package
0.16.0
Repository: https://github.com/cyclonedx/sbom-utility.git
Documentation: pkg.go.dev

# README

Supported schema formats

Formats MUST be in JSON schema format.

The following schema formats are supported:

| Format Name | Format Key | Format ID | Schema repository |
|---|---|---|---|
| SPDX | SPDXID | SPDXRef-DOCUMENT | https://github.com/spdx/spdx-spec |
| CycloneDX | bomFormat | CycloneDX | https://github.com/CycloneDX/specification |

# Functions

No description provided by the author
No description provided by the author
No description provided by the author
TODO: look to remove once we uniformly use get/set methods on structure fields.
TODO: look to remove once we uniformly use get/set methods on structure fields.
No description provided by the author
No description provided by the author
NOTE: policy.Id == "" we allow as "valid" as this indicates a potential "family" entry (i.e., group of SPDX IDs).
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
This is a wrapper to test specifically for the Normalize interface.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
given an array of policies verify their "usage" policy does not represent a conflict.

# Constants

Supported conjunctions and prepositions.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
Supported conjunctions and prepositions.
No description provided by the author
No description provided by the author
Format ID (key component) UNUSED, TODO Use these values to verify remotely loaded schema files.
Format ID (key component) UNUSED, TODO Use these values to verify remotely loaded schema files.
Input (source) reserved values.
Input (source) reserved values.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
LicenseChoice - Choice type.
LicenseChoice - Choice type.
LicenseChoice - Choice type.
LicenseChoice - Choice type.
LicenseChoice - corresponding (name) values for license choice types.
LicenseChoice - corresponding (name) values for license choice types.
LicenseChoice - corresponding (name) values for license choice types.
LicenseChoice - corresponding (name) values for license choice types.
Tokens.
Tokens.
No description provided by the author
No description provided by the author
No description provided by the author
MSG_CONFIG_SCHEMA_FORMAT_NOT_FOUND = "schema format not found in configuration.".
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
Supported conjunctions and prepositions.
Tokens.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
CycloneDX.
SPDX.
Document property keys JSON document property keys to lookup values in their respective SBOM formats UNUSED, TODO Use these values to verify remotely loaded schema files.
Document property keys JSON document property keys to lookup values in their respective SBOM formats UNUSED, TODO Use these values to verify remotely loaded schema files.
Note: the SPDX spec.
resource types.
i.e., all resource types.
resource types.
Tokens.
Tokens.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
default / "empty" values.
default / "empty" values.
default / "empty" values.
Supported conjunctions and prepositions.

# Variables

No description provided by the author
No description provided by the author
Globals.
For convenience, we provide named vars.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author

