diff --git a/schema/2.0/README.md b/schema/2.0/README.md index 377fecd9..6adeb8ea 100644 --- a/schema/2.0/README.md +++ b/schema/2.0/README.md @@ -16,7 +16,7 @@ validation, tooling, and data exchange. ## Modularity and Model Composition -CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, services, vulnerabilities, +CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, vulnerabilities, licensing, and AI/ML metadata, are encapsulated in reusable model definitions located in the [`model/`](./model) directory. This modular architecture promotes: diff --git a/schema/2.0/cyclonedx-2.0.schema.json b/schema/2.0/cyclonedx-2.0.schema.json index 190cc1f8..cc6e33f1 100644 --- a/schema/2.0/cyclonedx-2.0.schema.json +++ b/schema/2.0/cyclonedx-2.0.schema.json @@ -52,9 +52,6 @@ "$ref": "model/cyclonedx-component-2.0.schema.json#/$defs/components", "description": "A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship." }, - "services": { - "$ref": "model/cyclonedx-service-2.0.schema.json#/$defs/services" - }, "dependencies": { "$ref": "model/cyclonedx-dependency-2.0.schema.json#/$defs/dependencies" }, diff --git a/schema/2.0/model/README.md b/schema/2.0/model/README.md index 307e0068..a3ccc9e3 100644 --- a/schema/2.0/model/README.md +++ b/schema/2.0/model/README.md @@ -18,15 +18,15 @@ These models are compiled into the schemas in the parent directory, ensuring con |----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------| | [`cyclonedx-ai-model-parameters-2.0.schema.json`](./cyclonedx-ai-model-parameters-2.0.schema.json) | Defines configuration and metadata for AI/ML training, evaluation, and deployment parameters. | | [`cyclonedx-ai-modelcard-2.0.schema.json`](./cyclonedx-ai-modelcard-2.0.schema.json) | Describes AI/ML model cards including intended use, limitations, and ethical considerations. | -| [`cyclonedx-annotation-2.0.schema.json`](./cyclonedx-annotation-2.0.schema.json) | Represents human or automated comments about BOM elements, such as components or services. | +| [`cyclonedx-annotation-2.0.schema.json`](./cyclonedx-annotation-2.0.schema.json) | Represents human or automated comments about BOM elements, such as components. | | [`cyclonedx-common-2.0.schema.json`](./cyclonedx-common-2.0.schema.json) | Provides common types and base definitions used across all other schemas. | -| [`cyclonedx-component-2.0.schema.json`](./cyclonedx-component-2.0.schema.json) | Models hardware, software, data, cryptographic, and AI components and their attributes. | +| [`cyclonedx-component-2.0.schema.json`](./cyclonedx-component-2.0.schema.json) | Models hardware, software, data, cryptographic, AI, and service components and their attributes. | | [`cyclonedx-composition-2.0.schema.json`](./cyclonedx-composition-2.0.schema.json) | Indicates the known and unknown completeness of BOM elements and their relationships. | | [`cyclonedx-cryptography-2.0.schema.json`](./cyclonedx-cryptography-2.0.schema.json) | Defines cryptographic properties, including algorithms, keys, and post-quantum cryptographic readiness. | | [`cyclonedx-declaration-2.0.schema.json`](./cyclonedx-declaration-2.0.schema.json) | Structures conformance declarations, claims, attestations, and associated evidence. | | [`cyclonedx-definition-2.0.schema.json`](./cyclonedx-definition-2.0.schema.json) | Contains reusable definitions and enums referenced by other schemas. | -| [`cyclonedx-dependency-2.0.schema.json`](./cyclonedx-dependency-2.0.schema.json) | Captures dependency relationships among components and services in the BOM. | -| [`cyclonedx-formulation-2.0.schema.json`](./cyclonedx-formulation-2.0.schema.json) | Describes the process of manufacturing, building, or deploying a component or service. | +| [`cyclonedx-dependency-2.0.schema.json`](./cyclonedx-dependency-2.0.schema.json) | Captures dependency relationships among components in the BOM. | +| [`cyclonedx-formulation-2.0.schema.json`](./cyclonedx-formulation-2.0.schema.json) | Describes the process of manufacturing, building, or deploying a component. | | [`cyclonedx-license-2.0.schema.json`](./cyclonedx-license-2.0.schema.json) | Models software licences using SPDX IDs, named licences, and optional full text. | | [`cyclonedx-licensing-2.0.schema.json`](./cyclonedx-licensing-2.0.schema.json) | Expands on licence metadata with purchaser, licensee, terms, and validity periods. | | [`cyclonedx-metadata-2.0.schema.json`](./cyclonedx-metadata-2.0.schema.json) | Contains metadata about the BOM, such as authorship, tools used, and timestamps. | @@ -34,7 +34,6 @@ These models are compiled into the schemas in the parent directory, ensuring con | [`cyclonedx-patent-assertion-2.0.schema.json`](./cyclonedx-patent-assertion-2.0.schema.json) | Defines legal claims or disclaimers associated with patents. | | [`cyclonedx-patent-family-2.0.schema.json`](./cyclonedx-patent-family-2.0.schema.json) | Groups related patents across different jurisdictions into patent families. | | [`cyclonedx-release-notes-2.0.schema.json`](./cyclonedx-release-notes-2.0.schema.json) | Specifies structured release note content, including changes and version history. | -| [`cyclonedx-service-2.0.schema.json`](./cyclonedx-service-2.0.schema.json) | Models services such as APIs or microservices, including endpoints and interactions. | | [`cyclonedx-standard-2.0.schema.json`](./cyclonedx-standard-2.0.schema.json) | Describes standards, regulations, and frameworks referenced in BOM declarations. | | [`cyclonedx-vulnerability-2.0.schema.json`](./cyclonedx-vulnerability-2.0.schema.json) | Details