# README
## Supported schema formats

Formats MUST be in JSON schema format.

The following schema formats are supported:

| Format Name | Format Key | Format ID | Schema repository |
|---|---|---|---|
| SPDX | SPDXID | SPDXRef-DOCUMENT | https://github.com/spdx/spdx-spec |
| CycloneDX | bomFormat | CycloneDx | https://github.com/CycloneDX/specification |
# Functions
TODO: Add error messages as constants (for future i18n).
# Constants
Format ID (key component).
`MSG_CONFIG_SCHEMA_FORMAT_NOT_FOUND = "schema format not found in configuration."`
CycloneDX.
SPDX.
Document property keys: JSON document property keys used to look up values in their respective SBOM formats.
TODO: Support remote schema retrieval as an optional program flag. However, we want to default to local retrieval for performance where possible, and to plan for local, secure bundling of schema with this utility in CI build systems (towards improved security and isolated builds). NOTE: we have also found that standards orgs.
Version (key component).
# Variables
Globals.
For convenience, we provide named vars.
Globals.
# Structs
v1.4: created "releaseNotes" defn.
v1.4: created "analysis" def.
v1.2: existed.
NOTE: During parsing, any fields not explicitly included in the structure will still be added as generic "interface{}" types.
v1.2: existed. TODO: GitHub PRs MAY have more than 1 commit (committer); CDX needs to account for this.
v1.2: existed. v1.3: added "evidence", "properties". v1.4: added "releaseNotes", "signature". v1.4: changed: "version" is no longer required. v1.4: deprecated "modified", "cpe", "swid". Note: "bom-ref" is a "refType", which is a constrained `string`. TODO: "mime-type" SHOULD become "media-type", which is more modern/inclusive. TODO: Remove "service" from the "Type" enum.
v1.3: created "componentEvidence" defn.
v1.3: created "compositions" defn.
v1.3: created "copyright" defn.
v1.4: created "credit" defn.
v1.2: existed. Note: "flow" is of type "dataFlow", which is a constrained `string` type.
v1.2: existed. v1.4: "ref" and "dependsOn" became type "refType", which is a constrained `string`.
v1.2: existed. v1.3: "url" type changed from `string` (with constraints) to an "iri-reference".
v1.2: existed. v1.3: added "hashes". v1.4: `Type` field: added value "release-notes" to the enum.
v1.2: existed. Note: "alg" is of type "hash-alg", which is a constrained `string` type. Note: "content" is of type "hash-content", which is a constrained `string` type.
v1.2: existed. TODO: We should suggest this be "deprecated" and instead add "timestamp" and other fields to OrganizationalContact (or similar). TODO: should have signing information (e.g., evidence, public key).
v1.2: existed. Note: v1.2 Bug: there appears to be a bug in the 1.2 spec.
v1.2: was an anon.
v1.2: existed.
v1.4: created "note" defn.
v1.2: existed.
v1.2: existed as an anon.
v1.3: created "property" defn.
v1.4: created "rating" defn.
v1.4: created "releaseNotes" defn.
v1.2: existed. v1.3: added "properties". v1.4: added "releaseNotes", "signature". TODO: a service is not all auth or not auth.; that is, we have mult.
TODO: implement JSF schema https://github.com/CycloneDX/specification/blob/master/schema/jsf-0.82.schema.json.
v1.2: existed as anon.
v1.2: existed. v1.4: deprecated.
v1.2: existed. v1.4: added "externalReferences".
v1.4: created "version" def.
v1.4: created "vulnerability" defn.
v1.4: created "vulnerabilitySource" defn.
Custom Validation config.
NOTE: Assumes property "key" is the value in the "name" field.
Representation of SBOM format.
Configs.
Representation of an SBOM schema instance. TODO: add support for a schema (hash) key if we end up having lots of entries, e.g., a `key string` where `key: SchemaKey{ID_CYCLONEDX, VERSION_CYCLONEDX_1_3, false}`.
Candidate SBOM document (context) information. TODO: rename to SBOM to jive more with Go conventions, although it may look like a constant unless we expand the name...
Format/schema error types.