# Structs

Candidate BOM document (context) information.
No description provided by the author
Configs.
No description provided by the author
No description provided by the author
v1.4: created "releaseNotes" defn.
v1.4: created "analysis" def.
v1.6: added.
v1.6: added.
v1.4: created "analysis" def.
v1.5 "annotations" and sub-schema added ("required": ["subjects","annotator","timestamp","text"]) NOTE: CDXRefType is a named `string` type as of v1.5.
v1.5 added to represent the anonymous type defined in the "annotations" object required" oneOf: organization, individual, component, service.
v1.5: added "Learning types describing the learning problem or hybrid learning problem." "enum": ["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"].
v1.6: added.
v1.2: existed.
v1.6: added.
v1.6: added.
NOTE: During parsing, any fields not explicitly included in the structure will still be added as generic "interface{}" types v1.3: added "compositions" v1.4: added "vulnerabilities", "signature" v1.5: added "annotations", "formulation", "properties" v1.6: added "declarations", "definitions".
v1.5: added.
v1.6: added.
v1.6: added.
v1.6: added.
v1.6: added.
v1.5: added.
v1.2: existed TODO: GitHub PRs MAY have more than 1 commit (committer); CDX needs to account for this.
v1.2: existed v1.3: added: "evidence", "properties" v1.4: added: "releaseNotes", "signature" v1.4: changed: "version" no longer required v1.4: deprecated: "modified", "cpe", "swid" v1.5: added "modelCard", (component)"data" Note: "bom-ref" is a "refType" which is a constrained `string` TODO: "mime-type" SHOULD become "media-type" which is more modern/inclusive TODO: Remove "service" from "Type" enum.
v1.5 added object The general theme or subject matter of the data being specified.
v1.3: created "componentEvidence" defn.
------------------- Components ------------------- TODO: Authors (*[]CDXOrganizationalContact) TODO: HasHashes, HasLicenses, HasPedigree, HasEvidence, HasComponents, HasReleaseNotes TODO: HasModelCard, HasData, HasTags, HasSignature (*JSFSignature) TODO: OmniborId (new), Swhid (new).
v1.3: created "compositions" defn.
v1.5: added.
v1.6: added TODO: NOTE: overlap in fields with CDXConformance.
v1.5: added.
v1.6: added TODO: NOTE: overlap in fields with CDXConfidence.
v1.5: added (anonymous type) Considerations that should be taken into account regarding the model's construction, training, and application.
v1.5 added object.
v1.3: created "copyright" defn.
v1.5: created.
v1.4: created "credit" defn.
v1.6: added NOTE: This is an enum.
v1.5 added.
v1.5 added structure Constraints: "oneOf": ["organization", "contact"].
v1.5: added.
v1.6: added "declarations".
v1.6: added.
v1.2: existed v1.4: "ref" and "dependsOn" became type "refType" which is a constrained `string` v1.5: "ref": is now a constrained "string" of type "#/definitions/refLinkType" v1.5: "dependsOn": is now a constrained "string" of type "#/definitions/refLinkType" Note: Changes to RefType and RefLinkType are ONLY constraint changes; we need only track type changes...
v1.2: existed v1.3 "url" type changed from `string` (with constraints) to an "iri-reference".
v1.6: added.
v1.6: added.
v1.6: added.
v1.6: added Information about the benefits and harms of the model to an identified at risk group.
No description provided by the author
v1.6: added.
v1.6: added NOTE: The "Contents" field defines a structure that is identical to the CDXContent used in CDXComponentData, but does NOT have a "properties" field.
v1.2: existed v1.3: added "hashes" v1.4: `Type` field: added value "release-notes" to enum.
v1.5: added Information about the benefits and harms of the model to an identified at risk group.
v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.
v1.5: added Note: "parameters" SHOULD use "formulation" definitions that better define a parameter.
v1.6: added.
v1.5: added.
v1.5: added.
v1.2: existed Note: "alg" is of type "hash-alg" which is a constrained `string` type Note: "content" is of type "hash-content" which is a constrained `string` type.
v1.2: existed TODO: We should suggest this be "deprecated" and instead add "timestamp" and other fields to OrganizationalContact (or similar) TODO: should have "signage" information (e.g., evidence, public key).
v1.6: added.
v1.5: added. "The data format for input/output to the model."
v1.5: added TODO: see if we can improve "environmentVars" types which is "oneOf": ["#/definitions/property", "string"].
v1.2: existed Note: v1.2 Bug: there appears to be a bug in the 1.2 spec.
v1.2: existed. v1.4: added "externalReferences". v1.5: deprecated the "Creation Tools (legacy)" object in favor of the new "Creation Tools" object. v1.5 Note: the v1.4 structure/fields are now called the "Creation Tools (legacy)" structure. v1.5: in order to support the new "Creation Tools" object, we need to combine these fields with the legacy structure fields. TODO: figure out how to support both current (object) and legacy (array) tools in the Metadata.Tools field. See: https://stackoverflow.com/questions/47057240/parsing-multiple-json-types-into-the-same-struct.
v1.6: added.
v1.2: was an anon.
v1.2: was an anon.
v1.5: added "expression" type structure v1.6: added Acknowledgment NOTE: CDXRefType is a named `string` type as of v1.5.
v1.5: created for reuse in "licensing" schema for "licensee" and "licensor" TODO: reuse on "annotator" as well?.
v1.5: added object.
No description provided by the author
v1.2: existed v1.3: added "licenses", "properties" v1.5: added "lifecycles" v1.5: "tools" is changed to an interface{} as it represents 2 possible types (object <legacy tools>, slice <new tools>) v1.6: added "manufacturer"; deprecated "manufacture" Note: "timestamp" in OWASP SCVS is: urn:owasp:scvs:bom:core:timestamp.
