Supported schema formats

TODO: look to remove once we uniformly use get/set methods on structure fields.

TODO: look to remove once we uniformly use get/set methods on structure fields.

NOTE: policy.Id == "" we allow as "valid" as this indicates a potential "family" entry (i.e., group of SPDX IDs).

This is a wrapper to test specifically for the Normalize interface.

given an array of policies verify their "usage" policy does not represent a conflict.

Supported conjunctions and prepositions.

Supported conjunctions and prepositions.

Format ID (key component) UNUSED, TODO Use these values to verify remotely loaded schema files.

Format ID (key component) UNUSED, TODO Use these values to verify remotely loaded schema files.

Input (source) reserved values.

Input (source) reserved values.

LicenseChoice - Choice type.

LicenseChoice - Choice type.

LicenseChoice - Choice type.

LicenseChoice - Choice type.

LicenseChoice - corresponding (name) values for license choice types.

LicenseChoice - corresponding (name) values for license choice types.

LicenseChoice - corresponding (name) values for license choice types.

LicenseChoice - corresponding (name) values for license choice types.

Tokens.

Tokens.

MSG_CONFIG_SCHEMA_FORMAT_NOT_FOUND = "schema format not found in configuration.".

Supported conjunctions and prepositions.

Tokens.

CycloneDX.

SPDX.

Document property keys JSON document property keys to lookup values in their respective SBOM formats UNUSED, TODO Use these values to verify remotely loaded schema files.

Document property keys JSON document property keys to lookup values in their respective SBOM formats UNUSED, TODO Use these values to verify remotely loaded schema files.

Note: the SPDX spec.

resource types.

i.e., all resource types.

resource types.

Tokens.

Tokens.

default / "empty" values.

default / "empty" values.

default / "empty" values.

Supported conjunctions and prepositions.

Globals.

For convenience, we provide named vars.

Candidate BOM document (context) information.

Configs.

v1.4: created "releaseNotes" defn.

v1.4: created "analysis" def.

v1.6: added.

v1.6: added.

v1.4: created "analysis" def.

v1.5 "annotations" and sub-schema added ("required": ["subjects","annotator","timestamp","text"]) NOTE: CDXRefType is a named `string` type as of v1.5.

v1.5 added to represent the anonymous type defined in the "annotations" object required" oneOf: organization, individual, component, service.

v1.5: added "Learning types describing the learning problem or hybrid learning problem." "enum": ["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"].

v1.6: added.

v1.2: existed.

v1.6: added.

v1.6: added.

NOTE: During parsing, any fields not explicitly included in the structure will still be added as generic "interface{}" types v1.3: added "compositions" v1.4: added "vulnerabilities", "signature" v1.5: added "annotations", "formulation", "properties" v1.6: added "declarations", "definitions".

v1.5: added.

v1.6: added.

v1.6: added.

v1.6: added.

v1.6: added.

v1.5: added.

v1.2: existed TODO: GitHub PRs MAY have more than 1 commit (committer); CDX needs to account for this.

v1.2: existed v1.3: added: "evidence", "properties" v1.4: added: "releaseNotes", "signature" v1.4: changed: "version" no longer required v1.4: deprecated: "modified", "cpe", "swid" v1.5: added "modelCard", (component)"data" Note: "bom-ref" is a "refType" which is a constrained `string` TODO: "mime-type" SHOULD become "media-type" which is more modern/inclusive TODO: Remove "service" from "Type" enum.

v1.5 added object The general theme or subject matter of the data being specified.

v1.3: created "componentEvidence" defn.

