diff --git a/cyclonedx/__res/schema/.editorconfig b/cyclonedx/__res/schema/.editorconfig
new file mode 100644
index 00000000..6fe0e5e4
--- /dev/null
+++ b/cyclonedx/__res/schema/.editorconfig
@@ -0,0 +1,10 @@
+
+# fix settings for files that are copied over, to keep them as is
+[*.SNAPSHOT.xsd]
+indent_size = 4
+indent_style = space
+trim_trailing_whitespace = false
+[*.SNAPSHOT.schema.json]
+indent_size = 2
+indent_style = space
+trim_trailing_whitespace = false
\ No newline at end of file
diff --git a/cyclonedx/__res/schema/.gitattributes b/cyclonedx/__res/schema/.gitattributes
index 00abe0d3..41a9eb42 100644
--- a/cyclonedx/__res/schema/.gitattributes
+++ b/cyclonedx/__res/schema/.gitattributes
@@ -1,3 +1,6 @@
-* linguist-generated
-*/* linguist-generated
-**/* linguist-generated
+# snapshots are vendored for offline use
+*.SNAPSHOT.* linguist-vendored
+
+# specs are vendored for offline use
+*.xsd linguist-vendored
+*.schema.json linguist-vendored
diff --git a/cyclonedx/__res/schema/README.md b/cyclonedx/__res/schema/README.md
new file mode 100644
index 00000000..eb2eb377
--- /dev/null
+++ b/cyclonedx/__res/schema/README.md
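Review bot: The `[*.SNAPSHOT.xsd]` and `[*.SNAPSHOT.schema.json]` sections pin indentation and trailing whitespace but not the final newline, so an editor whose default for `insert_final_newline` is true will still rewrite a copied snapshot on save, and the bom-1.2.SNAPSHOT.xsd hunk in this same commit shows exactly such a final-newline change. Adding `insert_final_newline = false` to both sections would make the "keep them as is" intent of the comment hold for that case too.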
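Review bot: Marking every `*.xsd` and `*.schema.json` as `linguist-vendored` makes the forge collapse these files by default in pull-request diffs, so a later edit to a schema that validation depends on is easy to overlook in review. Since the README pins the upstream commit and the snapshots come from the downloader script, a comment here telling reviewers how the files are meant to change would help, e.g. `# regenerate via ../../tools/schema-downloader.py; do not hand-edit`. The two comments above the patterns say the same thing twice; one `# schema snapshots are vendored for offline use` line would do.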
@@ -0,0 +1,30 @@
+# Resources: Schema files
+
+some schema for offline use as download via [script](../../tools/schema-downloader.py).
+original sources:
+
+Currently using version
+[ccbf7b5781ef534cd62616e3c4221004c7c82a66](https://github.com/CycloneDX/specification/commit/ccbf7b5781ef534cd62616e3c4221004c7c82a66)
+
+| file | note |
+|------|------|
+| [`bom-1.0.SNAPSHOT.xsd`](bom-1.0.SNAPSHOT.xsd) | applied changes: 1 |
+| [`bom-1.1.SNAPSHOT.xsd`](bom-1.1.SNAPSHOT.xsd) | applied changes: 1 |
+| [`bom-1.2.SNAPSHOT.xsd`](bom-1.2.SNAPSHOT.xsd) | applied changes: 1 |
+| [`bom-1.3.SNAPSHOT.xsd`](bom-1.3.SNAPSHOT.xsd) | applied changes: 1 |
+| [`bom-1.4.SNAPSHOT.xsd`](bom-1.4.SNAPSHOT.xsd) | applied changes: 1 |
+| [`bom-1.2.SNAPSHOT.schema.json`](bom-1.2.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
+| [`bom-1.3.SNAPSHOT.schema.json`](bom-1.3.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
+| [`bom-1.4.SNAPSHOT.schema.json`](bom-1.4.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
+| [`bom-1.2-strict.SNAPSHOT.schema.json`](bom-1.2-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
+| [`bom-1.3-strict.SNAPSHOT.schema.json`](bom-1.3-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5 |
+| [`spdx.SNAPSHOT.xsd`](spdx.SNAPSHOT.xsd) | |
+| [`spdx.SNAPSHOT.schema.json`](spdx.SNAPSHOT.schema.json) | |
+| [`jsf-0.82.SNAPSHOT.schema.json`](jsf-0.82.SNAPSHOT.schema.json) | |
+
+changes:
+1. `https?://cyclonedx.org/schema/spdx` was replaced with `spdx.SNAPSHOT.xsd`
+2. `spdx.schema.json` was replaced with `spdx.SNAPSHOT.schema.json`
+3. `jsf-0.82.schema.json` was replaced with `jsf-0.82.SNAPSHOT.schema.json`
+4. `properties.$schema.enum` was fixed to match `$id`
+5. `required.version` removed, as it is actually optional with default value
diff --git a/cyclonedx/__res/schema/bom-1.0.xsd b/cyclonedx/__res/schema/bom-1.0.SNAPSHOT.xsd
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.0.xsd
rename to cyclonedx/__res/schema/bom-1.0.SNAPSHOT.xsd
index 815ed9ee..64d0e33f 100644
--- a/cyclonedx/__res/schema/bom-1.0.xsd
+++ b/cyclonedx/__res/schema/bom-1.0.SNAPSHOT.xsd
@@ -7,9 +7,9 @@ targetNamespace="http://cyclonedx.org/schema/bom/1.0" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.0"> + version="1.0.1"> - +
diff --git a/cyclonedx/__res/schema/bom-1.1.xsd b/cyclonedx/__res/schema/bom-1.1.SNAPSHOT.xsd
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.1.xsd
rename to cyclonedx/__res/schema/bom-1.1.SNAPSHOT.xsd
index 1e7bc1e0..8ddbaf62 100644
--- a/cyclonedx/__res/schema/bom-1.1.xsd
+++ b/cyclonedx/__res/schema/bom-1.1.SNAPSHOT.xsd
@@ -24,7 +24,7 @@ limitations under the License. vc:maxVersion="1.1" version="1.1"> - +
diff --git a/cyclonedx/__res/schema/bom-1.2-strict.schema.json b/cyclonedx/__res/schema/bom-1.2-strict.SNAPSHOT.schema.json
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.2-strict.schema.json
rename to cyclonedx/__res/schema/bom-1.2-strict.SNAPSHOT.schema.json
index 30dad527..9a0f52d9 100644
--- a/cyclonedx/__res/schema/bom-1.2-strict.schema.json
+++ b/cyclonedx/__res/schema/bom-1.2-strict.SNAPSHOT.schema.json
@@ -6,11 +6,16 @@ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
 "required": [
 "bomFormat",
- "specVersion",
- "version"
+ "specVersion"
 ],
 "additionalProperties": false,
 "properties": {
+ "$schema": {
+ "type": "string",
+ "enum": [
+ "http://cyclonedx.org/schema/bom-1.2a.schema.json"
+ ]
+ },
 "bomFormat": {
 "$id": "#/properties/bomFormat",
 "type": "string",
@@ -589,7 +594,7 @@ "additionalProperties": false,
 "properties": {
 "id": {
- "$ref": "spdx.schema.json",
+ "$ref": "spdx.SNAPSHOT.schema.json",
 "title": "License ID (SPDX)",
 "description": "A valid SPDX license ID",
 "examples": ["Apache-2.0"]
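Review bot: The added `$schema` enum pins documents to `http://cyclonedx.org/schema/bom-1.2a.schema.json`, but this file's own `$id` sits above the hunk and is not shown, so the README's claim that the enum was "fixed to match `$id`" cannot be checked from the diff; the deleted bom-1.2b file further down carried `$id` bom-1.2b with enum bom-1.2a, which is exactly the kind of mismatch this is meant to remove. Extending the hunk context to include the `$id` line, or adding a test that asserts `properties.$schema.enum` equals `[$id]` for every `*.SNAPSHOT.schema.json`, would make the fix verifiable and stop a future run of the downloader from silently regressing it.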
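Review bot: `"$ref": "spdx.SNAPSHOT.schema.json"` is a relative reference, and JSON Schema resolvers resolve it against the base URI established by the document's `$id`; if that `$id` is an absolute `http://cyclonedx.org/...` URI, as the deleted bom-1.2b file's was, a default resolver turns the reference into a network fetch of `http://cyclonedx.org/schema/spdx.SNAPSHOT.schema.json` rather than a read of the neighbouring file. The offline intent therefore only holds when the validating code supplies a resolver or pre-loaded store rooted at this directory, or rebases the document URI onto the local path; that deserves a comment at the load site and a test that validation succeeds with network access disabled. The same applies to the `$ref` hunk in bom-1.2.SNAPSHOT.schema.json on the next line.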
diff --git a/cyclonedx/__res/schema/bom-1.2.schema.json b/cyclonedx/__res/schema/bom-1.2.SNAPSHOT.schema.json
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.2.schema.json
rename to cyclonedx/__res/schema/bom-1.2.SNAPSHOT.schema.json
index 2e44d942..539a7822 100644
--- a/cyclonedx/__res/schema/bom-1.2.schema.json
+++ b/cyclonedx/__res/schema/bom-1.2.SNAPSHOT.schema.json
@@ -6,8 +6,7 @@ "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
 "required": [
 "bomFormat",
- "specVersion",
- "version"
+ "specVersion"
 ],
 "properties": {
 "bomFormat": {
@@ -577,7 +576,7 @@ ],
 "properties": {
 "id": {
- "$ref": "spdx.schema.json",
+ "$ref": "spdx.SNAPSHOT.schema.json",
 "title": "License ID (SPDX)",
 "description": "A valid SPDX license ID",
 "examples": ["Apache-2.0"]
diff --git a/cyclonedx/__res/schema/bom-1.2.xsd b/cyclonedx/__res/schema/bom-1.2.SNAPSHOT.xsd
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.2.xsd
rename to cyclonedx/__res/schema/bom-1.2.SNAPSHOT.xsd
index 2eb7e486..145874ba 100644
--- a/cyclonedx/__res/schema/bom-1.2.xsd
+++ b/cyclonedx/__res/schema/bom-1.2.SNAPSHOT.xsd
@@ -22,9 +22,9 @@ limitations under the License. targetNamespace="http://cyclonedx.org/schema/bom/1.2" vc:minVersion="1.0" vc:maxVersion="1.1" - version="1.2.1"> + version="1.2"> - +
@@ -593,7 +593,7 @@ limitations under the License. - +
@@ -1415,4 +1415,4 @@ limitations under the License. - \ No newline at end of file +
diff --git a/cyclonedx/__res/schema/bom-1.2b.schema.json b/cyclonedx/__res/schema/bom-1.2b.schema.json
deleted file mode 100644
index be21fb16..00000000
--- a/cyclonedx/__res/schema/bom-1.2b.schema.json
+++ /dev/null
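Review bot: The `version` attribute of bom-1.2.SNAPSHOT.xsd moves from `1.2.1` to `1.2`, so the snapshot taken at the pinned upstream commit appears to be older than the copy it replaces, while bom-1.0 moves forward to `1.0.1` in the same commit; the surrounding XML of this hunk is not visible here, so whether any 1.2.1 corrections are lost cannot be told from the diff. It is worth confirming that the pinned commit `ccbf7b5781ef534cd62616e3c4221004c7c82a66` named in the README is the intended one and, if the regression is deliberate, recording why in the README's notes column for that file.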
@@ -1,1026 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "http://cyclonedx.org/schema/bom-1.2b.schema.json", - "type": "object", - "title": "CycloneDX Software Bill-of-Material Specification", - "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", - "required": [ - "bomFormat", - "specVersion", - "version" - ], - "additionalProperties": false, - "properties": { - "$schema": { - "type": "string", - "enum": [ - "http://cyclonedx.org/schema/bom-1.2a.schema.json" - ] - }, - "bomFormat": { - "$id": "#/properties/bomFormat", - "type": "string", - "title": "BOM Format", - "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.", - "enum": [ - "CycloneDX" - ] - }, - "specVersion": { - "$id": "#/properties/specVersion", - "type": "string", - "title": "CycloneDX Specification Version", - "description": "The version of the CycloneDX specification a BOM is written to (starting at version 1.2)", - "examples": ["1.2"] - }, - "serialNumber": { - "$id": "#/properties/serialNumber", - "type": "string", - "title": "BOM Serial Number", - "description": "Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.", - "default": "", - "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], - "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" - }, - "version": { - "$id": "#/properties/version", - "type": "integer", - "title": "BOM Version", - "description": "The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. 
When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.", - "default": 1, - "examples": [1] - }, - "metadata": { - "$id": "#/properties/metadata", - "$ref": "#/definitions/metadata", - "title": "BOM Metadata", - "description": "Provides additional information about a BOM." - }, - "components": { - "$id": "#/properties/components", - "type": "array", - "items": {"$ref": "#/definitions/component"}, - "uniqueItems": true, - "title": "Components" - }, - "services": { - "$id": "#/properties/services", - "type": "array", - "items": {"$ref": "#/definitions/service"}, - "uniqueItems": true, - "title": "Services" - }, - "externalReferences": { - "$id": "#/properties/externalReferences", - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." - }, - "dependencies": { - "$id": "#/properties/dependencies", - "type": "array", - "items": {"$ref": "#/definitions/dependency"}, - "uniqueItems": true, - "title": "Dependencies", - "description": "Provides the ability to document dependency relationships." - } - }, - "definitions": { - "metadata": { - "type": "object", - "title": "BOM Metadata Object", - "additionalProperties": false, - "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the document was created." 
- }, - "tools": { - "type": "array", - "title": "Creation Tools", - "description": "The tool(s) used in the creation of the BOM.", - "items": {"$ref": "#/definitions/tool"} - }, - "authors" :{ - "type": "array", - "title": "Authors", - "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", - "items": {"$ref": "#/definitions/organizationalContact"} - }, - "component": { - "title": "Component", - "description": "The component that the BOM describes.", - "$ref": "#/definitions/component" - }, - "manufacture": { - "title": "Manufacture", - "description": "The organization that manufactured the component that the BOM describes.", - "$ref": "#/definitions/organizationalEntity" - }, - "supplier": { - "title": "Supplier", - "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.", - "$ref": "#/definitions/organizationalEntity" - } - } - }, - "tool": { - "type": "object", - "title": "Tool", - "description": "The tool used to create the BOM.", - "additionalProperties": false, - "properties": { - "vendor": { - "type": "string", - "format": "string", - "title": "Tool Vendor", - "description": "The date and time (timestamp) when the document was created." - }, - "name": { - "type": "string", - "format": "string", - "title": "Tool Name", - "description": "The date and time (timestamp) when the document was created." - }, - "version": { - "type": "string", - "format": "string", - "title": "Tool Version", - "description": "The date and time (timestamp) when the document was created." - }, - "hashes": { - "$id": "#/definitions/tool/properties/hashes", - "type": "array", - "items": {"$ref": "#/definitions/hash"}, - "title": "Hashes", - "description": "The hashes of the tool (if applicable)." 
- } - } - }, - "organizationalEntity": { - "type": "object", - "title": "Organizational Entity Object", - "description": "", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the organization", - "default": "", - "examples": [ - "Example Inc." - ], - "pattern": "^(.*)$" - }, - "url": { - "type": "array", - "title": "URL", - "description": "The URL of the organization. Multiple URLs are allowed.", - "default": "", - "examples": ["https://example.com"], - "pattern": "^(.*)$" - }, - "contact": { - "type": "array", - "title": "Contact", - "description": "A contact at the organization. Multiple contacts are allowed.", - "items": {"$ref": "#/definitions/organizationalContact"} - } - } - }, - "organizationalContact": { - "type": "object", - "title": "Organizational Contact Object", - "description": "", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of a contact", - "default": "", - "examples": ["Contact name"], - "pattern": "^(.*)$" - }, - "email": { - "type": "string", - "title": "Email Address", - "description": "The email address of the contact. Multiple email addresses are allowed.", - "default": "", - "examples": ["firstname.lastname@example.com"], - "pattern": "^(.*)$" - }, - "phone": { - "type": "string", - "title": "Phone", - "description": "The phone number of the contact. Multiple phone numbers are allowed.", - "default": "", - "examples": ["800-555-1212"], - "pattern": "^(.*)$" - } - } - }, - "component": { - "type": "object", - "title": "Component Object", - "required": [ - "type", - "name", - "version" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "application", - "framework", - "library", - "container", - "operating-system", - "device", - "firmware", - "file" - ], - "title": "Component Type", - "description": "Specifies the type of component. 
For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", - "default": "", - "examples": ["library"], - "pattern": "^(.*)$" - }, - "mime-type": { - "type": "string", - "title": "Mime-Type", - "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", - "default": "", - "examples": ["image/jpeg"], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "bom-ref": { - "type": "string", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique.", - "default": "", - "pattern": "^(.*)$" - }, - "supplier": { - "title": "Component Supplier", - "description": " The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.", - "$ref": "#/definitions/organizationalEntity" - }, - "author": { - "type": "string", - "title": "Component Author", - "description": "The person(s) or organization(s) that authored the component", - "default": "", - "examples": ["Acme Inc"], - "pattern": "^(.*)$" - }, - "publisher": { - "type": "string", - "title": "Component Publisher", - "description": "The person(s) or organization(s) that published the component", - "default": "", - "examples": ["Acme Inc"], - "pattern": "^(.*)$" - }, - "group": { - "type": "string", - "title": "Component Group", - "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. 
Examples include: apache, org.apache.commons, and apache.org.", - "default": "", - "examples": ["com.acme"], - "pattern": "^(.*)$" - }, - "name": { - "type": "string", - "title": "Component Name", - "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", - "default": "", - "examples": ["tomcat-catalina"], - "pattern": "^(.*)$" - }, - "version": { - "type": "string", - "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", - "default": "", - "examples": ["9.0.14"], - "pattern": "^(.*)$" - }, - "description": { - "type": "string", - "title": "Component Description", - "description": "Specifies a description for the component", - "default": "", - "pattern": "^(.*)$" - }, - "scope": { - "type": "string", - "enum": [ - "required", - "optional", - "excluded" - ], - "title": "Component Scope", - "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope should be assumed by the consumer of the BOM", - "default": "required", - "pattern": "^(.*)$" - }, - "hashes": { - "type": "array", - "title": "Component Hashes", - "items": {"$ref": "#/definitions/hash"} - }, - "licenses": { - "type": "array", - "title": "Component License(s)", - "items": { - "additionalProperties": false, - "properties": { - "license": { - "$ref": "#/definitions/license" - }, - "expression": { - "type": "string", - "title": "SPDX License Expression", - "examples": [ - "Apache-2.0 AND (MIT OR GPL-2.0-only)", - "GPL-3.0-only WITH Classpath-exception-2.0" - ], - "pattern": "^(.*)$" - } - }, - "oneOf":[ - { - "required": ["license"] - }, - { - "required": ["expression"] - } - ] - } - }, - "copyright": { - "type": "string", - "title": "Component Copyright", - "description": "An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "examples": ["Acme Inc"], - "pattern": "^(.*)$" - }, - "cpe": { - "type": "string", - "title": "Component Common Platform Enumeration (CPE)", - "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe", - "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"], - "pattern": "^(.*)$" - }, - "purl": { - "type": "string", - "title": "Component Package URL (purl)", - "default": "", - "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"], - "pattern": "^(.*)$" - }, - "swid": { - "$ref": "#/definitions/swid", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags." - }, - "modified": { - "type": "boolean", - "title": "Component Modified From Original", - "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. 
A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." - }, - "pedigree": { - "type": "object", - "title": "Component Pedigree", - "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", - "additionalProperties": false, - "properties": { - "ancestors": { - "type": "array", - "title": "Ancestors", - "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", - "items": {"$ref": "#/definitions/component"} - }, - "descendants": { - "type": "array", - "title": "Descendants", - "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", - "items": {"$ref": "#/definitions/component"} - }, - "variants": { - "type": "array", - "title": "Variants", - "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", - "items": {"$ref": "#/definitions/component"} - }, - "commits": { - "type": "array", - "title": "Commits", - "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", - "items": {"$ref": "#/definitions/commit"} - }, - "patches": { - "type": "array", - "title": "Patches", - "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", - "items": {"$ref": "#/definitions/patch"} - }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Notes, observations, and other non-structured commentary describing the components pedigree.", - "pattern": "^(.*)$" - } - } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References" - }, - "components": { - "$id": "#/definitions/component/properties/components", - "type": "array", - "items": {"$ref": "#/definitions/component"}, - "uniqueItems": true, - "title": "Components" - } - } - }, - "swid": { - "type": "object", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", - "required": [ - "tagId", - "name" - ], - "additionalProperties": false, - "properties": { - "tagId": { - "type": "string", - "title": "Tag ID", - "description": "Maps to the tagId of a SoftwareIdentity." - }, - "name": { - "type": "string", - "title": "Name", - "description": "Maps to the name of a SoftwareIdentity." - }, - "version": { - "type": "string", - "title": "Version", - "default": "0.0", - "description": "Maps to the version of a SoftwareIdentity." 
- }, - "tagVersion": { - "type": "integer", - "title": "Tag Version", - "default": 0, - "description": "Maps to the tagVersion of a SoftwareIdentity." - }, - "patch": { - "type": "boolean", - "title": "Patch", - "default": false, - "description": "Maps to the patch of a SoftwareIdentity." - }, - "text": { - "title": "Attachment text", - "description": "Specifies the metadata and content of the SWID tag.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "URL", - "default": "The URL to the SWID file.", - "pattern": "^(.*)$" - } - } - }, - "attachment": { - "type": "object", - "title": "Attachment", - "description": "Specifies the metadata and content for an attachment.", - "required": [ - "content" - ], - "additionalProperties": false, - "properties": { - "contentType": { - "type": "string", - "title": "Content-Type", - "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", - "default": "text/plain" - }, - "encoding": { - "type": "string", - "title": "Encoding", - "description": "Specifies the optional encoding the text is represented in.", - "enum": [ - "base64" - ], - "default": "", - "pattern": "^(.*)$" - }, - "content": { - "type": "string", - "title": "Attachment Text", - "description": "The attachment data" - } - } - }, - "hash": { - "type": "object", - "title": "Hash Objects", - "required": [ - "alg", - "content" - ], - "additionalProperties": false, - "properties": { - "alg": { - "$ref": "#/definitions/hash-alg" - }, - "content": { - "$ref": "#/definitions/hash-content" - } - } - }, - "hash-alg": { - "type": "string", - "enum": [ - "MD5", - "SHA-1", - "SHA-256", - "SHA-384", - "SHA-512", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "BLAKE2b-256", - "BLAKE2b-384", - "BLAKE2b-512", - "BLAKE3" - ], - "title": "Hash Algorithm", - "default": "", - "pattern": "^(.*)$" - }, - "hash-content": { - "type": "string", - "title": "Hash Content (value)", - "default": "", - "examples": 
["3942447fac867ae5cdb3229b658f4d48"], - "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" - }, - "license": { - "type": "object", - "title": "License Object", - "oneOf": [ - { - "required": ["id"] - }, - { - "required": ["name"] - } - ], - "additionalProperties": false, - "properties": { - "id": { - "$ref": "spdx.schema.json", - "title": "License ID (SPDX)", - "description": "A valid SPDX license ID", - "examples": ["Apache-2.0"] - }, - "name": { - "type": "string", - "title": "License Name", - "description": "If SPDX does not define the license used, this field may be used to provide the license name", - "default": "", - "examples": ["Acme Software License"], - "pattern": "^(.*)$" - }, - "text": { - "title": "License text", - "description": "An optional way to include the textual content of a license.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "License URL", - "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", - "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], - "pattern": "^(.*)$" - } - } - }, - "commit": { - "type": "object", - "title": "Commit", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "uid": { - "type": "string", - "title": "UID", - "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.", - "pattern": "^(.*)$" - }, - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", - "format": "iri-reference" - }, - "author": { - "title": "Author", - "description": "The author who created the changes in the commit", - "$ref": "#/definitions/identifiableAction" - }, - "committer": { - "title": "Committer", - "description": "The person who committed or pushed the commit", - "$ref": "#/definitions/identifiableAction" - }, - "message": { - "type": "string", - "title": "Message", - "description": "The text description of the contents of the commit", - "pattern": "^(.*)$" - } - } - }, - "patch": { - "type": "object", - "title": "Patch", - "description": "Specifies an individual patch", - "required": [ - "type" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "unofficial", - "monkey", - "backport", - "cherry-pick" - ], - "title": "Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality" - }, - "diff": { - "title": "Diff", - "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", - "$ref": "#/definitions/diff" - }, - "resolves": { - "type": "array", - "items": {"$ref": "#/definitions/issue"}, - "title": "Resolves", - "description": "A collection of issues the patch resolves" - } - } - }, - "diff": { - "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", - "additionalProperties": false, - "properties": { - "text": { - "title": "Diff text", - "description": "Specifies the optional text of the diff", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "URL", - "description": "Specifies the URL to the diff", - "pattern": "^(.*)$" - } - } - }, - "issue": { - "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that show changes. 
Refer to https://en.wikipedia.org/wiki/Diff", - "required": [ - "type" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "defect", - "enhancement", - "security" - ], - "title": "Type", - "description": "Specifies the type of issue" - }, - "id": { - "type": "string", - "title": "ID", - "description": "The identifier of the issue assigned by the source of the issue", - "pattern": "^(.*)$" - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the issue", - "pattern": "^(.*)$" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the issue", - "pattern": "^(.*)$" - }, - "source": { - "type": "object", - "title": "Source", - "description": "The source of the issue where it is documented", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'", - "pattern": "^(.*)$" - }, - "url": { - "type": "string", - "title": "URL", - "description": "The url of the issue documentation as provided by the source", - "pattern": "^(.*)$" - } - } - }, - "references": { - "type": "array", - "title": "References", - "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", - "default": "", - "examples": ["https://example.com"], - "pattern": "^(.*)$" - } - } - }, - "identifiableAction": { - "type": "object", - "title": "Identifiable Action", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The timestamp in which the action occurred" - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the individual who performed the action", - "pattern": "^(.*)$" - }, - "email": { - "type": "string", - "format": "idn-email", - "title": "E-mail", - "description": "The email address of the individual who performed the action" - } - } - }, - "externalReference": { - "type": "object", - "title": "External Reference", - "description": "Specifies an individual external reference", - "required": [ - "url", - "type" - ], - "additionalProperties": false, - "properties": { - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the external reference", - "pattern": "^(.*)$" - }, - "comment": { - "type": "string", - "title": "Comment", - "description": "An optional comment describing the external reference", - "pattern": "^(.*)$" - }, - "type": { - "type": "string", - "title": "Type", - "description": "Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the \"other\" type.", - "enum": [ - "vcs", - "issue-tracker", - "website", - "advisories", - "bom", - "mailing-list", - "social", - "chat", - "documentation", - "support", - "distribution", - "license", - "build-meta", - "build-system", - "other" - ] - } - } - }, - "dependency": { - "type": "object", - "title": "Dependency", - "description": "Defines the direct dependencies of a component. 
Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.", - "required": [ - "ref" - ], - "additionalProperties": false, - "properties": { - "ref": { - "type": "string", - "format": "string", - "title": "Reference", - "description": "References a component by the components bom-ref attribute" - }, - "dependsOn": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - }, - "title": "Depends On", - "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." - } - } - }, - "service": { - "type": "object", - "title": "Service Object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "type": "string", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique.", - "default": "", - "pattern": "^(.*)$" - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "#/definitions/organizationalEntity" - }, - "group": { - "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", - "default": "", - "examples": ["com.acme"], - "pattern": "^(.*)$" - }, - "name": { - "type": "string", - "title": "Service Name", - "description": "The name of the service. 
This will often be a shortened, single name of the service.", - "default": "", - "examples": ["ticker-service"], - "pattern": "^(.*)$" - }, - "version": { - "type": "string", - "title": "Service Version", - "description": "The service version.", - "default": "", - "examples": ["1.0.0"], - "pattern": "^(.*)$" - }, - "description": { - "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service", - "default": "", - "pattern": "^(.*)$" - }, - "endpoints": { - "type": "array", - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "default": "", - "examples": ["https://example.com/api/v1/ticker"], - "pattern": "^(.*)$" - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." - }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." - }, - "data": { - "type": "array", - "items": {"$ref": "#/definitions/dataClassification"}, - "title": "Data Classification", - "description": "Specifies the data classification." 
- },
- "licenses": {
- "type": "array",
- "title": "Component License(s)",
- "items": {
- "additionalProperties": false,
- "properties": {
- "license": {
- "$ref": "#/definitions/license"
- },
- "expression": {
- "type": "string",
- "title": "SPDX License Expression",
- "examples": [
- "Apache-2.0 AND (MIT OR GPL-2.0-only)",
- "GPL-3.0-only WITH Classpath-exception-2.0"
- ],
- "pattern": "^(.*)$"
- }
- },
- "oneOf":[
- {
- "required": ["license"]
- },
- {
- "required": ["expression"]
- }
- ]
- }
- },
- "externalReferences": {
- "type": "array",
- "items": {"$ref": "#/definitions/externalReference"},
- "title": "External References"
- },
- "services": {
- "$id": "#/definitions/service/properties/services",
- "type": "array",
- "items": {"$ref": "#/definitions/service"},
- "uniqueItems": true,
- "title": "Services"
- }
- }
- },
- "dataClassification": {
- "type": "object",
- "title": "Hash Objects",
- "required": [
- "flow",
- "classification"
- ],
- "additionalProperties": false,
- "properties": {
- "flow": {
- "$ref": "#/definitions/dataFlow"
- },
- "classification": {
- "type": "string"
- }
- }
- },
- "dataFlow": {
- "type": "string",
- "enum": [
- "inbound",
- "outbound",
- "bi-directional",
- "unknown"
- ],
- "title": "Data flow direction",
- "default": "",
- "pattern": "^(.*)$"
- }
- }
-}
diff --git a/cyclonedx/__res/schema/bom-1.3-strict.schema.json b/cyclonedx/__res/schema/bom-1.3-strict.SNAPSHOT.schema.json
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.3-strict.schema.json
rename to cyclonedx/__res/schema/bom-1.3-strict.SNAPSHOT.schema.json
index 35c8c2e5..5e9d273b 100644
--- a/cyclonedx/__res/schema/bom-1.3-strict.schema.json
+++ b/cyclonedx/__res/schema/bom-1.3-strict.SNAPSHOT.schema.json
@@ -6,8 +6,7 @@
 "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
 "required": [
 "bomFormat",
- "specVersion",
- "version"
+ "specVersion"
 ],
 "additionalProperties": false,
 "properties": {
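Review bot: Dropping `"version"` from the top-level `required` list makes this vendored copy accept documents that the pre-change schema (and, presumably, the upstream bom-1.3 schema it was copied from) rejects, so a BOM that passes local validation can still be refused by a consumer validating against upstream; the same edit is made in the bom-1.3.SNAPSHOT.schema.json hunk below. The only in-file provenance is the existing `$comment` line, so a future re-download would silently drop this deviation or re-tighten the schema without anyone noticing. Consider extending that string, e.g. `"$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0. Local snapshot: 'version' removed from 'required' (optional, defaults to 1) - see README.md",` and keeping the serializer emitting `version` unconditionally so produced output stays conformant with the stricter upstream copy.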
@@ -563,7 +562,7 @@
 "additionalProperties": false,
 "properties": {
 "id": {
- "$ref": "spdx.schema.json",
+ "$ref": "spdx.SNAPSHOT.schema.json",
 "title": "License ID (SPDX)",
 "description": "A valid SPDX license ID",
 "examples": ["Apache-2.0"]
@@ -1082,4 +1081,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/cyclonedx/__res/schema/bom-1.3.schema.json b/cyclonedx/__res/schema/bom-1.3.SNAPSHOT.schema.json
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.3.schema.json
rename to cyclonedx/__res/schema/bom-1.3.SNAPSHOT.schema.json
index fdec9736..5ccecf89 100644
--- a/cyclonedx/__res/schema/bom-1.3.schema.json
+++ b/cyclonedx/__res/schema/bom-1.3.SNAPSHOT.schema.json
@@ -6,8 +6,7 @@
 "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
 "required": [
 "bomFormat",
- "specVersion",
- "version"
+ "specVersion"
 ],
 "properties": {
 "bomFormat": {
@@ -546,7 +545,7 @@
 ],
 "properties": {
 "id": {
- "$ref": "spdx.schema.json",
+ "$ref": "spdx.SNAPSHOT.schema.json",
 "title": "License ID (SPDX)",
 "description": "A valid SPDX license ID",
 "examples": ["Apache-2.0"]
diff --git a/cyclonedx/__res/schema/bom-1.3.xsd b/cyclonedx/__res/schema/bom-1.3.SNAPSHOT.xsd
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.3.xsd
rename to cyclonedx/__res/schema/bom-1.3.SNAPSHOT.xsd
index 904d6369..0c411a3e 100644
--- a/cyclonedx/__res/schema/bom-1.3.xsd
+++ b/cyclonedx/__res/schema/bom-1.3.SNAPSHOT.xsd
@@ -22,9 +22,9 @@ limitations under the License.
 targetNamespace="http://cyclonedx.org/schema/bom/1.3"
 vc:minVersion="1.0"
 vc:maxVersion="1.1"
- version="1.3.1">
+ version="1.3">
-
+
@@ -598,7 +598,7 @@ limitations under the License.
-
+
@@ -1628,4 +1628,4 @@ limitations under the License.
-
\ No newline at end of file
+
diff --git a/cyclonedx/__res/schema/bom-1.3.proto b/cyclonedx/__res/schema/bom-1.3.proto
deleted file mode 100644
index 5c9926b2..00000000
--- a/cyclonedx/__res/schema/bom-1.3.proto
+++ /dev/null
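Review bot: The relative `"$ref": "spdx.SNAPSHOT.schema.json"` is resolved against the schema's base URI, and if this file's `$id` is still an absolute `http://cyclonedx.org/schema/...` URL (as it is in the deleted bom-1.3a copy further down this diff), a spec-following validator will compute `http://cyclonedx.org/schema/spdx.SNAPSHOT.schema.json` — a name that only exists in this directory — and either fail to resolve it or attempt the network fetch this offline snapshot was meant to avoid. The same applies to the bom-1.3.SNAPSHOT.schema.json `$ref` hunk below. The loading code should pre-register the snapshot documents under their resolved URIs (or use a resolver rooted at this directory) instead of relying on default remote retrieval, and that expectation is worth stating next to the ref, e.g. `"$comment": "relative ref to the vendored SPDX snapshot; must be resolved from the local store, never fetched",`. Please also confirm the `$id` of `spdx.SNAPSHOT.schema.json` itself was updated to match its new filename, otherwise the ref and the document's own identity disagree.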
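Review bot: The bom-1.3.SNAPSHOT.xsd hunk at `@@ -22,9 +22,9 @@` changes the root `version` attribute from `"1.3.1"` to `"1.3"`, which does not look like part of the offline-snapshot rewrite (the spdx import redirect) and reads as a step backwards in the schema's self-declared revision; if it is simply what the chosen upstream revision contains, say so in the commit message so the next refresh does not treat it as a regression. The surviving `-`/`+` lines in the `@@ -598` and `@@ -1628` hunks have lost their content in this rendering, so the import redirect itself could not be checked here.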
@@ -1,452 +0,0 @@ -syntax = "proto3"; -package cyclonedx.v1_3; -import "google/protobuf/timestamp.proto"; - -// Specifies attributes of the text -message AttachedText { - // Specifies the content type of the text. Defaults to text/plain if not specified. - optional string content_type = 1; - // Specifies the optional encoding the text is represented in - optional string encoding = 2; - // SimpleContent value of element - string value = 3; -} - -message Bom { - // The version of the CycloneDX specification a BOM is written to (starting at version 1.3) - string spec_version = 1; - // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'. - optional int32 version = 2; - // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated. - optional string serial_number = 3; - // Provides additional information about a BOM. - optional Metadata metadata = 4; - // Provides the ability to document a list of components. - repeated Component components = 5; - // Provides the ability to document a list of external services. - repeated Service services = 6; - // Provides the ability to document external references related to the BOM or to the project the BOM describes. - repeated ExternalReference external_references = 7; - // Provides the ability to document dependency relationships. 
- repeated Dependency dependencies = 8; - // Provides the ability to document aggregate completeness - repeated Composition compositions = 9; -} - -enum Classification { - CLASSIFICATION_NULL = 0; - // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications. - CLASSIFICATION_APPLICATION = 1; - // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries. - CLASSIFICATION_FRAMEWORK = 2; - // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended. - CLASSIFICATION_LIBRARY = 3; - // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system - CLASSIFICATION_OPERATING_SYSTEM = 4; - // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. - CLASSIFICATION_DEVICE = 5; - // A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files. - CLASSIFICATION_FILE = 6; - // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. 
Refer to https://en.wikipedia.org/wiki/OS-level_virtualization - CLASSIFICATION_CONTAINER = 7; - // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware - CLASSIFICATION_FIRMWARE = 8; -} - -message Commit { - // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes. - optional string uid = 1; - // The URL to the commit. This URL will typically point to a commit in a version control system. - optional string url = 2; - // The author who created the changes in the commit - optional IdentifiableAction author = 3; - // The person who committed or pushed the commit - optional IdentifiableAction committer = 4; - // The text description of the contents of the commit - optional string message = 5; -} - -message Component { - // Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. - Classification type = 1; - // The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type. - optional string mime_type = 2; - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 3; - // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. 
- optional OrganizationalEntity supplier = 4; - // The person(s) or organization(s) that authored the component - optional string author = 5; - // The person(s) or organization(s) that published the component - optional string publisher = 6; - // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org. - optional string group = 7; - // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery - string name = 8; - // The component version. The version should ideally comply with semantic versioning but is not enforced. - string version = 9; - // Specifies a description for the component - optional string description = 10; - // Specifies the scope of the component. If scope is not specified, 'runtime' scope should be assumed by the consumer of the BOM - optional Scope scope = 11; - repeated Hash hashes = 12; - repeated LicenseChoice licenses = 13; - // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work. - optional string copyright = 14; - // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe - optional string cpe = 15; - // Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec - optional string purl = 16; - // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. - optional Swid swid = 17; - // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. 
A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original. - optional bool modified = 18; - // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. - optional Pedigree pedigree = 19; - // Provides the ability to document external references related to the component or to the project the component describes. - repeated ExternalReference external_references = 20; - // Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. - repeated Component components = 21; - // Specifies optional, custom, properties - repeated Property properties = 22; - // Specifies optional license and copyright evidence - repeated Evidence evidence = 23; -} - -// Specifies the data classification. -message DataClassification { - // Specifies the flow direction of the data. - DataFlow flow = 1; - // SimpleContent value of element - string value = 2; -} - -// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known. 
-enum DataFlow { - DATA_FLOW_NULL = 0; - DATA_FLOW_INBOUND = 1; - DATA_FLOW_OUTBOUND = 2; - DATA_FLOW_BI_DIRECTIONAL = 3; - DATA_FLOW_UNKNOWN = 4; -} - -message Dependency { - // References a component or service by the its bom-ref attribute - string ref = 1; - repeated Dependency dependencies = 2; -} - -message Diff { - // Specifies the optional text of the diff - optional AttachedText text = 1; - // Specifies the URL to the diff - optional string url = 2; -} - -message ExternalReference { - // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type. - ExternalReferenceType type = 1; - // The URL to the external reference - string url = 2; - // An optional comment describing the external reference - optional string comment = 3; - // Optional integrity hashes for the external resource content - repeated Hash hashes = 4; -} - -enum ExternalReferenceType { - // Use this if no other types accurately describe the purpose of the external reference - EXTERNAL_REFERENCE_TYPE_OTHER = 0; - // Version Control System - EXTERNAL_REFERENCE_TYPE_VCS = 1; - // Issue or defect tracking system, or an Application Lifecycle Management (ALM) system - EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2; - // Website - EXTERNAL_REFERENCE_TYPE_WEBSITE = 3; - // Security advisories - EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4; - // Bill-of-material document (CycloneDX, SPDX, SWID, etc) - EXTERNAL_REFERENCE_TYPE_BOM = 5; - // Mailing list or discussion group - EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6; - // Social media account - EXTERNAL_REFERENCE_TYPE_SOCIAL = 7; - // Real-time chat platform - EXTERNAL_REFERENCE_TYPE_CHAT = 8; - // Documentation, guides, or how-to instructions - EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9; - // Community or commercial support - EXTERNAL_REFERENCE_TYPE_SUPPORT = 10; - // Direct or repository download location - EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 
11; - // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness - EXTERNAL_REFERENCE_TYPE_LICENSE = 12; - // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) - EXTERNAL_REFERENCE_TYPE_BUILD_META = 13; - // URL to an automated build system - EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14; -} - -enum HashAlg { - HASH_ALG_NULL = 0; - HASH_ALG_MD_5 = 1; - HASH_ALG_SHA_1 = 2; - HASH_ALG_SHA_256 = 3; - HASH_ALG_SHA_384 = 4; - HASH_ALG_SHA_512 = 5; - HASH_ALG_SHA_3_256 = 6; - HASH_ALG_SHA_3_384 = 7; - HASH_ALG_SHA_3_512 = 8; - HASH_ALG_BLAKE_2_B_256 = 9; - HASH_ALG_BLAKE_2_B_384 = 10; - HASH_ALG_BLAKE_2_B_512 = 11; - HASH_ALG_BLAKE_3 = 12; -} - -// Specifies the file hash of the component -message Hash { - // Specifies the algorithm used to create the hash - HashAlg alg = 1; - // SimpleContent value of element - string value = 2; -} - -message IdentifiableAction { - // The timestamp in which the action occurred - optional google.protobuf.Timestamp timestamp = 1; - // The name of the individual who performed the action - optional string name = 2; - // The email address of the individual who performed the action - optional string email = 3; -} - -enum IssueClassification { - ISSUE_CLASSIFICATION_NULL = 0; - // A fault, flaw, or bug in software - ISSUE_CLASSIFICATION_DEFECT = 1; - // A new feature or behavior in software - ISSUE_CLASSIFICATION_ENHANCEMENT = 2; - // A special type of defect which impacts security - ISSUE_CLASSIFICATION_SECURITY = 3; -} - -message Issue { - // Specifies the type of issue - IssueClassification type = 1; - // The identifier of the issue assigned by the source of the issue - optional string id = 2; - // The name of the issue - optional string name = 3; - // A description of the issue - optional string description = 4; - optional Source source = 5; - repeated string references = 6; -} - -// The source of the issue where it is 
documented. -message Source { - // The name of the source. For example "National Vulnerability Database", "NVD", and "Apache" - optional string name = 1; - // The url of the issue documentation as provided by the source - optional string url = 2; -} - -message LicenseChoice { - oneof choice { - License license = 1; - string expression = 2; - } -} - -message License { - oneof license { - // A valid SPDX license ID - string id = 1; - // If SPDX does not define the license used, this field may be used to provide the license name - string name = 2; - } - // Specifies the optional full text of the attachment - optional AttachedText text = 3; - // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness. - optional string url = 4; -} - -message Metadata { - // The date and time (timestamp) when the document was created. - optional google.protobuf.Timestamp timestamp = 1; - // The tool(s) used in the creation of the BOM. - repeated Tool tools = 2; - // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors. - repeated OrganizationalContact authors = 3; - // The component that the BOM describes. - optional Component component = 4; - // The organization that manufactured the component that the BOM describes. - optional OrganizationalEntity manufacture = 5; - // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. - optional OrganizationalEntity supplier = 6; - // The license information for the BOM document - optional LicenseChoice licenses = 7; - // Specifies optional, custom, properties - repeated Property properties = 8; -} - -message OrganizationalContact { - // The name of the contact - optional string name = 1; - // The email address of the contact. 
- optional string email = 2; - // The phone number of the contact. - optional string phone = 3; -} - -message OrganizationalEntity { - // The name of the organization - optional string name = 1; - // The URL of the organization. Multiple URLs are allowed. - repeated string url = 2; - // A contact person at the organization. Multiple contacts are allowed. - repeated OrganizationalContact contact = 3; -} - -enum PatchClassification { - PATCH_CLASSIFICATION_NULL = 0; - // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch - PATCH_CLASSIFICATION_UNOFFICIAL = 1; - // A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch - PATCH_CLASSIFICATION_MONKEY = 2; - // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting - PATCH_CLASSIFICATION_BACKPORT = 3; - // A patch created by selectively applying commits from other versions or branches of the same software. - PATCH_CLASSIFICATION_CHERRY_PICK = 4; -} - -message Patch { - // Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality - PatchClassification type = 1; - // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff - optional Diff diff = 2; - repeated Issue resolves = 3; -} - -// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known. -message Pedigree { - // Describes zero or more components in which a component is derived from. 
This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from. - repeated Component ancestors = 1; - // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component. - repeated Component descendants = 2; - // Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor. - repeated Component variants = 3; - // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant. - repeated Commit commits = 4; - // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits. - repeated Patch patches = 5; - // Notes, observations, and other non-structured commentary describing the components pedigree. - optional string notes = 6; -} - -enum Scope { - // Default - SCOPE_UNSPECIFIED = 0; - // The component is required for runtime - SCOPE_REQUIRED = 1; - // The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'. 
- SCOPE_OPTIONAL = 2; - // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime. - SCOPE_EXCLUDED = 3; -} - -message Service { - // An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The organization that provides the service. - optional OrganizationalEntity provider = 2; - // The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided. - optional string group = 3; - // The name of the service. This will often be a shortened, single name of the service. - string name = 4; - // The service version. - optional string version = 5; - // Specifies a description for the service. - optional string description = 6; - repeated string endpoints = 7; - // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication. - optional bool authenticated = 8; - // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed. - optional bool x_trust_boundary = 9; - repeated DataClassification data = 10; - repeated LicenseChoice licenses = 11; - // Provides the ability to document external references related to the service. - repeated ExternalReference external_references = 12; - // Specifies optional sub-service. This is not a dependency tree. 
It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. - repeated Service services = 13; - // Specifies optional, custom, properties - repeated Property properties = 14; -} - -message Swid { - // Maps to the tagId of a SoftwareIdentity. - string tag_id = 1; - // Maps to the name of a SoftwareIdentity. - string name = 2; - // Maps to the version of a SoftwareIdentity. - optional string version = 3; - // Maps to the tagVersion of a SoftwareIdentity. - optional int32 tag_version = 4; - // Maps to the patch of a SoftwareIdentity. - optional bool patch = 5; - // Specifies the full content of the SWID tag. - optional AttachedText text = 6; - // The URL to the SWID file. - optional string url = 7; -} - -// Specifies a tool (manual or automated). -message Tool { - // The vendor of the tool used to create the BOM. - optional string vendor = 1; - // The name of the tool used to create the BOM. - optional string name = 2; - // The version of the tool used to create the BOM. 
- optional string version = 3; - repeated Hash hashes = 4; -} - -// Specifies a property -message Property { - string name = 1; - optional string value = 2; -} - -enum Aggregate { - // Default, no statement about the aggregate completeness is being made - AGGREGATE_NOT_SPECIFIED = 0; - // The aggregate composition is complete - AGGREGATE_COMPLETE = 1; - // The aggregate composition is incomplete - AGGREGATE_INCOMPLETE = 2; - // The aggregate composition is incomplete for first party components, complete for third party components - AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3; - // The aggregate composition is incomplete for third party components, complete for first party components - AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4; - // The aggregate composition completeness is unknown - AGGREGATE_UNKNOWN = 5; -} - -message Composition { - // Indicates the aggregate completeness - Aggregate aggregate = 1; - // The assemblies the aggregate completeness applies to - repeated string assemblies = 2; - // The dependencies the aggregate completeness applies to - repeated string dependencies = 3; -} - -message EvidenceCopyright { - // Copyright text - string text = 1; -} - -message Evidence { - repeated LicenseChoice licenses = 1; - repeated EvidenceCopyright copyright = 2; -} diff --git a/cyclonedx/__res/schema/bom-1.3a.schema.json b/cyclonedx/__res/schema/bom-1.3a.schema.json deleted file mode 100644 index 41b0b945..00000000 --- a/cyclonedx/__res/schema/bom-1.3a.schema.json +++ /dev/null 
@@ -1,1085 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "http://cyclonedx.org/schema/bom-1.3a.schema.json", - "type": "object", - "title": "CycloneDX Software Bill-of-Material Specification", - "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", - "required": [ - "bomFormat", - "specVersion", - "version" - ], - "additionalProperties": false, - "properties": { - "$schema": { - "type": "string", - "enum": [ - "http://cyclonedx.org/schema/bom-1.3.schema.json" - ] - }, - "bomFormat": { - "$id": "#/properties/bomFormat", - "type": "string", - "title": "BOM Format", - "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces.", - "enum": [ - "CycloneDX" - ] - }, - "specVersion": { - "$id": "#/properties/specVersion", - "type": "string", - "title": "CycloneDX Specification Version", - "description": "The version of the CycloneDX specification a BOM is written to (starting at version 1.2)", - "examples": ["1.3"] - }, - "serialNumber": { - "$id": "#/properties/serialNumber", - "type": "string", - "title": "BOM Serial Number", - "description": "Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.", - "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], - "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" - }, - "version": { - "$id": "#/properties/version", - "type": "integer", - "title": "BOM Version", - "description": "The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. 
When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.", - "default": 1, - "examples": [1] - }, - "metadata": { - "$id": "#/properties/metadata", - "$ref": "#/definitions/metadata", - "title": "BOM Metadata", - "description": "Provides additional information about a BOM." - }, - "components": { - "$id": "#/properties/components", - "type": "array", - "items": {"$ref": "#/definitions/component"}, - "uniqueItems": true, - "title": "Components" - }, - "services": { - "$id": "#/properties/services", - "type": "array", - "items": {"$ref": "#/definitions/service"}, - "uniqueItems": true, - "title": "Services" - }, - "externalReferences": { - "$id": "#/properties/externalReferences", - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM." - }, - "dependencies": { - "$id": "#/properties/dependencies", - "type": "array", - "items": {"$ref": "#/definitions/dependency"}, - "uniqueItems": true, - "title": "Dependencies", - "description": "Provides the ability to document dependency relationships." - }, - "compositions": { - "$id": "#/properties/compositions", - "type": "array", - "items": {"$ref": "#/definitions/compositions"}, - "uniqueItems": true, - "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." 
- } - }, - "definitions": { - "metadata": { - "type": "object", - "title": "BOM Metadata Object", - "additionalProperties": false, - "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The date and time (timestamp) when the document was created." - }, - "tools": { - "type": "array", - "title": "Creation Tools", - "description": "The tool(s) used in the creation of the BOM.", - "items": {"$ref": "#/definitions/tool"} - }, - "authors" :{ - "type": "array", - "title": "Authors", - "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", - "items": {"$ref": "#/definitions/organizationalContact"} - }, - "component": { - "title": "Component", - "description": "The component that the BOM describes.", - "$ref": "#/definitions/component" - }, - "manufacture": { - "title": "Manufacture", - "description": "The organization that manufactured the component that the BOM describes.", - "$ref": "#/definitions/organizationalEntity" - }, - "supplier": { - "title": "Supplier", - "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/definitions/organizationalEntity" - }, - "licenses": { - "type": "array", - "title": "BOM License(s)", - "items": {"$ref": "#/definitions/licenseChoice"} - }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values.", - "items": {"$ref": "#/definitions/property"} - } - } - }, - "tool": { - "type": "object", - "title": "Tool", - "description": "The tool used to create the BOM.", - "additionalProperties": false, - "properties": { - "vendor": { - "type": "string", - "title": "Tool Vendor", - "description": "The date and time (timestamp) when the document was created." - }, - "name": { - "type": "string", - "title": "Tool Name", - "description": "The date and time (timestamp) when the document was created." - }, - "version": { - "type": "string", - "title": "Tool Version", - "description": "The date and time (timestamp) when the document was created." - }, - "hashes": { - "$id": "#/definitions/tool/properties/hashes", - "type": "array", - "items": {"$ref": "#/definitions/hash"}, - "title": "Hashes", - "description": "The hashes of the tool (if applicable)." - } - } - }, - "organizationalEntity": { - "type": "object", - "title": "Organizational Entity Object", - "description": "", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the organization", - "examples": [ - "Example Inc." - ] - }, - "url": { - "type": "array", - "items": { - "type": "string", - "format": "iri-reference" - }, - "title": "URL", - "description": "The URL of the organization. Multiple URLs are allowed.", - "examples": ["https://example.com"] - }, - "contact": { - "type": "array", - "title": "Contact", - "description": "A contact at the organization. 
Multiple contacts are allowed.", - "items": {"$ref": "#/definitions/organizationalContact"} - } - } - }, - "organizationalContact": { - "type": "object", - "title": "Organizational Contact Object", - "description": "", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of a contact", - "examples": ["Contact name"] - }, - "email": { - "type": "string", - "title": "Email Address", - "description": "The email address of the contact.", - "examples": ["firstname.lastname@example.com"] - }, - "phone": { - "type": "string", - "title": "Phone", - "description": "The phone number of the contact.", - "examples": ["800-555-1212"] - } - } - }, - "component": { - "type": "object", - "title": "Component Object", - "required": [ - "type", - "name", - "version" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "application", - "framework", - "library", - "container", - "operating-system", - "device", - "firmware", - "file" - ], - "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", - "examples": ["library"] - }, - "mime-type": { - "type": "string", - "title": "Mime-Type", - "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", - "examples": ["image/jpeg"], - "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" - }, - "bom-ref": { - "type": "string", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref should be unique." 
- }, - "supplier": { - "title": "Component Supplier", - "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", - "$ref": "#/definitions/organizationalEntity" - }, - "author": { - "type": "string", - "title": "Component Author", - "description": "The person(s) or organization(s) that authored the component", - "examples": ["Acme Inc"] - }, - "publisher": { - "type": "string", - "title": "Component Publisher", - "description": "The person(s) or organization(s) that published the component", - "examples": ["Acme Inc"] - }, - "group": { - "type": "string", - "title": "Component Group", - "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", - "examples": ["com.acme"] - }, - "name": { - "type": "string", - "title": "Component Name", - "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", - "examples": ["tomcat-catalina"] - }, - "version": { - "type": "string", - "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", - "examples": ["9.0.14"] - }, - "description": { - "type": "string", - "title": "Component Description", - "description": "Specifies a description for the component" - }, - "scope": { - "type": "string", - "enum": [ - "required", - "optional", - "excluded" - ], - "title": "Component Scope", - "description": "Specifies the scope of the component. 
If scope is not specified, 'required' scope should be assumed by the consumer of the BOM", - "default": "required" - }, - "hashes": { - "type": "array", - "title": "Component Hashes", - "items": {"$ref": "#/definitions/hash"} - }, - "licenses": { - "type": "array", - "items": {"$ref": "#/definitions/licenseChoice"}, - "title": "Component License(s)" - }, - "copyright": { - "type": "string", - "title": "Component Copyright", - "description": "An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.", - "examples": ["Acme Inc"] - }, - "cpe": { - "type": "string", - "title": "Component Common Platform Enumeration (CPE)", - "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe", - "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] - }, - "purl": { - "type": "string", - "title": "Component Package URL (purl)", - "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] - }, - "swid": { - "$ref": "#/definitions/swid", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags." - }, - "modified": { - "type": "boolean", - "title": "Component Modified From Original", - "description": "DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." 
- }, - "pedigree": { - "type": "object", - "title": "Component Pedigree", - "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", - "additionalProperties": false, - "properties": { - "ancestors": { - "type": "array", - "title": "Ancestors", - "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", - "items": {"$ref": "#/definitions/component"} - }, - "descendants": { - "type": "array", - "title": "Descendants", - "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", - "items": {"$ref": "#/definitions/component"} - }, - "variants": { - "type": "array", - "title": "Variants", - "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. 
They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", - "items": {"$ref": "#/definitions/component"} - }, - "commits": { - "type": "array", - "title": "Commits", - "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", - "items": {"$ref": "#/definitions/commit"} - }, - "patches": { - "type": "array", - "title": "Patches", - "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", - "items": {"$ref": "#/definitions/patch"} - }, - "notes": { - "type": "string", - "title": "Notes", - "description": "Notes, observations, and other non-structured commentary describing the components pedigree." - } - } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References" - }, - "components": { - "$id": "#/definitions/component/properties/components", - "type": "array", - "items": {"$ref": "#/definitions/component"}, - "uniqueItems": true, - "title": "Components" - }, - "evidence": { - "$ref": "#/definitions/componentEvidence", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." - }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. 
Unlike key-value stores, properties support duplicate names, each potentially having different values.", - "items": {"$ref": "#/definitions/property"} - } - } - }, - "swid": { - "type": "object", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", - "required": [ - "tagId", - "name" - ], - "additionalProperties": false, - "properties": { - "tagId": { - "type": "string", - "title": "Tag ID", - "description": "Maps to the tagId of a SoftwareIdentity." - }, - "name": { - "type": "string", - "title": "Name", - "description": "Maps to the name of a SoftwareIdentity." - }, - "version": { - "type": "string", - "title": "Version", - "default": "0.0", - "description": "Maps to the version of a SoftwareIdentity." - }, - "tagVersion": { - "type": "integer", - "title": "Tag Version", - "default": 0, - "description": "Maps to the tagVersion of a SoftwareIdentity." - }, - "patch": { - "type": "boolean", - "title": "Patch", - "default": false, - "description": "Maps to the patch of a SoftwareIdentity." - }, - "text": { - "title": "Attachment text", - "description": "Specifies the metadata and content of the SWID tag.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the SWID file.", - "format": "iri-reference" - } - } - }, - "attachment": { - "type": "object", - "title": "Attachment", - "description": "Specifies the metadata and content for an attachment.", - "required": [ - "content" - ], - "additionalProperties": false, - "properties": { - "contentType": { - "type": "string", - "title": "Content-Type", - "description": "Specifies the content type of the text. 
Defaults to text/plain if not specified.", - "default": "text/plain" - }, - "encoding": { - "type": "string", - "title": "Encoding", - "description": "Specifies the optional encoding the text is represented in.", - "enum": [ - "base64" - ] - }, - "content": { - "type": "string", - "title": "Attachment Text", - "description": "The attachment data" - } - } - }, - "hash": { - "type": "object", - "title": "Hash Objects", - "required": [ - "alg", - "content" - ], - "additionalProperties": false, - "properties": { - "alg": { - "$ref": "#/definitions/hash-alg" - }, - "content": { - "$ref": "#/definitions/hash-content" - } - } - }, - "hash-alg": { - "type": "string", - "enum": [ - "MD5", - "SHA-1", - "SHA-256", - "SHA-384", - "SHA-512", - "SHA3-256", - "SHA3-384", - "SHA3-512", - "BLAKE2b-256", - "BLAKE2b-384", - "BLAKE2b-512", - "BLAKE3" - ], - "title": "Hash Algorithm" - }, - "hash-content": { - "type": "string", - "title": "Hash Content (value)", - "examples": ["3942447fac867ae5cdb3229b658f4d48"], - "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" - }, - "license": { - "type": "object", - "title": "License Object", - "oneOf": [ - { - "required": ["id"] - }, - { - "required": ["name"] - } - ], - "additionalProperties": false, - "properties": { - "id": { - "$ref": "spdx.schema.json", - "title": "License ID (SPDX)", - "description": "A valid SPDX license ID", - "examples": ["Apache-2.0"] - }, - "name": { - "type": "string", - "title": "License Name", - "description": "If SPDX does not define the license used, this field may be used to provide the license name", - "examples": ["Acme Software License"] - }, - "text": { - "title": "License text", - "description": "An optional way to include the textual content of a license.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "License URL", - "description": "The URL to the license file. 
If specified, a 'license' externalReference should also be specified for completeness", - "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], - "format": "iri-reference" - } - } - }, - "licenseChoice": { - "type": "object", - "title": "License(s)", - "additionalProperties": false, - "properties": { - "license": { - "$ref": "#/definitions/license" - }, - "expression": { - "type": "string", - "title": "SPDX License Expression", - "examples": [ - "Apache-2.0 AND (MIT OR GPL-2.0-only)", - "GPL-3.0-only WITH Classpath-exception-2.0" - ] - } - }, - "oneOf":[ - { - "required": ["license"] - }, - { - "required": ["expression"] - } - ] - }, - "commit": { - "type": "object", - "title": "Commit", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "uid": { - "type": "string", - "title": "UID", - "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." - }, - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the commit. 
This URL will typically point to a commit in a version control system.", - "format": "iri-reference" - }, - "author": { - "title": "Author", - "description": "The author who created the changes in the commit", - "$ref": "#/definitions/identifiableAction" - }, - "committer": { - "title": "Committer", - "description": "The person who committed or pushed the commit", - "$ref": "#/definitions/identifiableAction" - }, - "message": { - "type": "string", - "title": "Message", - "description": "The text description of the contents of the commit" - } - } - }, - "patch": { - "type": "object", - "title": "Patch", - "description": "Specifies an individual patch", - "required": [ - "type" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "unofficial", - "monkey", - "backport", - "cherry-pick" - ], - "title": "Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality" - }, - "diff": { - "title": "Diff", - "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", - "$ref": "#/definitions/diff" - }, - "resolves": { - "type": "array", - "items": {"$ref": "#/definitions/issue"}, - "title": "Resolves", - "description": "A collection of issues the patch resolves" - } - } - }, - "diff": { - "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", - "additionalProperties": false, - "properties": { - "text": { - "title": "Diff text", - "description": "Specifies the optional text of the diff", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "URL", - "description": "Specifies the URL to the diff", - "format": "iri-reference" - } - } - }, - "issue": { - "type": "object", - "title": "Diff", - "description": "The patch file (or diff) that show changes. 
Refer to https://en.wikipedia.org/wiki/Diff", - "required": [ - "type" - ], - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "enum": [ - "defect", - "enhancement", - "security" - ], - "title": "Type", - "description": "Specifies the type of issue" - }, - "id": { - "type": "string", - "title": "ID", - "description": "The identifier of the issue assigned by the source of the issue" - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the issue" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the issue" - }, - "source": { - "type": "object", - "title": "Source", - "description": "The source of the issue where it is documented", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'" - }, - "url": { - "type": "string", - "title": "URL", - "description": "The url of the issue documentation as provided by the source", - "format": "iri-reference" - } - } - }, - "references": { - "type": "array", - "items": { - "type": "string", - "format": "iri-reference" - }, - "title": "References", - "description": "A collection of URL's for reference. 
Multiple URLs are allowed.", - "examples": ["https://example.com"] - } - } - }, - "identifiableAction": { - "type": "object", - "title": "Identifiable Action", - "description": "Specifies an individual commit", - "additionalProperties": false, - "properties": { - "timestamp": { - "type": "string", - "format": "date-time", - "title": "Timestamp", - "description": "The timestamp in which the action occurred" - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the individual who performed the action" - }, - "email": { - "type": "string", - "format": "idn-email", - "title": "E-mail", - "description": "The email address of the individual who performed the action" - } - } - }, - "externalReference": { - "type": "object", - "title": "External Reference", - "description": "Specifies an individual external reference", - "required": [ - "url", - "type" - ], - "additionalProperties": false, - "properties": { - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the external reference", - "format": "iri-reference" - }, - "comment": { - "type": "string", - "title": "Comment", - "description": "An optional comment describing the external reference" - }, - "type": { - "type": "string", - "title": "Type", - "description": "Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the \"other\" type.", - "enum": [ - "vcs", - "issue-tracker", - "website", - "advisories", - "bom", - "mailing-list", - "social", - "chat", - "documentation", - "support", - "distribution", - "license", - "build-meta", - "build-system", - "other" - ] - }, - "hashes": { - "$id": "#/definitions/externalReference/properties/hashes", - "type": "array", - "items": {"$ref": "#/definitions/hash"}, - "title": "Hashes", - "description": "The hashes of the external reference (if applicable)." 
- } - } - }, - "dependency": { - "type": "object", - "title": "Dependency", - "description": "Defines the direct dependencies of a component. Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.", - "required": [ - "ref" - ], - "additionalProperties": false, - "properties": { - "ref": { - "type": "string", - "title": "Reference", - "description": "References a component by the components bom-ref attribute" - }, - "dependsOn": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - }, - "title": "Depends On", - "description": "The bom-ref identifiers of the components that are dependencies of this dependency object." - } - } - }, - "service": { - "type": "object", - "title": "Service Object", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "bom-ref": { - "type": "string", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref should be unique." - }, - "provider": { - "title": "Provider", - "description": "The organization that provides the service.", - "$ref": "#/definitions/organizationalEntity" - }, - "group": { - "type": "string", - "title": "Service Group", - "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", - "examples": ["com.acme"] - }, - "name": { - "type": "string", - "title": "Service Name", - "description": "The name of the service. 
This will often be a shortened, single name of the service.", - "examples": ["ticker-service"] - }, - "version": { - "type": "string", - "title": "Service Version", - "description": "The service version.", - "examples": ["1.0.0"] - }, - "description": { - "type": "string", - "title": "Service Description", - "description": "Specifies a description for the service" - }, - "endpoints": { - "type": "array", - "items": { - "type": "string", - "format": "iri-reference" - }, - "title": "Endpoints", - "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", - "examples": ["https://example.com/api/v1/ticker"] - }, - "authenticated": { - "type": "boolean", - "title": "Authentication Required", - "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." - }, - "x-trust-boundary": { - "type": "boolean", - "title": "Crosses Trust Boundary", - "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." - }, - "data": { - "type": "array", - "items": {"$ref": "#/definitions/dataClassification"}, - "title": "Data Classification", - "description": "Specifies the data classification." 
- }, - "licenses": { - "type": "array", - "items": {"$ref": "#/definitions/licenseChoice"}, - "title": "Component License(s)" - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References" - }, - "services": { - "$id": "#/definitions/service/properties/services", - "type": "array", - "items": {"$ref": "#/definitions/service"}, - "uniqueItems": true, - "title": "Services" - }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values.", - "items": {"$ref": "#/definitions/property"} - } - } - }, - "dataClassification": { - "type": "object", - "title": "Hash Objects", - "required": [ - "flow", - "classification" - ], - "additionalProperties": false, - "properties": { - "flow": { - "$ref": "#/definitions/dataFlow" - }, - "classification": { - "type": "string" - } - } - }, - "dataFlow": { - "type": "string", - "enum": [ - "inbound", - "outbound", - "bi-directional", - "unknown" - ], - "title": "Data flow direction" - }, - - "copyright": { - "type": "object", - "title": "Copyright", - "required": [ - "text" - ], - "additionalProperties": false, - "properties": { - "text": { - "type": "string", - "title": "Copyright Text" - } - } - }, - - "componentEvidence": { - "type": "object", - "title": "Evidence", - "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", - "additionalProperties": false, - "properties": { - "licenses": { - "type": "array", - "items": {"$ref": "#/definitions/licenseChoice"}, - "title": "Component License(s)" - }, - "copyright": { - "type": "array", - "items": {"$ref": 
"#/definitions/copyright"}, - "title": "Copyright" - } - } - }, - "compositions": { - "type": "object", - "title": "Compositions", - "required": [ - "aggregate" - ], - "additionalProperties": false, - "properties": { - "aggregate": { - "$ref": "#/definitions/aggregateType", - "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is." - }, - "assemblies": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." - }, - "dependencies": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - }, - "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." - } - } - }, - "aggregateType": { - "type": "string", - "default": "not_specified", - "enum": [ - "complete", - "incomplete", - "incomplete_first_party_only", - "incomplete_third_party_only", - "unknown", - "not_specified" - ] - }, - "property": { - "type": "object", - "title": "Lightweight name-value pair", - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value of the property." - } - } - } - } -} 
diff --git a/cyclonedx/__res/schema/bom-1.4.schema.json b/cyclonedx/__res/schema/bom-1.4.SNAPSHOT.schema.json
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.4.schema.json
rename to cyclonedx/__res/schema/bom-1.4.SNAPSHOT.schema.json
index 85684d76..83e27ceb 100644
--- a/cyclonedx/__res/schema/bom-1.4.schema.json
+++ b/cyclonedx/__res/schema/bom-1.4.SNAPSHOT.schema.json
@@ -6,8 +6,7 @@
 "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
 "required": [
 "bomFormat",
- "specVersion",
- "version"
+ "specVersion"
 ],
 "additionalProperties": false,
 "properties": {
@@ -611,7 +610,7 @@
 "additionalProperties": false,
 "properties": {
 "id": {
- "$ref": "spdx.schema.json",
+ "$ref": "spdx.SNAPSHOT.schema.json",
 "title": "License ID (SPDX)",
 "description": "A valid SPDX license ID",
 "examples": ["Apache-2.0"]
@@ -1689,9 +1688,9 @@
 "maxLength": 1024
 },
 "signature": {
- "$ref": "jsf-0.82.schema.json#/definitions/signature",
+ "$ref": "jsf-0.82.SNAPSHOT.schema.json#/definitions/signature",
 "title": "Signature",
 "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
 }
 }
-}
\ No newline at end of file
+}
diff --git a/cyclonedx/__res/schema/bom-1.4.xsd b/cyclonedx/__res/schema/bom-1.4.SNAPSHOT.xsd
similarity index 99%
rename from cyclonedx/__res/schema/bom-1.4.xsd
rename to cyclonedx/__res/schema/bom-1.4.SNAPSHOT.xsd
index 9cf8af24..27c68fb9 100644
--- a/cyclonedx/__res/schema/bom-1.4.xsd
+++ b/cyclonedx/__res/schema/bom-1.4.SNAPSHOT.xsd
@@ -22,9 +22,9 @@ limitations under the License.
 targetNamespace="http://cyclonedx.org/schema/bom/1.4"
 vc:minVersion="1.0"
 vc:maxVersion="1.1"
- version="1.4.2">
+ version="1.4">
- +
@@ -620,7 +620,7 @@ limitations under the License.
- + 
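Review bot: The relative `$ref` values introduced in the second and third hunks (`spdx.SNAPSHOT.schema.json` and `jsf-0.82.SNAPSHOT.schema.json#/definitions/signature`) are resolved by JSON Schema validators against the document's base URI, which is the schema's absolute `$id` if the snapshot keeps it (the `$id` line is outside these hunks); without a preloaded local registry for the sibling files a resolver would try to fetch `http://cyclonedx.org/schema/spdx.SNAPSHOT.schema.json` over the network, which defeats the offline intent and, depending on the library, either fails validation or silently drops the SPDX-id and signature constraints. The loader that consumes these snapshots should register the sibling SNAPSHOT files under the URIs they resolve to, and a test should validate a document with network access disabled so a regression to remote fetching is caught. Dropping `version` from `required` in the first hunk also makes this snapshot accept documents that the upstream 1.4 schema rejects; a marker such as `"$comment": "SNAPSHOT: required.version removed, see schema/README.md"` next to the `required` array would keep that divergence visible to anyone diffing against upstream.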
@@ -2014,16 +2014,6 @@ limitations under the License. - - - Provides the ability to document properties in a key/value store. - This provides flexibility to include data not officially supported in the standard - without having to use additional namespaces or create extensions. Property names - of interest to the general public are encouraged to be registered in the - CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. - -
@@ -2414,4 +2404,4 @@ limitations under the License. - \ No newline at end of file +
diff --git a/cyclonedx/__res/schema/ext/bom-descriptor-0.9.xsd b/cyclonedx/__res/schema/ext/bom-descriptor-0.9.xsd
deleted file mode 100644
index 605df12f..00000000
--- a/cyclonedx/__res/schema/ext/bom-descriptor-0.9.xsd
+++ /dev/null
@@ -1,175 +0,0 @@ - - - - - - - CycloneDX BOM Descriptor Extension - https://cyclonedx.org/ext/bom-descriptor - Apache License, Version 2.0 - - Steve Springett - - - - - - - - - Specifies the name of the software the BOM describes. - - - - - Specifies the version of the software the BOM describes. - - - - - Specifies the edition of the software the BOM describes. - - - - - - - - - - - - - - - - A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements - - - - - - - - An optional copyright notice informing users of the underlying claims to - copyright ownership in a published work. - - - - - - Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe - - - - - - - Specifies the package-url (PURL). The purl, if specified, must be valid and conform - to the specification defined at: https://github.com/package-url/purl-spec - - - - - - The organization that manufactured the software for which the BOM describes. - - - - - The organization that supplied the software for which the BOM describes. The - supplier may often be the manufacture, but may also be a distributor or repackager. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - The name of the organization - - - - - The URL of the organization. Multiple URLs are allowed. - - - - - A contact person at the organization. Multiple contacts are allowed. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - The name of the person - - - - - The email address of the person. Multiple email addresses are allowed. - - - - - The phone number of the person. Multiple phone numbers are allowed. 
- - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - Provides additional information about a BOM. - - - - diff --git a/cyclonedx/__res/schema/ext/bom-descriptor-1.0.xsd b/cyclonedx/__res/schema/ext/bom-descriptor-1.0.xsd deleted file mode 100644 index 013f550e..00000000 --- a/cyclonedx/__res/schema/ext/bom-descriptor-1.0.xsd +++ /dev/null 
@@ -1,183 +0,0 @@ - - - - - - - CycloneDX BOM Descriptor Extension - https://cyclonedx.org/ext/bom-descriptor - Apache License, Version 2.0 - - Steve Springett - - - - - - - - - - - The date and time (timestamp) when the document was created. - - - - - The tool used to create the BOM. - - - - - The person(s) who created the BOM. Authors are common in BOMs created through - manual processes. BOMs created through automated means may not have authors. - - - - - - - - - - The component that the BOM describes. - - - - - The organization that manufactured the component that the BOM describes. - - - - - The organization that supplied the component that the BOM describes. The - supplier may often be the manufacture, but may also be a distributor or repackager. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - The name of the organization - - - - - The URL of the organization. Multiple URLs are allowed. - - - - - A contact person at the organization. Multiple contacts are allowed. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - Specifies a tool (manual or automated). - - - - - The vendor of the tool used to create the BOM. - - - - - The name of the tool used to create the BOM. - - - - - The version of the tool used to create the BOM. - - - - - - - - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - The name of the person - - - - - The email address of the person. Multiple email addresses are allowed. - - - - - The phone number of the person. Multiple phone numbers are allowed. 
- - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - Provides additional information about a BOM. - - - - diff --git a/cyclonedx/__res/schema/ext/dependency-graph-1.0.xsd b/cyclonedx/__res/schema/ext/dependency-graph-1.0.xsd deleted file mode 100644 index ddcb5365..00000000 --- a/cyclonedx/__res/schema/ext/dependency-graph-1.0.xsd +++ /dev/null @@ -1,70 +0,0 @@ - - - - - - - CycloneDX Dependency Graph Extension - https://cyclonedx.org/ext/dependency-graph - Apache License, Version 2.0 - - Steve Springett - - - - - - - - - - - References a component by the components bom-ref attribute - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - - Components that do not have their own dependencies MUST be declared as empty - elements within the graph. Components that are not represented in the dependency graph MAY - have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque - and not an indicator of a component being dependency-free. - - - - - - - diff --git a/cyclonedx/__res/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json b/cyclonedx/__res/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json deleted file mode 100644 index 378bd498..00000000 --- a/cyclonedx/__res/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json +++ /dev/null 
@@ -1,182 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$id": "http://cyclonedx.org/schema/ext/vulnerability-1.0-SNAPSHOT.schema.json", - "type": "object", - "title": "CycloneDX Vulnerability Extension", - "$comment" : "CycloneDX Vulnerability Extension for JSON Schema is published under the terms of the Apache License 2.0.", - "properties": { - "vulnerabilities": { - "$id": "#/properties/vulnerabilities", - "type": "array", - "items": {"$ref": "#/definitions/vulnerability"}, - "title": "Vulnerabilities", - "description": "Defines a list of vulnerabilities." - } - }, - "definitions": { - "cwe": { - "type": "integer", - "minimum": 1, - "title": "CWE", - "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" - }, - "severity": { - "type": "string", - "title": "Severity", - "description": "Textual representation of the severity of the vulnerability adopted by the risk analysis method. If an other risk analysis method is used other than whats defined in scoreSourceType, the user is expected to translate appropriately to match with an element value below.", - "enum": [ - "None", - "Low", - "Medium", - "High", - "Critical", - "Unknown" - ] - }, - "scoreValue": { - "type": "number", - "title": "Score", - "description": "Numerical representation of the vulnerability score. 
Must be a number between 0 - 10 (maps to lowest severity - highest severity)", - "multipleOf": 0.1, - "examples": [7.9, 10.0] - }, - "scoreSource": { - "type": "string", - "title": "Source", - "description": "Specifies the risk scoring methodology/standard used.", - "enum": [ - "CVSSv2", - "CVSSv3", - "OWASP Risk", - "Open FAIR", - "Other" - ] - }, - "score": { - "type": "object", - "title": "Score", - "description": "Defines the numerical risk score of a vulnerability", - "properties": { - "base": { - "type": "number", - "title": "Base Score", - "description": "The base score of the security vulnerability (Refer CVSS standard for example)", - "multipleOf": 0.1, - "examples": [2.9, 7.2] - }, - "impact": { - "type": "number", - "title": "Impact Score", - "description": "The impact subscore of the security vulnerability (Refer CVSS standard for example)", - "multipleOf": 0.1, - "examples": [2.9, 7.2] - }, - "exploitability": { - "type": "number", - "title": "Exploitability Score", - "description": "The exploitability subscore of the security vulnerability (Refer CVSS standard for example)", - "multipleOf": 0.1, - "examples": [2.9, 7.2] - } - } - }, - "rating": { - "type": "object", - "title": "Rating", - "description": "Defines the risk rating of a vulnerability.", - "properties": { - "score": { - "$ref": "#/definitions/score" - }, - "severity": { - "$ref": "#/definitions/severity" - }, - "method": { - "$ref": "#/definitions/scoreSource" - }, - "vector": { - "type": "string", - "title": "Vector", - "description": "Textual representation of the metric values used to score the vulnerability see attack vector in https://www.first.org/cvss/v3.1/specification-document" - } - } - }, - "source": { - "type": "object", - "title": "Source", - "description": "The source of the vulnerability where it is documented. 
Usually the name of the organization publishing vulnerability information", - "properties": { - "url": { - "type": "string", - "title": "URL", - "description": "The url of the vulnerability documentation as provided by the source.", - "examples": [ - "https://nvd.nist.gov/vuln/detail/CVE-2019-15842" - ] - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the source.", - "examples": [ - "NVD", "National Vulnerability Database", "OSS Index", "VulnDB", "NPM Advisories" - ] - } - } - }, - "vulnerability": { - "type": "object", - "title": "Vulnerability", - "description": "Defines the structure of a vulnerability.", - "properties": { - "ref": { - "type": "string", - "format": "string", - "title": "Reference", - "description": "References a component by the components bom-ref attribute" - }, - "id": { - "type": "string", - "title": "ID", - "description": "The id of the vulnerability as defined by the risk scoring methodology. For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842)" - }, - "source": { - "$ref": "#/definitions/source" - }, - "ratings": { - "type": "array", - "title": "Ratings", - "description": "List of the vulnerability ratings as defined by various risk rating methodologies.", - "items": {"$ref": "#/definitions/rating"} - }, - "cwes": { - "type": "array", - "title": "CWEs", - "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. 
For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", - "items": {"$ref": "#/definitions/cwe"} - }, - "description": { - "type": "string", - "title": "Description", - "description": "Description of the vulnerability as provided by the source organization" - }, - "recommendations": { - "type": "array", - "title": "Recommendations", - "description": "List of recommendations of how the particular vulnerability can be avoided/mitigated.", - "items": { - "type": "string" - } - }, - "advisories": { - "type": "array", - "title": "Advisories", - "description": "Published advisories of the vulnerability if provided.", - "items": { - "type": "string" - } - } - } - } - } -} diff --git a/cyclonedx/__res/schema/ext/vulnerability-1.0.xsd b/cyclonedx/__res/schema/ext/vulnerability-1.0.xsd deleted file mode 100644 index 2d684745..00000000 --- a/cyclonedx/__res/schema/ext/vulnerability-1.0.xsd +++ /dev/null 
@@ -1,291 +0,0 @@ - - - - - - - CycloneDX Vulnerability Extension - https://cyclonedx.org/ext/vulnerability - Apache License, Version 2.0 - - - - - - - Textual representation of the severity of the vulnerability adopted by the risk analysis method. - If an other risk analysis method is used other than whats defined in scoreSourceType, - the user is expected to translate appropriately to match with an element value below. - - - - - - - - - - - - - - - - Numerical representation of the vulnerability score. - Must be a number between 0 - 10 (maps to lowest severity - highest severity) - - - - - - - - - - - - - Specifies the risk scoring methodology/standard used. - - - - - - - The rating is based on CVSS v2 standard - https://www.first.org/cvss/v2/guide - - - - - - - The rating is based on CVSS v3 standard - https://www.first.org/cvss/v3.1/specification-document - - - - - - - The rating is based on OWASP Risk Rating - https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology - - - - - - - The rating is based on Open FAIR specification - http://www.opengroup.org/subjectareas/security/risk - - - - - - - Use this if the risk scoring methodology is not based on any of the options above - - - - - - - - - - Defines the numerical risk score of a vulnerability - - - - - - - - - - The base score of the security vulnerability (Refer CVSS standard for example) - - - - - - - The impact subscore of the security vulnerability (Refer CVSS standard for example) - - - - - - - The exploitability subscore of the security vulnerability (Refer CVSS standard for - example) - - - - - - - - - - - - Textual representation of the metric values used to score the vulnerability - see attack vector in https://www.first.org/cvss/v3.1/specification-document - - - - - - - - - - Defines the structure of a vulnerability. 
- - - - - - - The id of the vulnerability as defined by the risk scoring methodology - For example CVE-2019-15842 (of https://nvd.nist.gov/vuln/detail/CVE-2019-15842) - - - - - - - - The source of the vulnerability where it is documented. - Usually the name of the organization publishing vulnerability information - - - - - - - The url of the vulnerability documentation as provided by the source - For example https://nvd.nist.gov/vuln/detail/CVE-2019-15842 - - - - - - - - The name of the source. For example "National Vulnerability Database" - - - - - - - - - List of the vulnerability ratings as defined by various risk rating methodologies. - - - - - - - - - - - - - List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. - For example 399 (of https://cwe.mitre.org/data/definitions/399.html) - - - - - - - - - - - Description of the vulnerability as provided by the source organization - - - - - - - - The remediation options for the vulnerability if available - - - - - - - A recommendation of how the particular vulnerability can be avoided/mitigated. - - - - - - - - - - - Published advisories of the vulnerability if provided - - - - - - - - - - - References a component by the components bom-ref attribute - - - - - - - - Defines a list of vulnerabilities. - Vulnerabilities are intended to be used inside the BOM component element. - Extending a component ability to declare associated vulnerability information. - Each component element optionally can add a vulnerabilities element. - - - - - - - - - diff --git a/cyclonedx/__res/schema/jsf-0.82.SNAPSHOT.schema.json b/cyclonedx/__res/schema/jsf-0.82.SNAPSHOT.schema.json new file mode 100644 index 00000000..20f16f9c --- /dev/null +++ b/cyclonedx/__res/schema/jsf-0.82.SNAPSHOT.schema.json 
@@ -0,0 +1,244 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/jsf-0.82.schema.json", + "type": "object", + "title": "JSON Signature Format (JSF) standard", + "$comment" : "JSON Signature Format schema is published under the terms of the Apache License 2.0. JSF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore project. This schema supports the entirely of the JSF standard excluding 'extensions'.", + "definitions": { + "signature": { + "type": "object", + "title": "Signature", + "oneOf": [ + { + "additionalProperties": false, + "properties": { + "signers": { + "type": "array", + "title": "Signature", + "description": "Unique top level property for Multiple Signatures. (multisignature)", + "additionalItems": false, + "items": {"$ref": "#/definitions/signer"} + } + } + }, + { + "additionalProperties": false, + "properties": { + "chain": { + "type": "array", + "title": "Signature", + "description": "Unique top level property for Signature Chains. (signaturechain)", + "additionalItems": false, + "items": {"$ref": "#/definitions/signer"} + } + } + }, + { + "title": "Signature", + "description": "Unique top level property for simple signatures. (signaturecore)", + "$ref": "#/definitions/signer" + } + ] + }, + "signer": { + "type": "object", + "title": "Signature", + "required": [ + "algorithm", + "value" + ], + "additionalProperties": false, + "properties": { + "algorithm": { + "oneOf": [ + { + "type": "string", + "title": "Algorithm", + "description": "Signature algorithm. The currently recognized JWA [RFC7518] and RFC8037 [RFC8037] asymmetric key algorithms. 
Note: Unlike RFC8037 [RFC8037] JSF requires explicit Ed* algorithm names instead of \"EdDSA\".", + "enum": [ + "RS256", + "RS384", + "RS512", + "PS256", + "PS384", + "PS512", + "ES256", + "ES384", + "ES512", + "Ed25519", + "Ed448", + "HS256", + "HS384", + "HS512" + ] + }, + { + "type": "string", + "title": "Algorithm", + "description": "Signature algorithm. Note: If proprietary signature algorithms are added, they must be expressed as URIs.", + "format": "uri" + } + ] + }, + "keyId": { + "type": "string", + "title": "Key ID", + "description": "Optional. Application specific string identifying the signature key." + }, + "publicKey": { + "title": "Public key", + "description": "Optional. Public key object.", + "$ref": "#/definitions/publicKey" + }, + "certificatePath": { + "type": "array", + "title": "Certificate path", + "description": "Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the signature certificate. The certificate path must be contiguous but is not required to be complete.", + "additionalItems": false, + "items": { + "type": "string" + } + }, + "excludes": { + "type": "array", + "title": "Excludes", + "description": "Optional. Array holding the names of one or more application level properties that must be excluded from the signature process. Note that the \"excludes\" property itself, must also be excluded from the signature process. Since both the \"excludes\" property and the associated data it points to are unsigned, a conforming JSF implementation must provide options for specifying which properties to accept.", + "additionalItems": false, + "items": { + "type": "string" + } + }, + "value": { + "type": "string", + "title": "Signature", + "description": "The signature data. Note that the binary representation must follow the JWA [RFC7518] specifications." 
+ } + } + }, + "keyType": { + "type": "string", + "title": "Key type", + "description": "Key type indicator.", + "enum": [ + "EC", + "OKP", + "RSA" + ] + }, + "publicKey": { + "title": "Public key", + "description": "Optional. Public key object.", + "type": "object", + "required": [ + "kty" + ], + "additionalProperties": true, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + } + }, + "allOf": [ + { + "if": { + "properties": { "kty": { "const": "EC" } } + }, + "then": { + "required": [ + "kty", + "crv", + "x", + "y" + ], + "additionalProperties": false, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + }, + "crv": { + "type": "string", + "title": "Curve name", + "description": "EC curve name.", + "enum": [ + "P-256", + "P-384", + "P-521" + ] + }, + "x": { + "type": "string", + "title": "Coordinate", + "description": "EC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-521\", the decoded argument must be 66 bytes." + }, + "y": { + "type": "string", + "title": "Coordinate", + "description": "EC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-256\", the decoded argument must be 32 bytes." + } + } + } + }, + { + "if": { + "properties": { "kty": { "const": "OKP" } } + }, + "then": { + "required": [ + "kty", + "crv", + "x" + ], + "additionalProperties": false, + "properties": { + "kty": { + "$ref": "#/definitions/keyType" + }, + "crv": { + "type": "string", + "title": "Curve name", + "description": "EdDSA curve name.", + "enum": [ + "Ed25519", + "Ed448" + ] + }, + "x": { + "type": "string", + "title": "Coordinate", + "description": "EdDSA curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. 
For example, if the value of \"crv\" is \"Ed25519\", the decoded argument must be 32 bytes."
+ }
+ }
+ }
+ },
+ {
+ "if": {
+ "properties": { "kty": { "const": "RSA" } }
+ },
+ "then": {
+ "required": [
+ "kty",
+ "n",
+ "e"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "kty": {
+ "$ref": "#/definitions/keyType"
+ },
+ "n": {
+ "type": "string",
+ "title": "Modulus",
+ "description": "RSA modulus."
+ },
+ "e": {
+ "type": "string",
+ "title": "Exponent",
+ "description": "RSA exponent."
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/cyclonedx/__res/schema/spdx.schema.json b/cyclonedx/__res/schema/spdx.SNAPSHOT.schema.json
similarity index 92%
rename from cyclonedx/__res/schema/spdx.schema.json
rename to cyclonedx/__res/schema/spdx.SNAPSHOT.schema.json
index 26013fa6..af6d696d 100644
--- a/cyclonedx/__res/schema/spdx.schema.json
+++ b/cyclonedx/__res/schema/spdx.SNAPSHOT.schema.json
@@ -1,538 +1,507 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/spdx.schema.json", - "$comment": "v1.0-3.17", + "$comment": "v1.0-3.12", "type": "string", "enum": [ - "CC-BY-NC-ND-2.0", - "SGI-B-2.0", - "LPPL-1.3c", - "NIST-PD-fallback", - "libtiff", - "XSkat", - "PDDL-1.0", - "KiCad-libraries-exception", - "CC-BY-NC-SA-1.0", - "GFDL-1.1-no-invariants-only", - "Xerox", - "LPPL-1.1", - "VOSTROM", - "UCL-1.0", - "ADSL", - "OSL-2.0", + "AFL-2.0", "AAL", - "FDK-AAC", - "W3C-20150513", + "Adobe-2006", + "AFL-3.0", + "ADSL", + "0BSD", + "Afmparse", + "AFL-1.2", + "AGPL-1.0-or-later", + "AFL-2.1", "AFL-1.1", - "W3C", - "Sleepycat", - "CECILL-1.1", - "mpich2", - "SISSL", - "NLOD-1.0", + "AGPL-1.0", + "Adobe-Glyph", + "AMDPLPA", + "Aladdin", "ANTLR-PD", - "GPL-3.0-only", - "gnuplot", - "NLOD-2.0", - "BSD-3-Clause-Open-MPI", - "LiLiQ-P-1.1", - "BSD-3-Clause-Clear", - "FSFUL", - "CC-BY-NC-SA-2.0-UK", - "CERN-OHL-S-2.0", - "Spencer-94", - "CERN-OHL-1.2", - "GFDL-1.1-or-later", - "AGPL-1.0-or-later", - "Wsuipa", "AML", - "BSD-2-Clause", - "DSDP", - "CC-BY-2.5", - "MIT-CMU", - "Beerware", - "Sendmail", - "TU-Berlin-1.0", - "CNRI-Jython", - "mplus", - "CPOL-1.02", - "BSD-3-Clause-No-Nuclear-License-2014", - "ISC", - "CC-BY-SA-4.0", - "Eurosym", - "LGPL-3.0-only", - "OLDAP-1.3", - "GFDL-1.1-invariants-or-later", - "Glulxe", - "SimPL-2.0", - "CDLA-Permissive-2.0", - "GPL-2.0-with-font-exception", - "OGL-UK-2.0", - "CC-BY-SA-3.0-DE", - "CC-BY-ND-1.0", - "GFDL-1.1", - "CC-BY-4.0", - "OpenSSL", - "TU-Berlin-2.0", - "DOC", - "GFDL-1.2-no-invariants-or-later", - "QPL-1.0", - "OLDAP-2.8", - "OML", - "OLDAP-2.7", - "NIST-PD", - "Bitstream-Vera", - "GFDL-1.2-or-later", - "OFL-1.1-RFN", + "Apache-1.0", + "ANTLR-PD-fallback", + "Abstyles", + "AGPL-1.0-only", + "APAFML", + "APSL-1.0", + "APSL-1.1", + "APSL-2.0", + "AGPL-3.0-only", + "Apache-1.1", + "Apache-2.0", + "APL-1.0", "Bahyph", - "Barr", - "COIL-1.0", - "GFDL-1.3", - "CECILL-B", - 
"JPNIC", - "Zed", - "ICU", - "CC-BY-NC-SA-2.5", - "CC-BY-ND-3.0-DE", - "bzip2-1.0.5", - "SPL-1.0", - "YPL-1.0", - "OSET-PL-2.1", - "Noweb", - "RPSL-1.0", - "BSD-3-Clause-LBNL", - "CDLA-Sharing-1.0", - "CECILL-1.0", + "Artistic-1.0", "AMPAS", - "APAFML", - "CC-BY-ND-3.0", - "D-FSL-1.0", - "CC-BY-NC-3.0", - "libpng-2.0", - "PolyForm-Noncommercial-1.0.0", - "dvipdfm", - "GFDL-1.3-or-later", - "OGTSL", - "NPL-1.1", - "GPL-3.0", - "CERN-OHL-P-2.0", - "BlueOak-1.0.0", + "Barr", "AGPL-3.0-or-later", + "BlueOak-1.0.0", + "Beerware", + "Artistic-1.0-cl8", "blessing", - "ImageMagick", - "APSL-2.0", - "MIT-advertising", - "curl", - "CC0-1.0", - "Zimbra-1.4", - "SSPL-1.0", - "psutils", - "CC-BY-SA-2.0-UK", - "PSF-2.0", - "Net-SNMP", - "NAIST-2003", - "GFDL-1.2-invariants-or-later", - "SGI-B-1.0", - "NBPL-1.0", - "GFDL-1.2-invariants-only", - "W3C-19980720", - "OFL-1.0-no-RFN", - "NetCDF", - "TMate", - "NOSL", - "CNRI-Python-GPL-Compatible", + "Borceux", + "BSD-2-Clause-NetBSD", "BSD-1-Clause", - "CC-BY-NC-SA-3.0-DE", - "BSD-3-Clause-Modification", - "GLWTPL", - "GFDL-1.3-only", - "OLDAP-2.2", - "CC-BY-ND-4.0", - "CC-BY-NC-ND-3.0-DE", - "EUPL-1.0", - "Linux-OpenIB", - "LGPL-2.0-or-later", - "OSL-1.1", - "Spencer-86", - "LGPL-2.0", - "CC-PDDC", - "CC-BY-NC-ND-3.0", - "CDL-1.0", - "Elastic-2.0", - "CC-BY-2.0", - "BSD-3-Clause-No-Military-License", - "IJG", - "LPPL-1.3a", - "SAX-PD", + "BSD-2-Clause-Patent", "BitTorrent-1.0", - "OLDAP-2.0", - "Giftware", + "BSD-2-Clause-FreeBSD", + "BSD-3-Clause-Attribution", + "BSD-2-Clause", + "APSL-1.2", + "BSD-3-Clause-LBNL", + "Artistic-2.0", + "BSD-3-Clause-No-Nuclear-License-2014", + "BSD-3-Clause-Modification", + "BSD-4-Clause-Shortened", + "BSD-3-Clause", + "BSD-3-Clause-Open-MPI", + "BitTorrent-1.1", + "BSD-3-Clause-No-Nuclear-Warranty", + "BSD-Source-Code", + "BSD-Protection", + "AGPL-3.0", + "BUSL-1.1", + "Artistic-1.0-Perl", + "BSL-1.0", + "BSD-2-Clause-Views", + "CAL-1.0-Combined-Work-Exception", + "CATOSL-1.1", + "bzip2-1.0.5", + 
"bzip2-1.0.6", + "CC-BY-2.5", + "CC-BY-3.0-AT", "C-UDA-1.0", - "LGPL-2.0+", - "Rdisc", - "GPL-2.0-with-classpath-exception", "CC-BY-3.0-US", - "CDDL-1.0", - "Xnet", - "CPL-1.0", - "LGPL-3.0-or-later", - "NASA-1.3", - "BUSL-1.1", - "etalab-2.0", - "MIT-open-group", - "OLDAP-1.4", - "GFDL-1.1-invariants-only", - "RPL-1.1", - "CC-BY-NC-ND-2.5", - "FSFULLR", - "Saxpath", - "NTP-0", - "SISSL-1.2", - "GPL-3.0-or-later", - "Apache-1.1", + "CC-BY-1.0", + "CC-BY-NC-1.0", + "CC-BY-NC-2.0", + "CC-BY-NC-2.5", + "CC-BY-2.0", + "CC-BY-NC-4.0", + "CC-BY-NC-ND-1.0", + "CC-BY-NC-ND-2.0", + "CC-BY-NC-3.0", + "CC-BY-NC-ND-3.0-IGO", + "CC-BY-NC-ND-3.0", + "BSD-3-Clause-No-Nuclear-License", + "CC-BY-NC-ND-4.0", + "CC-BY-NC-SA-2.0", + "CC-BY-NC-SA-2.5", + "CC-BY-NC-SA-3.0", + "CC-BY-NC-SA-4.0", + "CC-BY-ND-1.0", + "BSD-3-Clause-Clear", + "CC-BY-ND-2.5", + "CC-BY-ND-3.0", + "CC-BY-ND-4.0", + "CC-BY-SA-1.0", + "CC-BY-SA-2.0-UK", + "CC-BY-SA-2.0", "CC-BY-SA-2.1-JP", - "AGPL-3.0-only", - "GPL-2.0-with-autoconf-exception", - "Artistic-2.0", - "App-s2p", - "Unicode-DFS-2015", - "diffmark", - "SNIA", + "CC-BY-ND-2.0", + "CC-BY-SA-3.0-AT", + "CC-BY-SA-3.0", + "CC-BY-SA-4.0", "CC-BY-SA-2.5", - "Linux-man-pages-copyleft", - "HPND-sell-variant", - "ZPL-2.1", - "BSD-4-Clause-UC", - "LAL-1.2", - "AGPL-1.0-only", - "MIT-enna", - "Condor-1.1", - "Naumen", - "GFDL-1.3-no-invariants-or-later", - "RPL-1.5", - "PolyForm-Small-Business-1.0.0", - "EFL-1.0", - "MirOS", - "CC-BY-2.5-AU", - "Afmparse", - "MPL-2.0-no-copyleft-exception", - "LiLiQ-Rplus-1.1", - "AFL-1.2", - "OSL-1.0", - "GPL-1.0-only", - "APSL-1.0", - "OGL-Canada-2.0", - "CPAL-1.0", - "Latex2e", - "Zend-2.0", - "Unlicense", - "xpp", - "CC-BY-NC-1.0", - "GPL-3.0-with-autoconf-exception", - "CC-BY-NC-SA-3.0", - "TCP-wrappers", - "SCEA", - "SSH-short", - "CC-BY-3.0-NL", - "SchemeReport", "CC-BY-3.0", - "MPL-2.0", - "Unicode-TOU", - "CC-BY-NC-ND-1.0", + "CDDL-1.0", + "CC0-1.0", + "CC-BY-NC-ND-2.5", + "CC-BY-NC-SA-1.0", + "Caldera", + 
"CDLA-Permissive-1.0", + "CC-BY-4.0", + "CC-PDDC", + "BSD-4-Clause-UC", + "BSD-4-Clause", + "CAL-1.0", + "CDDL-1.1", + "CERN-OHL-1.2", + "CERN-OHL-1.1", + "CERN-OHL-P-2.0", + "CERN-OHL-S-2.0", + "CECILL-1.1", + "CECILL-2.0", + "CECILL-1.0", + "CNRI-Python", + "CNRI-Python-GPL-Compatible", + "copyleft-next-0.3.0", + "CPAL-1.0", + "copyleft-next-0.3.1", + "CPL-1.0", + "ClArtistic", + "CECILL-C", + "CNRI-Jython", + "Condor-1.1", + "CPOL-1.02", + "curl", + "diffmark", + "Crossword", + "Dotseqn", + "DOC", + "DSDP", + "DRL-1.0", + "ECL-1.0", + "ECL-2.0", + "eCos-2.0", + "CrystalStacker", + "CERN-OHL-W-2.0", + "D-FSL-1.0", + "eGenix", + "EPICS", "Entessa", - "BSD-3-Clause-No-Nuclear-License", - "SWL", - "GFDL-1.2-no-invariants-only", - "Parity-7.0.0", - "OLDAP-2.2.1", - "SGI-B-1.1", + "EPL-1.0", + "EFL-2.0", + "CUA-OPL-1.0", + "etalab-2.0", + "EUPL-1.0", + "ErlPL-1.1", + "EUDatagrid", + "EUPL-1.1", + "Cube", + "dvipdfm", + "FreeBSD-DOC", + "Eurosym", + "FSFAP", + "FreeImage", + "FSFULLR", + "FSFUL", + "GD", + "GFDL-1.1-invariants-only", + "EUPL-1.2", + "EPL-2.0", + "GFDL-1.1-no-invariants-or-later", + "GFDL-1.1-only", + "GFDL-1.1-or-later", + "GFDL-1.1", "FTL", - "OLDAP-2.4", - "CC-BY-NC-4.0", - "bzip2-1.0.6", - "copyleft-next-0.3.0", - "MakeIndex", - "NRL", - "GFDL-1.3-invariants-or-later", - "CC-BY-NC-2.0", - "SugarCRM-1.1.3", - "AFL-2.1", - "GPL-2.0-only", + "GFDL-1.2-invariants-or-later", + "GFDL-1.1-invariants-or-later", + "GFDL-1.2-invariants-only", + "GFDL-1.2-only", + "GFDL-1.2-or-later", + "GFDL-1.2", + "GFDL-1.2-no-invariants-only", "GFDL-1.3-invariants-only", - "TORQUE-1.1", - "Ruby", - "X11", - "Borceux", - "Libpng", - "X11-distribute-modifications-variant", + "GFDL-1.3-no-invariants-only", + "GFDL-1.3-invariants-or-later", + "GFDL-1.2-no-invariants-or-later", + "Fair", "Frameworx-1.0", - "NCGL-UK-2.0", - "CECILL-2.1", - "CC-BY-3.0-AT", - "CNRI-Python", - "NCSA", - "gSOAP-1.3b", - "EUPL-1.1", - "AMDPLPA", - "Imlib2", - "CDDL-1.1", - "WTFPL", - "LPL-1.0", - 
"EPL-1.0", - "BSD-3-Clause-Attribution", - "OSL-3.0", - "RHeCos-1.1", - "PHP-3.0", - "BSD-Protection", - "CC-BY-NC-3.0-DE", - "APL-1.0", - "EUDatagrid", + "Giftware", + "GFDL-1.1-no-invariants-only", + "GL2PS", + "Glulxe", + "Glide", + "gnuplot", + "GLWTPL", + "GPL-1.0-only", + "GPL-1.0-or-later", "GPL-1.0", - "SHL-0.5", - "CC-BY-SA-2.0", - "CC-BY-SA-3.0-AT", - "CC-BY-NC-SA-3.0-IGO", - "Adobe-2006", - "Newsletr", - "Nunit", - "Multics", - "OGL-UK-1.0", - "Vim", - "eCos-2.0", - "Zimbra-1.3", - "eGenix", - "IBM-pibs", - "BitTorrent-1.1", - "OFL-1.1-no-RFN", - "psfrag", - "CC-BY-ND-2.0", - "SHL-0.51", - "FreeBSD-DOC", - "Python-2.0", - "Mup", - "BSD-4-Clause-Shortened", - "CC-BY-NC-SA-4.0", - "HPND", - "OLDAP-2.6", - "MPL-1.1", + "GFDL-1.3-only", + "GPL-2.0-only", + "GPL-2.0-or-later", + "GPL-2.0-with-autoconf-exception", + "GPL-2.0+", + "GFDL-1.3", + "GPL-1.0+", + "CDLA-Sharing-1.0", + "GPL-2.0-with-classpath-exception", "GPL-2.0-with-GCC-exception", + "GPL-2.0-with-bison-exception", + "GPL-2.0-with-font-exception", + "GPL-2.0", + "CECILL-2.1", + "GPL-3.0", + "GPL-3.0+", + "GPL-3.0-with-autoconf-exception", + "GPL-3.0-only", + "Hippocratic-2.1", + "HPND", + "HTMLTIDY", + "GPL-3.0-with-GCC-exception", "HaskellReport", - "ECL-1.0", + "GPL-3.0-or-later", + "ICU", + "ImageMagick", + "iMatix", + "IBM-pibs", + "Intel-ACPI", + "Intel", + "Info-ZIP", + "IPA", + "IJG", + "ISC", + "JasPer-2.0", + "JPNIC", + "JSON", + "LAL-1.2", + "LAL-1.3", + "Latex2e", + "Leptonica", + "HPND-sell-variant", + "LGPL-2.0-only", + "LGPL-2.0-or-later", + "Imlib2", + "IPL-1.0", + "LGPL-2.1-only", "LGPL-2.1-or-later", - "OFL-1.0", - "APSL-1.1", - "MITNFA", - "CECILL-2.0", - "Crossword", - "Aladdin", - "Baekmuk", - "XFree86-1.1", - "GPL-1.0-or-later", - "CERN-OHL-W-2.0", - "CC-BY-SA-1.0", - "NTP", - "PHP-3.01", - "OCLC-2.0", - "CC-BY-3.0-DE", - "CC-BY-NC-2.5", - "Zlib", - "CATOSL-1.1", + "LGPL-2.0+", + "LGPL-2.0", + "CECILL-B", + "LGPL-3.0-or-later", + "LGPL-3.0-only", + "LGPLLR", + "libpng-2.0", + 
"Libpng", + "libselinux-1.0", "LGPL-3.0+", - "CAL-1.0", - "NPL-1.0", - "SMLNJ", - "GPL-2.0+", - "OLDAP-2.5", - "JasPer-2.0", - "GPL-2.0-or-later", - "BSD-2-Clause-Patent", + "EFL-1.0", + "libtiff", + "GFDL-1.3-no-invariants-or-later", + "LiLiQ-Rplus-1.1", + "LiLiQ-R-1.1", + "LPL-1.0", + "LiLiQ-P-1.1", + "Linux-OpenIB", + "LPPL-1.0", + "LPPL-1.2", + "LPPL-1.3a", + "LPL-1.02", + "LPPL-1.3c", + "MakeIndex", + "LGPL-2.1+", + "LPPL-1.1", + "MIT-CMU", + "MirOS", + "MIT-advertising", + "MIT-Modern-Variant", + "MIT", + "MIT-enna", + "MIT-open-group", + "MIT-feh", + "MITNFA", + "MPL-1.0", + "mpich2", + "MPL-2.0", + "MPL-2.0-no-copyleft-exception", "MS-RL", - "CUA-OPL-1.0", - "IPA", + "MTLL", + "MPL-1.1", + "MulanPSL-2.0", + "Motosoto", + "Mup", + "MulanPSL-1.0", + "NAIST-2003", + "Naumen", + "Multics", + "NBPL-1.0", + "NCSA", + "Net-SNMP", + "NetCDF", + "NASA-1.3", + "NGPL", + "NIST-PD-fallback", + "NIST-PD", + "Newsletr", "NLPL", + "Nokia", + "NOSL", + "Noweb", + "NLOD-1.0", + "NPL-1.0", + "NCGL-UK-2.0", + "NRL", + "NTP-0", + "NTP", + "GFDL-1.3-or-later", + "Nunit", "O-UDA-1.0", - "MIT-Modern-Variant", - "OLDAP-1.2", - "BSD-2-Clause-FreeBSD", - "Info-ZIP", - "CC-BY-NC-SA-2.0-FR", - "0BSD", - "Unicode-DFS-2016", + "NPL-1.1", + "OCCT-PL", + "ODC-By-1.0", + "OFL-1.0-no-RFN", + "OCLC-2.0", "OFL-1.0-RFN", - "Intel", - "AFL-2.0", - "GL2PS", - "TAPR-OHL-1.0", - "Apache-1.0", - "MTLL", - "Motosoto", + "OFL-1.0", + "OFL-1.1-no-RFN", + "OFL-1.1-RFN", + "OFL-1.1", + "OGDL-Taiwan-1.0", + "OGC-1.0", + "OGL-UK-1.0", + "OGL-UK-2.0", + "OGL-UK-3.0", + "OGTSL", + "OLDAP-1.1", + "OLDAP-1.2", + "OLDAP-1.3", + "OGL-Canada-2.0", + "OLDAP-2.0.1", + "OLDAP-2.0", + "OLDAP-2.1", + "OLDAP-2.2.1", + "OLDAP-2.2.2", + "OLDAP-2.2", + "ODbL-1.0", + "OLDAP-2.4", + "OLDAP-1.4", + "OLDAP-2.3", + "OLDAP-2.7", + "OLDAP-2.8", + "OML", + "OpenSSL", + "OLDAP-2.6", + "OPL-1.0", + "OSL-1.0", + "OSL-1.1", + "OSL-2.0", + "OSET-PL-2.1", + "OSL-2.1", + "Parity-6.0.0", + "Parity-7.0.0", + "PDDL-1.0", + "PHP-3.0", + 
"OSL-3.0", + "Plexus", + "MS-PL", + "PolyForm-Small-Business-1.0.0", + "PolyForm-Noncommercial-1.0.0", + "PSF-2.0", + "psfrag", + "PostgreSQL", + "psutils", + "Qhull", + "QPL-1.0", + "Rdisc", + "Python-2.0", + "RPL-1.1", + "RPL-1.5", + "RHeCos-1.1", "RSA-MD", - "Community-Spec-1.0", - "ODC-By-1.0", - "zlib-acknowledgement", - "DL-DE-BY-2.0", - "VSL-1.0", - "LiLiQ-R-1.1", - "OPL-1.0", - "GPL-3.0+", - "MulanPSL-2.0", - "APSL-1.2", - "OGDL-Taiwan-1.0", "RSCPL", - "OGC-1.0", - "EFL-2.0", - "CAL-1.0-Combined-Work-Exception", - "MS-PL", - "Plexus", + "Ruby", + "SAX-PD", + "Saxpath", + "SCEA", "Sendmail-8.23", - "Cube", - "JSON", - "EUPL-1.2", - "Adobe-Glyph", - "FreeImage", - "Watcom-1.0", - "Jam", - "Hippocratic-2.1", - "OLDAP-2.0.1", - "CC-BY-NC-SA-2.0", - "Nokia", - "OCCT-PL", - "ErlPL-1.1", + "Sendmail", + "SGI-B-1.0", + "SGI-B-1.1", + "SGI-B-2.0", + "SHL-0.5", + "SHL-0.51", + "SimPL-2.0", + "SISSL-1.2", + "SISSL", + "Sleepycat", + "SMLNJ", + "SMPPL", + "SNIA", + "Spencer-86", + "Spencer-94", + "Spencer-99", + "SPL-1.0", + "SSH-OpenSSH", + "PHP-3.01", + "SSH-short", + "MIT-0", + "RPSL-1.0", + "SWL", + "SugarCRM-1.1.3", + "TCL", + "TCP-wrappers", + "SSPL-1.0", + "TMate", "TOSL", - "OSL-2.1", - "ClArtistic", + "TORQUE-1.1", + "TAPR-OHL-1.0", + "UCL-1.0", + "Unicode-DFS-2015", + "Unicode-DFS-2016", + "Unicode-TOU", + "TU-Berlin-1.0", + "UPL-1.0", + "Unlicense", + "VOSTROM", + "Vim", + "VSL-1.0", + "W3C-20150513", + "W3C", + "W3C-19980720", + "Wsuipa", + "Watcom-1.0", + "WTFPL", + "X11", + "Xerox", + "XFree86-1.1", "xinetd", - "GPL-3.0-with-GCC-exception", - "ODbL-1.0", - "MIT", - "LGPL-2.1+", - "LGPL-2.1-only", - "CrystalStacker", - "ECL-2.0", - "LPPL-1.0", - "iMatix", - "CC-BY-NC-ND-3.0-IGO", - "BSD-Source-Code", - "Parity-6.0.0", - "TCL", - "Arphic-1999", - "CC-BY-SA-3.0", - "Caldera", - "AGPL-1.0", - "IPL-1.0", - "LAL-1.3", - "EPICS", - "NGPL", - "DRL-1.0", - "BSD-2-Clause-NetBSD", - "ZPL-1.1", - "GD", - "LPPL-1.2", - "Dotseqn", - "Spencer-99", - "OLDAP-2.3", + 
"Xnet", + "xpp", + "XSkat", + "YPL-1.0", "YPL-1.1", - "Fair", - "Qhull", - "GFDL-1.1-no-invariants-or-later", - "CECILL-C", - "MulanPSL-1.0", - "OLDAP-1.1", - "OLDAP-2.1", - "LPL-1.02", - "UPL-1.0", - "Abstyles", + "Zed", + "Zend-2.0", + "TU-Berlin-2.0", + "Zimbra-1.4", + "zlib-acknowledgement", + "Zlib", + "ZPL-1.1", "ZPL-2.0", - "MIT-0", - "LGPL-2.0-only", - "GFDL-1.3-no-invariants-only", - "AGPL-3.0", - "EPL-2.0", - "AFL-3.0", - "CDLA-Permissive-1.0", - "Artistic-1.0", - "CC-BY-NC-ND-4.0", - "HTMLTIDY", - "Glide", - "FSFAP", - "LGPLLR", - "OGL-UK-3.0", - "GFDL-1.2", - "SSH-OpenSSH", - "GFDL-1.1-only", - "MIT-feh", - "MPL-1.0", - "PostgreSQL", - "OLDAP-2.2.2", - "SMPPL", - "OFL-1.1", - "Leptonica", - "CERN-OHL-1.1", - "BSD-3-Clause-No-Nuclear-Warranty", - "CC-BY-ND-2.5", - "CC-BY-1.0", - "GFDL-1.2-only", - "OPUBL-1.0", - "libselinux-1.0", - "BSD-3-Clause", - "ANTLR-PD-fallback", - "copyleft-next-0.3.1", - "GPL-1.0+", + "ZPL-2.1", "wxWindows", - "LGPL-3.0", - "LGPL-2.1", - "StandardML-NJ", - "BSD-4-Clause", - "GPL-2.0-with-bison-exception", - "Apache-2.0", - "Artistic-1.0-cl8", - "GPL-2.0", - "Intel-ACPI", - "BSL-1.0", - "Artistic-1.0-Perl", - "BSD-2-Clause-Views", + "Zimbra-1.3", + "gSOAP-1.3b", "Interbase-1.0", + "LGPL-2.1", + "LGPL-3.0", "NPOSL-3.0", - "FLTK-exception", - "Bootloader-exception", - "WxWindows-exception-3.1", - "Linux-syscall-note", - "Qt-LGPL-exception-1.1", - "LLVM-exception", - "PS-or-PDF-font-exception-20170817", - "GCC-exception-3.1", + "OLDAP-2.5", + "StandardML-NJ", + "389-exception", + "Autoconf-exception-2.0", "Autoconf-exception-3.0", - "LGPL-3.0-linking-exception", - "GCC-exception-2.0", "Bison-exception-2.2", - "openvpn-openssl-exception", - "Libtool-exception", - "Autoconf-exception-2.0", + "Bootloader-exception", + "Classpath-exception-2.0", + "CLISP-exception-2.0", + "DigiRule-FOSS-exception", + "eCos-exception-2.0", + "Fawkes-Runtime-exception", + "FLTK-exception", + "Font-exception-2.0", + "freertos-exception-2.0", + 
"GCC-exception-2.0",
+ "GCC-exception-3.1",
+ "gnu-javamail-exception",
+ "GPL-3.0-linking-exception",
"GPL-3.0-linking-source-exception",
"GPL-CC-1.0",
- "OCaml-LGPL-linking-exception",
- "Universal-FOSS-exception-1.0",
"i2p-gpl-java-exception",
- "CLISP-exception-2.0",
+ "LGPL-3.0-linking-exception",
+ "Libtool-exception",
+ "Linux-syscall-note",
+ "LLVM-exception",
+ "LZMA-exception",
+ "mif-exception",
+ "Nokia-Qt-exception-1.1",
+ "OCaml-LGPL-linking-exception",
"OCCT-exception-1.0",
- "Qwt-exception-1.0",
- "gnu-javamail-exception",
- "u-boot-exception-2.0",
- "freertos-exception-2.0",
- "Qt-GPL-exception-1.0",
"OpenJDK-assembly-exception-1.0",
+ "openvpn-openssl-exception",
+ "PS-or-PDF-font-exception-20170817",
+ "Qt-GPL-exception-1.0",
+ "Qt-LGPL-exception-1.1",
+ "Qwt-exception-1.0",
+ "SHL-2.0",
"SHL-2.1",
- "mif-exception",
- "Fawkes-Runtime-exception",
"Swift-exception",
- "GPL-3.0-linking-exception",
- "SHL-2.0",
- "Classpath-exception-2.0",
- "LZMA-exception",
- "Font-exception-2.0",
- "Nokia-Qt-exception-1.1",
- "DigiRule-FOSS-exception",
- "eCos-exception-2.0",
- "389-exception"
+ "u-boot-exception-2.0",
+ "Universal-FOSS-exception-1.0",
+ "WxWindows-exception-3.1"
]
-}
\ No newline at end of file
+}
diff --git a/cyclonedx/__res/schema/spdx.xsd b/cyclonedx/__res/schema/spdx.SNAPSHOT.xsd
similarity index 93%
rename from cyclonedx/__res/schema/spdx.xsd
rename to cyclonedx/__res/schema/spdx.SNAPSHOT.xsd
index 4fb43642..b45e2de0 100644
--- a/cyclonedx/__res/schema/spdx.xsd
+++ b/cyclonedx/__res/schema/spdx.SNAPSHOT.xsd
@@ -2,2059 +2,2049 @@ + version="1.0-3.12"> - + - Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic + Academic Free License v2.0 - + - SGI Free Software License B v2.0 + Attribution Assurance License - + - LaTeX Project Public License v1.3c + Adobe Systems Incorporated Source Code License Agreement - + - NIST Public Domain Notice with license fallback + Academic Free License v3.0 - + - libtiff License + Amazon Digital Services License - + - XSkat License + BSD Zero Clause License - + - Open Data Commons Public Domain Dedication & License 1.0 + Afmparse License - + - KiCad Libraries Exception + Academic Free License v1.2 - + - Creative Commons Attribution Non Commercial Share Alike 1.0 Generic + Affero General Public License v1.0 or later - + - GNU Free Documentation License v1.1 only - no invariants + Academic Free License v2.1 - + - Xerox License + Academic Free License v1.1 - + - LaTeX Project Public License v1.1 + Affero General Public License v1.0 - + - VOSTROM Public License for Open Source + Adobe Glyph List License - + - Upstream Compatibility License v1.0 + AMD's plpa_map.c License - + - Amazon Digital Services License + Aladdin Free Public License - + - Open Software License 2.0 + ANTLR Software Rights Notice - + - Attribution Assurance License + Apple MIT License - + - Fraunhofer FDK AAC Codec Library + Apache License 1.0 - + - W3C Software Notice and Document License (2015-05-13) + ANTLR Software Rights Notice with license fallback - + - Academic Free License v1.1 + Abstyles License - + - W3C Software Notice and License (2002-12-31) + Affero General Public License v1.0 only - + - Sleepycat License + Adobe Postscript AFM License - + - CeCILL Free Software License Agreement v1.1 + Apple Public Source License 1.0 - + - mpich2 License + Apple Public Source License 1.1 - + - Sun Industry Standards Source License v1.1 + Apple Public Source License 2.0 - + - Norwegian Licence for Open Government Data (NLOD) 1.0 + GNU Affero General Public 
License v3.0 only - + - ANTLR Software Rights Notice + Apache License 1.1 - + - GNU General Public License v3.0 only + Apache License 2.0 - + - gnuplot License + Adaptive Public License 1.0 - + - Norwegian Licence for Open Government Data (NLOD) 2.0 + Bahyph License - + - BSD 3-Clause Open MPI variant + Artistic License 1.0 - + - Licence Libre du Québec – Permissive version 1.1 + Academy of Motion Picture Arts and Sciences BSD - + - BSD 3-Clause Clear License + Barr License - + - FSF Unlimited License + GNU Affero General Public License v3.0 or later - + - Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales + Blue Oak Model License 1.0.0 - + - CERN Open Hardware Licence Version 2 - Strongly Reciprocal + Beerware License - + - Spencer License 94 + Artistic License 1.0 w/clause 8 - + - CERN Open Hardware Licence v1.2 + SQLite Blessing - + - GNU Free Documentation License v1.1 or later + Borceux license - + - Affero General Public License v1.0 or later + BSD 2-Clause NetBSD License - + - Wsuipa License + BSD 1-Clause License - + - Apple MIT License + BSD-2-Clause Plus Patent License - + - BSD 2-Clause "Simplified" License + BitTorrent Open Source License v1.0 - + - DSDP License + BSD 2-Clause FreeBSD License - + - Creative Commons Attribution 2.5 Generic + BSD with attribution - + - CMU License + BSD 2-Clause "Simplified" License - + - Beerware License + Apple Public Source License 1.2 - + - Sendmail License + Lawrence Berkeley National Labs BSD variant license - + - Technische Universitaet Berlin License 1.0 + Artistic License 2.0 - + - CNRI Jython License + BSD 3-Clause No Nuclear License 2014 - + - mplus Font License + BSD 3-Clause Modification - + - Code Project Open License 1.02 + BSD 4 Clause Shortened - + - BSD 3-Clause No Nuclear License 2014 + BSD 3-Clause "New" or "Revised" License - + - ISC License + BSD 3-Clause Open MPI variant - + - Creative Commons Attribution Share Alike 4.0 International + BitTorrent Open Source License v1.1 
- + - Eurosym License + BSD 3-Clause No Nuclear Warranty - + - GNU Lesser General Public License v3.0 only + BSD Source Code Attribution - + - Open LDAP Public License v1.3 + BSD Protection License - + - GNU Free Documentation License v1.1 or later - invariants + GNU Affero General Public License v3.0 - + - Glulxe License + Business Source License 1.1 - + - Simple Public License 2.0 + Artistic License 1.0 (Perl) - + - Community Data License Agreement Permissive 2.0 + Boost Software License 1.0 - + - GNU General Public License v2.0 w/Font exception + BSD 2-Clause with views sentence - + - Open Government Licence v2.0 + Cryptographic Autonomy License 1.0 (Combined Work Exception) - + - Creative Commons Attribution Share Alike 3.0 Germany + Computer Associates Trusted Open Source License 1.1 - + - Creative Commons Attribution No Derivatives 1.0 Generic + bzip2 and libbzip2 License v1.0.5 - + - GNU Free Documentation License v1.1 + bzip2 and libbzip2 License v1.0.6 - + - Creative Commons Attribution 4.0 International + Creative Commons Attribution 2.5 Generic - + - OpenSSL License + Creative Commons Attribution 3.0 Austria - + - Technische Universitaet Berlin License 2.0 + Computational Use of Data Agreement v1.0 - + - DOC License + Creative Commons Attribution 3.0 United States - + - GNU Free Documentation License v1.2 or later - no invariants + Creative Commons Attribution 1.0 Generic - + - Q Public License 1.0 + Creative Commons Attribution Non Commercial 1.0 Generic - + - Open LDAP Public License v2.8 + Creative Commons Attribution Non Commercial 2.0 Generic - + - Open Market License + Creative Commons Attribution Non Commercial 2.5 Generic - + - Open LDAP Public License v2.7 + Creative Commons Attribution 2.0 Generic - + - NIST Public Domain Notice + Creative Commons Attribution Non Commercial 4.0 International - + - Bitstream Vera Font License + Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic - + - GNU Free Documentation License v1.2 or 
later + Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic - + - SIL Open Font License 1.1 with Reserved Font Name + Creative Commons Attribution Non Commercial 3.0 Unported - + - Bahyph License + Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO - + - Barr License + Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported - + - Copyfree Open Innovation License + BSD 3-Clause No Nuclear License - + - GNU Free Documentation License v1.3 + Creative Commons Attribution Non Commercial No Derivatives 4.0 International - + - CeCILL-B Free Software License Agreement + Creative Commons Attribution Non Commercial Share Alike 2.0 Generic - + - Japan Network Information Center License + Creative Commons Attribution Non Commercial Share Alike 2.5 Generic - + - Zed License + Creative Commons Attribution Non Commercial Share Alike 3.0 Unported - + - ICU License + Creative Commons Attribution Non Commercial Share Alike 4.0 International - + - Creative Commons Attribution Non Commercial Share Alike 2.5 Generic + Creative Commons Attribution No Derivatives 1.0 Generic - + - Creative Commons Attribution No Derivatives 3.0 Germany + BSD 3-Clause Clear License - + - bzip2 and libbzip2 License v1.0.5 + Creative Commons Attribution No Derivatives 2.5 Generic - + - Sun Public License v1.0 + Creative Commons Attribution No Derivatives 3.0 Unported - + - Yahoo! 
Public License v1.0 + Creative Commons Attribution No Derivatives 4.0 International - + - OSET Public License version 2.1 + Creative Commons Attribution Share Alike 1.0 Generic - + - Noweb License + Creative Commons Attribution Share Alike 2.0 England and Wales - + - RealNetworks Public Source License v1.0 + Creative Commons Attribution Share Alike 2.0 Generic - + - Lawrence Berkeley National Labs BSD variant license + Creative Commons Attribution Share Alike 2.1 Japan - + - Community Data License Agreement Sharing 1.0 + Creative Commons Attribution No Derivatives 2.0 Generic - + - CeCILL Free Software License Agreement v1.0 + Creative Commons Attribution-Share Alike 3.0 Austria - + - Academy of Motion Picture Arts and Sciences BSD + Creative Commons Attribution Share Alike 3.0 Unported - + - Adobe Postscript AFM License + Creative Commons Attribution Share Alike 4.0 International - + - Creative Commons Attribution No Derivatives 3.0 Unported + Creative Commons Attribution Share Alike 2.5 Generic - + - Deutsche Freie Software Lizenz + Creative Commons Attribution 3.0 Unported - + - Creative Commons Attribution Non Commercial 3.0 Unported + Common Development and Distribution License 1.0 - + - PNG Reference Library version 2 + Creative Commons Zero v1.0 Universal - + - PolyForm Noncommercial License 1.0.0 + Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic - + - dvipdfm License + Creative Commons Attribution Non Commercial Share Alike 1.0 Generic - + - GNU Free Documentation License v1.3 or later + Caldera License - + - Open Group Test Suite License + Community Data License Agreement Permissive 1.0 - + - Netscape Public License v1.1 + Creative Commons Attribution 4.0 International - + - GNU General Public License v3.0 only + Creative Commons Public Domain Dedication and Certification - + - CERN Open Hardware Licence Version 2 - Permissive + BSD-4-Clause (University of California-Specific) - + - Blue Oak Model License 1.0.0 + BSD 4-Clause 
"Original" or "Old" License - + - GNU Affero General Public License v3.0 or later + Cryptographic Autonomy License 1.0 - + - SQLite Blessing + Common Development and Distribution License 1.1 - + - ImageMagick License + CERN Open Hardware Licence v1.2 - + - Apple Public Source License 2.0 + CERN Open Hardware Licence v1.1 - + - Enlightenment License (e16) + CERN Open Hardware Licence Version 2 - Permissive - + - curl License + CERN Open Hardware Licence Version 2 - Strongly Reciprocal - + - Creative Commons Zero v1.0 Universal + CeCILL Free Software License Agreement v1.1 - + - Zimbra Public License v1.4 + CeCILL Free Software License Agreement v2.0 - + - Server Side Public License, v 1 + CeCILL Free Software License Agreement v1.0 - + - psutils License + CNRI Python License - + - Creative Commons Attribution Share Alike 2.0 England and Wales + CNRI Python Open Source GPL Compatible License Agreement - + - Python Software Foundation License 2.0 + copyleft-next 0.3.0 - + - Net-SNMP License + Common Public Attribution License 1.0 - + - Nara Institute of Science and Technology License (2003) + copyleft-next 0.3.1 - + - GNU Free Documentation License v1.2 or later - invariants + Common Public License 1.0 - + - SGI Free Software License B v1.0 + Clarified Artistic License - + - Net Boolean Public License v1 + CeCILL-C Free Software License Agreement - + - GNU Free Documentation License v1.2 only - invariants + CNRI Jython License - + - W3C Software Notice and License (1998-07-20) + Condor Public License v1.1 - + - SIL Open Font License 1.0 with no Reserved Font Name + Code Project Open License 1.02 - + - NetCDF license + curl License - + - TMate Open Source License + diffmark license - + - Netizen Open Source License + Crossword License - + - CNRI Python Open Source GPL Compatible License Agreement + Dotseqn License - + - BSD 1-Clause License + DOC License - + - Creative Commons Attribution Non Commercial Share Alike 3.0 Germany + DSDP License - + - BSD 3-Clause 
Modification + Detection Rule License 1.0 - + - Good Luck With That Public License + Educational Community License v1.0 - + - GNU Free Documentation License v1.3 only + Educational Community License v2.0 - + - Open LDAP Public License v2.2 + eCos license version 2.0 - + - Creative Commons Attribution No Derivatives 4.0 International + CrystalStacker License - + - Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany + CERN Open Hardware Licence Version 2 - Weakly Reciprocal - + - European Union Public License 1.0 + Deutsche Freie Software Lizenz - + - Linux Kernel Variant of OpenIB.org license + eGenix.com Public License 1.1.0 - + - GNU Library General Public License v2 or later + EPICS Open License - + - Open Software License 1.1 + Entessa Public License v1.0 - + - Spencer License 86 + Eclipse Public License 1.0 - + - GNU Library General Public License v2 only + Eiffel Forum License v2.0 - + - Creative Commons Public Domain Dedication and Certification + CUA Office Public License v1.0 - + - Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported + Etalab Open License 2.0 - + - Common Documentation License 1.0 + European Union Public License 1.0 - + - Elastic License 2.0 + Erlang Public License v1.1 - + - Creative Commons Attribution 2.0 Generic + EU DataGrid Software License - + - BSD 3-Clause No Military License + European Union Public License 1.1 - + - Independent JPEG Group License + Cube License - + - LaTeX Project Public License v1.3a + dvipdfm License - + - Sax Public Domain Notice + FreeBSD Documentation License - + - BitTorrent Open Source License v1.0 + Eurosym License - + - Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B) + FSF All Permissive License - + - Giftware License + FreeImage Public License v1.0 - + - Computational Use of Data Agreement v1.0 + FSF Unlimited License (with License Retention) - + - GNU Library General Public License v2 or later + FSF Unlimited License - + - Rdisc License + GD License - + - 
GNU General Public License v2.0 w/Classpath exception + GNU Free Documentation License v1.1 only - invariants - + - Creative Commons Attribution 3.0 United States + European Union Public License 1.2 - + - Common Development and Distribution License 1.0 + Eclipse Public License 2.0 - + - X.Net License + GNU Free Documentation License v1.1 or later - no invariants - + - Common Public License 1.0 + GNU Free Documentation License v1.1 only - + - GNU Lesser General Public License v3.0 or later + GNU Free Documentation License v1.1 or later - + - NASA Open Source Agreement 1.3 + GNU Free Documentation License v1.1 - + - Business Source License 1.1 + Freetype Project License - + - Etalab Open License 2.0 + GNU Free Documentation License v1.2 or later - invariants - + - MIT Open Group variant + GNU Free Documentation License v1.1 or later - invariants - + - Open LDAP Public License v1.4 + GNU Free Documentation License v1.2 only - invariants - + - GNU Free Documentation License v1.1 only - invariants + GNU Free Documentation License v1.2 only - + - Reciprocal Public License 1.1 + GNU Free Documentation License v1.2 or later - + - Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic + GNU Free Documentation License v1.2 - + - FSF Unlimited License (with License Retention) + GNU Free Documentation License v1.2 only - no invariants - + - Saxpath License + GNU Free Documentation License v1.3 only - invariants - + - NTP No Attribution + GNU Free Documentation License v1.3 only - no invariants - + - Sun Industry Standards Source License v1.2 + GNU Free Documentation License v1.3 or later - invariants - + - GNU General Public License v3.0 or later + GNU Free Documentation License v1.2 or later - no invariants - + - Apache License 1.1 + Fair License - + - Creative Commons Attribution Share Alike 2.1 Japan + Frameworx Open License 1.0 - + - GNU Affero General Public License v3.0 only + Giftware License - + - GNU General Public License v2.0 w/Autoconf exception + 
GNU Free Documentation License v1.1 only - no invariants - + - Artistic License 2.0 + GL2PS License - + - App::s2p License + Glulxe License - + - Unicode License Agreement - Data Files and Software (2015) + 3dfx Glide License - + - diffmark license + gnuplot License - + - SNIA Public License 1.1 + Good Luck With That Public License - + - Creative Commons Attribution Share Alike 2.5 Generic + GNU General Public License v1.0 only - + - Linux man-pages Copyleft + GNU General Public License v1.0 or later - + - Historical Permission Notice and Disclaimer - sell variant + GNU General Public License v1.0 only - + - Zope Public License 2.1 + GNU Free Documentation License v1.3 only - + - BSD-4-Clause (University of California-Specific) + GNU General Public License v2.0 only - + - Licence Art Libre 1.2 + GNU General Public License v2.0 or later - + - Affero General Public License v1.0 only + GNU General Public License v2.0 w/Autoconf exception - + - enna License + GNU General Public License v2.0 or later - + - Condor Public License v1.1 + GNU Free Documentation License v1.3 - + - Naumen Public License + GNU General Public License v1.0 or later - + - GNU Free Documentation License v1.3 or later - no invariants + Community Data License Agreement Sharing 1.0 - + - Reciprocal Public License 1.5 + GNU General Public License v2.0 w/Classpath exception - + - PolyForm Small Business License 1.0.0 + GNU General Public License v2.0 w/GCC Runtime Library exception - + - Eiffel Forum License v1.0 + GNU General Public License v2.0 w/Bison exception - + - The MirOS Licence + GNU General Public License v2.0 w/Font exception - + - Creative Commons Attribution 2.5 Australia + GNU General Public License v2.0 only - + - Afmparse License + CeCILL Free Software License Agreement v2.1 - + - Mozilla Public License 2.0 (no copyleft exception) + GNU General Public License v3.0 only - + - Licence Libre du Québec – Réciprocité forte version 1.1 + GNU General Public License v3.0 or later - + - 
Academic Free License v1.2 + GNU General Public License v3.0 w/Autoconf exception - + - Open Software License 1.0 + GNU General Public License v3.0 only - + - GNU General Public License v1.0 only + Hippocratic License 2.1 - + - Apple Public Source License 1.0 + Historical Permission Notice and Disclaimer - + - Open Government Licence - Canada + HTML Tidy License - + - Common Public Attribution License 1.0 + GNU General Public License v3.0 w/GCC Runtime Library exception - + - Latex2e License + Haskell Language Report License - + - Zend License v2.0 + GNU General Public License v3.0 or later - + - The Unlicense + ICU License - + - XPP License + ImageMagick License - + - Creative Commons Attribution Non Commercial 1.0 Generic + iMatix Standard Function Library Agreement - + - GNU General Public License v3.0 w/Autoconf exception + IBM PowerPC Initialization and Boot Software - + - Creative Commons Attribution Non Commercial Share Alike 3.0 Unported + Intel ACPI Software License Agreement - + - TCP Wrappers License + Intel Open Source License - + - SCEA Shared Source License + Info-ZIP License - + - SSH short notice + IPA Font License - + - Creative Commons Attribution 3.0 Netherlands + Independent JPEG Group License - + - Scheme Language Report License + ISC License - + - Creative Commons Attribution 3.0 Unported + JasPer License - + - Mozilla Public License 2.0 + Japan Network Information Center License - + - Unicode Terms of Use + JSON License - + - Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic + Licence Art Libre 1.2 - + - Entessa Public License v1.0 + Licence Art Libre 1.3 - + - BSD 3-Clause No Nuclear License + Latex2e License - + - Scheme Widget Library (SWL) Software License Agreement + Leptonica License - + - GNU Free Documentation License v1.2 only - no invariants + Historical Permission Notice and Disclaimer - sell variant - + - The Parity Public License 7.0.0 + GNU Library General Public License v2 only - + - Open LDAP Public 
License v2.2.1 + GNU Library General Public License v2 or later - + - SGI Free Software License B v1.1 + Imlib2 License - + - Freetype Project License + IBM Public License v1.0 - + - Open LDAP Public License v2.4 + GNU Lesser General Public License v2.1 only - + - Creative Commons Attribution Non Commercial 4.0 International + GNU Lesser General Public License v2.1 or later - + - bzip2 and libbzip2 License v1.0.6 + GNU Library General Public License v2 or later - + - copyleft-next 0.3.0 + GNU Library General Public License v2 only - + - MakeIndex License + CeCILL-B Free Software License Agreement - + - NRL License + GNU Lesser General Public License v3.0 or later - + - GNU Free Documentation License v1.3 or later - invariants + GNU Lesser General Public License v3.0 only - + - Creative Commons Attribution Non Commercial 2.0 Generic + Lesser General Public License For Linguistic Resources - + - SugarCRM Public License v1.1.3 + PNG Reference Library version 2 - + - Academic Free License v2.1 + libpng License - + - GNU General Public License v2.0 only + libselinux public domain notice - + - GNU Free Documentation License v1.3 only - invariants + GNU Lesser General Public License v3.0 or later - + - TORQUE v2.5+ Software License v1.1 + Eiffel Forum License v1.0 - + - Ruby License + libtiff License - + - X11 License + GNU Free Documentation License v1.3 or later - no invariants - + - Borceux license + Licence Libre du Québec – Réciprocité forte version 1.1 - + - libpng License + Licence Libre du Québec – Réciprocité version 1.1 - + - X11 License Distribution Modification Variant + Lucent Public License Version 1.0 - + - Frameworx Open License 1.0 + Licence Libre du Québec – Permissive version 1.1 - + - Non-Commercial Government Licence + Linux Kernel Variant of OpenIB.org license - + - CeCILL Free Software License Agreement v2.1 + LaTeX Project Public License v1.0 - + - Creative Commons Attribution 3.0 Austria + LaTeX Project Public License v1.2 - + - CNRI Python 
License + LaTeX Project Public License v1.3a - + - University of Illinois/NCSA Open Source License + Lucent Public License v1.02 - + - gSOAP Public License v1.3b + LaTeX Project Public License v1.3c - + - European Union Public License 1.1 + MakeIndex License - + - AMD's plpa_map.c License + GNU Library General Public License v2.1 or later - + - Imlib2 License + LaTeX Project Public License v1.1 - + - Common Development and Distribution License 1.1 + CMU License - + - Do What The F*ck You Want To Public License + The MirOS Licence - + - Lucent Public License Version 1.0 + Enlightenment License (e16) - + - Eclipse Public License 1.0 + MIT License Modern Variant - + - BSD with attribution + MIT License - + - Open Software License 3.0 + enna License - + - Red Hat eCos Public License v1.1 + MIT Open Group variant - + - PHP License v3.0 + feh License - + - BSD Protection License + MIT +no-false-attribs license - + - Creative Commons Attribution Non Commercial 3.0 Germany + Mozilla Public License 1.0 - + - Adaptive Public License 1.0 + mpich2 License - + - EU DataGrid Software License + Mozilla Public License 2.0 - + - GNU General Public License v1.0 only + Mozilla Public License 2.0 (no copyleft exception) - + - Solderpad Hardware License v0.5 + Microsoft Reciprocal License - + - Creative Commons Attribution Share Alike 2.0 Generic + Matrix Template Library License - + - Creative Commons Attribution Share Alike 3.0 Austria + Mozilla Public License 1.1 - + - Creative Commons Attribution Non Commercial Share Alike 3.0 IGO + Mulan Permissive Software License, Version 2 - + - Adobe Systems Incorporated Source Code License Agreement + Motosoto License - + - Newsletr License + Mup License - + - Nunit License + Mulan Permissive Software License, Version 1 - + - Multics License + Nara Institute of Science and Technology License (2003) - + - Open Government Licence v1.0 + Naumen Public License - + - Vim License + Multics License - + - eCos license version 2.0 + Net Boolean Public 
License v1 - + - Zimbra Public License v1.3 + University of Illinois/NCSA Open Source License - + - eGenix.com Public License 1.1.0 + Net-SNMP License - + - IBM PowerPC Initialization and Boot Software + NetCDF license - + - BitTorrent Open Source License v1.1 + NASA Open Source Agreement 1.3 - + - SIL Open Font License 1.1 with no Reserved Font Name + Nethack General Public License - + - psfrag License + NIST Public Domain Notice with license fallback - + - Creative Commons Attribution No Derivatives 2.0 Generic + NIST Public Domain Notice - + - Solderpad Hardware License, Version 0.51 + Newsletr License - + - FreeBSD Documentation License + No Limit Public License - + - Python License 2.0 + Nokia Open Source License - + - Mup License + Netizen Open Source License - + - BSD 4 Clause Shortened + Noweb License - + - Creative Commons Attribution Non Commercial Share Alike 4.0 International + Norwegian Licence for Open Government Data - + - Historical Permission Notice and Disclaimer + Netscape Public License v1.0 - + - Open LDAP Public License v2.6 + Non-Commercial Government Licence - + - Mozilla Public License 1.1 + NRL License - + - GNU General Public License v2.0 w/GCC Runtime Library exception + NTP No Attribution - + - Haskell Language Report License + NTP License - + - Educational Community License v1.0 + GNU Free Documentation License v1.3 or later - + - GNU Lesser General Public License v2.1 or later + Nunit License - + - SIL Open Font License 1.0 + Open Use of Data Agreement v1.0 - + - Apple Public Source License 1.1 + Netscape Public License v1.1 - + - MIT +no-false-attribs license + Open CASCADE Technology Public License - + - CeCILL Free Software License Agreement v2.0 + Open Data Commons Attribution License v1.0 - + - Crossword License + SIL Open Font License 1.0 with no Reserved Font Name - + - Aladdin Free Public License + OCLC Research Public License 2.0 - + - Baekmuk License + SIL Open Font License 1.0 with Reserved Font Name - + - XFree86 License 
1.1 + SIL Open Font License 1.0 - + - GNU General Public License v1.0 or later + SIL Open Font License 1.1 with no Reserved Font Name - + - CERN Open Hardware Licence Version 2 - Weakly Reciprocal + SIL Open Font License 1.1 with Reserved Font Name - + - Creative Commons Attribution Share Alike 1.0 Generic + SIL Open Font License 1.1 - + - NTP License + Taiwan Open Government Data License, version 1.0 - + - PHP License v3.01 + OGC Software License, Version 1.0 - + - OCLC Research Public License 2.0 + Open Government Licence v1.0 - + - Creative Commons Attribution 3.0 Germany + Open Government Licence v2.0 - + - Creative Commons Attribution Non Commercial 2.5 Generic + Open Government Licence v3.0 - + - zlib License + Open Group Test Suite License - + - Computer Associates Trusted Open Source License 1.1 + Open LDAP Public License v1.1 - + - GNU Lesser General Public License v3.0 or later + Open LDAP Public License v1.2 - + - Cryptographic Autonomy License 1.0 + Open LDAP Public License v1.3 - + - Netscape Public License v1.0 + Open Government Licence - Canada - + - Standard ML of New Jersey License + Open LDAP Public License v2.0.1 - + - GNU General Public License v2.0 or later + Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B) - + - Open LDAP Public License v2.5 + Open LDAP Public License v2.1 - + - JasPer License + Open LDAP Public License v2.2.1 - + - GNU General Public License v2.0 or later + Open LDAP Public License 2.2.2 - + - BSD-2-Clause Plus Patent License + Open LDAP Public License v2.2 - + - Microsoft Reciprocal License + Open Data Commons Open Database License v1.0 - + - CUA Office Public License v1.0 + Open LDAP Public License v2.4 - + - IPA Font License + Open LDAP Public License v1.4 - + - No Limit Public License + Open LDAP Public License v2.3 - + - Open Use of Data Agreement v1.0 + Open LDAP Public License v2.7 - + - MIT License Modern Variant + Open LDAP Public License v2.8 - + - Open LDAP Public License v1.2 + Open Market License - + - 
BSD 2-Clause FreeBSD License + OpenSSL License - + - Info-ZIP License + Open LDAP Public License v2.6 - + - Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France + Open Public License v1.0 - + - BSD Zero Clause License + Open Software License 1.0 - + - Unicode License Agreement - Data Files and Software (2016) + Open Software License 1.1 - + - SIL Open Font License 1.0 with Reserved Font Name + Open Software License 2.0 - + - Intel Open Source License + OSET Public License version 2.1 - + - Academic Free License v2.0 + Open Software License 2.1 - + - GL2PS License + The Parity Public License 6.0.0 - + - TAPR Open Hardware License v1.0 + The Parity Public License 7.0.0 - + - Apache License 1.0 + Open Data Commons Public Domain Dedication & License 1.0 - + - Matrix Template Library License + PHP License v3.0 - + - Motosoto License + Open Software License 3.0 - + - RSA Message-Digest License + Plexus Classworlds License - + - Community Specification License 1.0 + Microsoft Public License - + - Open Data Commons Attribution License v1.0 + PolyForm Small Business License 1.0.0 - + - zlib/libpng License with Acknowledgement + PolyForm Noncommercial License 1.0.0 - + - Data licence Germany – attribution – version 2.0 + Python Software Foundation License 2.0 - + - Vovida Software License v1.0 + psfrag License - + - Licence Libre du Québec – Réciprocité version 1.1 + PostgreSQL License - + - Open Public License v1.0 + psutils License - + - GNU General Public License v3.0 or later + Qhull License - + - Mulan Permissive Software License, Version 2 + Q Public License 1.0 - + - Apple Public Source License 1.2 + Rdisc License - + - Taiwan Open Government Data License, version 1.0 + Python License 2.0 - + - Ricoh Source Code Public License + Reciprocal Public License 1.1 - + - OGC Software License, Version 1.0 + Reciprocal Public License 1.5 - + - Eiffel Forum License v2.0 + Red Hat eCos Public License v1.1 - + - Cryptographic Autonomy License 1.0 (Combined Work 
Exception) + RSA Message-Digest License - + - Microsoft Public License + Ricoh Source Code Public License - + - Plexus Classworlds License + Ruby License - + - Sendmail License 8.23 + Sax Public Domain Notice - + - Cube License + Saxpath License - + - JSON License + SCEA Shared Source License - + - European Union Public License 1.2 + Sendmail License 8.23 - + - Adobe Glyph List License + Sendmail License - + - FreeImage Public License v1.0 + SGI Free Software License B v1.0 - + - Sybase Open Watcom Public License 1.0 + SGI Free Software License B v1.1 - + - Jam License + SGI Free Software License B v2.0 - + - Hippocratic License 2.1 + Solderpad Hardware License v0.5 - + - Open LDAP Public License v2.0.1 + Solderpad Hardware License, Version 0.51 - + - Creative Commons Attribution Non Commercial Share Alike 2.0 Generic + Simple Public License 2.0 - + - Nokia Open Source License + Sun Industry Standards Source License v1.2 - + - Open CASCADE Technology Public License + Sun Industry Standards Source License v1.1 - + - Erlang Public License v1.1 + Sleepycat License - + - Trusster Open Source License + Standard ML of New Jersey License - + - Open Software License 2.1 + Secure Messaging Protocol Public License - + - Clarified Artistic License + SNIA Public License 1.1 - + - xinetd License + Spencer License 86 - + - GNU General Public License v3.0 w/GCC Runtime Library exception + Spencer License 94 - + - Open Data Commons Open Database License v1.0 - - - - - MIT License - - - - - GNU Library General Public License v2.1 or later + Spencer License 99 - + - GNU Lesser General Public License v2.1 only + Sun Public License v1.0 - + - CrystalStacker License + SSH OpenSSH license - + - Educational Community License v2.0 + PHP License v3.01 - + - LaTeX Project Public License v1.0 + SSH short notice - + - iMatix Standard Function Library Agreement + MIT No Attribution - + - Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO + RealNetworks Public Source License 
v1.0 - + - BSD Source Code Attribution + Scheme Widget Library (SWL) Software License Agreement - + - The Parity Public License 6.0.0 + SugarCRM Public License v1.1.3 @@ -2062,129 +2052,59 @@ TCL/TK License - - - Arphic Public License - - - - - Creative Commons Attribution Share Alike 3.0 Unported - - - - - Caldera License - - - - - Affero General Public License v1.0 - - - - - IBM Public License v1.0 - - - - - Licence Art Libre 1.3 - - - - - EPICS Open License - - - - - Nethack General Public License - - - - - Detection Rule License 1.0 - - - - - BSD 2-Clause NetBSD License - - - - - Zope Public License 1.1 - - - - - GD License - - - - - LaTeX Project Public License v1.2 - - - - - Dotseqn License - - - + - Spencer License 99 + TCP Wrappers License - + - Open LDAP Public License v2.3 + Server Side Public License, v 1 - + - Yahoo! Public License v1.1 + TMate Open Source License - + - Fair License + Trusster Open Source License - + - Qhull License + TORQUE v2.5+ Software License v1.1 - + - GNU Free Documentation License v1.1 or later - no invariants + TAPR Open Hardware License v1.0 - + - CeCILL-C Free Software License Agreement + Upstream Compatibility License v1.0 - + - Mulan Permissive Software License, Version 1 + Unicode License Agreement - Data Files and Software (2015) - + - Open LDAP Public License v1.1 + Unicode License Agreement - Data Files and Software (2016) - + - Open LDAP Public License v2.1 + Unicode Terms of Use - + - Lucent Public License v1.02 + Technische Universitaet Berlin License 1.0 
@@ -2192,270 +2112,210 @@ Universal Permissive License v1.0 - - - Abstyles License - - - - - Zope Public License 2.0 - - - - - MIT No Attribution - - - - - GNU Library General Public License v2 only - - - - - GNU Free Documentation License v1.3 only - no invariants - - - - - GNU Affero General Public License v3.0 - - - - - Eclipse Public License 2.0 - - - - - Academic Free License v3.0 - - - - - Community Data License Agreement Permissive 1.0 - - - - - Artistic License 1.0 - - - - - Creative Commons Attribution Non Commercial No Derivatives 4.0 International - - - - - HTML Tidy License - - - + - 3dfx Glide License + The Unlicense - + - FSF All Permissive License + VOSTROM Public License for Open Source - + - Lesser General Public License For Linguistic Resources + Vim License - + - Open Government Licence v3.0 + Vovida Software License v1.0 - + - GNU Free Documentation License v1.2 + W3C Software Notice and Document License (2015-05-13) - + - SSH OpenSSH license + W3C Software Notice and License (2002-12-31) - + - GNU Free Documentation License v1.1 only + W3C Software Notice and License (1998-07-20) - + - feh License + Wsuipa License - + - Mozilla Public License 1.0 + Sybase Open Watcom Public License 1.0 - + - PostgreSQL License + Do What The F*ck You Want To Public License - + - Open LDAP Public License 2.2.2 + X11 License - + - Secure Messaging Protocol Public License + Xerox License - + - SIL Open Font License 1.1 + XFree86 License 1.1 - + - Leptonica License + xinetd License - + - CERN Open Hardware Licence v1.1 + X.Net License - + - BSD 3-Clause No Nuclear Warranty + XPP License - + - Creative Commons Attribution No Derivatives 2.5 Generic + XSkat License - + - Creative Commons Attribution 1.0 Generic + Yahoo! Public License v1.0 - + - GNU Free Documentation License v1.2 only + Yahoo! 
Public License v1.1 - + - Open Publication License v1.0 + Zed License - + - libselinux public domain notice + Zend License v2.0 - + - BSD 3-Clause "New" or "Revised" License + Technische Universitaet Berlin License 2.0 - + - ANTLR Software Rights Notice with license fallback + Zimbra Public License v1.4 - + - copyleft-next 0.3.1 + zlib/libpng License with Acknowledgement - + - GNU General Public License v1.0 or later + zlib License - + - wxWindows Library License + Zope Public License 1.1 - + - GNU Lesser General Public License v3.0 only + Zope Public License 2.0 - + - GNU Lesser General Public License v2.1 only + Zope Public License 2.1 - + - Standard ML of New Jersey License + wxWindows Library License - + - BSD 4-Clause "Original" or "Old" License + Zimbra Public License v1.3 - + - GNU General Public License v2.0 w/Bison exception + gSOAP Public License v1.3b - + - Apache License 2.0 + Interbase Public License v1.0 - + - Artistic License 1.0 w/clause 8 + GNU Lesser General Public License v2.1 only - + - GNU General Public License v2.0 only + GNU Lesser General Public License v3.0 only - + - Intel ACPI Software License Agreement + Non-Profit Open Software License 3.0 - + - Boost Software License 1.0 + Open LDAP Public License v2.5 - + - Artistic License 1.0 (Perl) + Standard ML of New Jersey License - + + - BSD 2-Clause with views sentence + 389 Directory Server Exception - + - Interbase Public License v1.0 + Autoconf exception 2.0 - + - Non-Profit Open Software License 3.0 + Autoconf exception 3.0 - - + - FLTK exception + Bison exception 2.2 
@@ -2463,44 +2323,44 @@ Bootloader Distribution Exception - + - WxWindows Library Exception 3.1 + Classpath exception 2.0 - + - Linux Syscall Note + CLISP exception 2.0 - + - Qt LGPL exception 1.1 + DigiRule FOSS License Exception - + - LLVM Exception + eCos exception 2.0 - + - PS/PDF font exception (2017-08-17) + Fawkes Runtime Exception - + - GCC Runtime Library exception 3.1 + FLTK exception - + - Autoconf exception 3.0 + Font exception 2.0 - + - LGPL-3.0 Linking Exception + FreeRTOS Exception 2.0 @@ -2508,24 +2368,19 @@ GCC Runtime Library exception 2.0 - - - Bison exception 2.2 - - - + - OpenVPN OpenSSL Exception + GCC Runtime Library exception 3.1 - + - Libtool Exception + GNU JavaMail exception - + - Autoconf exception 2.0 + GPL-3.0 Linking Exception @@ -2538,54 +2393,54 @@ GPL Cooperation Commitment 1.0 - + - OCaml LGPL Linking Exception + i2p GPL+Java Exception - + - Universal FOSS Exception, Version 1.0 + LGPL-3.0 Linking Exception - + - i2p GPL+Java Exception + Libtool Exception - + - CLISP exception 2.0 + Linux Syscall Note - + - Open CASCADE Exception 1.0 + LLVM Exception - + - Qwt exception 1.0 + LZMA exception - + - GNU JavaMail exception + Macros and Inline Functions Exception - + - U-Boot exception 2.0 + Nokia Qt LGPL exception 1.1 - + - FreeRTOS Exception 2.0 + OCaml LGPL Linking Exception - + - Qt GPL exception 1.0 + Open CASCADE Exception 1.0 @@ -2593,29 +2448,29 @@ OpenJDK Assembly exception 1.0 - + - Solderpad Hardware License v2.1 + OpenVPN OpenSSL Exception - + - Macros and Inline Functions Exception + PS/PDF font exception (2017-08-17) - + - Fawkes Runtime Exception + Qt GPL exception 1.0 - + - Swift Exception + Qt LGPL exception 1.1 - + - GPL-3.0 Linking Exception + Qwt exception 1.0 
@@ -2623,39 +2478,29 @@ Solderpad Hardware License v2.0 - - - Classpath exception 2.0 - - - - - LZMA exception - - - + - Font exception 2.0 + Solderpad Hardware License v2.1 - + - Nokia Qt LGPL exception 1.1 + Swift Exception - + - DigiRule FOSS License Exception + U-Boot exception 2.0 - + - eCos exception 2.0 + Universal FOSS Exception, Version 1.0 - + - 389 Directory Server Exception + WxWindows Library Exception 3.1 diff --git a/tools/schema-downloader.py b/tools/schema-downloader.py new file mode 100644 index 00000000..2ff3e668 --- /dev/null +++ b/tools/schema-downloader.py 
@@ -0,0 +1,109 @@
+# encoding: utf-8
+import re
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+from os.path import dirname, join
+from urllib.request import urlretrieve
+import re
+
+SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/1.4/schema/'
+TARGET_ROOT = join(dirname(__file__), '..', 'cyclonedx', '__res', 'schema')
+
+bom_xsd = {
+ 'versions': ['1.4', '1.3', '1.2', '1.1', '1.0'],
+ 'sourcePattern': f'{SOURCE_ROOT}bom-%s.xsd',
+ 'targetPattern': join(TARGET_ROOT, 'bom-%s.SNAPSHOT.xsd'),
+ 'replace': [],
+ 'replaceRE': [
+ (re.compile(r'schemaLocation="https?://cyclonedx.org/schema/spdx"'), 'schemaLocation="spdx.SNAPSHOT.xsd"')
+ ]
+}
+
+# "version" is not required but optional with a default value!
+# this is wrong in schema<1.5
+_bomSchemaEnumMatch = re.compile(
+ r'("\$id": "(http://cyclonedx\.org/schema/bom.+?\.schema\.json)".*"enum": \[\s+")http://cyclonedx\.org/schema/bom.+?\.schema\.json"',
+ re.DOTALL)
+_bomSchemaEnumReplace = r'\1\2"'
+
+
+# "version" is not required but optional with a default value!
+# this is wrong in schema<1.5
+_bomRequired = """
+ "required": [
+ "bomFormat",
+ "specVersion",
+ "version"
+ ],"""
+_bomRequiredReplace = """
+ "required": [
+ "bomFormat",
+ "specVersion"
+ ],"""
+
+
+# there was a case where the default value did not match the own pattern ...
+# this is wrong in schema<1.5
+_defaultWithPatternMatch = re.compile(r'\s+"default": "",(?![^}]*?"pattern": "\^\(\.\*\)\$")', re.MULTILINE)
+_defaultWithPatternReplace = r''
+
+bom_json_lax = {
+ 'versions': ['1.4', '1.3', '1.2'],
+ 'sourcePattern': f'{SOURCE_ROOT}bom-%s.schema.json',
+ 'targetPattern': join(TARGET_ROOT, 'bom-%s.SNAPSHOT.schema.json'),
+ 'replace': [
+ ('spdx.schema.json', 'spdx.SNAPSHOT.schema.json'),
+ ('jsf-0.82.schema.json', 'jsf-0.82.SNAPSHOT.schema.json'),
+ (_bomRequired, _bomRequiredReplace),
+ ],
+ 'replaceRE': [
+ (_bomSchemaEnumMatch, _bomSchemaEnumReplace),
+ # there was a case where the default value did not match the own pattern ...
+ # this is wrong in schema<1.5
+ # with current SchemaValidator this is no longer required, as defaults are not applied
+ # (re.compile(r'\s+"default": "",(?![^}]*?"pattern": "\^\(\.\*\)\$")', re.MULTILINE), '')
+ ]
+}
+
+bom_json_strict = {
+ 'versions': ['1.3', '1.2'],
+ 'sourcePattern': f'{SOURCE_ROOT}bom-%s-strict.schema.json',
+ 'targetPattern': join(TARGET_ROOT, 'bom-%s-strict.SNAPSHOT.schema.json'),
+ 'replace': bom_json_lax['replace'],
+ 'replaceRE': bom_json_lax['replaceRE']
+}
+
+other_downloadables = [
+ (f'{SOURCE_ROOT}spdx.schema.json', join(TARGET_ROOT, 'spdx.SNAPSHOT.schema.json')),
+ (f'{SOURCE_ROOT}spdx.xsd', join(TARGET_ROOT, 'spdx.SNAPSHOT.xsd')),
+ (f'{SOURCE_ROOT}jsf-0.82.schema.json', join(TARGET_ROOT, 'jsf-0.82.SNAPSHOT.schema.json')),
+]
+
+for dspec in (bom_xsd, bom_json_lax, bom_json_strict):
+ for version in dspec['versions']:
+ source = dspec['sourcePattern'].replace('%s', version)
+ target = dspec['targetPattern'].replace('%s', version)
+ tempfile, _ = urlretrieve(source)
+ with open(tempfile, 'r') as tmpf:
+ with open(target, 'w') as tarf:
+ text = tmpf.read()
+ for search, replace in dspec['replace']:
+ text = text.replace(search, replace)
+ for search, replace in dspec['replaceRE']:
+ text = search.sub(replace, text)
+ tarf.write(text)
+
+for source, target in other_downloadables:
+ urlretrieve(source, target)
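Review bot: `SOURCE_ROOT` points at the mutable branch ref `1.4` and nothing checks what `urlretrieve` fetched, so re-running the script can silently vendor different schema bytes than the ones that were reviewed; pin it to an immutable commit, e.g. `SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/<COMMIT_SHA>/schema/'` (placeholder), and record that ref alongside the snapshots. The literal and regex replacements in the download loop are likewise unchecked: a schema whose formatting drifts from `_bomRequired` or `_bomSchemaEnumMatch` would be written out unmodified without any error, so each entry should fail loudly when it matches nothing (if some version legitimately lacks a pattern, carry that expectation per entry). Smaller points in the same loop: both `open()` calls lack `encoding='utf-8'`, so the snapshot bytes depend on the locale; the file `urlretrieve` leaves behind is never removed, which `urlcleanup()` from `urllib.request` takes care of; and `import re` appears twice, once above the license header. `_defaultWithPatternMatch`/`_defaultWithPatternReplace` are dead code, since their only use is the commented-out entry in `replaceRE`. The rewritten loop below needs `from urllib.request import urlcleanup, urlretrieve`; the final `other_downloadables` loop benefits from the same pinning without further change.
```python
# … unchanged: license header, download specs and other_downloadables …
for dspec in (bom_xsd, bom_json_lax, bom_json_strict):
    for version in dspec['versions']:
        source = dspec['sourcePattern'].replace('%s', version)
        target = dspec['targetPattern'].replace('%s', version)
        tmp_path, _ = urlretrieve(source)
        try:
            with open(tmp_path, 'r', encoding='utf-8') as tmpf:
                text = tmpf.read()
        finally:
            urlcleanup()  # drop the temporary file urlretrieve created
        for search, replace in dspec['replace']:
            if search not in text:
                raise RuntimeError(f'{source}: expected literal not found: {search!r}')
            text = text.replace(search, replace)
        for search, replace in dspec['replaceRE']:
            text, count = search.subn(replace, text)
            if count == 0:
                raise RuntimeError(f'{source}: expected pattern not found: {search.pattern!r}')
        with open(target, 'w', encoding='utf-8') as tarf:
            tarf.write(text)
```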