v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5 TODO: v1.7: How to represent an AI App.
v1.5: added.
v1.5 new type for "metadata".
v1.4: created "note" defn.
v1.5: added.
v1.2: existed v1.5: added "bom-ref" NOTE: CDXRefType is a named `string` type as of v1.5.
v1.2: existed v1.5: added "bom-ref" v1.6: added "address" NOTE: CDXRefType is a named `string` type as of v1.5.
v1.5: added TODO: likely nothing better we can do for "environmentVars" which is type "oneOf": ["#/definitions/property", "string"].
v1.5: added.
v1.2: existed.
v1.2: existed as an anon.
v1.5: added.
v1.6: added.
v1.5: created ("reproductionSteps", "environment", "supportingMaterial") TODO: "supportingMaterial" should be plural as it is an "array".
v1.3: created "property" defn.
v1.6: added.
v1.5: added (anonymous type).
v1.4: created "rating" defn.
No description provided by the author
v1.4: created "releaseNotes" defn.
v1.6: added.
TODO: need to strip `-` from `bom-ref` for the "where" filter. To be clear, we need the "json:" annotations to enable "where" filter "key=value" matches when hashing resources, since we apply it to a JSON map: `mapResourceInfo, _ := utils.ConvertStructToMap(resourceInfo)` then `match, _ = whereFilterMatch(mapResourceInfo, whereFilters)`. If we could normalize to lowercase and remove "-" chars we may not need to use any JSON annotations.
v1.5: added v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"] TODO: actually, "Ref" should be its own anonymous type with "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"].
v1.5: added.
v1.6: added.
v1.2: existed v1.3: added: "properties" v1.4: added: "releaseNotes", "signature" v1.5: moved "data" object elements into "serviceData" object v1.5: added "trustZone" ----- TODO: a service is not all auth or not auth.; that is, we have multiple endpoints but only 1 boolean for "authenticated" (open spec.
v1.5: added.
------------------- Services ------------------- TODO: HasServices, HasEndpoints TODO: HasLicenses, HasReleaseNotes, HasData, HasTags, HasSignature (*JSFSignature) TODO: HasProperties, HasExternalRefs.
v1.6: added.
v1.2: existed as anon.
v1.6: added. NOTE: The "Owner" field SHOULD be a CDXOrganizationalEntity OR CDXOrganizationalContact; we have structures that already support this concept.
v1.5: added.
v1.5: created ("contentType", "encoding", "content").
v1.2: existed See: https://www.iso.org/standard/65666.html NOTE: Swid v1 tag values are deprecated; new v2 tags are avail.
v1.6: added NOTE: Type name matches plural reference from the spec.
v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.
No description provided by the author
v1.4: created "version" def.
v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.
v1.4: created "vulnerability" defn.
v1.4 This is an anonymous type used in CDXVulnerability.
v1.4: created "vulnerabilitySource" defn.
v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.
v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
NOTE: Assumes property "key" is the value in the "name" field.
No description provided by the author
Representation of SBOM format.
Representation of SBOM schema instance. TODO: add support for a schema (Hash) key if we end up having lots of entries, e.g., `key string` where `key: SchemaKey{ID_CYCLONEDX, VERSION_CYCLONEDX_1_3, false}`.
JWK key constraints by `kty` (key type):
- if kty == "EC": required "crv" (EC curve name), "x", "y"; constraint "crv": "enum": ["P-256","P-384","P-521"]
- else if kty == "OKP": required "crv" (EdDSA curve name), "x"; constraint "crv": "enum": ["Ed25519","Ed448"]
- else if kty == "RSA": required "n", "e".
Note: struct will contain "oneOf": ["Signers", "Chain", "Signature"].
Algorithm: "Signature algorithm."
Note: the "License" property is used as hashmap key NOTE: CDXRefType is a named `string` type as of v1.5.
No description provided by the author
No description provided by the author
No description provided by the author
Format/schema error types.
No description provided by the author
This data consolidates nested information into a flattened version more suitable for report listings.

# Interfaces

Normalizer Interface (and helpers).

# Type aliases

named BOM slice types.
No description provided by the author
named BOM slice types.
v1.5 added.
v1.5 added.
v1.5 added.
No description provided by the author
No description provided by the author
No description provided by the author
v1.6: added. TODO: NOTE: This is a first-of-kind alias for a slice; it SHOULD NOT exist unless this pattern is adopted EVERYWHERE.
v1.5 added.
No description provided by the author
No description provided by the author
named BOM slice types.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
v1.5 added NOTE: CDXRefType is a named `string` type as of v1.5.
No description provided by the author
v1.4: added v1.5: added Constraints: "minLength": 1.
No description provided by the author
No description provided by the author
v1.5: added to represent the anonymous type defined in the "annotations" object. Note: Since CDXSubject can be one of 2 other types (i.e., "#/definitions/refLinkType" and "#/definitions/bomLinkElementType"), both of which are "string" types, we can also make it a "string" type, as this does not affect constraint validation.
No description provided by the author
No description provided by the author
v1.5: added "enum": ["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"].
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
constraint: "enum": ["EC","OKP","RSA"].