diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
index 937ea0e1..ce873571 100644
--- a/schema/bom-1.5.proto
+++ b/schema/bom-1.5.proto
@@ -121,16 +121,24 @@ message Component {
 optional ReleaseNotes releaseNotes = 24;
 }
-// Specifies the data classification.
-message DataClassification {
+// Specifies the data flow.
+message DataFlow {
 // Specifies the flow direction of the data.
- DataFlow flow = 1;
- // SimpleContent value of element
+ DataFlowDirection flow = 1;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
 string value = 2;
+ // Name for the defined data
+ optional string name = 3;
+ // Short description of the data content and usage
+ optional string description = 4;
+ // The URI, URL, or BOM-Link of the components or services the data came in from
+ repeated string source = 5;
+ // The URI, URL, or BOM-Link of the components or services the data is sent to
+ repeated string destination = 6;
 }
 // Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
-enum DataFlow {
+enum DataFlowDirection {
 DATA_FLOW_NULL = 0;
 DATA_FLOW_INBOUND = 1;
 DATA_FLOW_OUTBOUND = 2;
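Review bot: The new `source` and `destination` fields are bare `repeated string` with nothing saying what a value looks like, while the JSON schema in this same commit constrains them to `iri-reference` and the XSD to `xs:anyURI`; the leading comment should carry that, e.g. `// The URI, URL, or BOM-Link of the components or services the data came in from. Each entry is a reference to resolve against this BOM (a BOM-Link or bom-ref), not a location for a consumer to fetch.` with the mirror wording on `destination`. The renames `DataClassification` to `DataFlow` and `DataFlow` to `DataFlowDirection` keep every field and enum number, so they are wire-compatible, but they change generated type names; if the 1.5 proto has already been consumed anywhere this is a source-level break that the commit message should state. The enum values still carry the `DATA_FLOW_` prefix under the renamed `DataFlowDirection` type, which is the right call for compatibility, but a one-line comment saying the prefix was kept deliberately would stop the next reader from "tidying" it into a break.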
@@ -451,7 +459,7 @@ message Service {
 optional bool authenticated = 8;
 // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
 optional bool x_trust_boundary = 9;
- repeated DataClassification data = 10;
+ repeated DataFlow data = 10;
 repeated LicenseChoice licenses = 11;
 // Provides the ability to document external references related to the service.
 repeated ExternalReference external_references = 12;
@@ -461,6 +469,8 @@ message Service {
 repeated Property properties = 14;
 // Specifies optional release notes.
 optional ReleaseNotes releaseNotes = 15;
+ // The name of the trust zone the service resides in.
+ optional string trustZone = 16;
 }
 message Swid {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
index f2f43304..95ab3a6a 100644
--- a/schema/bom-1.5.schema.json
+++ b/schema/bom-1.5.schema.json
@@ -1145,12 +1145,17 @@
 "title": "Crosses Trust Boundary",
 "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed."
 },
+ "trustZone": {
+ "type": "string",
+ "title": "Trust Zone",
+ "description": "The name of the trust zone the service resides in."
+ },
 "data": {
 "type": "array",
 "additionalItems": false,
- "items": {"$ref": "#/definitions/dataClassification"},
- "title": "Data Classification",
- "description": "Specifies the data classification."
+ "items": {"$ref": "#/definitions/dataFlow"},
+ "title": "Data",
+ "description": "Specifies the data flow, classification, and other relevant information."
 },
 "licenses": {
 "type": "array",
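Review bot: `optional string trustZone = 16;` sits two fields below `optional bool x_trust_boundary = 9;` and uses the opposite naming style; proto style would be `trust_zone` (its JSON name is `trustZone` either way), although `releaseNotes = 15` shows the file already mixes both, and the new textproto fixture writes `trustZone:` so a rename would have to touch it as well. Whichever name stays, the comment should say what the value is: a free-form label with no controlled vocabulary, so consumers can only compare it for string equality across services and should not read it as an access-control decision, with `x_trust_boundary` remaining the field that states a boundary is crossed; e.g. `// Free-form name of the trust zone the service resides in. No controlled vocabulary; compare by exact string match. Whether a boundary is crossed is stated by x_trust_boundary.` The same wording belongs in the `trustZone` description of the JSON-schema hunk at `@@ -1145`.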
@@ -1192,7 +1197,7 @@
 }
 }
 },
- "dataClassification": {
+ "dataFlow": {
 "type": "object",
 "title": "Hash Objects",
 "required": [
@@ -1202,7 +1207,7 @@
 "additionalProperties": false,
 "properties": {
 "flow": {
- "$ref": "#/definitions/dataFlow",
+ "$ref": "#/definitions/dataFlowDirection",
 "title": "Directional Flow",
 "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known."
 },
@@ -1210,10 +1215,46 @@
 "type": "string",
 "title": "Classification",
 "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "Name for the defined data",
+ "examples": [
+ "Credit card reporting"
+ ]
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "Short description of the data content and usage",
+ "examples": [
+ "Credit card information being exchanged in between the web app and the database"
+ ]
+ },
+ "source": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Source",
+ "description": "The URI, URL, or BOM-Link of the components or services the data came in from"
+ },
+ "destination": {
+ "type": "array",
+ "additionalItems": false,
+ "items": {
+ "type": "string",
+ "format": "iri-reference"
+ },
+ "title": "Destination",
+ "description": "The URI, URL, or BOM-Link of the components or services the data is sent to"
 }
 }
 },
- "dataFlow": {
+ "dataFlowDirection": {
 "type": "string",
 "enum": [
 "inbound",
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
index 357f6fd3..f204bbb5 100644
--- a/schema/bom-1.5.xsd
+++ b/schema/bom-1.5.xsd
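Review bot: The renamed `dataFlow` definition still carries `"title": "Hash Objects"` on the context line directly under `+ "dataFlow": {`, a copy-paste leftover that now surfaces in generated documentation for the new object; it should read `"title": "Data Flow"`. The `required` array that follows is cut off by the hunk, so it is not visible here whether `flow` and `classification` remain required; if they do, the JSON object disagrees with the XSD in this same commit, where `classification` under `dataflow` is `minOccurs="0"`. The `source` and `destination` items are `iri-reference` strings, which lines up with the proto's `repeated string` and the XSD's `xs:anyURI`, so that part is consistent across the three encodings.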
@@ -1544,15 +1544,76 @@ limitations under the License.
 A value of false indicates that by using the service, a trust boundary is not crossed.</xs:documentation>
 </xs:annotation>
 </xs:element>
+ <xs:element name="trustZone" type="xs:string" minOccurs="0" maxOccurs="1">
+ <xs:annotation>
+ <xs:documentation>The name of the trust zone the service resides in.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
 <xs:element name="data" minOccurs="0" maxOccurs="1">
 <xs:complexType>
- <xs:sequence minOccurs="0" maxOccurs="unbounded">
- <xs:element name="classification" type="bom:dataClassificationType">
+ <xs:choice>
+ <xs:sequence minOccurs="0" maxOccurs="unbounded">
+ <xs:element name="classification" type="bom:dataClassificationType">
+ <xs:annotation>
+ <xs:documentation>DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ </xs:sequence>
+ <xs:element name="dataflow" minOccurs="0" maxOccurs="unbounded">
 <xs:annotation>
 <xs:documentation>Specifies the data classification.</xs:documentation>
 </xs:annotation>
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="classification" type="bom:dataClassificationType" minOccurs="0" maxOccurs="1">
+ <xs:annotation>
+ <xs:documentation>Specifies the data classification.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="source" minOccurs="0" maxOccurs="1">
+ <xs:annotation>
+ <xs:documentation>The URI, URL, or BOM-Link of the components or services the data came in from.</xs:documentation>
+ </xs:annotation>
+ <xs:complexType>
+ <xs:sequence minOccurs="0" maxOccurs="unbounded">
+ <xs:element name="url" type="xs:anyURI"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="destination" minOccurs="0" maxOccurs="1">
+ <xs:annotation>
+ <xs:documentation>The URI, URL, or BOM-Link of the components or services the data is sent to.</xs:documentation>
+ </xs:annotation>
+ <xs:complexType>
+ <xs:sequence minOccurs="0" maxOccurs="unbounded">
+ <xs:element name="url" type="xs:anyURI"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ </xs:sequence>
+ <xs:attribute name="name" type="xs:string" use="optional">
+ <xs:annotation>
+ <xs:documentation>
+ Name for the defined data.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ <xs:attribute name="description" type="xs:string" use="optional">
+ <xs:annotation>
+ <xs:documentation>
+ Short description of the data content and usage.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ <xs:anyAttribute namespace="##any" processContents="lax">
+ <xs:annotation>
+ <xs:documentation>User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.</xs:documentation>
+ </xs:annotation>
+ </xs:anyAttribute>
+ </xs:complexType>
 </xs:element>
- </xs:sequence>
+ </xs:choice>
 </xs:complexType>
 </xs:element>
 <xs:element name="licenses" type="bom:licenseChoiceType" minOccurs="0" maxOccurs="1"/>
diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.json b/tools/src/test/resources/1.5/valid-saasbom-1.5.json
new file mode 100644
index 00000000..929d1130
--- /dev/null
+++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.json
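Review bot: The `<xs:documentation>` that now sits under the new `dataflow` element (the context line `Specifies the data classification.`) describes the wrong thing, since the element carries classification, source, destination, name and description; it should read along the lines of `Specifies a data flow: its classification and direction, and the components or services the data comes from and goes to.` The deprecation text on the legacy `classification` element uses a backslash in `Use dataflow\classification instead`; element paths are written with `/`, so `dataflow/classification`. Inside `dataflow`, `classification` is `minOccurs="0"`, and because the direction is the `flow` attribute of that element (the fixture writes `<classification flow="bi-directional">`), omitting it drops both the classification and the direction, something the legacy form never allowed; either state in the documentation that a flow may be recorded without them or make it `minOccurs="1"` to keep parity. The `source`/`destination` wrappers take any number of `<url>` children typed `xs:anyURI`, which matches the JSON schema's `iri-reference` arrays.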
@@ -0,0 +1,294 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-01-10T12:00:00Z", + "component": { + "bom-ref": "acme-stock-application", + "type": "application", + "name": "Acme SaaSBOM Example", + "version": "2022-1" + } + }, + "services": [ + { + "bom-ref": "stock-ticker-service", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Stock Ticker Service", + "version": "2022-1", + "endpoints": [ + "https://example.com/", + "https://example.com/app" + ], + "authenticated": true, + "trustZone": "Acme Public Zone", + "data": [ + { + "name": "Consumer to Stock Service", + "description": "Traffic to/from consumer to service", + "classification": "Customer", + "flow": "bi-directional", + "source": [ + "https://0.0.0.0" + ], + "destination": [ + "https://0.0.0.0" + ] + }, + { + "name": "Stock Service to MS-1", + "description": "Traffic to/from stock service to microservice-1", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ] + }, + { + "name": "Stock Service to MS-2", + "description": "Traffic to/from stock service to microservice-2", + "classification": "PIFI", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + ] + }, + { + "name": "Stock Service to MS-3", + "description": "Traffic to/from stock service to microservice-3", + "classification": "Public", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" 
+ ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://example.com/app/swagger" + } + ], + "services": [ + { + "bom-ref": "ms-1.example.com", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Microservice 1", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-1.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-1", + "description": "Traffic to/from stock service to microservice-1", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + }, + { + "name": "MS-1 to Database", + "description": "Traffic to/from microservice-1 to database", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-1.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-2.example.com", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Microservice 2", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-2.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-2", + "description": "Traffic to/from stock service to microservice-2", + "classification": "PIFI", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + 
"urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-2.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-3.example.com", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Microservice 3", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-3.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-3", + "description": "Traffic to/from stock service to microservice-3", + "classification": "Public", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + }, + { + "name": "MS-3 to S3", + "description": "Data pushed from microservice-3 to S3 bucket", + "classification": "Public", + "flow": "outbound", + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-3.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-1-pgsql.example.com", + "group": "org.postgresql", + "name": "Postgres", + "version": "14.1", + "description": "Postgres database for Microservice #1", + "endpoints": [ + "https://ms-1-pgsql.example.com:5432" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "MS-1 to Database", + "description": "Traffic to/from microservice-1 to database", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ] + } + ] + }, + { + "bom-ref": "s3-example.amazon.com", + "group": "com.amazon", + 
"name": "S3", + "description": "S3 bucket", + "endpoints": [ + "https://s3-example.amazon.com" + ], + "authenticated": true, + "trustZone": "Public Internet", + "data": [ + { + "name": "MS-3 to S3", + "description": "Data pushed from microservice-3 to S3 bucket", + "classification": "Public", + "flow": "inbound", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ] + } + ] + } + ] + } + ], + "dependencies": [ + { + "ref": "acme-stock-application", + "dependsOn": [ "stock-ticker-service" ] + }, + { + "ref": "stock-ticker-service", + "dependsOn": [ + "ms-1.example.com", + "ms-2.example.com", + "ms-3.example.com" + ] + }, + { + "ref": "ms-1.example.com", + "dependsOn": [ "ms-1-pgsql.example.com" ] + }, + { + "ref": "ms-2.example.com", + "dependsOn": [ ] + }, + { + "ref": "ms-3.example.com", + "dependsOn": [ "s3-example.amazon.com" ] + } + ] +} \ No newline at end of file diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto b/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto new file mode 100644 index 00000000..6b025220 --- /dev/null +++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.textproto 
@@ -0,0 +1,195 @@ +spec_version: "1.5" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + timestamp { + seconds: 3173618478 + nanos: 3 + } + component { + type: CLASSIFICATION_APPLICATION + bom_ref: "acme-stock-application" + name: "Acme SaaSBOM Example" + version: "2022-1" + } +} +services { + bom_ref: "stock-ticker-service" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Stock Ticker Service" + version:"2022-1" + endpoints: "https://example.com/" + endpoints: "https://example.com/app" + authenticated: true + trustZone: "Acme Public Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "Customer" + name: "Consumer to Stock Service", + description: "Traffic to/from consumer to service" + source: "https://0.0.0.0" + destination: "https://0.0.0.0" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "Stock Service to MS-1" + description: "Traffic to/from stock service to microservice-1" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PIFI" + name: "Stock Service to MS-2" + description: "Traffic to/from stock service to microservice-2" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "Public" + name: "Stock Service to MS-3" + description: "Traffic to/from stock service to microservice-3" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://example.com/app/swagger" + } + services { + bom_ref: "ms-1.example.com" + provider { + name: "Acme Inc" + url: 
"https://example.com" + } + group: "com.example" + name: "Microservice 1" + version:"2022-1" + endpoints: "https://ms-1.example.com" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "Stock Service to MS-1" + description: "Traffic to/from stock service to microservice-1" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "MS-1 to Database" + description: "Traffic to/from microservice-1 to database" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://ms-1.example.com/swagger" + } + } + services { + bom_ref: "ms-2.example.com" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Microservice 2" + version:"2022-1" + endpoints: "https://ms-2.example.com" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PIFI" + name: "Stock Service to MS-2" + description: "Traffic to/from stock service to microservice-2" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://ms-2.example.com/swagger" + } + } + services { + bom_ref: "ms-3.example.com" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Microservice 3" + version:"2022-1" + endpoints: "https://ms-3.example.com" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "Public" + name: 
"Stock Service to MS-3" + description: "Traffic to/from stock service to microservice-3" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + } + data { + flow: DATA_FLOW_OUTBOUND + value: "Public" + name: "MS-3 to S3" + description: "Data pushed from microservice-3 to S3 bucket" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://ms-3.example.com/swagger" + } + } + services { + bom_ref: "ms-1-pgsql.example.com" + group: "org.postgresql" + name: "Postgres" + version:"14.1" + description: "Postgres database for Microservice #1" + endpoints: "https://ms-1-pgsql.example.com:5432" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "MS-1 to Database" + description: "Traffic to/from microservice-1 to database" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + } + } + services { + bom_ref: "s3-example.amazon.com" + group: "com.amazon" + name: "S3" + description: "S3 bucket" + endpoints: "https://s3-example.amazon.com" + authenticated: true + trustZone: "Public Internet" + data { + flow: DATA_FLOW_INBOUND + value: "PII" + name: "MS-3 to S3" + description: "Data pushed from microservice-3 to S3 bucket" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + } + } +} +dependencies { + ref: "pkg:maven/com.acme/stock-java-client@1.0.12" + dependencies { + ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + } +} diff --git a/tools/src/test/resources/1.5/valid-saasbom-1.5.xml b/tools/src/test/resources/1.5/valid-saasbom-1.5.xml new file mode 100644 index 00000000..d8101afc --- /dev/null +++ b/tools/src/test/resources/1.5/valid-saasbom-1.5.xml 
@@ -0,0 +1,230 @@ +<?xml version="1.0"?> +<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5"> + <metadata> + <timestamp>2021-01-10T12:00:00Z</timestamp> + <component type="application" bom-ref="acme-stock-application"> + <name>Acme SaaSBOM Example</name> + <version>2022-1</version> + </component> + </metadata> + <services> + <service bom-ref="stock-ticker-service"> + <provider> + <name>Acme Inc</name> + <url>https://example.com</url> + </provider> + <group>com.example</group> + <name>Stock ticker Service</name> + <endpoints> + <endpoint>https://example.com/</endpoint> + <endpoint>https://example.com/app</endpoint> + </endpoints> + <authenticated>true</authenticated> + <trustZone>Acme Public Zone</trustZone> + <data> + <dataflow name="Consumer to Stock Service" description="Traffic to/from consumer to service"> + <classification flow="bi-directional">Customer</classification> + <source> + <url>https://0.0.0.0</url> + </source> + <destination> + <url>https://0.0.0.0</url> + </destination> + </dataflow> + <dataflow name="Stock Service to MS-1" description="Traffic to/from stock service to microservice-1"> + <classification flow="bi-directional">PII</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com</url> + </destination> + </dataflow> + <dataflow name="Stock Service to MS-2" description="Traffic to/from stock service to microservice-2"> + <classification flow="bi-directional">PIFI</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com</url> + </destination> + </dataflow> + <dataflow name="Stock Service to MS-3" description="Traffic to/from stock service to microservice-3"> + <classification 
flow="bi-directional">Public</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com</url> + </destination> + </dataflow> + </data> + <externalReferences> + <reference type="documentation"> + <url>https://example.com/app/swagger</url> + </reference> + </externalReferences> + <services> + <service bom-ref="ms-1.example.com"> + <provider> + <name>Acme Inc</name> + <url>https://example.com</url> + </provider> + <group>com.example</group> + <name>Microservice 1</name> + <endpoints> + <endpoint>https://ms-1.example.com</endpoint> + </endpoints> + <authenticated>true</authenticated> + <trustZone>Acme Private Zone</trustZone> + <data> + <dataflow name="Stock Service to MS-1" description="Traffic to/from stock service to microservice-1"> + <classification flow="bi-directional">PII</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service</url> + </destination> + </dataflow> + <dataflow name="MS-1 to Database" description="Traffic to/from microservice-1 to database"> + <classification flow="bi-directional">PII</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com</url> + </destination> + </dataflow> + </data> + <externalReferences> + <reference type="documentation"> + <url>https://ms-1.example.com/swagger</url> + </reference> + </externalReferences> + </service> + <service bom-ref="ms-2.example.com"> + <provider> + <name>Acme Inc</name> + <url>https://example.com</url> + </provider> + <group>com.example</group> + <name>Microservice 2</name> + <endpoints> + <endpoint>https://ms-2.example.com</endpoint> + </endpoints> + 
<authenticated>true</authenticated> + <trustZone>Acme Private Zone</trustZone> + <data> + <dataflow name="Stock Service to MS-2" description="Traffic to/from stock service to microservice-2"> + <classification flow="bi-directional">PII</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service</url> + </destination> + </dataflow> + </data> + <externalReferences> + <reference type="documentation"> + <url>https://ms-2.example.com/swagger</url> + </reference> + </externalReferences> + </service> + <service bom-ref="ms-3.example.com"> + <provider> + <name>Acme Inc</name> + <url>https://example.com</url> + </provider> + <group>com.example</group> + <name>Microservice 3</name> + <endpoints> + <endpoint>https://ms-3.example.com</endpoint> + </endpoints> + <authenticated>true</authenticated> + <trustZone>Acme Private Zone</trustZone> + <data> + <dataflow name="Stock Service to MS-3" description="Traffic to/from stock service to microservice-3"> + <classification flow="bi-directional">PII</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service</url> + </destination> + </dataflow> + <dataflow name="MS-3 to S3" description="Data pushed from microservice-3 to S3 bucket"> + <classification flow="outbound">Public</classification> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com</url> + </destination> + </dataflow> + </data> + <externalReferences> + <reference type="documentation"> + <url>https://ms-3.example.com/swagger</url> + </reference> + </externalReferences> + </service> + <service bom-ref="ms-1-pgsql.example.com"> + <group>org.postgresql</group> + <name>Postgres</name> + <version>14.1</version> + <description>Postgres database 
for Microservice #1</description> + <endpoints> + <endpoint>https://ms-1-pgsql.example.com:5432</endpoint> + </endpoints> + <authenticated>true</authenticated> + <trustZone>Acme Private Zone</trustZone> + <data> + <dataflow name="MS-1 to Database" description="Traffic to/from microservice-1 to database"> + <classification flow="bi-directional">PII</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com</url> + </source> + <destination> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com</url> + </destination> + </dataflow> + </data> + </service> + <service bom-ref="s3-example.amazon.com"> + <group>com.amazon</group> + <name>S3</name> + <description>S3 bucket</description> + <endpoints> + <endpoint>https://s3-example.amazon.com</endpoint> + </endpoints> + <authenticated>true</authenticated> + <trustZone>Public Internet</trustZone> + <data> + <dataflow name="MS-3 to S3" description="Data pushed from microservice-3 to S3 bucket"> + <classification flow="inbound">Public</classification> + <source> + <url>urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com</url> + </source> + </dataflow> + </data> + </service> + </services> + </service> + </services> + <dependencies> + <dependency ref="acme-stock-application"> + <dependency ref="stock-ticker-service"/> + </dependency> + <dependency ref="stock-ticker-service"> + <dependency ref="ms-1.example.com"/> + <dependency ref="ms-2.example.com"/> + <dependency ref="ms-3.example.com"/> + </dependency> + <dependency ref="ms-1.example.com"> + <dependency ref="ms-1-pgsql.example.com"/> + </dependency> + <dependency ref="ms-2.example.com" /> + <dependency ref="ms-3.example.com"> + <dependency ref="s3-example.amazon.com"/> + </dependency> + </dependencies> +</bom>
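Review bot: Classification values in this fixture disagree with the other two encodings of the same BOM and with the other end of the same flow: under `ms-2.example.com` the `Stock Service to MS-2` flow is `PII` here but `PIFI` on the stock-ticker side of this file and in the JSON and textproto fixtures, and under `ms-3.example.com` the `Stock Service to MS-3` flow is `PII` here against `Public` at its other end. A SaaSBOM consumer that checks that both ends of a flow agree on classification would flag exactly this, so each flow should carry one value throughout. `<name>Stock ticker Service</name>` also differs in case from the JSON's `Stock Ticker Service`, and the `<version>` elements present on the services in the JSON are absent here; harmless for schema validation, but visible if the tests compare encodings.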