vulnerabilities, including severity, remediation, and advisories. | diff --git a/schema/2.0/model/cyclonedx-annotation-2.0.schema.json b/schema/2.0/model/cyclonedx-annotation-2.0.schema.json index 2a454041..83f9aa0a 100644 --- a/schema/2.0/model/cyclonedx-annotation-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-annotation-2.0.schema.json @@ -50,7 +50,7 @@ "annotator": { "type": "object", "title": "Annotator", - "description": "The organization, person, component, or service which created the textual content of the annotation.", + "description": "The organization, person, or component which created the textual content of the annotation.", "oneOf": [ { "required": [ @@ -66,11 +66,6 @@ "required": [ "component" ] - }, - { - "required": [ - "service" - ] } ], "additionalProperties": false, @@ -86,10 +81,6 @@ "component": { "description": "The tool or component that created the annotation", "$ref": "cyclonedx-component-2.0.schema.json#/$defs/component" - }, - "service": { - "description": "The service that created the annotation", - "$ref": "cyclonedx-service-2.0.schema.json#/$defs/service" } } }, diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json index 7b3dae3f..74b07e3b 100644 --- a/schema/2.0/model/cyclonedx-component-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json @@ -35,7 +35,8 @@ "file", "machine-learning-model", "data", - "cryptographic-asset" + "cryptographic-asset", + "service" ], "meta:enum": { "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", @@ -50,7 +51,8 @@ "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", "data": "A collection of discrete values that convey information.", - "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", + "service": "A service, including microservices, function-as-a-service, and other types of network or intra-process services. Service-specific attributes, endpoints and the data profiles characterizing the data the service handles, apply exclusively to this component type." }, "title": "Component Type", "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", @@ -188,7 +190,7 @@ "items": {"$ref": "#/$defs/componentOrChoice"}, "uniqueItems": true, "title": "Components", - "description": "A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + "description": "A list of components included in the parent component, including software, hardware, and services. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." }, "evidence": { "$ref": "#/$defs/componentEvidence", @@ -214,6 +216,23 @@ "$ref": "cyclonedx-cryptography-2.0.schema.json#/$defs/cryptoProperties", "title": "Cryptographic Properties" }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed. May only be used for components of type `service`.", + "examples": ["https://example.com/api/v1/ticker"] + }, + "dataProfiles": { + "type": "array", + "uniqueItems": true, + "items": {"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfileChoice"}, + "title": "Data Profiles", + "description": "The data handled by the service, characterized by data profiles. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue. May only be used for components of type `service`. Data movement is intentionally not expressed here: flow direction, sources, destinations, authentication, and boundary crossings are modelled via blueprint flows, assets, and boundaries, which reference this component by bom-ref." + }, "tags": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags", "title": "Tags" @@ -244,6 +263,23 @@ "not": { "required": ["versionRange"] } }, "else": true + }, + { + "title": "Service Requirement", + "description": "Requirement: endpoints and dataProfiles may only be used for components of type `service`.", + "if": { + "properties": { "type": { "const": "service" } }, + "required": ["type"] + }, + "then": true, + "else": { + "not": { + "anyOf": [ + { "required": ["endpoints"] }, + { "required": ["dataProfiles"] } + ] + } + } } ] }, @@ -320,7 +356,7 @@ } }, "version": { - "description": "A single disjunctive version identifier, for a component or service.", + "description": "A single disjunctive version identifier for a component.", "type": "string", "maxLength": 1024, "examples": [ diff --git a/schema/2.0/model/cyclonedx-data-2.0.schema.json b/schema/2.0/model/cyclonedx-data-2.0.schema.json index 598f9098..eb29ccc2 100644 --- a/schema/2.0/model/cyclonedx-data-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-data-2.0.schema.json @@ -59,23 +59,6 @@ "required": ["contact"] } ] - }, - "dataFlowDirection": { - "type": "string", - "enum": [ - "inbound", - "outbound", - "bi-directional", - "unknown" - ], - "meta:enum": { - "inbound": "Data that enters a service.", - "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", - "unknown": "The directional flow of data is not known." - }, - "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." } } } diff --git a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json index d8c2b39b..f16f2da3 100644 --- a/schema/2.0/model/cyclonedx-declaration-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-declaration-2.0.schema.json @@ -315,12 +315,6 @@ "title": "Components", "description": "The list of components which claims are made against.", "items": {"$ref": "cyclonedx-component-2.0.schema.json#/$defs/component"} - }, - "services": { - "type": "array", - "title": "Services", - "description": "The list of services which claims are made against.", - "items": {"$ref": "cyclonedx-service-2.0.schema.json#/$defs/service"} } } }, diff --git a/schema/2.0/model/cyclonedx-dependency-2.0.schema.json b/schema/2.0/model/cyclonedx-dependency-2.0.schema.json index a0558605..09779d1b 100644 --- a/schema/2.0/model/cyclonedx-dependency-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-dependency-2.0.schema.json @@ -15,7 +15,7 @@ "dependency": { "type": "object", "title": "Dependency", - "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", + "description": "Defines the direct dependencies of a component, or the components provided/implemented by a given component. Components that do not have their own dependencies must be declared as empty elements within the graph. Components that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", "required": [ "ref" ], @@ -24,7 +24,7 @@ "ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", "title": "Reference", - "description": "References a component or service by its bom-ref attribute" + "description": "References a component by its bom-ref attribute" }, "dependsOn": { "type": "array", @@ -33,7 +33,7 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, "title": "Depends On", - "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." }, "provides": { "type": "array", @@ -42,7 +42,7 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType" }, "title": "Provides", - "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + "description": "The bom-ref identifiers of the components that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." } } } diff --git a/schema/2.0/model/cyclonedx-formulation-2.0.schema.json b/schema/2.0/model/cyclonedx-formulation-2.0.schema.json index 4eadad60..c6843364 100644 --- a/schema/2.0/model/cyclonedx-formulation-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-formulation-2.0.schema.json @@ -10,7 +10,7 @@ "items": {"$ref": "#/$defs/formula"}, "uniqueItems": true, "title": "Formulation", - "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + "description": "Describes the formulation of any referencable object within the BOM, including components, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." }, "formula": { "title": "Formula", @@ -32,15 +32,6 @@ }, "uniqueItems": true }, - "services": { - "title": "Services", - "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", - "type": "array", - "items": { - "$ref": "cyclonedx-service-2.0.schema.json#/$defs/service" - }, - "uniqueItems": true - }, "workflows": { "title": "Workflows", "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", diff --git a/schema/2.0/model/cyclonedx-metadata-2.0.schema.json b/schema/2.0/model/cyclonedx-metadata-2.0.schema.json index e9fef3d8..1ddcd24e 100644 --- a/schema/2.0/model/cyclonedx-metadata-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-metadata-2.0.schema.json @@ -28,11 +28,7 @@ "properties": { "components": { "$ref": "cyclonedx-component-2.0.schema.json#/$defs/components", - "description": "A list of software and hardware components used as tools." - }, - "services": { - "$ref": "cyclonedx-service-2.0.schema.json#/$defs/services", - "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + "description": "A list of components used as tools. This may include software, hardware, and services such as microservices and function-as-a-service." } } }, diff --git a/schema/2.0/model/cyclonedx-party-2.0.schema.json b/schema/2.0/model/cyclonedx-party-2.0.schema.json index 938e80ea..a0d41369 100644 --- a/schema/2.0/model/cyclonedx-party-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-party-2.0.schema.json @@ -165,6 +165,7 @@ "packager", "partner", "principal", + "provider", "publisher", "purchaser", "quality-control", @@ -232,6 +233,7 @@ "packager": "The party that packages goods for storage, shipment, or retail sale.", "partner": "Business partner with a defined relationship.", "principal": "The party on whose behalf another party acts, paired with delegate.", + "provider": "The party that provides and operates a service or capability consumed by others, such as a cloud service provider, managed service provider, or identity provider.", "publisher": "The party that published the subject, making it available for consumption.", "purchaser": "The party that purchased the subject or a license for its use.", "quality-control": "The party responsible for quality control activities, including inspection, testing, and verification.", diff --git a/schema/2.0/model/cyclonedx-service-2.0.schema.json b/schema/2.0/model/cyclonedx-service-2.0.schema.json deleted file mode 100644 index 6822fa9a..00000000 --- a/schema/2.0/model/cyclonedx-service-2.0.schema.json +++ /dev/null @@ -1,196 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-service-2.0.schema.json", - "type": "null", - "title": "CycloneDX Service Model", - "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.", - "$defs": { - "services": { - "type": "array", - "items": {"$ref": "#/$defs/service"}, - "uniqueItems": true, - "title": "Services" - }, - "service": { - "type": "object", - "title": "Service", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", - "title": "BOM Reference", - "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntity" - }, - "group": { - "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", - "examples": ["com.acme"] - }, - "name": { - "type": "string", - "title": "Service Name", - "description": "The name of the service. This will often be a shortened, single name of the service.", - "examples": ["ticker-service"] - }, - "version": { - "$ref": "cyclonedx-component-2.0.schema.json#/$defs/version", - "title": "Service Version", - "description": "The service version." - }, - "description": { - "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service" - }, - "endpoints": { - "type": "array", - "items": { - "type": "string", - "format": "iri-reference" - }, - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "examples": ["https://example.com/api/v1/ticker"] - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." - }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." - }, - "trustZone": { - "type": "string", - "title": "Trust Zone", - "description": "The name of the trust zone the service resides in." - }, - "data": { - "type": "array", - "items": {"$ref": "#/$defs/serviceData"}, - "title": "Data", - "description": "Specifies information about the data including the directional flow of data and the data classification." - }, - "licenses": { - "$ref": "cyclonedx-license-2.0.schema.json#/$defs/licenseChoice", - "title": "Service License(s)" - }, - "patentAssertions": { - "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patentAssertions", - "title": "Service Patent(s)" - }, - "externalReferences": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences" - }, - "services": { - "type": "array", - "items": {"$ref": "#/$defs/service"}, - "uniqueItems": true, - "title": "Services", - "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." - }, - "releaseNotes": { - "$ref": "cyclonedx-release-notes-2.0.schema.json#/$defs/releaseNotes", - "title": "Release notes", - "description": "Specifies release notes." - }, - "properties": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" - }, - "tags": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags", - "title": "Tags" - }, - "signatures": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/signatures" - } - } - }, - "serviceData": { - "type": "object", - "title": "Hash Objects", - "required": [ - "flow", - "classification" - ], - "additionalProperties": false, - "properties": { - "flow": { - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataFlowDirection", - "title": "Directional Flow", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." - }, - "classification": { - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification" - }, - "name": { - "type": "string", - "title": "Name", - "description": "Name for the defined data", - "examples": [ - "Credit card reporting" - ] - }, - "description": { - "type": "string", - "title": "Description", - "description": "Short description of the data content and usage", - "examples": [ - "Credit card information being exchanged in between the web app and the database" - ] - }, - "governance": { - "title": "Data Governance", - "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataGovernance" - }, - "source": { - "type": "array", - "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType" - } - ] - }, - "title": "Source", - "description": "The URI, URL, or BOM-Link of the components or services the data came in from" - }, - "destination": { - "type": "array", - "items": { - "anyOf": [ - { - "title": "URL", - "type": "string", - "format": "iri-reference" - }, - { - "title": "BOM-Link Element", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType" - } - ] - }, - "title": "Destination", - "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" - } - } - } - } -} \ No newline at end of file diff --git a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json index 2e3f8c11..58aff30c 100644 --- a/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-vulnerability-2.0.schema.json @@ -193,14 +193,7 @@ "items": {"$ref": "cyclonedx-component-2.0.schema.json#/$defs/component"}, "uniqueItems": true, "title": "Components", - "description": "A list of software and hardware components used as tools." - }, - "services": { - "type": "array", - "items": {"$ref": "cyclonedx-service-2.0.schema.json#/$defs/service"}, - "uniqueItems": true, - "title": "Services", - "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + "description": "A list of components used as tools. This may include software, hardware, and services such as microservices and function-as-a-service." } } }, diff --git a/tools/src/test/resources/2.0/invalid-component-service-fields-2.0.json b/tools/src/test/resources/2.0/invalid-component-service-fields-2.0.json new file mode 100644 index 00000000..aec12760 --- /dev/null +++ b/tools/src/test/resources/2.0/invalid-component-service-fields-2.0.json @@ -0,0 +1,23 @@ +{ + "$schema": "https://cyclonedx.org/schema/2.0/cyclonedx-2.0.schema.json", + "specFormat": "CycloneDX", + "specVersion": "2.0", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "not-a-service", + "type": "application", + "name": "Acme Application", + "endpoints": [ + "https://example.com/api" + ], + "dataProfiles": [ + { + "name": "Customer PII", + "classification": "confidential" + } + ] + } + ] +} diff --git a/tools/src/test/resources/2.0/invalid-properties-2.0.json b/tools/src/test/resources/2.0/invalid-properties-2.0.json index 63fe132d..ad973792 100644 --- a/tools/src/test/resources/2.0/invalid-properties-2.0.json +++ b/tools/src/test/resources/2.0/invalid-properties-2.0.json @@ -45,11 +45,10 @@ }, {} ] - } - ], - "services": [ + }, { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "type": "service", "group": "org.partner", "name": "Stock ticker service", "endpoints": [ diff --git a/tools/src/test/resources/2.0/invalid-service-data-2.0.json b/tools/src/test/resources/2.0/invalid-service-data-2.0.json index 5c0ada41..81dae75a 100644 --- a/tools/src/test/resources/2.0/invalid-service-data-2.0.json +++ b/tools/src/test/resources/2.0/invalid-service-data-2.0.json @@ -4,13 +4,12 @@ "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, - "services": [ + "components": [ { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "type": "service", "name": "Stock ticker service", - "authenticated": true, - "x-trust-boundary": true, - "data": [ + "dataProfiles": [ { "classification": "foo", "flow": "bar" diff --git a/tools/src/test/resources/2.0/valid-annotation-2.0.json b/tools/src/test/resources/2.0/valid-annotation-2.0.json index a634126a..88522a6d 100644 --- a/tools/src/test/resources/2.0/valid-annotation-2.0.json +++ b/tools/src/test/resources/2.0/valid-annotation-2.0.json @@ -71,21 +71,47 @@ "component-a" ], "annotator": { - "service": { + "component": { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", - "provider": { - "name": "Partner Org", - "url": [ - "https://partner.org" - ], - "contact": [ - { + "type": "service", + "parties": [ + { + "roles": [ + { + "role": "provider" + } + ], + "organization": { + "name": "Partner Org", + "url": [ + { + "name": "homepage", + "url": "https://partner.org" + } + ] + } + }, + { + "roles": [ + { + "role": "support-contact" + } + ], + "person": { "name": "Support", - "email": "support@partner.org", - "phone": "800-555-1212" + "email": [ + { + "address": "support@partner.org" + } + ], + "phone": [ + { + "number": "800-555-1212" + } + ] } - ] - }, + } + ], "group": "org.partner", "name": "BOM Annotation Service", "version": "2020-Q2", @@ -93,18 +119,16 @@ "https://partner.org/api/v1/inspect", "https://partner.org/api/v1/annotate" ], - "authenticated": true, - "x-trust-boundary": true, - "data": [ + "dataProfiles": [ { - "classification": "public", - "flow": "bi-directional" + "name": "Public BOM Data", + "classification": "public" } ] } }, "timestamp": "2022-01-01T00:00:00Z", - "text": "This is a sample annotation made by a service" + "text": "This is a sample annotation made by a service component" } ] } diff --git a/tools/src/test/resources/2.0/valid-assembly-2.0.json b/tools/src/test/resources/2.0/valid-assembly-2.0.json index 320363b8..347d3fad 100644 --- a/tools/src/test/resources/2.0/valid-assembly-2.0.json +++ b/tools/src/test/resources/2.0/valid-assembly-2.0.json @@ -16,13 +16,13 @@ "version": "2.0.0" } ] - } - ], - "services": [ + }, { + "type": "service", "name": "acme-service-a", - "services": [ + "components": [ { + "type": "service", "name": "acme-service-b" } ] diff --git a/tools/src/test/resources/2.0/valid-metadata-tool-2.0.json b/tools/src/test/resources/2.0/valid-metadata-tool-2.0.json index 4f99ba23..c059e678 100644 --- a/tools/src/test/resources/2.0/valid-metadata-tool-2.0.json +++ b/tools/src/test/resources/2.0/valid-metadata-tool-2.0.json @@ -22,16 +22,27 @@ "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" } ] - } - ], - "services": [ + }, { - "provider": { - "name": "Acme Org", - "url": [ - "https://example.com" - ] - }, + "type": "service", + "parties": [ + { + "roles": [ + { + "role": "provider" + } + ], + "organization": { + "name": "Acme Org", + "url": [ + { + "name": "homepage", + "url": "https://example.com" + } + ] + } + } + ], "group": "com.example", "name": "Acme Signing Server", "description": "Signs artifacts", diff --git a/tools/src/test/resources/2.0/valid-patent-2.0.json b/tools/src/test/resources/2.0/valid-patent-2.0.json index 54ed6923..bbcb64ce 100644 --- a/tools/src/test/resources/2.0/valid-patent-2.0.json +++ b/tools/src/test/resources/2.0/valid-patent-2.0.json @@ -8,11 +8,25 @@ { "bom-ref": "component-1", "type": "library", - "manufacturer": { - "bom-ref": "org-acme-inc", - "name": "Acme Inc", - "url": ["https://example.com"] - }, + "parties": [ + { + "bom-ref": "org-acme-inc", + "roles": [ + { + "role": "manufacturer" + } + ], + "organization": { + "name": "Acme Inc", + "url": [ + { + "name": "homepage", + "url": "https://example.com" + } + ] + } + } + ], "name": "High-Efficiency Processor", "version": "1.0", "patentAssertions": [ @@ -20,22 +34,25 @@ "bom-ref": "patent-assertion-1", "assertionType": "ownership", "asserter": "org-acme-inc", - "patentRefs": ["patent-1"], + "patentRefs": [ + "patent-1" + ], "notes": "Covers the core processing architecture for advanced computation." }, { "bom-ref": "patent-assertion-2", "assertionType": "license", "asserter": "org-acme-inc", - "patentRefs": ["patent-3"], + "patentRefs": [ + "patent-3" + ], "notes": "Licensed for use in North America." } ] - } - ], - "services": [ + }, { "bom-ref": "service-1", + "type": "service", "name": "Data Analysis Service", "patentAssertions": [ { @@ -50,7 +67,9 @@ } ] }, - "patentRefs": ["patent-2"], + "patentRefs": [ + "patent-2" + ], "notes": "Exclusive rights for machine learning integration." } ] @@ -73,7 +92,9 @@ "patentAssignee": [ { "name": "Tech Innovators Inc.", - "url": ["https://techinnovators.com"] + "url": [ + "https://techinnovators.com" + ] } ], "externalReferences": [ @@ -104,7 +125,9 @@ "patentAssignee": [ { "name": "Tech Innovators Inc.", - "url": ["https://techinnovators.com"] + "url": [ + "https://techinnovators.com" + ] } ] }, diff --git a/tools/src/test/resources/2.0/valid-properties-2.0.json b/tools/src/test/resources/2.0/valid-properties-2.0.json index 8db37c7a..7dd70a9e 100644 --- a/tools/src/test/resources/2.0/valid-properties-2.0.json +++ b/tools/src/test/resources/2.0/valid-properties-2.0.json @@ -69,11 +69,10 @@ "name": "value-is-optional" } ] - } - ], - "services": [ + }, { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "type": "service", "group": "org.partner", "name": "Stock ticker service", "endpoints": [ diff --git a/tools/src/test/resources/2.0/valid-release-notes-2.0.json b/tools/src/test/resources/2.0/valid-release-notes-2.0.json index 5ccef573..f7a2fc91 100644 --- a/tools/src/test/resources/2.0/valid-release-notes-2.0.json +++ b/tools/src/test/resources/2.0/valid-release-notes-2.0.json @@ -74,24 +74,48 @@ } ] } - } - ], - "services": [ + }, { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", - "provider": { - "name": "Partner Org", - "url": [ - "https://partner.org" - ], - "contact": [ - { + "type": "service", + "parties": [ + { + "roles": [ + { + "role": "provider" + } + ], + "organization": { + "name": "Partner Org", + "url": [ + { + "name": "homepage", + "url": "https://partner.org" + } + ] + } + }, + { + "roles": [ + { + "role": "support-contact" + } + ], + "person": { "name": "Support", - "email": "support@partner.org", - "phone": "800-555-1212" + "email": [ + { + "address": "support@partner.org" + } + ], + "phone": [ + { + "number": "800-555-1212" + } + ] } - ] - }, + } + ], "group": "org.partner", "name": "Stock ticker service", "version": "2020-Q2", @@ -100,24 +124,32 @@ "https://partner.org/api/v1/lookup", "https://partner.org/api/v1/stock" ], - "authenticated": true, - "x-trust-boundary": true, - "data": [ + "dataProfiles": [ { - "classification": "PII", - "flow": "inbound" + "name": "Customer PII", + "classification": "confidential", + "informationTypes": [ + "pii" + ] }, { - "classification": "PIFI", - "flow": "outbound" + "name": "Personally Identifiable Financial Information", + "classification": "confidential", + "informationTypes": [ + "pii", + "financial" + ] }, { - "classification": "public", - "flow": "bi-directional" + "name": "Public Market Data", + "classification": "public" }, { - "classification": "partner-data", - "flow": "unknown" + "name": "Partner Data", + "classification": { + "name": "partner-restricted", + "description": "Data subject to the partner data-sharing agreement." + } } ], "licenses": [ diff --git a/tools/src/test/resources/2.0/valid-saasbom-2.0.json b/tools/src/test/resources/2.0/valid-saasbom-2.0.json index 42c60ee2..7d7f6173 100644 --- a/tools/src/test/resources/2.0/valid-saasbom-2.0.json +++ b/tools/src/test/resources/2.0/valid-saasbom-2.0.json @@ -13,13 +13,73 @@ "version": "2022-1" } }, - "services": [ + "profiles": { + "dataProfiles": [ + { + "bom-ref": "profile-customer", + "name": "Customer Data", + "classification": "confidential", + "informationTypes": [ + "pii" + ], + "subjects": [ + { + "name": "Acme Customers", + "type": "group", + "regulations": [ + "GDPR", + "CCPA" + ] + } + ] + }, + { + "bom-ref": "profile-pii", + "name": "Personally Identifiable Information", + "classification": "confidential", + "informationTypes": [ + "pii" + ] + }, + { + "bom-ref": "profile-pifi", + "name": "Personally Identifiable Financial Information", + "classification": "confidential", + "informationTypes": [ + "pii", + "financial" + ] + }, + { + "bom-ref": "profile-public", + "name": "Public Market Data", + "classification": "public" + } + ] + }, + "components": [ { "bom-ref": "stock-ticker-service", - "provider": { - "name": "Acme Inc", - "url": ["https://example.com"] - }, + "type": "service", + "parties": [ + { + "bom-ref": "party-acme", + "roles": [ + { + "role": "provider" + } + ], + "organization": { + "name": "Acme Inc", + "url": [ + { + "name": "homepage", + "url": "https://example.com" + } + ] + } + } + ], "group": "com.example", "name": "Stock Ticker Service", "version": "2022-1", @@ -27,57 +87,11 @@ "https://example.com/", "https://example.com/app" ], - "authenticated": true, - "trustZone": "Acme Public Zone", - "data": [ - { - "name": "Consumer to Stock Service", - "description": "Traffic to/from consumer to service", - "classification": "Customer", - "flow": "bi-directional", - "source": [ - "https://0.0.0.0" - ], - "destination": [ - "https://0.0.0.0" - ] - }, - { - "name": "Stock Service to MS-1", - "description": "Traffic to/from stock service to microservice-1", - "classification": "PII", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" - ] - }, - { - "name": "Stock Service to MS-2", - "description": "Traffic to/from stock service to microservice-2", - "classification": "PIFI", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" - ] - }, - { - "name": "Stock Service to MS-3", - "description": "Traffic to/from stock service to microservice-3", - "classification": "Public", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" - ] - } + "dataProfiles": [ + "profile-customer", + "profile-pii", + "profile-pifi", + "profile-public" ], "externalReferences": [ { @@ -85,13 +99,13 @@ "url": "https://example.com/app/swagger" } ], - "services": [ + "components": [ { "bom-ref": "ms-1.example.com", - "provider": { - "name": "Acme Inc", - "url": ["https://example.com"] - }, + "type": "service", + "parties": [ + "party-acme" + ], "group": "com.example", "name": "Microservice 1", "version": "2022-1", @@ -99,42 +113,8 @@ "endpoints": [ "https://ms-1.example.com" ], - "authenticated": true, - "trustZone": "Acme Private Zone", - "data": [ - { - "name": "Stock Service to MS-1", - "description": "Traffic to/from stock service to microservice-1", - "classification": "PII", - "flow": "bi-directional", - "governance": { - "owners": [ - { - "organization": { - "name": "Customer Name" - } - } - ] - }, - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" - ] - }, - { - "name": "MS-1 to Database", - "description": "Traffic to/from microservice-1 to database", - "classification": "PII", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" - ] - } + "dataProfiles": [ + "profile-pii" ], "externalReferences": [ { @@ -145,10 +125,10 @@ }, { "bom-ref": "ms-2.example.com", - "provider": { - "name": "Acme Inc", - "url": ["https://example.com"] - }, + "type": "service", + "parties": [ + "party-acme" + ], "group": "com.example", "name": "Microservice 2", "version": "2022-1", @@ -156,21 +136,8 @@ "endpoints": [ "https://ms-2.example.com" ], - "authenticated": true, - "trustZone": "Acme Private Zone", - "data": [ - { - "name": "Stock Service to MS-2", - "description": "Traffic to/from stock service to microservice-2", - "classification": "PIFI", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" - ] - } + "dataProfiles": [ + "profile-pifi" ], "externalReferences": [ { @@ -181,10 +148,10 @@ }, { "bom-ref": "ms-3.example.com", - "provider": { - "name": "Acme Inc", - "url": ["https://example.com"] - }, + "type": "service", + "parties": [ + "party-acme" + ], "group": "com.example", "name": "Microservice 3", "version": "2022-1", @@ -192,30 +159,8 @@ "endpoints": [ "https://ms-3.example.com" ], - "authenticated": true, - "trustZone": "Acme Private Zone", - "data": [ - { - "name": "Stock Service to MS-3", - "description": "Traffic to/from stock service to microservice-3", - "classification": "Public", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" - ] - }, - { - "name": "MS-3 to S3", - "description": "Data pushed from microservice-3 to S3 bucket", - "classification": "Public", - "flow": "outbound", - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" - ] - } + "dataProfiles": [ + "profile-public" ], "externalReferences": [ { @@ -226,6 +171,7 @@ }, { "bom-ref": "ms-1-pgsql.example.com", + "type": "service", "group": "org.postgresql", "name": "Postgres", "version": "14.1", @@ -233,42 +179,209 @@ "endpoints": [ "https://ms-1-pgsql.example.com:5432" ], - "authenticated": true, - "trustZone": "Acme Private Zone", - "data": [ - { - "name": "MS-1 to Database", - "description": "Traffic to/from microservice-1 to database", - "classification": "PII", - "flow": "bi-directional", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" - ], - "destination": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" - ] - } + "dataProfiles": [ + "profile-pii" ] }, { "bom-ref": "s3-example.amazon.com", + "type": "service", + "isExternal": true, "group": "com.amazon", "name": "S3", "description": "S3 bucket", "endpoints": [ "https://s3-example.amazon.com" ], - "authenticated": true, - "trustZone": "Public Internet", - "data": [ + "dataProfiles": [ + "profile-public" + ] + } + ] + } + ], + "blueprints": [ + { + "bom-ref": "blueprint-stock-app", + "name": "Acme Stock Application Topology", + "modelTypes": [ + "data-flow" + ], + "zones": [ + { + "bom-ref": "zone-acme-public", + "name": "Acme Public Zone", + "type": "trust" + }, + { + "bom-ref": "zone-acme-private", + "name": "Acme Private Zone", + "type": "trust" + }, + { + "bom-ref": "zone-public-internet", + "name": "Public Internet", + "type": "trust" + } + ], + "boundaries": [ + { + "bom-ref": "boundary-public-private", + "name": "Acme Public to Private Boundary", + "type": "trust", + "zones": [ + "zone-acme-public", + "zone-acme-private" + ], + "crossingRequirements": { + "authentication": [ + "mtls" + ] + } + } + ], + "assets": [ + { + "bom-ref": "asset-stock-ticker", + "componentRef": "stock-ticker-service", + "type": "service", + "zone": "zone-acme-public", + "authentication": [ + "oauth2" + ] + }, + { + "bom-ref": "asset-ms-1", + "componentRef": "ms-1.example.com", + "type": "service", + "zone": "zone-acme-private", + "authentication": [ + "mtls" + ] + }, + { + "bom-ref": "asset-ms-2", + "componentRef": "ms-2.example.com", + "type": "service", + "zone": "zone-acme-private", + "authentication": [ + "mtls" + ] + }, + { + "bom-ref": "asset-ms-3", + "componentRef": "ms-3.example.com", + "type": "service", + "zone": "zone-acme-private", + "authentication": [ + "mtls" + ] + }, + { + "bom-ref": "asset-ms-1-pgsql", + "componentRef": "ms-1-pgsql.example.com", + "type": "data-store", + "zone": "zone-acme-private", + "authentication": [ + "scram" + ] + }, + { + "bom-ref": "asset-s3", + "componentRef": "s3-example.amazon.com", + "type": "data-store", + "zone": "zone-public-internet", + "authentication": [ + "hmac" + ] + } + ], + "flows": [ + { + "bom-ref": "flow-ticker-ms1", + "name": "Stock Service to MS-1", + "type": "data", + "source": "asset-stock-ticker", + "destination": "asset-ms-1", + "bidirectional": true, + "encrypted": true, + "dataProfiles": [ + "profile-pii" + ] + }, + { + "bom-ref": "flow-ticker-ms2", + "name": "Stock Service to MS-2", + "type": "data", + "source": "asset-stock-ticker", + "destination": "asset-ms-2", + "bidirectional": true, + "encrypted": true, + "dataProfiles": [ + "profile-pifi" + ] + }, + { + "bom-ref": "flow-ticker-ms3", + "name": "Stock Service to MS-3", + "type": "data", + "source": "asset-stock-ticker", + "destination": "asset-ms-3", + "bidirectional": true, + "encrypted": true, + "dataProfiles": [ + "profile-public" + ] + }, + { + "bom-ref": "flow-ms1-pgsql", + "name": "MS-1 to Database", + "type": "data", + "source": "asset-ms-1", + "destination": "asset-ms-1-pgsql", + "bidirectional": true, + "encrypted": true, + "dataProfiles": [ + "profile-pii" + ] + }, + { + "bom-ref": "flow-ms3-s3", + "name": "MS-3 to S3", + "type": "data", + "source": "asset-ms-3", + "destination": "asset-s3", + "bidirectional": false, + "encrypted": true, + "dataProfiles": [ + "profile-public" + ] + } + ], + "dataSets": [ + { + "bom-ref": "dataset-customer-records", + "name": "Customer Records", + "description": "Customer personally identifiable information persisted by Microservice 1.", + "dataProfiles": [ + "profile-pii" + ], + "owners": [ { - "name": "MS-3 to S3", - "description": "Data pushed from microservice-3 to S3 bucket", - "classification": "PII", - "flow": "inbound", - "source": [ - "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" - ] + "roles": [ + { + "role": "owner" + } + ], + "organization": { + "name": "Customer Name" + } + } + ], + "placements": [ + { + "dataStore": "asset-ms-1-pgsql", + "encrypted": true } ] } @@ -278,7 +391,9 @@ "dependencies": [ { "ref": "acme-stock-application", - "dependsOn": ["stock-ticker-service"] + "dependsOn": [ + "stock-ticker-service" + ] }, { "ref": "stock-ticker-service", @@ -290,7 +405,9 @@ }, { "ref": "ms-1.example.com", - "dependsOn": ["ms-1-pgsql.example.com"] + "dependsOn": [ + "ms-1-pgsql.example.com" + ] }, { "ref": "ms-2.example.com", @@ -298,7 +415,9 @@ }, { "ref": "ms-3.example.com", - "dependsOn": ["s3-example.amazon.com"] + "dependsOn": [ + "s3-example.amazon.com" + ] } ] } diff --git a/tools/src/test/resources/2.0/valid-service-2.0.json b/tools/src/test/resources/2.0/valid-service-2.0.json index 8f544114..cce89f90 100644 --- a/tools/src/test/resources/2.0/valid-service-2.0.json +++ b/tools/src/test/resources/2.0/valid-service-2.0.json @@ -8,7 +8,18 @@ { "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", "type": "library", - "publisher": "Acme Inc", + "parties": [ + { + "roles": [ + { + "role": "publisher" + } + ], + "organization": { + "name": "Acme Inc" + } + } + ], "group": "com.acme", "name": "stock-java-client", "version": "1.0.12", @@ -25,24 +36,51 @@ } } ] - } - ], - "services": [ + }, { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", - "provider": { - "name": "Partner Org", - "url": [ - "https://partner.org" - ], - "contact": [ - { + "type": "service", + "isExternal": true, + "parties": [ + { + "bom-ref": "party-partner-org", + "roles": [ + { + "role": "provider" + } + ], + "organization": { + "name": "Partner Org", + "url": [ + { + "name": "homepage", + "url": "https://partner.org" + } + ] + } + }, + { + "roles": [ + { + "role": "support-contact" + } + ], + "person": { "name": "Support", - "email": "support@partner.org", - "phone": "800-555-1212" + "email": [ + { + "address": "support@partner.org" + } + ], + "phone": [ + { + "number": "800-555-1212" + } + ], + "affiliation": "party-partner-org" } - ] - }, + } + ], "group": "org.partner", "name": "Stock ticker service", "version": "2020-Q2", @@ -51,24 +89,32 @@ "https://partner.org/api/v1/lookup", "https://partner.org/api/v1/stock" ], - "authenticated": true, - "x-trust-boundary": true, - "data": [ + "dataProfiles": [ { - "classification": "PII", - "flow": "inbound" + "name": "Customer PII", + "classification": "confidential", + "informationTypes": [ + "pii" + ] }, { - "classification": "PIFI", - "flow": "outbound" + "name": "Personally Identifiable Financial Information", + "classification": "confidential", + "informationTypes": [ + "pii", + "financial" + ] }, { - "classification": "public", - "flow": "bi-directional" + "name": "Public Market Data", + "classification": "public" }, { - "classification": "partner-data", - "flow": "unknown" + "name": "Partner Data", + "classification": { + "name": "partner-restricted", + "description": "Data subject to the partner data-sharing agreement." + } } ], "licenses": [ diff --git a/tools/src/test/resources/2.0/valid-service-empty-objects-2.0.json b/tools/src/test/resources/2.0/valid-service-empty-objects-2.0.json index 197feb3a..c2c2bb93 100644 --- a/tools/src/test/resources/2.0/valid-service-empty-objects-2.0.json +++ b/tools/src/test/resources/2.0/valid-service-empty-objects-2.0.json @@ -4,20 +4,24 @@ "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, - "services": [ + "components": [ { "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", - "provider": { - "contact": [ - ] - }, - "name": "Stock ticker service", - "endpoints": [ - ], - "data": [ + "type": "service", + "parties": [ + { + "roles": [ + { + "role": "provider" + } + ], + "organization": {} + } ], - "externalReferences": [ - ] + "name": "Stock ticker service", + "endpoints": [], + "dataProfiles": [], + "externalReferences": [] } ] } diff --git a/tools/src/test/resources/2.0/valid-tags-2.0.json b/tools/src/test/resources/2.0/valid-tags-2.0.json index c34a6fff..dd45e065 100644 --- a/tools/src/test/resources/2.0/valid-tags-2.0.json +++ b/tools/src/test/resources/2.0/valid-tags-2.0.json @@ -14,12 +14,13 @@ "javascript", "node.js" ] - } - ], - "services": [ + }, { + "type": "service", "name": "my service", - "endpoints": ["https://example.com/myservice"], + "endpoints": [ + "https://example.com/myservice" + ], "tags": [ "microservice", "golang", diff --git a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json index 992629f5..a38e9ede 100644 --- a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json +++ b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json @@ -105,13 +105,21 @@ "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d" } ] - } - ], - "services": [ + }, { - "provider": { - "name": "Acme Inc" - }, + "type": "service", + "parties": [ + { + "roles": [ + { + "role": "provider" + } + ], + "organization": { + "name": "Acme Inc" + } + } + ], "name": "Acme BOM Analyzer", "endpoints": [ "https://example.com/analyze"