------------------- Components ------------------- TODO: Authors (*[]CDXOrganizationalContact) TODO: HasHashes, HasLicenses, HasPedigree, HasEvidence, HasComponents, HasReleaseNotes TODO: HasModelCard, HasData, HasTags, HasSignature (*JSFSignature) TODO: OmniborId (new), Swhid (new).

v1.3: created "compositions" defn.

v1.5: added.

v1.6: added TODO: NOTE: overlap in fields with CDXConformance.

v1.5: added.

v1.6: added TODO: NOTE: overlap in fields with CDXConfidence.

v1.5: added (anonymous type) Considerations that should be taken into account regarding the model's construction, training, and application.

v1.5 added object.

v1.3: created "copyright" defn.

v1.5: created.

v1.4: created "credit" defn.

v1.6: added NOTE: This is an enum.

v1.5 added.

v1.5 added structure Constraints: "oneOf": ["organization", "contact"].

v1.5: added.

v1.6: added "declarations".

v1.6: added.

v1.2: existed v1.4: "ref" and "dependsOn" became type "refType" which is a constrained `string` v1.5: "ref": is now a constrained "string" of type "#/definitions/refLinkType" v1.5: "dependsOn": is now a constrained "string" of type "#/definitions/refLinkType" Note: Changes to RefType and RefLinkType are ONLY constraint changes; we need only track type changes...

v1.2: existed v1.3 "url" type changed from `string` (with constraints) to an "iri-reference".

v1.6: added.

v1.6: added.

v1.6: added.

v1.6: added Information about the benefits and harms of the model to an identified at risk group.

v1.6: added.

v1.6: added NOTE: The "Contents" field defines a structure that is identical to the CDXContent used in CDXComponentData, but does NOT have a "properties" field.

v1.2: existed v1.3: added "hashes" v1.4: `Type` field: added value "release-notes" to enum.

v1.5: added Information about the benefits and harms of the model to an identified at risk group.

v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.

v1.5: added Note: "parameters" SHOULD use "formulation" definitions that better define a parameter.

v1.6: added.

v1.5: added.

v1.5: added.

v1.2: existed Note: "alg" is of type "hash-alg" which is a constrained `string` type Note: "content" is of type "hash-content" which is a constrained `string` type.

v1.2: existed TODO: We should suggest this be "deprecated" and instead add "timestamp" and other fields to OrganizationalContact (or similar) TODO: should have "signage" information (e.g., evidence, public key).

v1.6: added.

v1.5: added "The data format for input/output to the model.

v1.5: added TODO: see if we can improve "environmentVars" types which is "oneOf": ["#/definitions/property", "string"].

v1.2: existed Note: v1.2 Bug: there appears to be a bug in the 1.2 spec.

v1.2: existed v1.4: added "externalReferences" v1.5: deprecated "Creation Tools (legacy)" object in favor of new "Creation Tools" object - v1.5 Note: The v1.4 structure/fields is now called the "Creation Tools (legacy)" structure - v1.5: In order to support the new object "Creation Tools", we need to combine these fields into with the legacy structure fields TODO: figure out how to support both current (object)/legacy(array) tools in Metadata.Tools field See: https://stackoverflow.com/questions/47057240/parsing-multiple-json-types-into-the-same-struct.

v1.6: added.

v1.2: was an anon.

v1.2: was an anon.

v1.5: added "expression" type structure v1.6: added Acknowledgment NOTE: CDXRefType is a named `string` type as of v1.5.

v1.5: created for reuse in "licensing" schema for "licensee" and "licensor" TODO: reuse on "annotator" as well?.

v1.5: added object.

v1.2: existed v1.3: added "licenses", "properties" v1.5: added "lifecycles" v1.5: "tools" is changed to an interface{} as it represents 2 possible types (object <legacy tools>, slice <new tools>) v1.6: added "manufacturer"; deprecated "manufacture" Note: "timestamp" in OWASP SCVS is: urn:owasp:scvs:bom:core:timestamp.

v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5 TODO: v1.7: How to represent an AI App.

v1.5: added.

v1.5 new type for "metadata".

v1.4: created "note" defn.

v1.5: added.

v1.2: existed v1.5: added "bom-ref" NOTE: CDXRefType is a named `string` type as of v1.5.

v1.2: existed v1.5: added "bom-ref" v1.6: added "address" NOTE: CDXRefType is a named `string` type as of v1.5.

v1.5: added TODO: likely nothing better we can do for "environmentVars" which is type "oneOf": ["#/definitions/property", "string"].

v1.5: added.

v1.2: existed.

v1.2: existed as an anon.

v1.5: added.

v1.6: added.

v1.5: created ("reproductionSteps", "environment", "supportingMaterial") TODO: "supportingMaterial" should be plural as it is an "array".

v1.3: created "property" defn.

v1.6: added.

v1.5: added (anonymous type).

v1.4: created "rating" defn.

v1.4: created "releaseNotes" defn.

v1.6: added.

