diff --git a/docgen/json/templates/cyclonedx/tabbed_section.html b/docgen/json/templates/cyclonedx/tabbed_section.html index 9cecf4c1..81ea390b 100644 --- a/docgen/json/templates/cyclonedx/tabbed_section.html +++ b/docgen/json/templates/cyclonedx/tabbed_section.html @@ -11,7 +11,11 @@

{{ node.definition_name or tab_label ~ " " ~ loop.index }} + >{{ node.definition_name or tab_label ~ " " ~ loop.index }} + {%- if node is deprecated -%} + {{ " " }}Deprecated + {%- endif -%} + {%- endfor -%} diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 130275d2..a25cf5d5 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
@@ -1982,101 +1982,20 @@ "additionalProperties": false, "properties": { "identity": { - "type": "object", - "description": "Evidence that substantiates the identity of a component.", - "required": [ "field" ], - "additionalProperties": false, - "properties": { - "field": { - "type": "string", - "enum": [ - "group", "name", "version", "purl", "cpe", "swid", "hash" - ], - "title": "Field", - "description": "The identity field of the component which the evidence describes." - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." - }, - "methods": { + "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", + "oneOf" : [ + { "type": "array", - "title": "Methods", - "description": "The methods used to extract and/or analyze the evidence.", - "items": { - "type": "object", - "required": [ - "technique" , - "confidence" - ], - "additionalProperties": false, - "properties": { - "technique": { - "title": "Technique", - "description": "The technique used in this method of analysis.", - "type": "string", - "enum": [ - "source-code-analysis", - "binary-analysis", - "manifest-analysis", - "ast-fingerprint", - "hash-comparison", - "instrumentation", - "dynamic-analysis", - "filename", - "attestation", - "other" - ], - "meta:enum": { - "source-code-analysis": "Examines the source code without executing it.", - "binary-analysis": "Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal.", - "manifest-analysis": "Examines a package management system such as those used for building software or 
installing software.", - "ast-fingerprint": "Examines the Abstract Syntax Tree (AST) of source code or a compiled binary.", - "hash-comparison": "Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software.", - "instrumentation": "Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application.", - "dynamic-analysis": "Evaluates a running application.", - "filename": "Evaluates file name of a component against a set of known file names of identified software.", - "attestation": "A testimony to the accuracy of the identify of a component made by an individual or entity.", - "other": "Any other technique." - } - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value or contents of the evidence." - } - } - } + "title": "Array of Identity Objects", + "items": { "$ref": "#/definitions/componentIdentityEvidence" } }, - "tools": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/definitions/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/definitions/bomLinkElementType" - } - ] - }, - "title": "BOM References", - "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." 
+ { + "title": "A Single Identity Object", + "description": "[Deprecated]", + "$ref": "#/definitions/componentIdentityEvidence", + "deprecated": true } - } + ] }, "occurrences": { "type": "array", 
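Review bot: The new `description` on `identity` misspells the property twice — `The identify may be an object` and `specifying identify as a single object` should read `identity`; the same wording is repeated in the bom-1.6.xsd annotation hunk later in this diff and needs the same fix there. In the deprecated single-object branch, `deprecated`, `title` and `description` sit as siblings of `$ref`; if bom-1.6.schema.json declares draft-07 (its `$schema` line is not in this hunk), validators following that draft ignore `$ref` siblings, so the deprecation annotation would not reach tooling or the docgen template's `node is deprecated` check. Wrapping the reference as `"allOf": [ { "$ref": "#/definitions/componentIdentityEvidence" } ]` with `"deprecated": true` beside it keeps the annotation visible under every draft; if the schema is already 2019-09 or later this is moot and the current form is fine.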
@@ -4409,6 +4328,91 @@ } } }, + "componentIdentityEvidence": { + "type": "object", + "description": "Evidence that substantiates the identity of a component.", + "required": [ "field" ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", "name", "version", "purl", "cpe", "swid", "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique" , + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." 
+ } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, "standard": { "type": "object", "title": "Standard", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 07faf380..e500f8e8 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2248,9 +2248,12 @@ limitations under the License. - + - Evidence that substantiates the identity of a component. + Evidence that substantiates the identity of a component. The identify may be an + object or an array of identity objects. Support for specifying identify as a single object was + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is RECOMMENDED that all + implementations are aware of "unbounded". diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 651ef18f..5033ac6b 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -49,6 +49,7 @@ function getAjv(strict) { validateFormats: true, allowMatchingProperties: true, addUsedSchema: false, + allowUnionTypes: false, keywords: ["meta:enum"], schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json index 2d6187dc..b4e0e71f 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.json +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.json 
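Review bot: The `meta:enum` object that documented each `technique` value (`source-code-analysis` through `other`) is removed with the old inline definition in the previous hunk but is not carried into the new `componentIdentityEvidence` definition, so the generated documentation loses the per-value descriptions even though the lint configuration in this diff still registers `keywords: ["meta:enum"]`. The `enum` array itself is unchanged, so the removed `meta:enum` block can be re-added verbatim directly after the `enum` array in `componentIdentityEvidence.properties.methods.items.properties.technique` with no effect on validation.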
@@ -105,6 +105,50 @@ } ] } + }, + { + "type": "application", + "group": "com.example", + "name": "example-project", + "version": "1.0.0", + "purl": "pkg:maven/com.example/example-project@1.0.0", + "evidence": { + "identity": [ + { + "field": "group", + "confidence": 0.1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + }, + { + "field": "name", + "confidence": 0.1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + }, + { + "field": "version", + "confidence": 0.1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + } + ] + } } ] } diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto index d9bcf194..c0704d7f 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto 
@@ -4,99 +4,145 @@ spec_version: "1.6" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -components { - type: CLASSIFICATION_APPLICATION - group: "com.google.code.findbugs" - name: "findbugs-project" - version: "3.0.0" - licenses { - license { - id: "LGPL-3.0-or-later" - url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" +components [ + { + type: CLASSIFICATION_APPLICATION + group: "com.google.code.findbugs" + name: "findbugs-project" + version: "3.0.0" + licenses { + license { + id: "LGPL-3.0-or-later" + url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + } } - } - purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" - evidence { - identity: { - field: EVIDENCE_FIELD_PURL, - confidence: 1, - methods: [ - { - technique: EVIDENCE_TECHNIQUE_FILENAME, - confidence: 0.1, - value: "findbugs-project-3.0.0.jar" - }, + purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" + evidence { + identity: { + field: EVIDENCE_FIELD_PURL, + confidence: 1, + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME, + confidence: 0.1, + value: "findbugs-project-3.0.0.jar" + }, + { + technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT + confidence: 0.9, + value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + }, + { + technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON + confidence: 0.7, + value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + } + ], + tools: [ + "bom-ref-of-tool-that-performed-analysis", + "bom-ref-of-tool-that-performed-analysis" + ] + }, + occurrences: [ { - technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT - confidence: 0.9, - value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" + location: "/path/to/component" }, { - technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON - confidence: 0.7, - value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + bom_ref: 
"b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" + location: "/another/path/to/component" } ], - tools: [ - "bom-ref-of-tool-that-performed-analysis", - "bom-ref-of-tool-that-performed-analysis" - ] - }, - occurrences: [ - { - bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" - location: "/path/to/component" + callstack: { + frames: [ + { + package: "com.apache.logging.log4j.core" + module: "Logger.class" + function: "logMessage" + parameters: [ + "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" + ], + line: 150 + column: 17 + fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + }, + { + module: "HelloWorld.class" + function: "main" + line: 20 + column: 12 + fullFilename: "/path/to/HelloWorld.class" + } + ] }, - { - bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" - location: "/another/path/to/component" + licenses { + license { + id: "Apache-2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0" + } + } + licenses { + license { + id: "LGPL-2.1-only" + url: "https://opensource.org/licenses/LGPL-2.1" + } + } + copyright { + text: "Copyright 2012 Google Inc. All Rights Reserved." 
+ } + copyright { + text: "Copyright (C) 2004,2005 Dave Brosius " + } + copyright { + text: "Copyright (C) 2005 William Pugh" + } + copyright { + text: "Copyright (C) 2004,2005 University of Maryland" } - ], - callstack: { - frames: [ + } + }, + { + type: CLASSIFICATION_APPLICATION + group: "com.example" + name: "example-project" + version: "1.0.0" + purl: "pkg:maven/com.example/example-project@1.0.0" + evidence: { + identity: [ + { + field: EVIDENCE_FIELD_GROUP + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] + }, { - package: "com.apache.logging.log4j.core" - module: "Logger.class" - function: "logMessage" - parameters: [ - "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" - ], - line: 150 - column: 17 - fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + field: EVIDENCE_FIELD_NAME + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] }, { - module: "HelloWorld.class" - function: "main" - line: 20 - column: 12 - fullFilename: "/path/to/HelloWorld.class" + field: EVIDENCE_FIELD_VERSION + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] } ] - }, - licenses { - license { - id: "Apache-2.0" - url: "http://www.apache.org/licenses/LICENSE-2.0" - } - } - licenses { - license { - id: "LGPL-2.1-only" - url: "https://opensource.org/licenses/LGPL-2.1" - } - } - copyright { - text: "Copyright 2012 Google Inc. All Rights Reserved." - } - copyright { - text: "Copyright (C) 2004,2005 Dave Brosius " - } - copyright { - text: "Copyright (C) 2005 William Pugh" - } - copyright { - text: "Copyright (C) 2004,2005 University of Maryland" } } -} +] 
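Review bot: The added second component is written in a different text-format style from the first component in the same file: `evidence: {`, `identity: [` and field lines without trailing commas, where the first component uses `evidence {` and comma-separated fields such as `field: EVIDENCE_FIELD_PURL,`. Text format accepts both, so this is readability only, but a fixture whose purpose is to show the array form beside the single-object form reads more clearly when both components share one style. The first component also keeps `identity: {` as a single message; if that is intended to keep exercising the now-deprecated single-object form, a `# single-object identity kept deliberately: exercises the deprecated 1.5 form` comment above it would stop a later cleanup from converting it.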
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml index 6efdda27..336d96c3 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.xml +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.xml @@ -88,5 +88,46 @@ + + com.example + example-project + 1.0.0 + pkg:maven/com.example/example-project@1.0.0 + + + group + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + name + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + version + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + +