Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion schema/2.0/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ validation, tooling, and data exchange.

## Modularity and Model Composition

CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, services, vulnerabilities,
CycloneDX 2.0 is defined as a modular specification. All core concepts—such as components, vulnerabilities,
licensing, and AI/ML metadata, are encapsulated in reusable model definitions located in the [`model/`](./model) directory.

This modular architecture promotes:
Expand Down
3 changes: 0 additions & 3 deletions schema/2.0/cyclonedx-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -52,9 +52,6 @@
"$ref": "model/cyclonedx-component-2.0.schema.json#/$defs/components",
"description": "A collection of components. When a metadata component is present, this array represents the inventory of components associated with that subject, forming a bill of materials. When the metadata component is omitted, the array provides component data for interchange purposes without establishing a compositional relationship."
},
"services": {
"$ref": "model/cyclonedx-service-2.0.schema.json#/$defs/services"
},
"dependencies": {
"$ref": "model/cyclonedx-dependency-2.0.schema.json#/$defs/dependencies"
},
Expand Down
9 changes: 4 additions & 5 deletions schema/2.0/model/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,23 +18,22 @@ These models are compiled into the schemas in the parent directory, ensuring con
|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| [`cyclonedx-ai-model-parameters-2.0.schema.json`](./cyclonedx-ai-model-parameters-2.0.schema.json) | Defines configuration and metadata for AI/ML training, evaluation, and deployment parameters. |
| [`cyclonedx-ai-modelcard-2.0.schema.json`](./cyclonedx-ai-modelcard-2.0.schema.json) | Describes AI/ML model cards including intended use, limitations, and ethical considerations. |
| [`cyclonedx-annotation-2.0.schema.json`](./cyclonedx-annotation-2.0.schema.json) | Represents human or automated comments about BOM elements, such as components or services. |
| [`cyclonedx-annotation-2.0.schema.json`](./cyclonedx-annotation-2.0.schema.json) | Represents human or automated comments about BOM elements, such as components. |
| [`cyclonedx-common-2.0.schema.json`](./cyclonedx-common-2.0.schema.json) | Provides common types and base definitions used across all other schemas. |
| [`cyclonedx-component-2.0.schema.json`](./cyclonedx-component-2.0.schema.json) | Models hardware, software, data, cryptographic, and AI components and their attributes. |
| [`cyclonedx-component-2.0.schema.json`](./cyclonedx-component-2.0.schema.json) | Models hardware, software, data, cryptographic, AI, and service components and their attributes. |
| [`cyclonedx-composition-2.0.schema.json`](./cyclonedx-composition-2.0.schema.json) | Indicates the known and unknown completeness of BOM elements and their relationships. |
| [`cyclonedx-cryptography-2.0.schema.json`](./cyclonedx-cryptography-2.0.schema.json) | Defines cryptographic properties, including algorithms, keys, and post-quantum cryptographic readiness. |
| [`cyclonedx-declaration-2.0.schema.json`](./cyclonedx-declaration-2.0.schema.json) | Structures conformance declarations, claims, attestations, and associated evidence. |
| [`cyclonedx-definition-2.0.schema.json`](./cyclonedx-definition-2.0.schema.json) | Contains reusable definitions and enums referenced by other schemas. |
| [`cyclonedx-dependency-2.0.schema.json`](./cyclonedx-dependency-2.0.schema.json) | Captures dependency relationships among components and services in the BOM. |
| [`cyclonedx-formulation-2.0.schema.json`](./cyclonedx-formulation-2.0.schema.json) | Describes the process of manufacturing, building, or deploying a component or service. |
| [`cyclonedx-dependency-2.0.schema.json`](./cyclonedx-dependency-2.0.schema.json) | Captures dependency relationships among components in the BOM. |
| [`cyclonedx-formulation-2.0.schema.json`](./cyclonedx-formulation-2.0.schema.json) | Describes the process of manufacturing, building, or deploying a component. |
| [`cyclonedx-license-2.0.schema.json`](./cyclonedx-license-2.0.schema.json) | Models software licences using SPDX IDs, named licences, and optional full text. |
| [`cyclonedx-licensing-2.0.schema.json`](./cyclonedx-licensing-2.0.schema.json) | Expands on licence metadata with purchaser, licensee, terms, and validity periods. |
| [`cyclonedx-metadata-2.0.schema.json`](./cyclonedx-metadata-2.0.schema.json) | Contains metadata about the BOM, such as authorship, tools used, and timestamps. |
| [`cyclonedx-patent-2.0.schema.json`](./cyclonedx-patent-2.0.schema.json) | Represents patents relevant to components, including jurisdiction and legal status. |
