first.org/cvss/v4-0/ 4045 </xs:documentation> 4046 </xs:annotation> 4047 </xs:enumeration> 4048 <xs:enumeration value="OWASP"> 4049 <xs:annotation> 4050 <xs:documentation xml:lang="en"> 4051 The rating is based on OWASP Risk Rating 4052 https://owasp.org/www-community/OWASP_Risk_Rating_Methodology 4053 </xs:documentation> 4054 </xs:annotation> 4055 </xs:enumeration> 4056 <xs:enumeration value="SSVC"> 4057 <xs:annotation> 4058 <xs:documentation xml:lang="en"> 4059 The rating is based on Stakeholder Specific Vulnerability Categorization (all versions) 4060 https://github.com/CERTCC/SSVC 4061 </xs:documentation> 4062 </xs:annotation> 4063 </xs:enumeration> 4064 <xs:enumeration value="other"> 4065 <xs:annotation> 4066 <xs:documentation xml:lang="en"> 4067 Use this if the risk scoring methodology is not based on any of the options above 4068 </xs:documentation> 4069 </xs:annotation> 4070 </xs:enumeration> 4071 </xs:restriction> 4072 </xs:simpleType> 4073 4074 <xs:simpleType 
name="impactAnalysisResponsesType" final="restriction"> 4075 <!-- NOTE(review): the documentation text below is identical to that of impactAnalysisJustificationType. The enumerated values (can_not_fix, will_not_fix, update, rollback, workaround_available) read as responses to the vulnerability rather than as a rationale; presumably a copy-paste, confirm against the upstream specification. --> <xs:annotation> 4076 <xs:documentation xml:lang="en"> 4077 The rationale of why the impact analysis state was asserted. 4078 </xs:documentation> 4079 </xs:annotation> 4080 <xs:restriction base="xs:string"> 4081 <xs:enumeration value="can_not_fix"/> 4082 <xs:enumeration value="will_not_fix"/> 4083 <xs:enumeration value="update"/> 4084 <xs:enumeration value="rollback"/> 4085 <xs:enumeration value="workaround_available"/> 4086 </xs:restriction> 4087 </xs:simpleType> 4088 4089 <!-- impactAnalysisAffectedStatusType: three-valued status. Per the documentation below, 'unknown' covers the not-investigated and not-disclosed cases, so consumers should keep it distinct from 'unaffected' when filtering or reporting. --> <xs:simpleType name="impactAnalysisAffectedStatusType" final="restriction"> 4090 <xs:annotation> 4091 <xs:documentation xml:lang="en"> 4092 The vulnerability status of a given version or range of versions of a product. The statuses 4093 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. 4094 The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 4095 There can be many reasons for an 'unknown' status, including that an investigation has not been 4096 undertaken or that a vendor has not disclosed the status. 4097 </xs:documentation> 4098 </xs:annotation> 4099 <xs:restriction base="xs:string"> 4100 <xs:enumeration value="affected"/> 4101 <xs:enumeration value="unaffected"/> 4102 <xs:enumeration value="unknown"/> 4103 </xs:restriction> 4104 </xs:simpleType> 4105 4106 <xs:complexType name="formulationType"> 4107 <xs:annotation> 4108 <xs:documentation> 4109 Describes how a component or service was manufactured or deployed. This is achieved through the use 4110 of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the 4111 observed formulas describing the steps which transpired in the manufacturing process.
4112 </xs:documentation> 4113 </xs:annotation> 4114 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 4115 <xs:element name="formula" type="bom:formulaType"/> 4116 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4117 <xs:annotation> 4118 <xs:documentation> 4119 Allows any undeclared elements as long as the elements are placed in a different namespace. 4120 </xs:documentation> 4121 </xs:annotation> 4122 </xs:any> 4123 </xs:sequence> 4124 <xs:anyAttribute namespace="##any" processContents="lax"> 4125 <xs:annotation> 4126 <xs:documentation>User-defined attributes may be used on this element as long as they 4127 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4128 </xs:annotation> 4129 </xs:anyAttribute> 4130 </xs:complexType> 4131 4132 <xs:complexType name="formulaType"> 4133 <xs:annotation> 4134 <xs:documentation> 4135 Describes workflows and resources that captures rules and other aspects of how the associated 4136 BOM component or service was formed. 
4137 </xs:documentation> 4138 </xs:annotation> 4139 <xs:sequence> 4140 <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 4141 <xs:annotation> 4142 <xs:documentation>Transient components that are used in tasks that constitute one or more of 4143 this formula's workflows</xs:documentation> 4144 </xs:annotation> 4145 </xs:element> 4146 <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1"> 4147 <xs:annotation> 4148 <xs:documentation>Transient services that are used in tasks that constitute one or more of 4149 this formula's workflows</xs:documentation> 4150 </xs:annotation> 4151 </xs:element> 4152 <xs:element name="workflows" type="bom:workflowsType" minOccurs="0" maxOccurs="1"> 4153 <xs:annotation> 4154 <xs:documentation>List of workflows that can be declared to accomplish specific orchestrated goals 4155 and independently triggered.</xs:documentation> 4156 </xs:annotation> 4157 </xs:element> 4158 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 4159 <xs:annotation> 4160 <xs:documentation>Provides the ability to document properties in a name/value store. 4161 This provides flexibility to include data not officially supported in the standard 4162 without having to use additional namespaces or create extensions. Property names 4163 of interest to the general public are encouraged to be registered in the 4164 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 4165 Formal registration is OPTIONAL.</xs:documentation> 4166 </xs:annotation> 4167 </xs:element> 4168 </xs:sequence> 4169 <xs:attribute name="bom-ref" type="bom:refType"> 4170 <xs:annotation> 4171 <xs:documentation> 4172 An optional identifier which can be used to reference the formula elsewhere in the BOM. 4173 Uniqueness is enforced within all elements and children of the root-level bom element. 
4174 </xs:documentation> 4175 </xs:annotation> 4176 </xs:attribute> 4177 <xs:anyAttribute namespace="##any" processContents="lax"> 4178 <xs:annotation> 4179 <xs:documentation>User-defined attributes may be used on this element as long as they 4180 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4181 </xs:annotation> 4182 </xs:anyAttribute> 4183 </xs:complexType> 4184 4185 <xs:complexType name="workflowsType"> 4186 <xs:sequence> 4187 <xs:element name="workflow" type="bom:workflowType" minOccurs="0" maxOccurs="unbounded"/> 4188 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4189 <xs:annotation> 4190 <xs:documentation> 4191 Allows any undeclared elements as long as the elements are placed in a different namespace. 4192 </xs:documentation> 4193 </xs:annotation> 4194 </xs:any> 4195 </xs:sequence> 4196 <xs:anyAttribute namespace="##any" processContents="lax"> 4197 <xs:annotation> 4198 <xs:documentation>User-defined attributes may be used on this element as long as they 4199 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4200 </xs:annotation> 4201 </xs:anyAttribute> 4202 </xs:complexType> 4203 4204 <xs:complexType name="workflowType"> 4205 <xs:sequence> 4206 <xs:element name="uid" type="xs:string" minOccurs="1" maxOccurs="1"> 4207 <xs:annotation> 4208 <xs:documentation> 4209 The unique identifier for the resource instance within its deployment context. 4210 </xs:documentation> 4211 </xs:annotation> 4212 </xs:element> 4213 <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"> 4214 <xs:annotation> 4215 <xs:documentation> 4216 The name of the resource instance. 4217 </xs:documentation> 4218 </xs:annotation> 4219 </xs:element> 4220 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 4221 <xs:annotation> 4222 <xs:documentation> 4223 The description of the resource instance. 
4224 </xs:documentation> 4225 </xs:annotation> 4226 </xs:element> 4227 <xs:element name="resourceReferences" type="bom:resourceReferencesType" minOccurs="0" maxOccurs="1"> 4228 <xs:annotation> 4229 <xs:documentation>References to component or service resources that are used to realize 4230 the resource instance.</xs:documentation> 4231 </xs:annotation> 4232 </xs:element> 4233 <xs:element name="tasks" type="bom:tasksType" minOccurs="0" maxOccurs="1"> 4234 <xs:annotation> 4235 <xs:documentation>The tasks that comprise the workflow.</xs:documentation> 4236 </xs:annotation> 4237 </xs:element> 4238 <xs:element name="taskDependencies" type="bom:dependenciesType" minOccurs="0" maxOccurs="1"> 4239 <xs:annotation> 4240 <xs:documentation>The graph of dependencies between tasks within the workflow.</xs:documentation> 4241 </xs:annotation> 4242 </xs:element> 4243 <xs:element name="taskTypes" minOccurs="1" maxOccurs="1"> 4244 <xs:annotation> 4245 <xs:documentation>Indicates the types of activities performed by the set of workflow tasks.</xs:documentation> 4246 </xs:annotation> 4247 <xs:complexType> 4248 <xs:sequence> 4249 <xs:element name="taskType" type="bom:taskTypeEnum" minOccurs="0" maxOccurs="unbounded" /> 4250 </xs:sequence> 4251 </xs:complexType> 4252 </xs:element> 4253 <xs:element name="trigger" type="bom:triggerType" minOccurs="0" maxOccurs="1"> 4254 <xs:annotation> 4255 <xs:documentation>The trigger that initiated the task.</xs:documentation> 4256 </xs:annotation> 4257 </xs:element> 4258 <xs:element name="steps" minOccurs="0" maxOccurs="1"> 4259 <xs:annotation> 4260 <xs:documentation> 4261 The sequence of steps for the task. 
4262 </xs:documentation> 4263 </xs:annotation> 4264 <xs:complexType> 4265 <xs:sequence> 4266 <xs:element name="step" type="bom:stepType" minOccurs="0" maxOccurs="unbounded"/> 4267 </xs:sequence> 4268 </xs:complexType> 4269 </xs:element> 4270 <xs:element name="inputs" minOccurs="0" maxOccurs="1"> 4271 <xs:annotation> 4272 <xs:documentation>Represents resources and data brought into a task at runtime by executor 4273 or task commands</xs:documentation> 4274 </xs:annotation> 4275 <xs:complexType> 4276 <xs:sequence> 4277 <xs:element name="input" type="bom:inputType" minOccurs="0" maxOccurs="unbounded" /> 4278 </xs:sequence> 4279 </xs:complexType> 4280 </xs:element> 4281 <xs:element name="outputs" minOccurs="0" maxOccurs="1"> 4282 <xs:annotation> 4283 <xs:documentation>Represents resources and data output from a task at runtime by executor 4284 or task commands</xs:documentation> 4285 </xs:annotation> 4286 <xs:complexType> 4287 <xs:sequence> 4288 <xs:element name="output" type="bom:outputType" minOccurs="0" maxOccurs="unbounded" /> 4289 </xs:sequence> 4290 </xs:complexType> 4291 </xs:element> 4292 <xs:element name="timeStart" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 4293 <xs:annotation> 4294 <xs:documentation> 4295 The date and time (timestamp) when the task started. 4296 </xs:documentation> 4297 </xs:annotation> 4298 </xs:element> 4299 <xs:element name="timeEnd" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 4300 <xs:annotation> 4301 <xs:documentation> 4302 The date and time (timestamp) when the task ended. 
4303 </xs:documentation> 4304 </xs:annotation> 4305 </xs:element> 4306 <xs:element name="workspaces" type="bom:workspacesType" minOccurs="0" maxOccurs="1"> 4307 <xs:annotation> 4308 <xs:documentation>A set of named filesystem or data resource shareable by workflow tasks.</xs:documentation> 4309 </xs:annotation> 4310 </xs:element> 4311 <xs:element name="runtimeTopology" type="bom:dependenciesType" minOccurs="0" maxOccurs="1"> 4312 <xs:annotation> 4313 <xs:documentation>A graph of the component runtime topology for workflow's instance. 4314 A description of the runtime component and service topology. This can describe a partial or 4315 complete topology used to host and execute the task (e.g., hardware, operating systems, 4316 configurations, etc.)</xs:documentation> 4317 </xs:annotation> 4318 </xs:element> 4319 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 4320 <xs:annotation> 4321 <xs:documentation>Provides the ability to document properties in a name/value store. 4322 This provides flexibility to include data not officially supported in the standard 4323 without having to use additional namespaces or create extensions. Property names 4324 of interest to the general public are encouraged to be registered in the 4325 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 4326 Formal registration is OPTIONAL.</xs:documentation> 4327 </xs:annotation> 4328 </xs:element> 4329 <!-- processContents="lax": foreign-namespace children are validated only when a declaration for them is available to the validator; otherwise they pass unchecked. --> <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4330 <xs:annotation> 4331 <xs:documentation> 4332 Allows any undeclared elements as long as the elements are placed in a different namespace. 4333 </xs:documentation> 4334 </xs:annotation> 4335 </xs:any> 4336 </xs:sequence> 4337 <!-- NOTE(review): use="required" makes bom-ref mandatory on a workflow, although the documentation below calls the identifier optional; a validator enforces the attribute. taskType declares its bom-ref the same way. --> <xs:attribute name="bom-ref" type="bom:refType" use="required"> 4338 <xs:annotation> 4339 <xs:documentation> 4340 An optional identifier which can be used to reference the workflow elsewhere in the BOM.
4341 Uniqueness is enforced within all elements and children of the root-level bom element. 4342 </xs:documentation> 4343 </xs:annotation> 4344 </xs:attribute> 4345 <xs:anyAttribute namespace="##any" processContents="lax"> 4346 <xs:annotation> 4347 <xs:documentation>User-defined attributes may be used on this element as long as they 4348 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4349 </xs:annotation> 4350 </xs:anyAttribute> 4351 </xs:complexType> 4352 4353 <xs:complexType name="resourceReferencesType"> 4354 <xs:sequence> 4355 <xs:element name="resourceReference" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="unbounded" /> 4356 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4357 <xs:annotation> 4358 <xs:documentation> 4359 Allows any undeclared elements as long as the elements are placed in a different namespace. 4360 </xs:documentation> 4361 </xs:annotation> 4362 </xs:any> 4363 </xs:sequence> 4364 <xs:anyAttribute namespace="##any" processContents="lax"> 4365 <xs:annotation> 4366 <xs:documentation>User-defined attributes may be used on this element as long as they 4367 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4368 </xs:annotation> 4369 </xs:anyAttribute> 4370 </xs:complexType> 4371 4372 <xs:complexType name="resourceReferenceType"> 4373 <xs:sequence> 4374 <xs:choice> 4375 <xs:element name="ref" minOccurs="1" maxOccurs="1"> 4376 <xs:annotation> 4377 <xs:documentation> 4378 References an object by its bom-ref attribute 4379 </xs:documentation> 4380 </xs:annotation> 4381 <xs:simpleType> 4382 <xs:union memberTypes="bom:refLinkType bom:bomLinkElementType"/> 4383 </xs:simpleType> 4384 </xs:element> 4385 <xs:element name="externalReference" type="bom:externalReference" minOccurs="1" maxOccurs="1"> 4386 <xs:annotation> 4387 <xs:documentation> 4388 Reference to an externally accessible resource. 
4389 </xs:documentation> 4390 </xs:annotation> 4391 </xs:element> 4392 </xs:choice> 4393 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4394 <xs:annotation> 4395 <xs:documentation> 4396 Allows any undeclared elements as long as the elements are placed in a different namespace. 4397 </xs:documentation> 4398 </xs:annotation> 4399 </xs:any> 4400 </xs:sequence> 4401 <xs:anyAttribute namespace="##any" processContents="lax"> 4402 <xs:annotation> 4403 <xs:documentation>User-defined attributes may be used on this element as long as they 4404 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4405 </xs:annotation> 4406 </xs:anyAttribute> 4407 </xs:complexType> 4408 4409 <xs:complexType name="tasksType"> 4410 <xs:sequence> 4411 <xs:element name="task" type="bom:taskType" minOccurs="0" maxOccurs="unbounded" /> 4412 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4413 <xs:annotation> 4414 <xs:documentation> 4415 Allows any undeclared elements as long as the elements are placed in a different namespace. 4416 </xs:documentation> 4417 </xs:annotation> 4418 </xs:any> 4419 </xs:sequence> 4420 <xs:anyAttribute namespace="##any" processContents="lax"> 4421 <xs:annotation> 4422 <xs:documentation>User-defined attributes may be used on this element as long as they 4423 do not have the same name as an existing attribute used by the schema.</xs:documentation> 4424 </xs:annotation> 4425 </xs:anyAttribute> 4426 </xs:complexType> 4427 4428 <xs:complexType name="taskType"> 4429 <xs:sequence> 4430 <xs:element name="uid" type="xs:string" minOccurs="1" maxOccurs="1"> 4431 <xs:annotation> 4432 <xs:documentation> 4433 The unique identifier for the resource instance within its deployment context. 
4434 </xs:documentation> 4435 </xs:annotation> 4436 </xs:element> 4437 <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"> 4438 <xs:annotation> 4439 <xs:documentation> 4440 The name of the resource instance. 4441 </xs:documentation> 4442 </xs:annotation> 4443 </xs:element> 4444 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 4445 <xs:annotation> 4446 <xs:documentation> 4447 The description of the resource instance. 4448 </xs:documentation> 4449 </xs:annotation> 4450 </xs:element> 4451 <xs:element name="resourceReferences" type="bom:resourceReferencesType" minOccurs="0" maxOccurs="1"> 4452 <xs:annotation> 4453 <xs:documentation> 4454 References to component or service resources that are used to realize the resource instance. 4455 </xs:documentation> 4456 </xs:annotation> 4457 </xs:element> 4458 <xs:element name="taskTypes" minOccurs="1" maxOccurs="1"> 4459 <xs:annotation> 4460 <xs:documentation> 4461 Indicates the types of activities performed by the set of workflow tasks. 4462 </xs:documentation> 4463 </xs:annotation> 4464 <xs:complexType> 4465 <xs:sequence> 4466 <xs:element name="taskType" type="bom:taskTypeEnum" minOccurs="0" maxOccurs="unbounded"/> 4467 </xs:sequence> 4468 </xs:complexType> 4469 </xs:element> 4470 <xs:element name="trigger" type="bom:triggerType" minOccurs="0" maxOccurs="1"> 4471 <xs:annotation> 4472 <xs:documentation> 4473 The trigger that initiated the task. 4474 </xs:documentation> 4475 </xs:annotation> 4476 </xs:element> 4477 <xs:element name="steps" minOccurs="0" maxOccurs="1"> 4478 <xs:annotation> 4479 <xs:documentation> 4480 The sequence of steps for the task. 
4481 </xs:documentation> 4482 </xs:annotation> 4483 <xs:complexType> 4484 <xs:sequence> 4485 <xs:element name="step" type="bom:stepType" minOccurs="0" maxOccurs="unbounded"/> 4486 </xs:sequence> 4487 </xs:complexType> 4488 </xs:element> 4489 <xs:element name="inputs" minOccurs="0" maxOccurs="1"> 4490 <xs:annotation> 4491 <xs:documentation> 4492 Represents resources and data brought into a task at runtime by executor or task commands. 4493 </xs:documentation> 4494 </xs:annotation> 4495 <xs:complexType> 4496 <xs:sequence> 4497 <xs:element name="input" type="bom:inputType" minOccurs="0" maxOccurs="unbounded"/> 4498 </xs:sequence> 4499 </xs:complexType> 4500 </xs:element> 4501 <xs:element name="outputs" minOccurs="0" maxOccurs="1"> 4502 <xs:annotation> 4503 <xs:documentation> 4504 Represents resources and data output from a task at runtime by executor or task commands 4505 </xs:documentation> 4506 </xs:annotation> 4507 <xs:complexType> 4508 <xs:sequence> 4509 <xs:element name="output" type="bom:outputType" minOccurs="0" maxOccurs="unbounded"/> 4510 </xs:sequence> 4511 </xs:complexType> 4512 </xs:element> 4513 <xs:element name="timeStart" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 4514 <xs:annotation> 4515 <xs:documentation> 4516 The date and time (timestamp) when the task started. 4517 </xs:documentation> 4518 </xs:annotation> 4519 </xs:element> 4520 <xs:element name="timeEnd" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 4521 <xs:annotation> 4522 <xs:documentation> 4523 The date and time (timestamp) when the task ended. 4524 </xs:documentation> 4525 </xs:annotation> 4526 </xs:element> 4527 <xs:element name="workspaces" type="bom:workspacesType" minOccurs="0" maxOccurs="1"> 4528 <xs:annotation> 4529 <xs:documentation> 4530 A set of named filesystem or data resource shareable by workflow tasks. 
4531 </xs:documentation> 4532 </xs:annotation> 4533 </xs:element> 4534 <xs:element name="runtimeTopology" type="bom:dependenciesType" minOccurs="0" maxOccurs="1"> 4535 <xs:annotation> 4536 <xs:documentation> 4537 A graph of the component runtime topology for task's instance. 4538 </xs:documentation> 4539 </xs:annotation> 4540 </xs:element> 4541 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 4542 <xs:annotation> 4543 <xs:documentation>Provides the ability to document properties in a name/value store. 4544 This provides flexibility to include data not officially supported in the standard 4545 without having to use additional namespaces or create extensions. Property names 4546 of interest to the general public are encouraged to be registered in the 4547 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 4548 Formal registration is OPTIONAL.</xs:documentation> 4549 </xs:annotation> 4550 </xs:element> 4551 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 4552 <xs:annotation> 4553 <xs:documentation> 4554 Allows any undeclared elements as long as the elements are placed in a different namespace. 4555 </xs:documentation> 4556 </xs:annotation> 4557 </xs:any> 4558 </xs:sequence> 4559 <xs:attribute name="bom-ref" type="bom:refType" use="required"> 4560 <xs:annotation> 4561 <xs:documentation> 4562 An optional identifier which can be used to reference the task elsewhere in the BOM. 4563 Uniqueness is enforced within all elements and children of the root-level bom element. 
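</xs:documentation>
            </xs:annotation>
        </xs:attribute>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <!-- Closed vocabulary: a value outside this enumeration fails validation. -->
    <xs:simpleType name="taskTypeEnum">
        <xs:restriction base="xs:string">
            <xs:enumeration value="copy"/>
            <xs:enumeration value="clone"/>
            <xs:enumeration value="lint"/>
            <xs:enumeration value="scan"/>
            <xs:enumeration value="merge"/>
            <xs:enumeration value="build"/>
            <xs:enumeration value="test"/>
            <xs:enumeration value="deliver"/>
            <xs:enumeration value="deploy"/>
            <xs:enumeration value="release"/>
            <xs:enumeration value="clean"/>
            <xs:enumeration value="other"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- Container for zero or more workspace entries, followed by optional
         extension elements from other namespaces. -->
    <xs:complexType name="workspacesType">
        <xs:sequence>
            <xs:element name="workspace" type="bom:workspaceType" minOccurs="0" maxOccurs="unbounded"/>
            <!-- processContents="lax": extension content is schema-validated only when the
                 validator has a matching declaration; otherwise it is accepted as-is.
                 Consumers should treat it as unvalidated input. -->
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <xs:complexType name="workspaceType">
        <xs:annotation>
            <xs:documentation>
                A named filesystem or data resource shareable by workflow tasks.
            </xs:documentation>
        </xs:annotation>
        <!-- The occurrence bounds sit on the sequence itself (minOccurs="0",
             maxOccurs="unbounded"), so the whole child group may be absent or repeat.
             Within one occurrence, uid is the only child with minOccurs="1". -->
        <xs:sequence minOccurs="0" maxOccurs="unbounded">
            <xs:element name="uid" type="xs:string" minOccurs="1" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The unique identifier for the resource instance within its deployment context.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The name of the resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="aliases" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping
                        so other tasks can use their own local name in their steps.
                    </xs:documentation>
                </xs:annotation>
                <xs:complexType>
                    <xs:sequence>
                        <xs:element name="alias" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
                    </xs:sequence>
                </xs:complexType>
            </xs:element>
            <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The description of the resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="resourceReferences" type="bom:resourceReferencesType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        References to component or service resources that are used to realize the resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="accessMode" type="bom:accessModeEnum" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        Describes the read-write access control for the workspace relative to the owning resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <!-- mountPath is an unconstrained xs:string. It can reveal the filesystem layout of
                 the build host, so producers may want to review it before a BOM leaves the
                 build environment. -->
            <xs:element name="mountPath" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        A path to a location on disk where the workspace will be available to the associated task's steps.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="managedDataType" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The name of a domain-specific data type the workspace represents. This property is for CI/CD
                        frameworks that are able to provide access to structured, managed data at a more granular level
                        than a filesystem.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="volumeRequest" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        Identifies the reference to the request for a specific volume type and parameters.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="volume" type="bom:volumeType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        Information about the actual volume instance allocated to the workspace.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>Provides the ability to document properties in a name/value store.
                        This provides flexibility to include data not officially supported in the standard
                        without having to use additional namespaces or create extensions. Property names
                        of interest to the general public are encouraged to be registered in the
                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                        Formal registration is OPTIONAL.</xs:documentation>
                </xs:annotation>
            </xs:element>
            <!-- Lax wildcard: extension elements are validated only when a declaration for them
                 is available to the validator. -->
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <!-- use="required": every workspace must carry a bom-ref. -->
        <xs:attribute name="bom-ref" type="bom:refType" use="required">
            <xs:annotation>
                <xs:documentation>
                    An identifier which can be used to reference the workspace elsewhere in the BOM.
                    Uniqueness is enforced within all elements and children of the root-level bom element.
                </xs:documentation>
            </xs:annotation>
        </xs:attribute>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <!-- Closed vocabulary for workspaceType/accessMode. -->
    <xs:simpleType name="accessModeEnum">
        <xs:restriction base="xs:string">
            <xs:enumeration value="read-only"/>
            <xs:enumeration value="read-write"/>
            <xs:enumeration value="read-write-once"/>
            <xs:enumeration value="write-once"/>
            <xs:enumeration value="write-only"/>
        </xs:restriction>
    </xs:simpleType>

    <xs:complexType name="volumeType">
        <xs:annotation>
            <xs:documentation>
                An identifiable, logical unit of data storage tied to a physical device.
            </xs:documentation>
        </xs:annotation>
        <xs:sequence>
            <xs:element name="uid" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The unique identifier for the volume instance within its deployment context.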
4751 </xs:documentation> 4752 </xs:annotation> 4753 </xs:element> 4754 <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"> 4755 <xs:annotation> 4756 <xs:documentation> 4757 The name of the volume instance 4758 </xs:documentation> 4759 </xs:annotation> 4760 </xs:element> 4761 <xs:element name="mode" type="bom:volumeModeEnum" minOccurs="0" maxOccurs="1" default="filesystem"> 4762 <xs:annotation> 4763 <xs:documentation> 4764 The mode for the volume instance. 4765 </xs:documentation> 4766 </xs:annotation> 4767 </xs:element> 4768 <xs:element name="path" type="xs:string" minOccurs="0" maxOccurs="1"> 4769 <xs:annotation> 4770 <xs:documentation> 4771 The underlying path created from the actual volume. 4772 </xs:documentation> 4773 </xs:annotation> 4774 </xs:element> 4775 <xs:element name="sizeAllocated" type="xs:string" minOccurs="0" maxOccurs="1"> 4776 <xs:annotation> 4777 <xs:documentation> 4778 The allocated size of the volume accessible to the associated workspace. This should include 4779 the scalar size as well as IEC standard unit in either decimal or binary form. 4780 </xs:documentation> 4781 </xs:annotation> 4782 </xs:element> 4783 <xs:element name="persistent" type="xs:boolean" minOccurs="0" maxOccurs="1"> 4784 <xs:annotation> 4785 <xs:documentation> 4786 Indicates if the volume persists beyond the life of the resource it is associated with. 4787 </xs:documentation> 4788 </xs:annotation> 4789 </xs:element> 4790 <xs:element name="remote" type="xs:boolean" minOccurs="0" maxOccurs="1"> 4791 <xs:annotation> 4792 <xs:documentation> 4793 Indicates if the volume is remotely (i.e., network) attached. 4794 </xs:documentation> 4795 </xs:annotation> 4796 </xs:element> 4797 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 4798 <xs:annotation> 4799 <xs:documentation>Provides the ability to document properties in a name/value store. 
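This provides flexibility to include data not officially supported in the standard
                        without having to use additional namespaces or create extensions. Property names
                        of interest to the general public are encouraged to be registered in the
                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                        Formal registration is OPTIONAL.</xs:documentation>
                </xs:annotation>
            </xs:element>
        </xs:sequence>
    </xs:complexType>

    <!-- Closed vocabulary for volumeType/mode. -->
    <xs:simpleType name="volumeModeEnum">
        <xs:restriction base="xs:string">
            <xs:enumeration value="filesystem"/>
            <xs:enumeration value="block"/>
        </xs:restriction>
    </xs:simpleType>

    <xs:complexType name="stepType">
        <xs:annotation>
            <xs:documentation>
                Executes specific commands or tools in order to accomplish its owning task as part of a sequence.
            </xs:documentation>
        </xs:annotation>
        <xs:sequence>
            <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        A name for the step.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        A description of the step.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="commands" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        Ordered list of commands or directives for the step
                    </xs:documentation>
                </xs:annotation>
                <xs:complexType>
                    <xs:sequence>
                        <xs:element name="command" minOccurs="0" maxOccurs="unbounded">
                            <xs:complexType>
                                <xs:sequence>
                                    <!-- executed is a free-form xs:string holding the command as run.
                                         Command lines can carry credentials or tokens passed as
                                         arguments; producers should redact such values before the
                                         BOM is shared outside the build environment. -->
                                    <xs:element name="executed" type="xs:string" minOccurs="0" maxOccurs="1">
                                        <xs:annotation>
                                            <xs:documentation>
                                                A text representation of the executed command.
                                            </xs:documentation>
                                        </xs:annotation>
                                    </xs:element>
                                    <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
                                        <xs:annotation>
                                            <xs:documentation>Provides the ability to document properties in a name/value store.
                                                This provides flexibility to include data not officially supported in the standard
                                                without having to use additional namespaces or create extensions. Property names
                                                of interest to the general public are encouraged to be registered in the
                                                CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                                                Formal registration is OPTIONAL.</xs:documentation>
                                        </xs:annotation>
                                    </xs:element>
                                </xs:sequence>
                            </xs:complexType>
                        </xs:element>
                    </xs:sequence>
                </xs:complexType>
            </xs:element>
            <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>Provides the ability to document properties in a name/value store.
                        This provides flexibility to include data not officially supported in the standard
                        without having to use additional namespaces or create extensions. Property names
                        of interest to the general public are encouraged to be registered in the
                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                        Formal registration is OPTIONAL.</xs:documentation>
                </xs:annotation>
            </xs:element>
            <!-- processContents="lax": extension content is schema-validated only when the
                 validator has a matching declaration; otherwise it is accepted as-is.
                 Consumers should treat it as unvalidated input. -->
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <xs:complexType name="triggerType">
        <xs:sequence>
            <xs:element name="uid" type="xs:string" minOccurs="1" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The unique identifier for the resource instance within its deployment context.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The name of the resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The description of the resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="resourceReferences" type="bom:resourceReferencesType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        References to component or service resources that are used to realize the resource instance.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="type" type="bom:triggerTypeType" minOccurs="1" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The source type of event which caused the trigger to fire.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="event" type="bom:eventType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The event data that caused the associated trigger to activate.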
4939 </xs:documentation> 4940 </xs:annotation> 4941 </xs:element> 4942 <xs:element name="conditions" minOccurs="0" maxOccurs="1"> 4943 <xs:complexType> 4944 <xs:sequence> 4945 <xs:element name="condition" minOccurs="0" maxOccurs="unbounded"> 4946 <xs:annotation> 4947 <xs:documentation> 4948 A condition that was used to determine a trigger should be activated. 4949 </xs:documentation> 4950 </xs:annotation> 4951 <xs:complexType> 4952 <xs:sequence> 4953 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 4954 <xs:annotation> 4955 <xs:documentation> 4956 Describes the set of conditions which cause the trigger to activate. 4957 </xs:documentation> 4958 </xs:annotation> 4959 </xs:element> 4960 <xs:element name="expression" type="xs:string" minOccurs="0" maxOccurs="1"> 4961 <xs:annotation> 4962 <xs:documentation> 4963 The logical expression that was evaluated that determined the trigger should be fired. 4964 </xs:documentation> 4965 </xs:annotation> 4966 </xs:element> 4967 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 4968 <xs:annotation> 4969 <xs:documentation>Provides the ability to document properties in a name/value store. 4970 This provides flexibility to include data not officially supported in the standard 4971 without having to use additional namespaces or create extensions. Property names 4972 of interest to the general public are encouraged to be registered in the 4973 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 4974 Formal registration is OPTIONAL.</xs:documentation> 4975 </xs:annotation> 4976 </xs:element> 4977 </xs:sequence> 4978 </xs:complexType> 4979 </xs:element> 4980 </xs:sequence> 4981 </xs:complexType> 4982 </xs:element> 4983 <xs:element name="timeActivated" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 4984 <xs:annotation> 4985 <xs:documentation> 4986 The date and time (timestamp) when the trigger was activated. 
4987 </xs:documentation> 4988 </xs:annotation> 4989 </xs:element> 4990 <xs:element name="inputs" minOccurs="0" maxOccurs="1"> 4991 <xs:annotation> 4992 <xs:documentation> 4993 Represents resources and data brought into a task at runtime by executor or task commands 4994 </xs:documentation> 4995 </xs:annotation> 4996 <xs:complexType> 4997 <xs:sequence> 4998 <xs:element name="input" type="bom:inputType" minOccurs="0" maxOccurs="unbounded" /> 4999 </xs:sequence> 5000 </xs:complexType> 5001 </xs:element> 5002 <xs:element name="outputs" minOccurs="0" maxOccurs="1"> 5003 <xs:annotation> 5004 <xs:documentation> 5005 Represents resources and data output from a task at runtime by executor or task commands 5006 </xs:documentation> 5007 </xs:annotation> 5008 <xs:complexType> 5009 <xs:sequence> 5010 <xs:element name="output" type="bom:outputType" minOccurs="0" maxOccurs="unbounded" /> 5011 </xs:sequence> 5012 </xs:complexType> 5013 </xs:element> 5014 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 5015 <xs:annotation> 5016 <xs:documentation>Provides the ability to document properties in a name/value store. 5017 This provides flexibility to include data not officially supported in the standard 5018 without having to use additional namespaces or create extensions. Property names 5019 of interest to the general public are encouraged to be registered in the 5020 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 5021 Formal registration is OPTIONAL.</xs:documentation> 5022 </xs:annotation> 5023 </xs:element> 5024 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 5025 <xs:annotation> 5026 <xs:documentation> 5027 Allows any undeclared elements as long as the elements are placed in a different namespace. 
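</xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <!-- use="required": every trigger must carry a bom-ref. -->
        <xs:attribute name="bom-ref" type="bom:refType" use="required">
            <xs:annotation>
                <xs:documentation>
                    An identifier which can be used to reference the trigger elsewhere in the BOM.
                    Uniqueness is enforced within all elements and children of the root-level bom element.
                </xs:documentation>
            </xs:annotation>
        </xs:attribute>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <!-- Closed vocabulary for triggerType/type. -->
    <xs:simpleType name="triggerTypeType">
        <xs:restriction base="xs:string">
            <xs:enumeration value="manual"/>
            <xs:enumeration value="api"/>
            <xs:enumeration value="webhook"/>
            <xs:enumeration value="scheduled"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- An event record referenced from triggerType/event. Every child is optional. -->
    <xs:complexType name="eventType">
        <xs:sequence>
            <xs:element name="uid" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The unique identifier of the event.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        A description of the event.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="timeReceived" type="xs:dateTime" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The date and time (timestamp) when the event was received.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <!-- data embeds the raw event payload. Payloads such as webhook bodies may contain
                 tokens or personal data; producers should review or redact them before the
                 BOM is published. -->
            <xs:element name="data" type="bom:attachedTextType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        Encoding of the raw event data.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="source" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        References the component or service that was the source of the event
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="target" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        References the component or service that was the target of the event
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>Provides the ability to document properties in a name/value store.
                        This provides flexibility to include data not officially supported in the standard
                        without having to use additional namespaces or create extensions. Property names
                        of interest to the general public are encouraged to be registered in the
                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                        Formal registration is OPTIONAL.</xs:documentation>
                </xs:annotation>
            </xs:element>
            <!-- processContents="lax": extension content is schema-validated only when the
                 validator has a matching declaration; otherwise it is accepted as-is.
                 Consumers should treat it as unvalidated input. -->
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <xs:complexType name="inputType">
        <xs:annotation>
            <xs:documentation>
                Type that represents various input data types and formats.
            </xs:documentation>
        </xs:annotation>
        <xs:sequence>
            <!-- Exactly one input form is chosen: resource, parameters, environmentVars or data. -->
            <xs:choice>
                <xs:element name="resource" type="bom:resourceReferenceType" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>
                            A reference to an independent resource provided as an input to a task by the workflow runtime.
                        </xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="parameters" type="bom:parametersType" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>
                            Inputs that have the form of parameters with names and values.
                        </xs:documentation>
                    </xs:annotation>
                </xs:element>
                <!-- Environment variables frequently hold credentials. Producers should omit or
                     redact secret values rather than record them in the BOM. -->
                <xs:element name="environmentVars" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>
                            Inputs that have the form of environment variables.
                        </xs:documentation>
                    </xs:annotation>
                    <xs:complexType>
                        <xs:sequence minOccurs="0" maxOccurs="unbounded">
                            <!-- maxOccurs="unbounded" NEEDS to be set on the sequence, not the individual elements -->
                            <xs:choice>
                                <xs:element name="environmentVar" type="bom:propertyType" minOccurs="0" maxOccurs="1"/>
                                <xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1"/>
                            </xs:choice>
                        </xs:sequence>
                    </xs:complexType>
                </xs:element>
                <xs:element name="data" type="bom:attachedTextType" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>
                            Inputs that have the form of data.
                        </xs:documentation>
                    </xs:annotation>
                </xs:element>
            </xs:choice>
            <xs:element name="source" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        A reference to the component or service that provided the input to the task
                        (e.g., reference to a service with data flow value of inbound)
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="target" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        A reference to the component or service that received or stored the input if not the task
                        itself (e.g., a local, named storage workspace)
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>Provides the ability to document properties in a name/value store.
                        This provides flexibility to include data not officially supported in the standard
                        without having to use additional namespaces or create extensions. Property names
                        of interest to the general public are encouraged to be registered in the
                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                        Formal registration is OPTIONAL.</xs:documentation>
                </xs:annotation>
            </xs:element>
            <!-- Lax wildcard: extension elements are validated only when a declaration for them
                 is available to the validator. -->
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <xs:complexType name="outputType">
        <xs:annotation>
            <xs:documentation>
                Represents resources and data output from a task at runtime by executor or task commands
            </xs:documentation>
        </xs:annotation>
        <xs:sequence>
            <xs:choice>
                <xs:element name="resource" type="bom:resourceReferenceType" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>
                            A reference to an independent resource generated as output by the task.
                        </xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="environmentVars" minOccurs="1" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>
                            Outputs that have the form of environment variables.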
5234 </xs:documentation> 5235 </xs:annotation> 5236 <xs:complexType> 5237 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 5238 <!-- maxOccurs="unbounded" NEEDS to be set on the sequence, not the individual elements --> 5239 <xs:choice> 5240 <xs:element name="environmentVar" type="bom:propertyType" minOccurs="0" maxOccurs="1"/> 5241 <xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1"/> 5242 </xs:choice> 5243 </xs:sequence> 5244 </xs:complexType> 5245 </xs:element> 5246 <xs:element name="data" type="bom:attachedTextType" minOccurs="1" maxOccurs="1"> 5247 <xs:annotation> 5248 <xs:documentation> 5249 Outputs that have the form of data. 5250 </xs:documentation> 5251 </xs:annotation> 5252 </xs:element> 5253 </xs:choice> 5254 <xs:element name="type" type="bom:outputTypeEnum" minOccurs="0" maxOccurs="1"> 5255 <xs:annotation> 5256 <xs:documentation> 5257 Describes the type of data output. 5258 </xs:documentation> 5259 </xs:annotation> 5260 </xs:element> 5261 <xs:element name="source" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="1"> 5262 <xs:annotation> 5263 <xs:documentation> 5264 Component or service that generated or provided the output from the task (e.g., a build tool) 5265 </xs:documentation> 5266 </xs:annotation> 5267 </xs:element> 5268 <xs:element name="target" type="bom:resourceReferenceType" minOccurs="0" maxOccurs="1"> 5269 <xs:annotation> 5270 <xs:documentation> 5271 Component or service that received the output from the task 5272 (e.g., reference to an artifactory service with data flow value of outbound) 5273 </xs:documentation> 5274 </xs:annotation> 5275 </xs:element> 5276 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 5277 <xs:annotation> 5278 <xs:documentation>Provides the ability to document properties in a name/value store. 5279 This provides flexibility to include data not officially supported in the standard 5280 without having to use additional namespaces or create extensions. 
Property names 5281 of interest to the general public are encouraged to be registered in the 5282 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 5283 Formal registration is OPTIONAL.</xs:documentation> 5284 </xs:annotation> 5285 </xs:element> 5286 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 5287 <xs:annotation> 5288 <xs:documentation> 5289 Allows any undeclared elements as long as the elements are placed in a different namespace. 5290 </xs:documentation> 5291 </xs:annotation> 5292 </xs:any> 5293 </xs:sequence> 5294 <xs:anyAttribute namespace="##any" processContents="lax"> 5295 <xs:annotation> 5296 <xs:documentation>User-defined attributes may be used on this element as long as they 5297 do not have the same name as an existing attribute used by the schema.</xs:documentation> 5298 </xs:annotation> 5299 </xs:anyAttribute> 5300 </xs:complexType> 5301 5302 <xs:simpleType name="outputTypeEnum"> 5303 <xs:restriction base="xs:string"> 5304 <xs:enumeration value="artifact"/> 5305 <xs:enumeration value="attestation"/> 5306 <xs:enumeration value="log"/> 5307 <xs:enumeration value="evidence"/> 5308 <xs:enumeration value="metrics"/> 5309 <xs:enumeration value="other"/> 5310 </xs:restriction> 5311 </xs:simpleType> 5312 5313 <xs:complexType name="parametersType"> 5314 <xs:sequence> 5315 <xs:element name="parameter" type="bom:parameterType" minOccurs="0" maxOccurs="unbounded" /> 5316 </xs:sequence> 5317 </xs:complexType> 5318 5319 <xs:complexType name="parameterType"> 5320 <xs:annotation> 5321 <xs:documentation> 5322 A representation of a functional parameter. 5323 </xs:documentation> 5324 </xs:annotation> 5325 <xs:sequence> 5326 <xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1"> 5327 <xs:annotation> 5328 <xs:documentation> 5329 The name of the parameter. 
</xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="value" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The value of the parameter.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:element name="dataType" type="xs:string" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                    <xs:documentation>
                        The data type of the parameter.
                    </xs:documentation>
                </xs:annotation>
            </xs:element>
            <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                <xs:annotation>
                    <xs:documentation>
                        Allows any undeclared elements as long as the elements are placed in a different namespace.
                    </xs:documentation>
                </xs:annotation>
            </xs:any>
        </xs:sequence>
        <xs:anyAttribute namespace="##any" processContents="lax">
            <xs:annotation>
                <xs:documentation>User-defined attributes may be used on this element as long as they
                    do not have the same name as an existing attribute used by the schema.</xs:documentation>
            </xs:annotation>
        </xs:anyAttribute>
    </xs:complexType>

    <!--
        Root element of a BOM document.
        Every child below is declared with minOccurs="0" and neither attribute is
        marked use="required", so a bare, empty bom element is schema-valid.
        Passing validation therefore says nothing about how complete the inventory is;
        consumers that need specific sections must check for them explicitly.
        The children sit in an xs:sequence, so they must appear in the declared order.
    -->
    <xs:element name="bom">
        <xs:complexType>
            <xs:sequence>
                <xs:element name="metadata" type="bom:metadata" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Provides additional information about a BOM.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>A list of software and hardware components.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Provides the ability to document external references related to the BOM or
                            to the project the BOM describes.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="dependencies" type="bom:dependenciesType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Provides the ability to document dependency relationships.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="compositions" type="bom:compositionsType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Provides the ability to document properties in a name/value store.
                            This provides flexibility to include data not officially supported in the standard
                            without having to use additional namespaces or create extensions. Property names
                            of interest to the general public are encouraged to be registered in the
                            CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
                            Formal registration is OPTIONAL.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="vulnerabilities" type="bom:vulnerabilitiesType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Vulnerabilities identified in components or services.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="annotations" type="bom:annotationsType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Comments made by people, organizations, or tools about any object with
                            a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike
                            inventory information, annotations may contain opinion or commentary from various
                            stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link,
                            and may optionally be signed.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <xs:element name="formulation" type="bom:formulationType" minOccurs="0" maxOccurs="1">
                    <xs:annotation>
                        <xs:documentation>Describes how a component or service was manufactured or deployed. This is
                            achieved through the use of formulas, workflows, tasks, and steps, which declare the precise
                            steps to reproduce along with the observed formulas describing the steps which transpired
                            in the manufacturing process.</xs:documentation>
                    </xs:annotation>
                </xs:element>
                <!--
                    Extension point. namespace="##other" admits elements from any namespace
                    except this schema's target namespace, and only after the declared
                    children because the wildcard is last in the sequence.
                    processContents="lax" validates such an element only when the validator
                    has a declaration for it; otherwise it is accepted unchecked.
                    Treat extension content as not covered by this schema and validate or
                    ignore it explicitly in the consumer.
                -->
                <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded">
                    <xs:annotation>
                        <xs:documentation>
                            Allows any undeclared elements as long as the elements are placed in a different namespace.
                        </xs:documentation>
                    </xs:annotation>
                </xs:any>
            </xs:sequence>
            <!--
                The schema enforces only that version is a positive integer (default 1).
                The "increment by 1" and "use the most recent version" rules in the
                documentation are SHOULD-level guidance that validation cannot check.
            -->
            <xs:attribute name="version" type="xs:positiveInteger" default="1">
                <xs:annotation>
                    <xs:documentation>Whenever an existing BOM is modified, either manually or through automated
                        processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with
                        multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM.
                        The default version is '1'.</xs:documentation>
                </xs:annotation>
            </xs:attribute>
            <!--
                Optional: there is no use="required". The lexical format comes from
                bom:urnUuid, which is declared outside this excerpt. Uniqueness across
                documents is a SHOULD and is not something a schema can check.
            -->
            <xs:attribute name="serialNumber" type="bom:urnUuid">
                <xs:annotation>
                    <xs:documentation>Every BOM generated SHOULD have a unique serial number, even if the contents of
                        the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122.
                        Use of serial numbers are RECOMMENDED.</xs:documentation>
                </xs:annotation>
            </xs:attribute>
            <!--
                namespace="##any" with processContents="lax" admits attributes from any
                namespace on the root, checked only when a declaration is available.
                Consumers should not assume unknown attributes have been validated.
            -->
            <xs:anyAttribute namespace="##any" processContents="lax">
                <xs:annotation>
                    <xs:documentation>User-defined attributes may be used on this element as long as they
                        do not have the same name as an existing attribute used by the schema.</xs:documentation>
                </xs:annotation>
            </xs:anyAttribute>
        </xs:complexType>
        <!--
            Identity constraint: among all descendant elements of bom (selector ".//*"),
            the values of the unqualified bom-ref attribute must be distinct.
            Elements without a bom-ref are not constrained by xs:unique.
            The selector is not namespace-restricted, so it also covers extension
            elements admitted by the wildcard above.
            This is what keeps references to a bom-ref unambiguous inside one document;
            it is enforced only by validators that evaluate identity constraints.
        -->
        <xs:unique name="bom-ref">
            <xs:selector xpath=".//*"/>
            <xs:field xpath="@bom-ref"/>
        </xs:unique>
    </xs:element>
</xs:schema>