github.com/noqcks/syft@v0.0.0-20230920222752-a9e2c4e288e5/schema/cyclonedx/cyclonedx.xsd (about) 1 <?xml version="1.0" encoding="UTF-8"?> 2 <!-- 3 CycloneDX Software Bill-of-Material (SBoM) Specification 4 5 Licensed under the Apache License, Version 2.0 (the "License"); 6 you may not use this file except in compliance with the License. 7 You may obtain a copy of the License at 8 9 http://www.apache.org/licenses/LICENSE-2.0 10 11 Unless required by applicable law or agreed to in writing, software 12 distributed under the License is distributed on an "AS IS" BASIS, 13 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 See the License for the specific language governing permissions and 15 limitations under the License. 16 --> 17 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" 18 xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" 19 xmlns:bom="http://cyclonedx.org/schema/bom/1.4" 20 xmlns:spdx="http://cyclonedx.org/schema/spdx" 21 elementFormDefault="qualified" 22 targetNamespace="http://cyclonedx.org/schema/bom/1.4" 23 vc:minVersion="1.0" 24 vc:maxVersion="1.1" 25 version="1.4.1"> 26 27 <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/> 28 29 <xs:annotation> 30 <xs:documentation> 31 <name>CycloneDX Software Bill of Materials Standard</name> 32 <url>https://cyclonedx.org/</url> 33 <license uri="http://www.apache.org/licenses/LICENSE-2.0" 34 version="2.0">Apache License, Version 2.0</license> 35 </xs:documentation> 36 </xs:annotation> 37 38 <xs:simpleType name="refType"> 39 <xs:annotation> 40 <xs:documentation>Identifier-DataType for interlinked elements.</xs:documentation> 41 </xs:annotation> 42 <xs:restriction base="xs:string" /> 43 </xs:simpleType> 44 45 <xs:complexType name="metadata"> 46 <xs:sequence minOccurs="0" maxOccurs="1"> 47 <xs:element name="timestamp" type="xs:dateTime" minOccurs="0"> 48 <xs:annotation> 49 <xs:documentation>The date and time (timestamp) when the BOM was created.</xs:documentation> 50 </xs:annotation> 51 </xs:element> 52 <xs:element name="tools" minOccurs="0" maxOccurs="1"> 53 <xs:annotation> 54 <xs:documentation>The tool(s) used in the creation of the BOM.</xs:documentation> 55 </xs:annotation> 56 <xs:complexType> 57 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 58 <xs:element name="tool" minOccurs="0" type="bom:toolType"/> 59 </xs:sequence> 60 </xs:complexType> 61 </xs:element> 62 <xs:element name="authors" minOccurs="0" maxOccurs="1"> 63 <xs:annotation> 64 <xs:documentation>The person(s) who created the BOM. Authors are common in BOMs created through 65 manual processes. BOMs created through automated means may not have authors.</xs:documentation> 66 </xs:annotation> 67 <xs:complexType> 68 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 69 <xs:element name="author" type="bom:organizationalContact"/> 70 </xs:sequence> 71 </xs:complexType> 72 </xs:element> 73 <xs:element name="component" type="bom:component" minOccurs="0"> 74 <xs:annotation> 75 <xs:documentation>The component that the BOM describes.</xs:documentation> 76 </xs:annotation> 77 </xs:element> 78 <xs:element name="manufacture" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 79 <xs:annotation> 80 <xs:documentation>The organization that manufactured the component that the BOM describes.</xs:documentation> 81 </xs:annotation> 82 </xs:element> 83 <xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 84 <xs:annotation> 85 <xs:documentation>The organization that supplied the component that the BOM describes. The 86 supplier may often be the manufacturer, but may also be a distributor or repackager.</xs:documentation> 87 </xs:annotation> 88 </xs:element> 89 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 90 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 91 <xs:annotation> 92 <xs:documentation>Provides the ability to document properties in a key/value store. 93 This provides flexibility to include data not officially supported in the standard 94 without having to use additional namespaces or create extensions. Property names 95 of interest to the general public are encouraged to be registered in the 96 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 97 Formal registration is OPTIONAL.</xs:documentation> 98 </xs:annotation> 99 </xs:element> 100 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 101 <xs:annotation> 102 <xs:documentation> 103 Allows any undeclared elements as long as the elements are placed in a different namespace. 104 </xs:documentation> 105 </xs:annotation> 106 </xs:any> 107 </xs:sequence> 108 <xs:anyAttribute namespace="##other" processContents="lax"> 109 <xs:annotation> 110 <xs:documentation>User-defined attributes may be used on this element as long as they 111 do not have the same name as an existing attribute used by the schema.</xs:documentation> 112 </xs:annotation> 113 </xs:anyAttribute> 114 </xs:complexType> 115 116 <xs:complexType name="organizationalEntity"> 117 <xs:sequence minOccurs="0" maxOccurs="1"> 118 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 119 <xs:annotation> 120 <xs:documentation>The name of the organization</xs:documentation> 121 </xs:annotation> 122 </xs:element> 123 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"> 124 <xs:annotation> 125 <xs:documentation>The URL of the organization. Multiple URLs are allowed.</xs:documentation> 126 </xs:annotation> 127 </xs:element> 128 <xs:element name="contact" type="bom:organizationalContact" minOccurs="0" maxOccurs="unbounded"> 129 <xs:annotation> 130 <xs:documentation>A contact person at the organization. Multiple contacts are allowed.</xs:documentation> 131 </xs:annotation> 132 </xs:element> 133 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 134 <xs:annotation> 135 <xs:documentation> 136 Allows any undeclared elements as long as the elements are placed in a different namespace. 137 </xs:documentation> 138 </xs:annotation> 139 </xs:any> 140 </xs:sequence> 141 <xs:anyAttribute namespace="##other" processContents="lax"> 142 <xs:annotation> 143 <xs:documentation>User-defined attributes may be used on this element as long as they 144 do not have the same name as an existing attribute used by the schema.</xs:documentation> 145 </xs:annotation> 146 </xs:anyAttribute> 147 </xs:complexType> 148 149 <xs:complexType name="toolType"> 150 <xs:annotation> 151 <xs:documentation>Information about the automated or manual tool used</xs:documentation> 152 </xs:annotation> 153 <xs:sequence minOccurs="0" maxOccurs="1"> 154 <xs:element name="vendor" minOccurs="0" maxOccurs="1" type="xs:normalizedString"> 155 <xs:annotation> 156 <xs:documentation>The name of the vendor who created the tool</xs:documentation> 157 </xs:annotation> 158 </xs:element> 159 <xs:element name="name" minOccurs="0" maxOccurs="1" type="xs:normalizedString"> 160 <xs:annotation> 161 <xs:documentation>The name of the tool</xs:documentation> 162 </xs:annotation> 163 </xs:element> 164 <xs:element name="version" minOccurs="0" maxOccurs="1" type="xs:normalizedString"> 165 <xs:annotation> 166 <xs:documentation>The version of the tool</xs:documentation> 167 </xs:annotation> 168 </xs:element> 169 <xs:element name="hashes" minOccurs="0" maxOccurs="1"> 170 <xs:complexType> 171 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 172 <xs:element name="hash" type="bom:hashType"/> 173 </xs:sequence> 174 </xs:complexType> 175 </xs:element> 176 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 177 <xs:annotation> 178 <xs:documentation>Provides the ability to document external references related to the tool.</xs:documentation> 179 </xs:annotation> 180 </xs:element> 181 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 182 <xs:annotation> 183 <xs:documentation> 184 Allows any undeclared elements as long as the elements are placed in a different namespace. 185 </xs:documentation> 186 </xs:annotation> 187 </xs:any> 188 </xs:sequence> 189 <xs:anyAttribute namespace="##other" processContents="lax"> 190 <xs:annotation> 191 <xs:documentation>User-defined attributes may be used on this element as long as they 192 do not have the same name as an existing attribute used by the schema.</xs:documentation> 193 </xs:annotation> 194 </xs:anyAttribute> 195 </xs:complexType> 196 197 <xs:complexType name="organizationalContact"> 198 <xs:sequence minOccurs="0" maxOccurs="1"> 199 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 200 <xs:annotation> 201 <xs:documentation>The name of the contact</xs:documentation> 202 </xs:annotation> 203 </xs:element> 204 <xs:element name="email" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 205 <xs:annotation> 206 <xs:documentation>The email address of the contact.</xs:documentation> 207 </xs:annotation> 208 </xs:element> 209 <xs:element name="phone" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 210 <xs:annotation> 211 <xs:documentation>The phone number of the contact.</xs:documentation> 212 </xs:annotation> 213 </xs:element> 214 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 215 <xs:annotation> 216 <xs:documentation> 217 Allows any undeclared elements as long as the elements are placed in a different namespace. 218 </xs:documentation> 219 </xs:annotation> 220 </xs:any> 221 </xs:sequence> 222 <xs:anyAttribute namespace="##other" processContents="lax"> 223 <xs:annotation> 224 <xs:documentation>User-defined attributes may be used on this element as long as they 225 do not have the same name as an existing attribute used by the schema.</xs:documentation> 226 </xs:annotation> 227 </xs:anyAttribute> 228 </xs:complexType> 229 230 <xs:complexType name="componentsType"> 231 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 232 <xs:element name="component" type="bom:component"/> 233 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 234 <xs:annotation> 235 <xs:documentation> 236 Allows any undeclared elements as long as the elements are placed in a different namespace. 237 </xs:documentation> 238 </xs:annotation> 239 </xs:any> 240 </xs:sequence> 241 <xs:anyAttribute namespace="##any" processContents="lax"> 242 <xs:annotation> 243 <xs:documentation>User-defined attributes may be used on this element as long as they 244 do not have the same name as an existing attribute used by the schema.</xs:documentation> 245 </xs:annotation> 246 </xs:anyAttribute> 247 </xs:complexType> 248 249 <xs:complexType name="component"> 250 <xs:sequence> 251 <xs:element name="supplier" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 252 <xs:annotation> 253 <xs:documentation>The organization that supplied the component. The supplier may often 254 be the manufacturer, but may also be a distributor or repackager.</xs:documentation> 255 </xs:annotation> 256 </xs:element> 257 <xs:element name="author" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 258 <xs:annotation> 259 <xs:documentation>The person(s) or organization(s) that authored the component</xs:documentation> 260 </xs:annotation> 261 </xs:element> 262 <xs:element name="publisher" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 263 <xs:annotation> 264 <xs:documentation>The person(s) or organization(s) that published the component</xs:documentation> 265 </xs:annotation> 266 </xs:element> 267 <xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 268 <xs:annotation> 269 <xs:documentation>The grouping name or identifier. This will often be a shortened, single 270 name of the company or project that produced the component, or the source package or 271 domain name. Whitespace and special characters should be avoided. Examples include: 272 apache, org.apache.commons, and apache.org.</xs:documentation> 273 </xs:annotation> 274 </xs:element> 275 <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 276 <xs:annotation> 277 <xs:documentation>The name of the component. This will often be a shortened, single name 278 of the component. Examples: commons-lang3 and jquery</xs:documentation> 279 </xs:annotation> 280 </xs:element> 281 <xs:element name="version" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 282 <xs:annotation> 283 <xs:documentation>The component version. The version should ideally comply with semantic versioning 284 but is not enforced.</xs:documentation> 285 </xs:annotation> 286 </xs:element> 287 <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 288 <xs:annotation> 289 <xs:documentation>Specifies a description for the component</xs:documentation> 290 </xs:annotation> 291 </xs:element> 292 <xs:element name="scope" type="bom:scope" minOccurs="0" maxOccurs="1"> 293 <xs:annotation> 294 <xs:documentation>Specifies the scope of the component. If scope is not specified, 'required' 295 scope SHOULD be assumed by the consumer of the BOM.</xs:documentation> 296 </xs:annotation> 297 </xs:element> 298 <xs:element name="hashes" minOccurs="0" maxOccurs="1"> 299 <xs:complexType> 300 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 301 <xs:element name="hash" type="bom:hashType"/> 302 </xs:sequence> 303 </xs:complexType> 304 </xs:element> 305 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 306 <xs:element name="copyright" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 307 <xs:annotation> 308 <xs:documentation>A copyright notice informing users of the underlying claims to 309 copyright ownership in a published work.</xs:documentation> 310 </xs:annotation> 311 </xs:element> 312 <xs:element name="cpe" type="bom:cpe" minOccurs="0" maxOccurs="1"> 313 <xs:annotation> 314 <xs:documentation> 315 Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe 316 </xs:documentation> 317 </xs:annotation> 318 </xs:element> 319 <xs:element name="purl" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 320 <xs:annotation> 321 <xs:documentation> 322 Specifies the package-url (purl). The purl, if specified, MUST be valid and conform 323 to the specification defined at: https://github.com/package-url/purl-spec 324 </xs:documentation> 325 </xs:annotation> 326 </xs:element> 327 <xs:element name="swid" type="bom:swidType" minOccurs="0" maxOccurs="1"> 328 <xs:annotation> 329 <xs:documentation> 330 Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. 331 </xs:documentation> 332 </xs:annotation> 333 </xs:element> 334 <xs:element name="modified" type="xs:boolean" minOccurs="0" maxOccurs="1"> 335 <xs:annotation> 336 <xs:documentation> 337 DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree 338 element instead to supply information on exactly how the component was modified. 339 A boolean value indicating if the component has been modified from the original. 340 A value of true indicates the component is a derivative of the original. 341 A value of false indicates the component has not been modified from the original. 342 </xs:documentation> 343 </xs:annotation> 344 </xs:element> 345 <xs:element name="pedigree" type="bom:pedigreeType" minOccurs="0" maxOccurs="1"> 346 <xs:annotation> 347 <xs:documentation> 348 Component pedigree is a way to document complex supply chain scenarios where components are 349 created, distributed, modified, redistributed, combined with other components, etc. 350 </xs:documentation> 351 </xs:annotation> 352 </xs:element> 353 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 354 <xs:annotation> 355 <xs:documentation>Provides the ability to document external references related to the 356 component or to the project the component describes.</xs:documentation> 357 </xs:annotation> 358 </xs:element> 359 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 360 <xs:annotation> 361 <xs:documentation>Provides the ability to document properties in a key/value store. 362 This provides flexibility to include data not officially supported in the standard 363 without having to use additional namespaces or create extensions. Property names 364 of interest to the general public are encouraged to be registered in the 365 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 366 Formal registration is OPTIONAL.</xs:documentation> 367 </xs:annotation> 368 </xs:element> 369 <xs:element name="components" minOccurs="0" maxOccurs="1"> 370 <xs:annotation> 371 <xs:documentation> 372 A list of software and hardware components included in the parent component. This is not a 373 dependency tree. It provides a way to specify a hierarchical representation of component 374 assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. 375 </xs:documentation> 376 </xs:annotation> 377 <xs:complexType> 378 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 379 <xs:element name="component" type="bom:component"/> 380 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 381 <xs:annotation> 382 <xs:documentation> 383 Allows any undeclared elements as long as the elements are placed in a different namespace. 384 </xs:documentation> 385 </xs:annotation> 386 </xs:any> 387 </xs:sequence> 388 </xs:complexType> 389 </xs:element> 390 <xs:element name="evidence" type="bom:componentEvidenceType" minOccurs="0" maxOccurs="1"> 391 <xs:annotation> 392 <xs:documentation>Provides the ability to document evidence collected through various forms of extraction or analysis.</xs:documentation> 393 </xs:annotation> 394 </xs:element> 395 <xs:element name="releaseNotes" type="bom:releaseNotesType" minOccurs="0" maxOccurs="1"> 396 <xs:annotation> 397 <xs:documentation>Specifies optional release notes.</xs:documentation> 398 </xs:annotation> 399 </xs:element> 400 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 401 <xs:annotation> 402 <xs:documentation> 403 Allows any undeclared elements as long as the elements are placed in a different namespace. 404 </xs:documentation> 405 </xs:annotation> 406 </xs:any> 407 </xs:sequence> 408 <xs:attribute name="type" type="bom:classification" use="required"> 409 <xs:annotation> 410 <xs:documentation> 411 Specifies the type of component. For software components, classify as application if no more 412 specific appropriate classification is available or cannot be determined for the component. 413 </xs:documentation> 414 </xs:annotation> 415 </xs:attribute> 416 <xs:attribute name="mime-type" type="bom:mimeType"> 417 <xs:annotation> 418 <xs:documentation> 419 The OPTIONAL mime-type of the component. When used on file components, the mime-type 420 can provide additional context about the kind of file being represented such as an image, 421 font, or executable. Some library or framework components may also have an associated mime-type. 422 </xs:documentation> 423 </xs:annotation> 424 </xs:attribute> 425 <xs:attribute name="bom-ref" type="bom:refType"> 426 <xs:annotation> 427 <xs:documentation> 428 An optional identifier which can be used to reference the component elsewhere in the BOM. 429 Uniqueness is enforced within all elements and children of the root-level bom element. 430 </xs:documentation> 431 </xs:annotation> 432 </xs:attribute> 433 <xs:anyAttribute namespace="##any" processContents="lax"> 434 <xs:annotation> 435 <xs:documentation>User-defined attributes may be used on this element as long as they 436 do not have the same name as an existing attribute used by the schema.</xs:documentation> 437 </xs:annotation> 438 </xs:anyAttribute> 439 </xs:complexType> 440 441 <xs:complexType name="licenseType"> 442 <xs:sequence> 443 <xs:choice> 444 <xs:element name="id" type="spdx:licenseId" minOccurs="0" maxOccurs="1"> 445 <xs:annotation> 446 <xs:documentation>A valid SPDX license ID</xs:documentation> 447 </xs:annotation> 448 </xs:element> 449 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 450 <xs:annotation> 451 <xs:documentation>If SPDX does not define the license used, this field may be used to provide the license name</xs:documentation> 452 </xs:annotation> 453 </xs:element> 454 </xs:choice> 455 <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 456 <xs:annotation> 457 <xs:documentation>Specifies the optional full text of the attachment</xs:documentation> 458 </xs:annotation> 459 </xs:element> 460 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 461 <xs:annotation> 462 <xs:documentation>The URL to the attachment file. If the attachment is a license or BOM, 463 an externalReference should also be specified for completeness.</xs:documentation> 464 </xs:annotation> 465 </xs:element> 466 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 467 <xs:annotation> 468 <xs:documentation> 469 Allows any undeclared elements as long as the elements are placed in a different namespace. 470 </xs:documentation> 471 </xs:annotation> 472 </xs:any> 473 </xs:sequence> 474 </xs:complexType> 475 476 <xs:complexType name="attachedTextType"> 477 <xs:simpleContent> 478 <xs:extension base="xs:string"> 479 <xs:annotation> 480 <xs:documentation>The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.</xs:documentation> 481 </xs:annotation> 482 <xs:attribute name="content-type" type="xs:normalizedString" default="text/plain"> 483 <xs:annotation> 484 <xs:documentation>Specifies the content type of the text. Defaults to text/plain 485 if not specified.</xs:documentation> 486 </xs:annotation> 487 </xs:attribute> 488 <xs:attribute name="encoding" type="bom:encoding"> 489 <xs:annotation> 490 <xs:documentation> 491 Specifies the optional encoding the text is represented in 492 </xs:documentation> 493 </xs:annotation> 494 </xs:attribute> 495 </xs:extension> 496 </xs:simpleContent> 497 </xs:complexType> 498 499 <xs:complexType name="hashType"> 500 <xs:annotation> 501 <xs:documentation>Specifies the file hash of the component</xs:documentation> 502 </xs:annotation> 503 <xs:simpleContent> 504 <xs:extension base="bom:hashValue"> 505 <xs:attribute name="alg" type="bom:hashAlg" use="required"> 506 <xs:annotation> 507 <xs:documentation>Specifies the algorithm used to create the hash</xs:documentation> 508 </xs:annotation> 509 </xs:attribute> 510 </xs:extension> 511 </xs:simpleContent> 512 </xs:complexType> 513 514 <xs:simpleType name="scope"> 515 <xs:restriction base="xs:string"> 516 <xs:enumeration value="required"> 517 <xs:annotation> 518 <xs:documentation>The component is required for runtime</xs:documentation> 519 </xs:annotation> 520 </xs:enumeration> 521 <xs:enumeration value="optional"> 522 <xs:annotation> 523 <xs:documentation>The component is optional at runtime. Optional components are components that 524 are not capable of being called due to them not be installed or otherwise accessible by any means. 525 Components that are installed but due to configuration or other restrictions are prohibited from 526 being called must be scoped as 'required'.</xs:documentation> 527 </xs:annotation> 528 </xs:enumeration> 529 <xs:enumeration value="excluded"> 530 <xs:annotation> 531 <xs:documentation>Components that are excluded provide the ability to document component usage 532 for test and other non-runtime purposes. Excluded components are not reachable within a call 533 graph at runtime.</xs:documentation> 534 </xs:annotation> 535 </xs:enumeration> 536 </xs:restriction> 537 </xs:simpleType> 538 539 <xs:simpleType name="classification"> 540 <xs:restriction base="xs:string"> 541 <xs:enumeration value="application"> 542 <xs:annotation> 543 <xs:documentation>A software application. Refer to https://en.wikipedia.org/wiki/Application_software 544 for information about applications.</xs:documentation> 545 </xs:annotation> 546 </xs:enumeration> 547 <xs:enumeration value="framework"> 548 <xs:annotation> 549 <xs:documentation>A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework 550 for information on how frameworks vary slightly from libraries.</xs:documentation> 551 </xs:annotation> 552 </xs:enumeration> 553 <xs:enumeration value="library"> 554 <xs:annotation> 555 <xs:documentation>A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) 556 for information about libraries. All third-party and open source reusable components will likely 557 be a library. If the library also has key features of a framework, then it should be classified 558 as a framework. If not, or is unknown, then specifying library is recommended.</xs:documentation> 559 </xs:annotation> 560 </xs:enumeration> 561 <xs:enumeration value="container"> 562 <xs:annotation> 563 <xs:documentation>A packaging and/or runtime format, not specific to any particular technology, 564 which isolates software inside the container from software outside of a container through 565 virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization</xs:documentation> 566 </xs:annotation> 567 </xs:enumeration> 568 <xs:enumeration value="operating-system"> 569 <xs:annotation> 570 <xs:documentation>A software operating system without regard to deployment model 571 (i.e. installed on physical hardware, virtual machine, image, etc) Refer to 572 https://en.wikipedia.org/wiki/Operating_system</xs:documentation> 573 </xs:annotation> 574 </xs:enumeration> 575 <xs:enumeration value="device"> 576 <xs:annotation> 577 <xs:documentation>A hardware device such as a processor, or chip-set. A hardware device 578 containing firmware SHOULD include a component for the physical hardware itself, and another 579 component of type 'firmware' or 'operating-system' (whichever is relevant), describing 580 information about the software running on the device.</xs:documentation> 581 </xs:annotation> 582 </xs:enumeration> 583 <xs:enumeration value="firmware"> 584 <xs:annotation> 585 <xs:documentation>A special type of software that provides low-level control over a devices 586 hardware. Refer to https://en.wikipedia.org/wiki/Firmware</xs:documentation> 587 </xs:annotation> 588 </xs:enumeration> 589 <xs:enumeration value="file"> 590 <xs:annotation> 591 <xs:documentation>A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file 592 for information about files.</xs:documentation> 593 </xs:annotation> 594 </xs:enumeration> 595 </xs:restriction> 596 </xs:simpleType> 597 598 <xs:simpleType name="hashAlg"> 599 <xs:restriction base="xs:string"> 600 <xs:enumeration value="MD5"/> 601 <xs:enumeration value="SHA-1"/> 602 <xs:enumeration value="SHA-256"/> 603 <xs:enumeration value="SHA-384"/> 604 <xs:enumeration value="SHA-512"/> 605 <xs:enumeration value="SHA3-256"/> 606 <xs:enumeration value="SHA3-384"/> 607 <xs:enumeration value="SHA3-512"/> 608 <xs:enumeration value="BLAKE2b-256"/> 609 <xs:enumeration value="BLAKE2b-384"/> 610 <xs:enumeration value="BLAKE2b-512"/> 611 <xs:enumeration value="BLAKE3"/> 612 </xs:restriction> 613 </xs:simpleType> 614 615 <xs:simpleType name="hashValue"> 616 <xs:restriction base="xs:token"> 617 <xs:pattern value="([a-fA-F0-9]{32})|([a-fA-F0-9]{40})|([a-fA-F0-9]{64})|([a-fA-F0-9]{96})|([a-fA-F0-9]{128})"/> 618 </xs:restriction> 619 </xs:simpleType> 620 621 <xs:simpleType name="mimeType"> 622 <xs:restriction base="xs:token"> 623 <xs:pattern value="[-+a-z0-9.]+/[-+a-z0-9.]+"/> 624 </xs:restriction> 625 </xs:simpleType> 626 627 <xs:simpleType name="encoding"> 628 <xs:restriction base="xs:string"> 629 <xs:enumeration value="base64"/> 630 </xs:restriction> 631 </xs:simpleType> 632 633 <xs:simpleType name="cpe"> 634 <xs:annotation> 635 <xs:documentation xml:lang="en"> 636 Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. 637 Refer to https://nvd.nist.gov/products/cpe for official specification. 638 </xs:documentation> 639 </xs:annotation> 640 <xs:restriction base="xs:string"> 641 <xs:pattern value="([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})|(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})"/> 642 </xs:restriction> 643 </xs:simpleType> 644 645 <xs:complexType name="swidType"> 646 <xs:sequence> 647 <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 648 <xs:annotation> 649 <xs:documentation>Specifies the full content of the SWID tag.</xs:documentation> 650 </xs:annotation> 651 </xs:element> 652 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 653 <xs:annotation> 654 <xs:documentation>The URL to the SWID file.</xs:documentation> 655 </xs:annotation> 656 </xs:element> 657 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 658 <xs:annotation> 659 <xs:documentation> 660 Allows any undeclared elements as long as the elements are placed in a different namespace. 661 </xs:documentation> 662 </xs:annotation> 663 </xs:any> 664 </xs:sequence> 665 <xs:attribute name="tagId" type="xs:string" use="required"> 666 <xs:annotation> 667 <xs:documentation>Maps to the tagId of a SoftwareIdentity.</xs:documentation> 668 </xs:annotation> 669 </xs:attribute> 670 <xs:attribute name="name" type="xs:string" use="required"> 671 <xs:annotation> 672 <xs:documentation>Maps to the name of a SoftwareIdentity.</xs:documentation> 673 </xs:annotation> 674 </xs:attribute> 675 <xs:attribute name="version" type="xs:string" use="optional" default="0.0"> 676 <xs:annotation> 677 <xs:documentation>Maps to the version of a SoftwareIdentity.</xs:documentation> 678 </xs:annotation> 679 </xs:attribute> 680 <xs:attribute name="tagVersion" type="xs:integer" use="optional" default="0"> 681 <xs:annotation> 682 <xs:documentation>Maps to the tagVersion of a SoftwareIdentity.</xs:documentation> 683 </xs:annotation> 684 </xs:attribute> 685 <xs:attribute name="patch" type="xs:boolean" use="optional" default="false"> 686 <xs:annotation> 687 <xs:documentation>Maps to the patch of a SoftwareIdentity.</xs:documentation> 688 </xs:annotation> 689 </xs:attribute> 690 </xs:complexType> 691 692 <xs:simpleType name="urnUuid"> 693 <xs:annotation> 694 <xs:documentation xml:lang="en"> 695 Defines a string representation of a UUID conforming to RFC 4122. 696 </xs:documentation> 697 </xs:annotation> 698 <xs:restriction base="xs:string"> 699 <xs:pattern value="urn:uuid:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})|(\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\})"/> 700 </xs:restriction> 701 </xs:simpleType> 702 703 <xs:simpleType name="externalReferenceType"> 704 <xs:restriction base="xs:string"> 705 <xs:enumeration value="vcs"> 706 <xs:annotation> 707 <xs:documentation>Version Control System</xs:documentation> 708 </xs:annotation> 709 </xs:enumeration> 710 <xs:enumeration value="issue-tracker"> 711 <xs:annotation> 712 <xs:documentation>Issue or defect tracking system, or an Application Lifecycle Management (ALM) system</xs:documentation> 713 </xs:annotation> 714 </xs:enumeration> 715 <xs:enumeration value="website"> 716 <xs:annotation> 717 <xs:documentation>Website</xs:documentation> 718 </xs:annotation> 719 </xs:enumeration> 720 <xs:enumeration value="advisories"> 721 <xs:annotation> 722 <xs:documentation>Security advisories</xs:documentation> 723 </xs:annotation> 724 </xs:enumeration> 725 <xs:enumeration value="bom"> 726 <xs:annotation> 727 <xs:documentation>Bill-of-material document (CycloneDX, SPDX, SWID, etc)</xs:documentation> 728 </xs:annotation> 729 </xs:enumeration> 730 <xs:enumeration value="mailing-list"> 731 <xs:annotation> 732 <xs:documentation>Mailing list or discussion group</xs:documentation> 733 </xs:annotation> 734 </xs:enumeration> 735 <xs:enumeration value="social"> 736 <xs:annotation> 737 <xs:documentation>Social media account</xs:documentation> 738 </xs:annotation> 739 </xs:enumeration> 740 <xs:enumeration value="chat"> 741 <xs:annotation> 742 <xs:documentation>Real-time chat platform</xs:documentation> 743 </xs:annotation> 744 </xs:enumeration> 745 <xs:enumeration value="documentation"> 746 <xs:annotation> 747 <xs:documentation>Documentation, guides, or how-to instructions</xs:documentation> 748 </xs:annotation> 749 </xs:enumeration> 750 <xs:enumeration value="support"> 751 <xs:annotation> 752 <xs:documentation>Community or commercial support</xs:documentation> 753 </xs:annotation> 754 </xs:enumeration> 755 <xs:enumeration value="distribution"> 756 <xs:annotation> 757 <xs:documentation>Direct or repository download location</xs:documentation> 758 </xs:annotation> 759 </xs:enumeration> 760 <xs:enumeration value="license"> 761 <xs:annotation> 762 <xs:documentation>The URL to the license file. If a license URL has been defined in the license 763 node, it should also be defined as an external reference for completeness</xs:documentation> 764 </xs:annotation> 765 </xs:enumeration> 766 <xs:enumeration value="build-meta"> 767 <xs:annotation> 768 <xs:documentation>Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)</xs:documentation> 769 </xs:annotation> 770 </xs:enumeration> 771 <xs:enumeration value="build-system"> 772 <xs:annotation> 773 <xs:documentation>URL to an automated build system</xs:documentation> 774 </xs:annotation> 775 </xs:enumeration> 776 <xs:enumeration value="release-notes"> 777 <xs:annotation> 778 <xs:documentation>URL to release notes</xs:documentation> 779 </xs:annotation> 780 </xs:enumeration> 781 <xs:enumeration value="other"> 782 <xs:annotation> 783 <xs:documentation>Use this if no other types accurately describe the purpose of the external reference</xs:documentation> 784 </xs:annotation> 785 </xs:enumeration> 786 </xs:restriction> 787 </xs:simpleType> 788 789 <xs:complexType name="externalReferences"> 790 <xs:annotation> 791 <xs:documentation xml:lang="en"> 792 External references provide a way to document systems, sites, and information that may be relevant 793 but which are not included with the BOM. 794 </xs:documentation> 795 </xs:annotation> 796 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 797 <xs:element name="reference" type="bom:externalReference"> 798 <xs:annotation> 799 <xs:documentation xml:lang="en">Zero or more external references can be defined</xs:documentation> 800 </xs:annotation> 801 </xs:element> 802 </xs:sequence> 803 </xs:complexType> 804 805 <xs:complexType name="externalReference"> 806 <xs:sequence> 807 <xs:element name="url" type="xs:anyURI" minOccurs="1" maxOccurs="1"> 808 <xs:annotation> 809 <xs:documentation xml:lang="en">The URL to the external reference</xs:documentation> 810 </xs:annotation> 811 </xs:element> 812 <xs:element name="comment" type="xs:string" minOccurs="0" maxOccurs="1"> 813 <xs:annotation> 814 <xs:documentation xml:lang="en">An optional comment describing the external reference</xs:documentation> 815 </xs:annotation> 816 </xs:element> 817 <xs:element name="hashes" minOccurs="0" maxOccurs="1"> 818 <xs:complexType> 819 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 820 <xs:element name="hash" type="bom:hashType"/> 821 </xs:sequence> 822 </xs:complexType> 823 </xs:element> 824 </xs:sequence> 825 <xs:attribute name="type" type="bom:externalReferenceType" use="required"> 826 <xs:annotation> 827 <xs:documentation>Specifies the type of external reference. There are built-in types to describe common 828 references. If a type does not exist for the reference being referred to, use the "other" type. 829 </xs:documentation> 830 </xs:annotation> 831 </xs:attribute> 832 <xs:anyAttribute namespace="##any" processContents="lax"> 833 <xs:annotation> 834 <xs:documentation>User-defined attributes may be used on this element as long as they 835 do not have the same name as an existing attribute used by the schema.</xs:documentation> 836 </xs:annotation> 837 </xs:anyAttribute> 838 </xs:complexType> 839 840 <xs:complexType name="commitsType"> 841 <xs:annotation> 842 <xs:documentation xml:lang="en">Zero or more commits can be specified.</xs:documentation> 843 </xs:annotation> 844 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 845 <xs:element name="commit" type="bom:commitType"> 846 <xs:annotation> 847 <xs:documentation xml:lang="en">Specifies an individual commit.</xs:documentation> 848 </xs:annotation> 849 </xs:element> 850 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 851 <xs:annotation> 852 <xs:documentation> 853 Allows any undeclared elements as long as the elements are placed in a different namespace. 854 </xs:documentation> 855 </xs:annotation> 856 </xs:any> 857 </xs:sequence> 858 </xs:complexType> 859 860 <xs:complexType name="commitType"> 861 <xs:sequence> 862 <xs:element name="uid" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 863 <xs:annotation> 864 <xs:documentation xml:lang="en">A unique identifier of the commit. This may be version control 865 specific. For example, Subversion uses revision numbers whereas git uses commit hashes. 866 </xs:documentation> 867 </xs:annotation> 868 </xs:element> 869 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 870 <xs:annotation> 871 <xs:documentation xml:lang="en">The URL to the commit. This URL will typically point to a commit 872 in a version control system. 873 </xs:documentation> 874 </xs:annotation> 875 </xs:element> 876 <xs:element name="author" type="bom:identifiableActionType" minOccurs="0" maxOccurs="1"> 877 <xs:annotation> 878 <xs:documentation xml:lang="en">The author who created the changes in the commit</xs:documentation> 879 </xs:annotation> 880 </xs:element> 881 <xs:element name="committer" type="bom:identifiableActionType" minOccurs="0" maxOccurs="1"> 882 <xs:annotation> 883 <xs:documentation xml:lang="en">The person who committed or pushed the commit</xs:documentation> 884 </xs:annotation> 885 </xs:element> 886 <xs:element name="message" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 887 <xs:annotation> 888 <xs:documentation xml:lang="en">The text description of the contents of the commit</xs:documentation> 889 </xs:annotation> 890 </xs:element> 891 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 892 <xs:annotation> 893 <xs:documentation> 894 Allows any undeclared elements as long as the elements are placed in a different namespace. 895 </xs:documentation> 896 </xs:annotation> 897 </xs:any> 898 </xs:sequence> 899 </xs:complexType> 900 901 <xs:complexType name="patchesType"> 902 <xs:annotation> 903 <xs:documentation xml:lang="en">Zero or more patches can be specified.</xs:documentation> 904 </xs:annotation> 905 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 906 <xs:element name="patch" type="bom:patchType"> 907 <xs:annotation> 908 <xs:documentation xml:lang="en">Specifies an individual patch.</xs:documentation> 909 </xs:annotation> 910 </xs:element> 911 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 912 <xs:annotation> 913 <xs:documentation> 914 Allows any undeclared elements as long as the elements are placed in a different namespace. 915 </xs:documentation> 916 </xs:annotation> 917 </xs:any> 918 </xs:sequence> 919 </xs:complexType> 920 921 <xs:complexType name="patchType"> 922 <xs:sequence> 923 <xs:element name="diff" type="bom:diffType" minOccurs="0" maxOccurs="1"> 924 <xs:annotation> 925 <xs:documentation xml:lang="en">The patch file (or diff) that show changes. 926 Refer to https://en.wikipedia.org/wiki/Diff</xs:documentation> 927 </xs:annotation> 928 </xs:element> 929 <xs:element name="resolves" minOccurs="0" maxOccurs="1"> 930 <xs:complexType> 931 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 932 <xs:element name="issue" type="bom:issueType"/> 933 </xs:sequence> 934 </xs:complexType> 935 </xs:element> 936 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 937 <xs:annotation> 938 <xs:documentation> 939 Allows any undeclared elements as long as the elements are placed in a different namespace. 940 </xs:documentation> 941 </xs:annotation> 942 </xs:any> 943 </xs:sequence> 944 <xs:attribute name="type" type="bom:patchClassification" use="required"> 945 <xs:annotation> 946 <xs:documentation>Specifies the purpose for the patch including the resolution of defects, 947 security issues, or new behavior or functionality</xs:documentation> 948 </xs:annotation> 949 </xs:attribute> 950 </xs:complexType> 951 952 <xs:simpleType name="patchClassification"> 953 <xs:restriction base="xs:string"> 954 <xs:enumeration value="unofficial"> 955 <xs:annotation> 956 <xs:documentation>A patch which is not developed by the creators or maintainers of the software 957 being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch</xs:documentation> 958 </xs:annotation> 959 </xs:enumeration> 960 <xs:enumeration value="monkey"> 961 <xs:annotation> 962 <xs:documentation>A patch which dynamically modifies runtime behavior. 963 Refer to https://en.wikipedia.org/wiki/Monkey_patch</xs:documentation> 964 </xs:annotation> 965 </xs:enumeration> 966 <xs:enumeration value="backport"> 967 <xs:annotation> 968 <xs:documentation>A patch which takes code from a newer version of software and applies 969 it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting</xs:documentation> 970 </xs:annotation> 971 </xs:enumeration> 972 <xs:enumeration value="cherry-pick"> 973 <xs:annotation> 974 <xs:documentation>A patch created by selectively applying commits from other versions or 975 branches of the same software.</xs:documentation> 976 </xs:annotation> 977 </xs:enumeration> 978 </xs:restriction> 979 </xs:simpleType> 980 981 <xs:simpleType name="issueClassification"> 982 <xs:restriction base="xs:string"> 983 <xs:enumeration value="defect"> 984 <xs:annotation> 985 <xs:documentation>A fault, flaw, or bug in software</xs:documentation> 986 </xs:annotation> 987 </xs:enumeration> 988 <xs:enumeration value="enhancement"> 989 <xs:annotation> 990 <xs:documentation>A new feature or behavior in software</xs:documentation> 991 </xs:annotation> 992 </xs:enumeration> 993 <xs:enumeration value="security"> 994 <xs:annotation> 995 <xs:documentation>A special type of defect which impacts security</xs:documentation> 996 </xs:annotation> 997 </xs:enumeration> 998 </xs:restriction> 999 </xs:simpleType> 1000 1001 <xs:complexType name="diffType"> 1002 <xs:sequence> 1003 <xs:element name="text" type="bom:attachedTextType" minOccurs="0" maxOccurs="1"> 1004 <xs:annotation> 1005 <xs:documentation xml:lang="en">Specifies the optional text of the diff</xs:documentation> 1006 </xs:annotation> 1007 </xs:element> 1008 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 1009 <xs:annotation> 1010 <xs:documentation xml:lang="en">Specifies the URL to the diff</xs:documentation> 1011 </xs:annotation> 1012 </xs:element> 1013 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1014 <xs:annotation> 1015 <xs:documentation> 1016 Allows any undeclared elements as long as the elements are placed in a different namespace. 1017 </xs:documentation> 1018 </xs:annotation> 1019 </xs:any> 1020 </xs:sequence> 1021 </xs:complexType> 1022 1023 <xs:complexType name="issueType"> 1024 <xs:annotation> 1025 <xs:documentation> 1026 An individual issue that has been resolved. 1027 </xs:documentation> 1028 </xs:annotation> 1029 <xs:sequence> 1030 <xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1031 <xs:annotation> 1032 <xs:documentation xml:lang="en">The identifier of the issue assigned by the source of the issue</xs:documentation> 1033 </xs:annotation> 1034 </xs:element> 1035 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1036 <xs:annotation> 1037 <xs:documentation xml:lang="en">The name of the issue</xs:documentation> 1038 </xs:annotation> 1039 </xs:element> 1040 <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1041 <xs:annotation> 1042 <xs:documentation xml:lang="en">A description of the issue</xs:documentation> 1043 </xs:annotation> 1044 </xs:element> 1045 <xs:element name="source" minOccurs="0" maxOccurs="1"> 1046 <xs:complexType> 1047 <xs:annotation> 1048 <xs:documentation xml:lang="en"> 1049 The source of the issue where it is documented. 1050 </xs:documentation> 1051 </xs:annotation> 1052 <xs:sequence> 1053 <xs:element name="name" minOccurs="0" type="xs:normalizedString" maxOccurs="1"> 1054 <xs:annotation> 1055 <xs:documentation xml:lang="en"> 1056 The name of the source. For example "National Vulnerability Database", 1057 "NVD", and "Apache" 1058 </xs:documentation> 1059 </xs:annotation> 1060 </xs:element> 1061 <xs:element name="url" minOccurs="0" type="xs:anyURI" maxOccurs="1"> 1062 <xs:annotation> 1063 <xs:documentation xml:lang="en"> 1064 The url of the issue documentation as provided by the source 1065 </xs:documentation> 1066 </xs:annotation> 1067 </xs:element> 1068 </xs:sequence> 1069 </xs:complexType> 1070 </xs:element> 1071 <xs:element name="references" minOccurs="0" maxOccurs="1"> 1072 <xs:complexType> 1073 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1074 <xs:element name="url" type="xs:anyURI"/> 1075 </xs:sequence> 1076 </xs:complexType> 1077 </xs:element> 1078 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1079 <xs:annotation> 1080 <xs:documentation> 1081 Allows any undeclared elements as long as the elements are placed in a different namespace. 1082 </xs:documentation> 1083 </xs:annotation> 1084 </xs:any> 1085 </xs:sequence> 1086 <xs:attribute name="type" type="bom:issueClassification" use="required"> 1087 <xs:annotation> 1088 <xs:documentation>Specifies the type of issue</xs:documentation> 1089 </xs:annotation> 1090 </xs:attribute> 1091 </xs:complexType> 1092 1093 <xs:complexType name="identifiableActionType"> 1094 <xs:sequence> 1095 <xs:element name="timestamp" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 1096 <xs:annotation> 1097 <xs:documentation xml:lang="en">The timestamp in which the action occurred</xs:documentation> 1098 </xs:annotation> 1099 </xs:element> 1100 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1101 <xs:annotation> 1102 <xs:documentation xml:lang="en">The name of the individual who performed the action</xs:documentation> 1103 </xs:annotation> 1104 </xs:element> 1105 <xs:element name="email" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1106 <xs:annotation> 1107 <xs:documentation xml:lang="en">The email address of the individual who performed the action</xs:documentation> 1108 </xs:annotation> 1109 </xs:element> 1110 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1111 <xs:annotation> 1112 <xs:documentation> 1113 Allows any undeclared elements as long as the elements are placed in a different namespace. 1114 </xs:documentation> 1115 </xs:annotation> 1116 </xs:any> 1117 </xs:sequence> 1118 </xs:complexType> 1119 1120 <xs:complexType name="pedigreeType"> 1121 <xs:annotation> 1122 <xs:documentation xml:lang="en"> 1123 Component pedigree is a way to document complex supply chain scenarios where components are created, 1124 distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing 1125 this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to 1126 document variants where the exact relation may not be known. 1127 </xs:documentation> 1128 </xs:annotation> 1129 <xs:sequence> 1130 <xs:element name="ancestors" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 1131 <xs:annotation> 1132 <xs:documentation xml:lang="en">Describes zero or more components in which a component is derived 1133 from. This is commonly used to describe forks from existing projects where the forked version 1134 contains a ancestor node containing the original component it was forked from. For example, 1135 Component A is the original component. Component B is the component being used and documented 1136 in the BOM. However, Component B contains a pedigree node with a single ancestor documenting 1137 Component A - the original component from which Component B is derived from. 1138 </xs:documentation> 1139 </xs:annotation> 1140 </xs:element> 1141 <xs:element name="descendants" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 1142 <xs:annotation> 1143 <xs:documentation xml:lang="en">Descendants are the exact opposite of ancestors. This provides a 1144 way to document all forks (and their forks) of an original or root component. 1145 </xs:documentation> 1146 </xs:annotation> 1147 </xs:element> 1148 <xs:element name="variants" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 1149 <xs:annotation> 1150 <xs:documentation xml:lang="en">Variants describe relations where the relationship between the 1151 components are not known. For example, if Component A contains nearly identical code to 1152 Component B. They are both related, but it is unclear if one is derived from the other, 1153 or if they share a common ancestor. 1154 </xs:documentation> 1155 </xs:annotation> 1156 </xs:element> 1157 <xs:element name="commits" type="bom:commitsType" minOccurs="0" maxOccurs="1"> 1158 <xs:annotation> 1159 <xs:documentation xml:lang="en">A list of zero or more commits which provide a trail describing 1160 how the component deviates from an ancestor, descendant, or variant.</xs:documentation> 1161 </xs:annotation> 1162 </xs:element> 1163 <xs:element name="patches" type="bom:patchesType" minOccurs="0" maxOccurs="1"> 1164 <xs:annotation> 1165 <xs:documentation xml:lang="en">A list of zero or more patches describing how the component 1166 deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits 1167 or may be used in place of commits.</xs:documentation> 1168 </xs:annotation> 1169 </xs:element> 1170 <xs:element name="notes" type="xs:string" minOccurs="0" maxOccurs="1"> 1171 <xs:annotation> 1172 <xs:documentation xml:lang="en">Notes, observations, and other non-structured commentary 1173 describing the components pedigree. 1174 </xs:documentation> 1175 </xs:annotation> 1176 </xs:element> 1177 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1178 <xs:annotation> 1179 <xs:documentation> 1180 Allows any undeclared elements as long as the elements are placed in a different namespace. 1181 </xs:documentation> 1182 </xs:annotation> 1183 </xs:any> 1184 </xs:sequence> 1185 </xs:complexType> 1186 1187 <xs:complexType name="dependencyType"> 1188 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1189 <xs:element name="dependency" type="bom:dependencyType"/> 1190 </xs:sequence> 1191 <xs:attribute name="ref" type="bom:refType" use="required"> 1192 <xs:annotation> 1193 <xs:documentation>References a component or service by the its bom-ref attribute</xs:documentation> 1194 </xs:annotation> 1195 </xs:attribute> 1196 <xs:anyAttribute namespace="##other" processContents="lax"> 1197 <xs:annotation> 1198 <xs:documentation>User-defined attributes may be used on this element as long as they 1199 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1200 </xs:annotation> 1201 </xs:anyAttribute> 1202 </xs:complexType> 1203 1204 <xs:complexType name="dependenciesType"> 1205 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1206 <xs:element name="dependency" type="bom:dependencyType"> 1207 <xs:annotation> 1208 <xs:documentation>Components that do not have their own dependencies MUST be declared as empty 1209 elements within the graph. Components that are not represented in the dependency graph MAY 1210 have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque 1211 and not an indicator of a component being dependency-free.</xs:documentation> 1212 </xs:annotation> 1213 </xs:element> 1214 </xs:sequence> 1215 </xs:complexType> 1216 1217 <xs:complexType name="servicesType"> 1218 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1219 <xs:element name="service" type="bom:service"/> 1220 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1221 <xs:annotation> 1222 <xs:documentation> 1223 Allows any undeclared elements as long as the elements are placed in a different namespace. 1224 </xs:documentation> 1225 </xs:annotation> 1226 </xs:any> 1227 </xs:sequence> 1228 <xs:anyAttribute namespace="##any" processContents="lax"> 1229 <xs:annotation> 1230 <xs:documentation>User-defined attributes may be used on this element as long as they 1231 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1232 </xs:annotation> 1233 </xs:anyAttribute> 1234 </xs:complexType> 1235 1236 <xs:complexType name="service"> 1237 <xs:sequence> 1238 <xs:element name="provider" type="bom:organizationalEntity" minOccurs="0" maxOccurs="1"> 1239 <xs:annotation> 1240 <xs:documentation>The organization that provides the service.</xs:documentation> 1241 </xs:annotation> 1242 </xs:element> 1243 <xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1244 <xs:annotation> 1245 <xs:documentation>The grouping name, namespace, or identifier. This will often be a shortened, 1246 single name of the company or project that produced the service or domain name. 1247 Whitespace and special characters should be avoided.</xs:documentation> 1248 </xs:annotation> 1249 </xs:element> 1250 <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 1251 <xs:annotation> 1252 <xs:documentation>The name of the service. This will often be a shortened, single name 1253 of the service.</xs:documentation> 1254 </xs:annotation> 1255 </xs:element> 1256 <xs:element name="version" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1257 <xs:annotation> 1258 <xs:documentation>The service version.</xs:documentation> 1259 </xs:annotation> 1260 </xs:element> 1261 <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1262 <xs:annotation> 1263 <xs:documentation>Specifies a description for the service.</xs:documentation> 1264 </xs:annotation> 1265 </xs:element> 1266 <xs:element name="endpoints" minOccurs="0" maxOccurs="1"> 1267 <xs:complexType> 1268 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1269 <xs:element name="endpoint" type="xs:anyURI" minOccurs="1"> 1270 <xs:annotation> 1271 <xs:documentation>A service endpoint URI.</xs:documentation> 1272 </xs:annotation> 1273 </xs:element> 1274 </xs:sequence> 1275 </xs:complexType> 1276 </xs:element> 1277 <xs:element name="authenticated" type="xs:boolean" minOccurs="0" maxOccurs="1"> 1278 <xs:annotation> 1279 <xs:documentation>A boolean value indicating if the service requires authentication. 1280 A value of true indicates the service requires authentication prior to use. 1281 A value of false indicates the service does not require authentication.</xs:documentation> 1282 </xs:annotation> 1283 </xs:element> 1284 <xs:element name="x-trust-boundary" type="xs:boolean" minOccurs="0" maxOccurs="1"> 1285 <xs:annotation> 1286 <xs:documentation>A boolean value indicating if use of the service crosses a trust zone or boundary. 1287 A value of true indicates that by using the service, a trust boundary is crossed. 1288 A value of false indicates that by using the service, a trust boundary is not crossed.</xs:documentation> 1289 </xs:annotation> 1290 </xs:element> 1291 <xs:element name="data" minOccurs="0" maxOccurs="1"> 1292 <xs:complexType> 1293 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1294 <xs:element name="classification" type="bom:dataClassificationType"> 1295 <xs:annotation> 1296 <xs:documentation>Specifies the data classification.</xs:documentation> 1297 </xs:annotation> 1298 </xs:element> 1299 </xs:sequence> 1300 </xs:complexType> 1301 </xs:element> 1302 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 1303 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 1304 <xs:annotation> 1305 <xs:documentation>Provides the ability to document external references related to the service.</xs:documentation> 1306 </xs:annotation> 1307 </xs:element> 1308 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 1309 <xs:annotation> 1310 <xs:documentation>Provides the ability to document properties in a key/value store. 1311 This provides flexibility to include data not officially supported in the standard 1312 without having to use additional namespaces or create extensions. Property names 1313 of interest to the general public are encouraged to be registered in the 1314 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 1315 Formal registration is OPTIONAL.</xs:documentation> 1316 </xs:annotation> 1317 </xs:element> 1318 <xs:element name="services" minOccurs="0" maxOccurs="1"> 1319 <xs:annotation> 1320 <xs:documentation> 1321 A list of services included or deployed behind the parent service. This is not a dependency 1322 tree. It provides a way to specify a hierarchical representation of service assemblies. 1323 </xs:documentation> 1324 </xs:annotation> 1325 <xs:complexType> 1326 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1327 <xs:element name="service" type="bom:service"/> 1328 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1329 <xs:annotation> 1330 <xs:documentation> 1331 Allows any undeclared elements as long as the elements are placed in a different namespace. 1332 </xs:documentation> 1333 </xs:annotation> 1334 </xs:any> 1335 </xs:sequence> 1336 </xs:complexType> 1337 </xs:element> 1338 <xs:element name="releaseNotes" type="bom:releaseNotesType" minOccurs="0" maxOccurs="1"> 1339 <xs:annotation> 1340 <xs:documentation>Specifies optional release notes.</xs:documentation> 1341 </xs:annotation> 1342 </xs:element> 1343 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1344 <xs:annotation> 1345 <xs:documentation> 1346 Allows any undeclared elements as long as the elements are placed in a different namespace. 1347 </xs:documentation> 1348 </xs:annotation> 1349 </xs:any> 1350 </xs:sequence> 1351 <xs:attribute name="bom-ref" type="bom:refType"> 1352 <xs:annotation> 1353 <xs:documentation> 1354 An optional identifier which can be used to reference the service elsewhere in the BOM. 1355 Uniqueness is enforced within all elements and children of the root-level bom element. 1356 </xs:documentation> 1357 </xs:annotation> 1358 </xs:attribute> 1359 <xs:anyAttribute namespace="##any" processContents="lax"> 1360 <xs:annotation> 1361 <xs:documentation>User-defined attributes may be used on this element as long as they 1362 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1363 </xs:annotation> 1364 </xs:anyAttribute> 1365 </xs:complexType> 1366 1367 <xs:complexType name="dataClassificationType"> 1368 <xs:annotation> 1369 <xs:documentation>Specifies the data classification.</xs:documentation> 1370 </xs:annotation> 1371 <xs:simpleContent> 1372 <xs:extension base="xs:normalizedString"> 1373 <xs:attribute name="flow" type="bom:dataFlowType" use="required"> 1374 <xs:annotation> 1375 <xs:documentation>Specifies the flow direction of the data.</xs:documentation> 1376 </xs:annotation> 1377 </xs:attribute> 1378 </xs:extension> 1379 </xs:simpleContent> 1380 </xs:complexType> 1381 1382 <xs:simpleType name="dataFlowType"> 1383 <xs:annotation> 1384 <xs:documentation>Specifies the flow direction of the data. Valid values are: 1385 inbound, outbound, bi-directional, and unknown. Direction is relative to the service. 1386 Inbound flow states that data enters the service. Outbound flow states that data 1387 leaves the service. Bi-directional states that data flows both ways, and unknown 1388 states that the direction is not known.</xs:documentation> 1389 </xs:annotation> 1390 <xs:restriction base="xs:string"> 1391 <xs:enumeration value="inbound"/> 1392 <xs:enumeration value="outbound"/> 1393 <xs:enumeration value="bi-directional"/> 1394 <xs:enumeration value="unknown"/> 1395 </xs:restriction> 1396 </xs:simpleType> 1397 1398 <xs:complexType name="licenseChoiceType"> 1399 <xs:choice> 1400 <xs:element name="license" type="bom:licenseType" minOccurs="0" maxOccurs="unbounded"/> 1401 <xs:element name="expression" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1402 <xs:annotation> 1403 <xs:documentation>A valid SPDX license expression. 1404 Refer to https://spdx.org/specifications for syntax requirements</xs:documentation> 1405 </xs:annotation> 1406 </xs:element> 1407 </xs:choice> 1408 </xs:complexType> 1409 1410 <xs:complexType name="copyrightsType"> 1411 <xs:sequence> 1412 <xs:element name="text" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> 1413 </xs:sequence> 1414 </xs:complexType> 1415 1416 <xs:complexType name="componentEvidenceType"> 1417 <xs:sequence> 1418 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/> 1419 <xs:element name="copyright" type="bom:copyrightsType" minOccurs="0" maxOccurs="1"/> 1420 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1421 <xs:annotation> 1422 <xs:documentation> 1423 Allows any undeclared elements as long as the elements are placed in a different namespace. 1424 </xs:documentation> 1425 </xs:annotation> 1426 </xs:any> 1427 </xs:sequence> 1428 <xs:anyAttribute namespace="##any" processContents="lax"> 1429 <xs:annotation> 1430 <xs:documentation>User-defined attributes may be used on this element as long as they 1431 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1432 </xs:annotation> 1433 </xs:anyAttribute> 1434 </xs:complexType> 1435 1436 <xs:complexType name="compositionsType"> 1437 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1438 <xs:element name="composition" type="bom:compositionType"/> 1439 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1440 <xs:annotation> 1441 <xs:documentation> 1442 Allows any undeclared elements as long as the elements are placed in a different namespace. 1443 </xs:documentation> 1444 </xs:annotation> 1445 </xs:any> 1446 </xs:sequence> 1447 <xs:anyAttribute namespace="##any" processContents="lax"> 1448 <xs:annotation> 1449 <xs:documentation>User-defined attributes may be used on this element as long as they 1450 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1451 </xs:annotation> 1452 </xs:anyAttribute> 1453 </xs:complexType> 1454 1455 <xs:complexType name="compositionType"> 1456 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1457 <xs:element name="aggregate" type="bom:aggregateType" default="not_specified"> 1458 <xs:annotation> 1459 <xs:documentation>Specifies an aggregate type that describe how complete a relationship is.</xs:documentation> 1460 </xs:annotation> 1461 </xs:element> 1462 <xs:element name="assemblies" minOccurs="0" maxOccurs="1"> 1463 <xs:annotation> 1464 <xs:documentation> 1465 The bom-ref identifiers of the components or services being described. Assemblies refer to 1466 nested relationships whereby a constituent part may include other constituent parts. References 1467 do not cascade to child parts. References are explicit for the specified constituent part only. 1468 </xs:documentation> 1469 </xs:annotation> 1470 <xs:complexType> 1471 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1472 <xs:element name="assembly" type="bom:bomReferenceType"/> 1473 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1474 <xs:annotation> 1475 <xs:documentation> 1476 Allows any undeclared elements as long as the elements are placed in a different namespace. 1477 </xs:documentation> 1478 </xs:annotation> 1479 </xs:any> 1480 </xs:sequence> 1481 </xs:complexType> 1482 </xs:element> 1483 <xs:element name="dependencies" minOccurs="0" maxOccurs="1"> 1484 <xs:annotation> 1485 <xs:documentation> 1486 The bom-ref identifiers of the components or services being described. Dependencies refer to a 1487 relationship whereby an independent constituent part requires another independent constituent 1488 part. References do not cascade to transitive dependencies. References are explicit for the 1489 specified dependency only. 1490 </xs:documentation> 1491 </xs:annotation> 1492 <xs:complexType> 1493 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1494 <xs:element name="dependency" type="bom:bomReferenceType"/> 1495 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1496 <xs:annotation> 1497 <xs:documentation> 1498 Allows any undeclared elements as long as the elements are placed in a different namespace. 1499 </xs:documentation> 1500 </xs:annotation> 1501 </xs:any> 1502 </xs:sequence> 1503 </xs:complexType> 1504 </xs:element> 1505 </xs:sequence> 1506 </xs:complexType> 1507 1508 <xs:simpleType name="aggregateType"> 1509 <xs:restriction base="xs:string"> 1510 <xs:enumeration value="complete"> 1511 <xs:annotation> 1512 <xs:documentation>The relationship is complete. No further relationships including constituent components, services, or dependencies exist.</xs:documentation> 1513 </xs:annotation> 1514 </xs:enumeration> 1515 <xs:enumeration value="incomplete"> 1516 <xs:annotation> 1517 <xs:documentation>The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.</xs:documentation> 1518 </xs:annotation> 1519 </xs:enumeration> 1520 <xs:enumeration value="incomplete_first_party_only"> 1521 <xs:annotation> 1522 <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.</xs:documentation> 1523 </xs:annotation> 1524 </xs:enumeration> 1525 <xs:enumeration value="incomplete_third_party_only"> 1526 <xs:annotation> 1527 <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.</xs:documentation> 1528 </xs:annotation> 1529 </xs:enumeration> 1530 <xs:enumeration value="unknown"> 1531 <xs:annotation> 1532 <xs:documentation>The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.</xs:documentation> 1533 </xs:annotation> 1534 </xs:enumeration> 1535 <xs:enumeration value="not_specified"> 1536 <xs:annotation> 1537 <xs:documentation>The relationship completeness is not specified.</xs:documentation> 1538 </xs:annotation> 1539 </xs:enumeration> 1540 </xs:restriction> 1541 </xs:simpleType> 1542 1543 <xs:simpleType name="localeType"> 1544 <xs:annotation> 1545 <xs:documentation xml:lang="en"> 1546 Defines a syntax for representing two character language code (ISO-639) followed by an optional two 1547 character country code. The language code MUST be lower case. If the country code is specified, the 1548 country code MUST be upper case. The language code and country code MUST be separated by a minus sign. 1549 Examples: en, en-US, fr, fr-CA 1550 </xs:documentation> 1551 </xs:annotation> 1552 <xs:restriction base="xs:string"> 1553 <xs:pattern value="([a-z]{2})(-[A-Z]{2})?"/> 1554 </xs:restriction> 1555 </xs:simpleType> 1556 1557 <xs:complexType name="releaseNotesType"> 1558 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1559 <xs:element name="type" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 1560 <xs:annotation> 1561 <xs:documentation>The software versioning type. It is RECOMMENDED that the release type use one 1562 of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software 1563 release types is not practical, so standardizing on the recommended values, whenever possible, 1564 is strongly encouraged. 1565 * major = A major release may contain significant changes or may introduce breaking changes. 1566 * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. 1567 * patch = Patch releases are typically unplanned and may resolve defects or important security issues. 1568 * pre-release = A pre-release may include alpha, beta, or release candidates and typically have 1569 limited support. They provide the ability to preview a release prior to its general availability. 1570 * internal = Internal releases are not for public consumption and are intended to be used exclusively 1571 by the project or manufacturer that produced it. 1572 </xs:documentation> 1573 </xs:annotation> 1574 </xs:element> 1575 <xs:element name="title" type="xs:string" minOccurs="0" maxOccurs="1"> 1576 <xs:annotation> 1577 <xs:documentation>The title of the release.</xs:documentation> 1578 </xs:annotation> 1579 </xs:element> 1580 <xs:element name="featuredImage" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 1581 <xs:annotation> 1582 <xs:documentation>The URL to an image that may be prominently displayed with the release note.</xs:documentation> 1583 </xs:annotation> 1584 </xs:element> 1585 <xs:element name="socialImage" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 1586 <xs:annotation> 1587 <xs:documentation>The URL to an image that may be used in messaging on social media platforms.</xs:documentation> 1588 </xs:annotation> 1589 </xs:element> 1590 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 1591 <xs:annotation> 1592 <xs:documentation>A short description of the release.</xs:documentation> 1593 </xs:annotation> 1594 </xs:element> 1595 <xs:element name="timestamp" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 1596 <xs:annotation> 1597 <xs:documentation>The date and time (timestamp) when the release note was created.</xs:documentation> 1598 </xs:annotation> 1599 </xs:element> 1600 <xs:element name="aliases" minOccurs="0" maxOccurs="1"> 1601 <xs:complexType> 1602 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1603 <xs:element name="alias" type="xs:normalizedString"> 1604 <xs:annotation> 1605 <xs:documentation>One or more alternate names the release may be referred to. This may 1606 include unofficial terms used by development and marketing teams (e.g. code names).</xs:documentation> 1607 </xs:annotation> 1608 </xs:element> 1609 </xs:sequence> 1610 </xs:complexType> 1611 </xs:element> 1612 <xs:element name="tags" minOccurs="0" maxOccurs="1"> 1613 <xs:complexType> 1614 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1615 <xs:element name="tag" type="xs:normalizedString"> 1616 <xs:annotation> 1617 <xs:documentation>One or more tags that may aid in search or retrieval of the release note.</xs:documentation> 1618 </xs:annotation> 1619 </xs:element> 1620 </xs:sequence> 1621 </xs:complexType> 1622 </xs:element> 1623 <xs:element name="resolves" minOccurs="0" maxOccurs="1"> 1624 <xs:annotation> 1625 <xs:documentation>A collection of issues that have been resolved.</xs:documentation> 1626 </xs:annotation> 1627 <xs:complexType> 1628 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1629 <xs:element name="issue" type="bom:issueType"/> 1630 </xs:sequence> 1631 </xs:complexType> 1632 </xs:element> 1633 <xs:element name="notes" minOccurs="0" maxOccurs="1"> 1634 <xs:complexType> 1635 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1636 <xs:element name="note"> 1637 <xs:annotation> 1638 <xs:documentation>Zero or more release notes containing the locale and content. Multiple 1639 note elements may be specified to support release notes in a wide variety of languages.</xs:documentation> 1640 </xs:annotation> 1641 <xs:complexType> 1642 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1643 <xs:element name="locale" type="bom:localeType" minOccurs="0" maxOccurs="1"> 1644 <xs:annotation> 1645 <xs:documentation>The ISO-639 (or higher) language code and optional ISO-3166 1646 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".</xs:documentation> 1647 </xs:annotation> 1648 </xs:element> 1649 <xs:element name="text" type="bom:attachedTextType" minOccurs="1" maxOccurs="1"> 1650 <xs:annotation> 1651 <xs:documentation>Specifies the full content of the release note.</xs:documentation> 1652 </xs:annotation> 1653 </xs:element> 1654 </xs:sequence> 1655 </xs:complexType> 1656 </xs:element> 1657 </xs:sequence> 1658 </xs:complexType> 1659 </xs:element> 1660 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 1661 <xs:annotation> 1662 <xs:documentation>Provides the ability to document properties in a key/value store. 1663 This provides flexibility to include data not officially supported in the standard 1664 without having to use additional namespaces or create extensions. Property names 1665 of interest to the general public are encouraged to be registered in the 1666 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 1667 Formal registration is OPTIONAL.</xs:documentation> 1668 </xs:annotation> 1669 </xs:element> 1670 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1671 <xs:annotation> 1672 <xs:documentation> 1673 Allows any undeclared elements as long as the elements are placed in a different namespace. 1674 </xs:documentation> 1675 </xs:annotation> 1676 </xs:any> 1677 </xs:sequence> 1678 <xs:anyAttribute namespace="##any" processContents="lax"> 1679 <xs:annotation> 1680 <xs:documentation>User-defined attributes may be used on this element as long as they 1681 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1682 </xs:annotation> 1683 </xs:anyAttribute> 1684 </xs:complexType> 1685 1686 <xs:complexType name="bomReferenceType"> 1687 <xs:attribute name="ref" type="bom:refType" use="required"> 1688 <xs:annotation> 1689 <xs:documentation>References a component or service by the its bom-ref attribute</xs:documentation> 1690 </xs:annotation> 1691 </xs:attribute> 1692 <xs:anyAttribute namespace="##other" processContents="lax"> 1693 <xs:annotation> 1694 <xs:documentation>User-defined attributes may be used on this element as long as they 1695 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1696 </xs:annotation> 1697 </xs:anyAttribute> 1698 </xs:complexType> 1699 1700 <xs:complexType name="propertiesType"> 1701 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1702 <xs:element name="property" type="bom:propertyType"/> 1703 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1704 <xs:annotation> 1705 <xs:documentation> 1706 Allows any undeclared elements as long as the elements are placed in a different namespace. 1707 </xs:documentation> 1708 </xs:annotation> 1709 </xs:any> 1710 </xs:sequence> 1711 <xs:anyAttribute namespace="##any" processContents="lax"> 1712 <xs:annotation> 1713 <xs:documentation>User-defined attributes may be used on this element as long as they 1714 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1715 </xs:annotation> 1716 </xs:anyAttribute> 1717 </xs:complexType> 1718 1719 <xs:complexType name="propertyType"> 1720 <xs:annotation> 1721 <xs:documentation>Specifies an individual property with a name and value.</xs:documentation> 1722 </xs:annotation> 1723 <xs:simpleContent> 1724 <xs:extension base="xs:normalizedString"> 1725 <xs:attribute name="name" type="xs:string" use="required"> 1726 <xs:annotation> 1727 <xs:documentation>The name of the property. Duplicate names are allowed, each potentially having a different value.</xs:documentation> 1728 </xs:annotation> 1729 </xs:attribute> 1730 </xs:extension> 1731 </xs:simpleContent> 1732 </xs:complexType> 1733 1734 <xs:complexType name="vulnerabilitiesType"> 1735 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1736 <xs:element name="vulnerability" type="bom:vulnerabilityType"> 1737 <xs:annotation> 1738 <xs:documentation>Defines a weakness in an component or service that could be exploited or triggered by a threat source.</xs:documentation> 1739 </xs:annotation> 1740 </xs:element> 1741 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1742 <xs:annotation> 1743 <xs:documentation> 1744 Allows any undeclared elements as long as the elements are placed in a different namespace. 1745 </xs:documentation> 1746 </xs:annotation> 1747 </xs:any> 1748 </xs:sequence> 1749 <xs:anyAttribute namespace="##any" processContents="lax"> 1750 <xs:annotation> 1751 <xs:documentation>User-defined attributes may be used on this element as long as they 1752 do not have the same name as an existing attribute used by the schema.</xs:documentation> 1753 </xs:annotation> 1754 </xs:anyAttribute> 1755 </xs:complexType> 1756 1757 <xs:complexType name="vulnerabilityType"> 1758 <xs:sequence minOccurs="0" maxOccurs="1"> 1759 <xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1760 <xs:annotation> 1761 <xs:documentation>The identifier that uniquely identifies the vulnerability. For example: 1762 CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation> 1763 </xs:annotation> 1764 </xs:element> 1765 <xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1"> 1766 <xs:annotation> 1767 <xs:documentation>The source that published the vulnerability.</xs:documentation> 1768 </xs:annotation> 1769 </xs:element> 1770 <xs:element name="references" minOccurs="0" maxOccurs="1"> 1771 <xs:annotation> 1772 <xs:documentation>Zero or more pointers to vulnerabilities that are the equivalent of the 1773 vulnerability specified. Often times, the same vulnerability may exist in multiple sources of 1774 vulnerability intelligence, but have different identifiers. References provide a way to 1775 correlate vulnerabilities across multiple sources of vulnerability intelligence.</xs:documentation> 1776 </xs:annotation> 1777 <xs:complexType> 1778 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1779 <xs:element name="reference"> 1780 <xs:annotation> 1781 <xs:documentation>A pointer to a vulnerability that is the equivalent of the 1782 vulnerability specified.</xs:documentation> 1783 </xs:annotation> 1784 <xs:complexType> 1785 <xs:sequence minOccurs="1" maxOccurs="1"> 1786 <xs:element name="id" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 1787 <xs:annotation> 1788 <xs:documentation>The identifier that uniquely identifies the vulnerability. For example: 1789 CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.</xs:documentation> 1790 </xs:annotation> 1791 </xs:element> 1792 <xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1"> 1793 <xs:annotation> 1794 <xs:documentation>The source that published the vulnerability.</xs:documentation> 1795 </xs:annotation> 1796 </xs:element> 1797 </xs:sequence> 1798 </xs:complexType> 1799 </xs:element> 1800 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 1801 <xs:annotation> 1802 <xs:documentation> 1803 Allows any undeclared elements as long as the elements are placed in a different namespace. 1804 </xs:documentation> 1805 </xs:annotation> 1806 </xs:any> 1807 </xs:sequence> 1808 </xs:complexType> 1809 </xs:element> 1810 <xs:element name="ratings" minOccurs="0" maxOccurs="1"> 1811 <xs:annotation> 1812 <xs:documentation xml:lang="en">List of vulnerability ratings.</xs:documentation> 1813 </xs:annotation> 1814 <xs:complexType> 1815 <xs:sequence> 1816 <xs:element name="rating" type="bom:ratingType" minOccurs="0" maxOccurs="unbounded"/> 1817 </xs:sequence> 1818 </xs:complexType> 1819 </xs:element> 1820 <xs:element name="cwes" minOccurs="0" maxOccurs="1"> 1821 <xs:complexType> 1822 <xs:annotation> 1823 <xs:documentation xml:lang="en"> 1824 List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. 1825 For example 399 (of https://cwe.mitre.org/data/definitions/399.html) 1826 </xs:documentation> 1827 </xs:annotation> 1828 <xs:sequence> 1829 <xs:element name="cwe" type="xs:integer" minOccurs="0" maxOccurs="unbounded"/> 1830 </xs:sequence> 1831 </xs:complexType> 1832 </xs:element> 1833 <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1"> 1834 <xs:annotation> 1835 <xs:documentation>A description of the vulnerability as provided by the source.</xs:documentation> 1836 </xs:annotation> 1837 </xs:element> 1838 <xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1"> 1839 <xs:annotation> 1840 <xs:documentation>If available, an in-depth description of the vulnerability as provided by the 1841 source organization. Details often include examples, proof-of-concepts, and other information 1842 useful in understanding root cause.</xs:documentation> 1843 </xs:annotation> 1844 </xs:element> 1845 <xs:element name="recommendation" type="xs:string" minOccurs="0" maxOccurs="1"> 1846 <xs:annotation> 1847 <xs:documentation>Recommendations of how the vulnerability can be remediated or mitigated.</xs:documentation> 1848 </xs:annotation> 1849 </xs:element> 1850 <xs:element name="advisories" minOccurs="0" maxOccurs="1"> 1851 <xs:complexType> 1852 <xs:annotation> 1853 <xs:documentation xml:lang="en"> 1854 Published advisories of the vulnerability if provided. 1855 </xs:documentation> 1856 </xs:annotation> 1857 <xs:sequence> 1858 <xs:element name="advisory" type="bom:advisoryType" minOccurs="0" maxOccurs="unbounded"/> 1859 </xs:sequence> 1860 </xs:complexType> 1861 </xs:element> 1862 <xs:element name="created" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 1863 <xs:annotation> 1864 <xs:documentation>The date and time (timestamp) when the vulnerability record was created in the vulnerability database.</xs:documentation> 1865 </xs:annotation> 1866 </xs:element> 1867 <xs:element name="published" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 1868 <xs:annotation> 1869 <xs:documentation>The date and time (timestamp) when the vulnerability record was first published.</xs:documentation> 1870 </xs:annotation> 1871 </xs:element> 1872 <xs:element name="updated" type="xs:dateTime" minOccurs="0" maxOccurs="1"> 1873 <xs:annotation> 1874 <xs:documentation>The date and time (timestamp) when the vulnerability record was last updated.</xs:documentation> 1875 </xs:annotation> 1876 </xs:element> 1877 <xs:element name="credits" minOccurs="0" maxOccurs="1"> 1878 <xs:annotation> 1879 <xs:documentation>Individuals or organizations credited with the discovery of the vulnerability.</xs:documentation> 1880 </xs:annotation> 1881 <xs:complexType> 1882 <xs:sequence> 1883 <xs:element name="organizations" minOccurs="0" maxOccurs="1"> 1884 <xs:annotation> 1885 <xs:documentation>The organizations credited with vulnerability discovery.</xs:documentation> 1886 </xs:annotation> 1887 <xs:complexType> 1888 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1889 <xs:element name="organization" type="bom:organizationalEntity"/> 1890 </xs:sequence> 1891 </xs:complexType> 1892 </xs:element> 1893 <xs:element name="individuals" minOccurs="0" maxOccurs="1"> 1894 <xs:annotation> 1895 <xs:documentation>The individuals, not associated with organizations, that are credited with vulnerability discovery.</xs:documentation> 1896 </xs:annotation> 1897 <xs:complexType> 1898 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1899 <xs:element name="individual" type="bom:organizationalContact"/> 1900 </xs:sequence> 1901 </xs:complexType> 1902 </xs:element> 1903 </xs:sequence> 1904 </xs:complexType> 1905 </xs:element> 1906 <xs:element name="tools" minOccurs="0" maxOccurs="1"> 1907 <xs:annotation> 1908 <xs:documentation>The tool(s) used to identify, confirm, or score the vulnerability.</xs:documentation> 1909 </xs:annotation> 1910 <xs:complexType> 1911 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1912 <xs:element name="tool" minOccurs="0" type="bom:toolType"/> 1913 </xs:sequence> 1914 </xs:complexType> 1915 </xs:element> 1916 <xs:element name="analysis" minOccurs="0" maxOccurs="1"> 1917 <xs:complexType> 1918 <xs:annotation> 1919 <xs:documentation xml:lang="en"> 1920 An assessment of the impact and exploitability of the vulnerability. 1921 </xs:documentation> 1922 </xs:annotation> 1923 <xs:sequence minOccurs="0" maxOccurs="1"> 1924 <xs:element name="state" type="bom:impactAnalysisStateType" minOccurs="0" maxOccurs="1"> 1925 <xs:annotation> 1926 <xs:documentation xml:lang="en"> 1927 Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. 1928 </xs:documentation> 1929 </xs:annotation> 1930 </xs:element> 1931 <xs:element name="justification" type="bom:impactAnalysisJustificationType" minOccurs="0" maxOccurs="1"> 1932 <xs:annotation> 1933 <xs:documentation xml:lang="en"> 1934 The rationale of why the impact analysis state was asserted. 1935 </xs:documentation> 1936 </xs:annotation> 1937 </xs:element> 1938 <xs:element name="responses" minOccurs="0" maxOccurs="1"> 1939 <xs:annotation> 1940 <xs:documentation>A response to the vulnerability by the manufacturer, supplier, or 1941 project responsible for the affected component or service. More than one response 1942 is allowed. Responses are strongly encouraged for vulnerabilities where the analysis 1943 state is exploitable.</xs:documentation> 1944 </xs:annotation> 1945 <xs:complexType> 1946 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1947 <xs:element name="response" type="bom:impactAnalysisResponsesType"/> 1948 </xs:sequence> 1949 </xs:complexType> 1950 </xs:element> 1951 <xs:element name="detail" type="xs:string" minOccurs="0" maxOccurs="1"> 1952 <xs:annotation> 1953 <xs:documentation xml:lang="en"> 1954 Detailed description of the impact including methods used during assessment. 1955 If a vulnerability is not exploitable, this field should include specific details 1956 on why the component or service is not impacted by this vulnerability. 1957 </xs:documentation> 1958 </xs:annotation> 1959 </xs:element> 1960 </xs:sequence> 1961 </xs:complexType> 1962 </xs:element> 1963 <xs:element name="affects" minOccurs="0" maxOccurs="1"> 1964 <xs:annotation> 1965 <xs:documentation>The components or services that are affected by the vulnerability.</xs:documentation> 1966 </xs:annotation> 1967 <xs:complexType> 1968 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1969 <xs:element name="target"> 1970 <xs:complexType> 1971 <xs:sequence minOccurs="0" maxOccurs="1"> 1972 <xs:element name="ref" minOccurs="1" maxOccurs="1"> 1973 <xs:annotation> 1974 <xs:documentation>References a component or service by the objects bom-ref.</xs:documentation> 1975 </xs:annotation> 1976 </xs:element> 1977 <xs:element name="versions" minOccurs="0" maxOccurs="1"> 1978 <xs:annotation> 1979 <xs:documentation>Zero or more individual versions or range of versions.</xs:documentation> 1980 </xs:annotation> 1981 <xs:complexType> 1982 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 1983 <xs:element name="version"> 1984 <xs:complexType> 1985 <xs:sequence minOccurs="0" maxOccurs="1"> 1986 <xs:choice> 1987 <xs:element name="version" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 1988 <xs:annotation> 1989 <xs:documentation>A single version of a component or service.</xs:documentation> 1990 </xs:annotation> 1991 </xs:element> 1992 <xs:element name="range" type="xs:normalizedString" minOccurs="1" maxOccurs="1"> 1993 <xs:annotation> 1994 <xs:documentation>A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst</xs:documentation> 1995 </xs:annotation> 1996 </xs:element> 1997 </xs:choice> 1998 <xs:element name="status" type="bom:impactAnalysisAffectedStatusType" minOccurs="0" maxOccurs="1" default="affected"> 1999 <xs:annotation> 2000 <xs:documentation> 2001 The vulnerability status for the version or range of versions. 2002 </xs:documentation> 2003 </xs:annotation> 2004 </xs:element> 2005 </xs:sequence> 2006 </xs:complexType> 2007 </xs:element> 2008 </xs:sequence> 2009 </xs:complexType> 2010 </xs:element> 2011 </xs:sequence> 2012 </xs:complexType> 2013 </xs:element> 2014 </xs:sequence> 2015 </xs:complexType> 2016 </xs:element> 2017 </xs:sequence> 2018 <xs:attribute name="bom-ref" type="bom:refType"> 2019 <xs:annotation> 2020 <xs:documentation> 2021 An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. 2022 Uniqueness is enforced within all elements and children of the root-level bom element. 2023 </xs:documentation> 2024 </xs:annotation> 2025 </xs:attribute> 2026 </xs:complexType> 2027 2028 <xs:complexType name="vulnerabilitySourceType"> 2029 <xs:sequence minOccurs="0" maxOccurs="unbounded"> 2030 <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 2031 <xs:annotation> 2032 <xs:documentation>The name of the source. 2033 For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories 2034 </xs:documentation> 2035 </xs:annotation> 2036 </xs:element> 2037 <xs:element name="url" type="xs:anyURI" minOccurs="0" maxOccurs="1"> 2038 <xs:annotation> 2039 <xs:documentation>The url of the vulnerability documentation as provided by the source. 2040 For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182</xs:documentation> 2041 </xs:annotation> 2042 </xs:element> 2043 </xs:sequence> 2044 </xs:complexType> 2045 2046 <xs:complexType name="ratingType"> 2047 <xs:sequence> 2048 <xs:element name="source" type="bom:vulnerabilitySourceType" minOccurs="0" maxOccurs="1"> 2049 <xs:annotation> 2050 <xs:documentation>The source that calculated the severity or risk rating of the vulnerability.</xs:documentation> 2051 </xs:annotation> 2052 </xs:element> 2053 <xs:element name="score" type="xs:decimal" minOccurs="0" maxOccurs="1"> 2054 <xs:annotation> 2055 <xs:documentation>The numerical score of the rating.</xs:documentation> 2056 </xs:annotation> 2057 </xs:element> 2058 <xs:element name="severity" type="bom:severityType" minOccurs="0" maxOccurs="1"> 2059 <xs:annotation> 2060 <xs:documentation>Textual representation of the severity that corresponds to the numerical score of the rating.</xs:documentation> 2061 </xs:annotation> 2062 </xs:element> 2063 <xs:element name="method" type="bom:scoreSourceType" minOccurs="0" maxOccurs="1"> 2064 <xs:annotation> 2065 <xs:documentation>The risk scoring methodology/standard used.</xs:documentation> 2066 </xs:annotation> 2067 </xs:element> 2068 <xs:element name="vector" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 2069 <xs:annotation> 2070 <xs:documentation>Textual representation of the metric values used to score the vulnerability.</xs:documentation> 2071 </xs:annotation> 2072 </xs:element> 2073 <xs:element name="justification" type="xs:string" minOccurs="0" maxOccurs="1"> 2074 <xs:annotation> 2075 <xs:documentation>An optional reason for rating the vulnerability as it was.