| [`cyclonedx-patent-assertion-2.0.schema.json`](./cyclonedx-patent-assertion-2.0.schema.json) | Defines legal claims or disclaimers associated with patents. |
| [`cyclonedx-patent-family-2.0.schema.json`](./cyclonedx-patent-family-2.0.schema.json) | Groups related patents across different jurisdictions into patent families. |
| [`cyclonedx-release-notes-2.0.schema.json`](./cyclonedx-release-notes-2.0.schema.json) | Specifies structured release note content, including changes and version history. |
| [`cyclonedx-service-2.0.schema.json`](./cyclonedx-service-2.0.schema.json) | Models services such as APIs or microservices, including endpoints and interactions. |
| [`cyclonedx-standard-2.0.schema.json`](./cyclonedx-standard-2.0.schema.json) | Describes standards, regulations, and frameworks referenced in BOM declarations. |
| [`cyclonedx-vulnerability-2.0.schema.json`](./cyclonedx-vulnerability-2.0.schema.json) | Details vulnerabilities, including severity, remediation, and advisories. |

11 changes: 1 addition & 10 deletions schema/2.0/model/cyclonedx-annotation-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
"annotator": {
"type": "object",
"title": "Annotator",
"description": "The organization, person, component, or service which created the textual content of the annotation.",
"description": "The organization, person, or component which created the textual content of the annotation.",
"oneOf": [
{
"required": [
Expand All @@ -66,11 +66,6 @@
"required": [
"component"
]
},
{
"required": [
"service"
]
}
],
"additionalProperties": false,
Expand All @@ -86,10 +81,6 @@
"component": {
"description": "The tool or component that created the annotation",
"$ref": "cyclonedx-component-2.0.schema.json#/$defs/component"
},
"service": {
"description": "The service that created the annotation",
"$ref": "cyclonedx-service-2.0.schema.json#/$defs/service"
}
}
},
Expand Down
44 changes: 40 additions & 4 deletions schema/2.0/model/cyclonedx-component-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,8 @@
"file",
"machine-learning-model",
"data",
"cryptographic-asset"
"cryptographic-asset",
"service"
],
"meta:enum": {
"application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.",
Expand All @@ -50,7 +51,8 @@
"file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.",
"machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.",
"data": "A collection of discrete values that convey information.",
"cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
"cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.",
"service": "A service, including microservices, function-as-a-service, and other types of network or intra-process services. Service-specific attributes, endpoints and the data profiles characterizing the data the service handles, apply exclusively to this component type."
},
"title": "Component Type",
"description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.",
Expand Down Expand Up @@ -188,7 +190,7 @@
"items": {"$ref": "#/$defs/componentOrChoice"},
"uniqueItems": true,
"title": "Components",
"description": "A list of software and hardware components included in the parent component. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."
"description": "A list of components included in the parent component, including software, hardware, and services. Entries may be concrete components or component-choice wrappers expressing conditional or alternate relationships. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains."
},
"evidence": {
"$ref": "#/$defs/componentEvidence",
Expand All @@ -214,6 +216,23 @@
"$ref": "cyclonedx-cryptography-2.0.schema.json#/$defs/cryptoProperties",
"title": "Cryptographic Properties"
},
"endpoints": {
"type": "array",
"items": {
"type": "string",
"format": "iri-reference"
},
"title": "Endpoints",
"description": "The endpoint URIs of the service. Multiple endpoints are allowed. May only be used for components of type `service`.",
"examples": ["https://example.com/api/v1/ticker"]
},
"dataProfiles": {
"type": "array",
"uniqueItems": true,
"items": {"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfileChoice"},
"title": "Data Profiles",
"description": "The data handled by the service, characterized by data profiles. Each entry is either an inline profile object or a reference using bom-link or bom-ref to a previously declared profile, typically declared in the root profiles catalogue. May only be used for components of type `service`. Data movement is intentionally not expressed here: flow direction, sources, destinations, authentication, and boundary crossings are modelled via blueprint flows, assets, and boundaries, which reference this component by bom-ref."
},
"tags": {
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags",
"title": "Tags"
Expand Down Expand Up @@ -244,6 +263,23 @@
"not": { "required": ["versionRange"] }
},
"else": true
},
{
"title": "Service Requirement",
"description": "Requirement: endpoints and dataProfiles may only be used for components of type `service`.",
"if": {
"properties": { "type": { "const": "service" } },
"required": ["type"]
},
"then": true,
"else": {
"not": {
"anyOf": [
{ "required": ["endpoints"] },
{ "required": ["dataProfiles"] }
]
}
}
}
]
},
Expand Down Expand Up @@ -320,7 +356,7 @@
}
},
"version": {
"description": "A single disjunctive version identifier, for a component or service.",
"description": "A single disjunctive version identifier for a component.",
"type": "string",
"maxLength": 1024,
"examples": [
Expand Down
17 changes: 0 additions & 17 deletions schema/2.0/model/cyclonedx-data-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -59,23 +59,6 @@
"required": ["contact"]
}
]
},
"dataFlowDirection": {
"type": "string",
"enum": [
"inbound",
"outbound",
"bi-directional",
"unknown"
],
"meta:enum": {
"inbound": "Data that enters a service.",
"outbound": "Data that exits a service.",
"bi-directional": "Data flows in and out of the service.",
"unknown": "The directional flow of data is not known."
},
"title": "Data flow direction",
"description": "Specifies the flow direction of the data. Direction is relative to the service."
}
}
}
6 changes: 0 additions & 6 deletions schema/2.0/model/cyclonedx-declaration-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -315,12 +315,6 @@
"title": "Components",
"description": "The list of components which claims are made against.",
"items": {"$ref": "cyclonedx-component-2.0.schema.json#/$defs/component"}
},
"services": {
"type": "array",
"title": "Services",
"description": "The list of services which claims are made against.",
"items": {"$ref": "cyclonedx-service-2.0.schema.json#/$defs/service"}
}
}
},
Expand Down
8 changes: 4 additions & 4 deletions schema/2.0/model/cyclonedx-dependency-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
"dependency": {
"type": "object",
"title": "Dependency",
"description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.",
"description": "Defines the direct dependencies of a component, or the components provided/implemented by a given component. Components that do not have their own dependencies must be declared as empty elements within the graph. Components that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.",
"required": [
"ref"
],
Expand All @@ -24,7 +24,7 @@
"ref": {
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
"title": "Reference",
"description": "References a component or service by its bom-ref attribute"
"description": "References a component by its bom-ref attribute"
},
"dependsOn": {
"type": "array",
Expand All @@ -33,7 +33,7 @@
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
},
"title": "Depends On",
"description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
"description": "The bom-ref identifiers of the components that are dependencies of this dependency object."
},
"provides": {
"type": "array",
Expand All @@ -42,7 +42,7 @@
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
},
"title": "Provides",
"description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."
"description": "The bom-ref identifiers of the components that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."
}
}
}
Expand Down
11 changes: 1 addition & 10 deletions schema/2.0/model/cyclonedx-formulation-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"items": {"$ref": "#/$defs/formula"},
"uniqueItems": true,
"title": "Formulation",
"description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."
"description": "Describes the formulation of any referencable object within the BOM, including components, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps."
},
"formula": {
"title": "Formula",
Expand All @@ -32,15 +32,6 @@
},
"uniqueItems": true
},
"services": {
"title": "Services",
"description": "Transient services that are used in tasks that constitute one or more of this formula's workflows",
"type": "array",
"items": {
"$ref": "cyclonedx-service-2.0.schema.json#/$defs/service"
},
"uniqueItems": true
},
"workflows": {
"title": "Workflows",
"description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.",
Expand Down
6 changes: 1 addition & 5 deletions schema/2.0/model/cyclonedx-metadata-2.0.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,7 @@
"properties": {
"components": {
"$ref": "cyclonedx-component-2.0.schema.json#/$defs/components",
"description": "A list of software and hardware components used as tools."
},
"services": {
"$ref": "cyclonedx-service-2.0.schema.json#/$defs/services",
"description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services."
"description": "A list of components used as tools. This may include software, hardware, and services such as microservices and function-as-a-service."
}
}
},
Expand Down
Loading
Loading