TODO: need to strip `-` from `bom-ref` for where filter To be clear, we need the "json:" annotations to enable "where" filter "key=value" matches when hashing resources since we apply it to a JSON map: mapResourceInfo, _ := utils.ConvertStructToMap(resourceInfo) match, _ = whereFilterMatch(mapResourceInfo, whereFilters) If we could normalize to lowercase and remove "-" chars we may not need to use any JSON annotations.

v1.5: added v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"] TODO: actually, "Ref" should be its own anonymous type with "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"].

v1.5: added.

v1.6: added.

v1.2: existed v1.3: added: "properties" v1.4: added: "releaseNotes", "signature" v1.5: moved "data" object elements into "serviceData" object v1.5: added "trustZone" ----- TODO: a service is not all auth or not auth.; that is, we have multiple endpoints but only 1 boolean for "authenticated" (open spec.

v1.5: added.

------------------- Services ------------------- TODO: HasServices, HasEndpoints TODO: HasLicenses, HasReleaseNotes, HasData, HasTags, HasSignature (*JSFSignature) TODO: HasProperties, HasExternalRefs.

v1.6: added.

v1.2: existed as anon.

v1.6: added NOTE: The "Owner" field SHOULD be a CDXOrganizationalEntity OR CDXOrganizationalContact We have structures that already support this concept!!!.

v1.5: added.

v1.5: created ("contentType", "encoding", "content").

v1.2: existed See: https://www.iso.org/standard/65666.html NOTE: Swid v1 tag values are deprecated; new v2 tags are avail.

v1.6: added NOTE: Type name matches plural reference from the spec.

v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.

v1.4: created "version" def.

v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.

v1.4: created "vulnerability" defn.

v1.4 This is an anonymous type used in CDXVulnerability.

v1.4: created "vulnerabilitySource" defn.

v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.

v1.5: added NOTE: CDXRefType is a named `string` type as of v1.5.

NOTE: Assumes property "key" is the value in the "name" field.

Representation of SBOM format.

Representation of SBOM schema instance TODO: add support for schema (Hash) key if we end up having lots of entries e.g., key string where key: SchemaKey{ID_CYCLONEDX, VERSION_CYCLONEDX_1_3, false},.

if kty (key type)== "EC" - required: "crv" (EC curve name), "x", "y" - constraint "crv": "enum": ["P-256","P-384","P-521"] else if kty == "OKP" - required: "crv" (EdDSA curve name), "x" - constraint "crv" : "enum": ["Ed25519","Ed448"] else if kty == "RSA" - required: n, e.

Note: struct will contain "oneOf": []"Signers", "Chain", "Signature"].

Algorithm: "Signature algorithm.

Note: the "License" property is used as hashmap key NOTE: CDXRefType is a named `string` type as of v1.5.

Format/schema error types.

This data consolidates nested information into a flattened version more suitable for report listings.

==================================================================== Normalizer Interface (and helpers) ====================================================================.

named BOM slice types.

named BOM slice types.

v1.5 added.

v1.5 added.

v1.5 added.

v1.6: added TODO: NOTE: This is a first-of-kind, alias for a slice it SHOULD NOT exist unless this is adopted EVERYWHERE.

v1.5 added.

named BOM slice types.

v1.5 added NOTE: CDXRefType is a named `string` type as of v1.5.

v1.4: added v1.5: added Constraints: "minLength": 1.

v1.5 added to represent the anonymous type defined in the "annotations" object Note: Since CDXSubject can be one of 2 other types (i.e., "#/definitions/refLinkType" and "#/definitions/bomLinkElementType") which both are "string" types we can also make it a "string" type as it does not affect constraint validation.

v1.5: added "enum": ["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"].

constraint: "enum": ["EC","OKP","RSA"].