</xs:documentation> 2076 </xs:annotation> 2077 </xs:element> 2078 </xs:sequence> 2079 </xs:complexType> 2080 2081 <xs:complexType name="advisoryType"> 2082 <xs:sequence> 2083 <xs:element name="title" type="xs:normalizedString" minOccurs="0" maxOccurs="1"> 2084 <xs:annotation> 2085 <xs:documentation>An optional name of the advisory.</xs:documentation> 2086 </xs:annotation> 2087 </xs:element> 2088 <xs:element name="url" type="xs:anyURI" minOccurs="1" maxOccurs="1"> 2089 <xs:annotation> 2090 <xs:documentation>Location where the advisory can be obtained.</xs:documentation> 2091 </xs:annotation> 2092 </xs:element> 2093 </xs:sequence> 2094 </xs:complexType> 2095 2096 <xs:simpleType name="severityType" final="restriction"> 2097 <xs:annotation> 2098 <xs:documentation xml:lang="en"> 2099 Textual representation of the severity of the vulnerability adopted by the analysis method. If the 2100 analysis method uses values other than what is provided, the user is expected to translate appropriately. 2101 </xs:documentation> 2102 </xs:annotation> 2103 <xs:restriction base="xs:string"> 2104 <xs:enumeration value="critical"/> 2105 <xs:enumeration value="high"/> 2106 <xs:enumeration value="medium"/> 2107 <xs:enumeration value="low"/> 2108 <xs:enumeration value="info"/> 2109 <xs:enumeration value="none"/> 2110 <xs:enumeration value="unknown"/> 2111 </xs:restriction> 2112 </xs:simpleType> 2113 2114 <xs:simpleType name="impactAnalysisStateType" final="restriction"> 2115 <xs:annotation> 2116 <xs:documentation xml:lang="en"> 2117 Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. 2118 </xs:documentation> 2119 </xs:annotation> 2120 <xs:restriction base="xs:string"> 2121 <xs:enumeration value="resolved"> 2122 <xs:annotation> 2123 <xs:documentation> 2124 The vulnerability has been remediated. 2125 </xs:documentation> 2126 </xs:annotation> 2127 </xs:enumeration> 2128 <xs:enumeration value="resolved_with_pedigree"> 2129 <xs:annotation> 2130 <xs:documentation> 2131 The vulnerability has been remediated and evidence of the changes are provided in the affected 2132 components pedigree containing verifiable commit history and/or diff(s). 2133 </xs:documentation> 2134 </xs:annotation> 2135 </xs:enumeration> 2136 <xs:enumeration value="exploitable"> 2137 <xs:annotation> 2138 <xs:documentation> 2139 The vulnerability may be directly or indirectly exploitable. 2140 </xs:documentation> 2141 </xs:annotation> 2142 </xs:enumeration> 2143 <xs:enumeration value="in_triage"> 2144 <xs:annotation> 2145 <xs:documentation> 2146 The vulnerability is being investigated. 2147 </xs:documentation> 2148 </xs:annotation> 2149 </xs:enumeration> 2150 <xs:enumeration value="false_positive"> 2151 <xs:annotation> 2152 <xs:documentation> 2153 The vulnerability is not specific to the component or service and was falsely identified or associated. 2154 </xs:documentation> 2155 </xs:annotation> 2156 </xs:enumeration> 2157 <xs:enumeration value="not_affected"> 2158 <xs:annotation> 2159 <xs:documentation> 2160 The component or service is not affected by the vulnerability. Justification should be specified 2161 for all not_affected cases. 2162 </xs:documentation> 2163 </xs:annotation> 2164 </xs:enumeration> 2165 </xs:restriction> 2166 </xs:simpleType> 2167 2168 <xs:simpleType name="impactAnalysisJustificationType" final="restriction"> 2169 <xs:annotation> 2170 <xs:documentation xml:lang="en"> 2171 The rationale of why the impact analysis state was asserted. 2172 </xs:documentation> 2173 </xs:annotation> 2174 <xs:restriction base="xs:string"> 2175 <xs:enumeration value="code_not_present"> 2176 <xs:annotation> 2177 <xs:documentation> 2178 The code has been removed or tree-shaked. 2179 </xs:documentation> 2180 </xs:annotation> 2181 </xs:enumeration> 2182 <xs:enumeration value="code_not_reachable"> 2183 <xs:annotation> 2184 <xs:documentation> 2185 The vulnerable code is not invoked at runtime. 2186 </xs:documentation> 2187 </xs:annotation> 2188 </xs:enumeration> 2189 <xs:enumeration value="requires_configuration"> 2190 <xs:annotation> 2191 <xs:documentation> 2192 Exploitability requires a configurable option to be set/unset. 2193 </xs:documentation> 2194 </xs:annotation> 2195 </xs:enumeration> 2196 <xs:enumeration value="requires_dependency"> 2197 <xs:annotation> 2198 <xs:documentation> 2199 Exploitability requires a dependency that is not present. 2200 </xs:documentation> 2201 </xs:annotation> 2202 </xs:enumeration> 2203 <xs:enumeration value="requires_environment"> 2204 <xs:annotation> 2205 <xs:documentation> 2206 Exploitability requires a certain environment which is not present. 2207 </xs:documentation> 2208 </xs:annotation> 2209 </xs:enumeration> 2210 <xs:enumeration value="protected_by_compiler"> 2211 <xs:annotation> 2212 <xs:documentation> 2213 Exploitability requires a compiler flag to be set/unset. 2214 </xs:documentation> 2215 </xs:annotation> 2216 </xs:enumeration> 2217 <xs:enumeration value="protected_at_runtime"> 2218 <xs:annotation> 2219 <xs:documentation> 2220 Exploits are prevented at runtime. 2221 </xs:documentation> 2222 </xs:annotation> 2223 </xs:enumeration> 2224 <xs:enumeration value="protected_at_perimeter"> 2225 <xs:annotation> 2226 <xs:documentation> 2227 Attacks are blocked at physical, logical, or network perimeter. 2228 </xs:documentation> 2229 </xs:annotation> 2230 </xs:enumeration> 2231 <xs:enumeration value="protected_by_mitigating_control"> 2232 <xs:annotation> 2233 <xs:documentation> 2234 Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. 2235 </xs:documentation> 2236 </xs:annotation> 2237 </xs:enumeration> 2238 </xs:restriction> 2239 </xs:simpleType> 2240 2241 <xs:simpleType name="scoreSourceType" final="restriction"> 2242 <xs:annotation> 2243 <xs:documentation xml:lang="en"> 2244 Specifies the severity or risk scoring methodology or standard used. 2245 </xs:documentation> 2246 </xs:annotation> 2247 <xs:restriction base="xs:string"> 2248 <xs:enumeration value="CVSSv2"> 2249 <xs:annotation> 2250 <xs:documentation xml:lang="en"> 2251 The rating is based on CVSS v2 standard 2252 https://www.first.org/cvss/v2/ 2253 </xs:documentation> 2254 </xs:annotation> 2255 </xs:enumeration> 2256 <xs:enumeration value="CVSSv3"> 2257 <xs:annotation> 2258 <xs:documentation xml:lang="en"> 2259 The rating is based on CVSS v3.0 standard 2260 https://www.first.org/cvss/v3-0/ 2261 </xs:documentation> 2262 </xs:annotation> 2263 </xs:enumeration> 2264 <xs:enumeration value="CVSSv31"> 2265 <xs:annotation> 2266 <xs:documentation xml:lang="en"> 2267 The rating is based on CVSS v3.1 standard 2268 https://www.first.org/cvss/v3-1/ 2269 </xs:documentation> 2270 </xs:annotation> 2271 </xs:enumeration> 2272 <xs:enumeration value="OWASP"> 2273 <xs:annotation> 2274 <xs:documentation xml:lang="en"> 2275 The rating is based on OWASP Risk Rating 2276 https://owasp.org/www-community/OWASP_Risk_Rating_Methodology 2277 </xs:documentation> 2278 </xs:annotation> 2279 </xs:enumeration> 2280 <xs:enumeration value="other"> 2281 <xs:annotation> 2282 <xs:documentation xml:lang="en"> 2283 Use this if the risk scoring methodology is not based on any of the options above 2284 </xs:documentation> 2285 </xs:annotation> 2286 </xs:enumeration> 2287 </xs:restriction> 2288 </xs:simpleType> 2289 2290 <xs:simpleType name="impactAnalysisResponsesType" final="restriction"> 2291 <xs:annotation> 2292 <xs:documentation xml:lang="en"> 2293 The rationale of why the impact analysis state was asserted. 2294 </xs:documentation> 2295 </xs:annotation> 2296 <xs:restriction base="xs:string"> 2297 <xs:enumeration value="can_not_fix"/> 2298 <xs:enumeration value="will_not_fix"/> 2299 <xs:enumeration value="update"/> 2300 <xs:enumeration value="rollback"/> 2301 <xs:enumeration value="workaround_available"/> 2302 </xs:restriction> 2303 </xs:simpleType> 2304 2305 <xs:simpleType name="impactAnalysisAffectedStatusType" final="restriction"> 2306 <xs:annotation> 2307 <xs:documentation xml:lang="en"> 2308 The vulnerability status of a given version or range of versions of a product. The statuses 2309 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. 2310 The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. 2311 There can be many reasons for an 'unknown' status, including that an investigation has not been 2312 undertaken or that a vendor has not disclosed the status. 2313 </xs:documentation> 2314 </xs:annotation> 2315 <xs:restriction base="xs:string"> 2316 <xs:enumeration value="affected"/> 2317 <xs:enumeration value="unaffected"/> 2318 <xs:enumeration value="unknown"/> 2319 </xs:restriction> 2320 </xs:simpleType> 2321 2322 2323 <xs:element name="bom"> 2324 <xs:complexType> 2325 <xs:sequence> 2326 <xs:element name="metadata" type="bom:metadata" minOccurs="0" maxOccurs="1"> 2327 <xs:annotation> 2328 <xs:documentation>Provides additional information about a BOM.</xs:documentation> 2329 </xs:annotation> 2330 </xs:element> 2331 <xs:element name="components" type="bom:componentsType" minOccurs="0" maxOccurs="1"> 2332 <xs:annotation> 2333 <xs:documentation>A list of software and hardware components.</xs:documentation> 2334 </xs:annotation> 2335 </xs:element> 2336 <xs:element name="services" type="bom:servicesType" minOccurs="0" maxOccurs="1"> 2337 <xs:annotation> 2338 <xs:documentation>A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.</xs:documentation> 2339 </xs:annotation> 2340 </xs:element> 2341 <xs:element name="externalReferences" type="bom:externalReferences" minOccurs="0" maxOccurs="1"> 2342 <xs:annotation> 2343 <xs:documentation>Provides the ability to document external references related to the BOM or 2344 to the project the BOM describes.</xs:documentation> 2345 </xs:annotation> 2346 </xs:element> 2347 <xs:element name="dependencies" type="bom:dependenciesType" minOccurs="0" maxOccurs="1"> 2348 <xs:annotation> 2349 <xs:documentation>Provides the ability to document dependency relationships.</xs:documentation> 2350 </xs:annotation> 2351 </xs:element> 2352 <xs:element name="compositions" type="bom:compositionsType" minOccurs="0" maxOccurs="1"> 2353 <xs:annotation> 2354 <xs:documentation>Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness.</xs:documentation> 2355 </xs:annotation> 2356 </xs:element> 2357 <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> 2358 <xs:annotation> 2359 <xs:documentation>Provides the ability to document properties in a key/value store. 2360 This provides flexibility to include data not officially supported in the standard 2361 without having to use additional namespaces or create extensions. Property names 2362 of interest to the general public are encouraged to be registered in the 2363 CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. 2364 Formal registration is OPTIONAL.</xs:documentation> 2365 </xs:annotation> 2366 </xs:element> 2367 <xs:element name="vulnerabilities" type="bom:vulnerabilitiesType" minOccurs="0" maxOccurs="1"> 2368 <xs:annotation> 2369 <xs:documentation>Vulnerabilities identified in components or services.</xs:documentation> 2370 </xs:annotation> 2371 </xs:element> 2372 <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"> 2373 <xs:annotation> 2374 <xs:documentation> 2375 Allows any undeclared elements as long as the elements are placed in a different namespace. 2376 </xs:documentation> 2377 </xs:annotation> 2378 </xs:any> 2379 </xs:sequence> 2380 <xs:attribute name="version" type="xs:integer" default="1"> 2381 <xs:annotation> 2382 <xs:documentation>Whenever an existing BOM is modified, either manually or through automated 2383 processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with 2384 multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. 2385 The default version is '1'.</xs:documentation> 2386 </xs:annotation> 2387 </xs:attribute> 2388 <xs:attribute name="serialNumber" type="bom:urnUuid"> 2389 <xs:annotation> 2390 <xs:documentation>Every BOM generated SHOULD have a unique serial number, even if the contents of 2391 the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. 2392 Use of serial numbers are RECOMMENDED.</xs:documentation> 2393 </xs:annotation> 2394 </xs:attribute> 2395 <xs:anyAttribute namespace="##any" processContents="lax"> 2396 <xs:annotation> 2397 <xs:documentation>User-defined attributes may be used on this element as long as they 2398 do not have the same name as an existing attribute used by the schema.</xs:documentation> 2399 </xs:annotation> 2400 </xs:anyAttribute> 2401 </xs:complexType> 2402 <xs:unique name="bom-ref"> 2403 <xs:selector xpath=".//*"/> 2404 <xs:field xpath="@bom-ref"/> 2405 </xs:unique> 2406 </xs:element> 2407 </xs:schema>