diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index 89991875..66f21f83 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -141,6 +141,8 @@ message Component {
   optional ComponentData data = 26;
   // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
   optional CryptoProperties cryptoProperties = 27;
+  // The organization that manufactured the component (the "manufacturer", although the field is misspelled).
+  optional OrganizationalEntity manufacture = 28;
 }
 
 // Specifies the data flow.
@@ -444,7 +446,7 @@ message Metadata {
   repeated OrganizationalContact authors = 3;
   // The component that the BOM describes.
   optional Component component = 4;
-  // The organization that manufactured the component that the BOM describes.
+  // The organization that manufactured the CycloneDX document (the "manufacturer", although the field is misspelled). This may be different from the manufacurer of the component that the CycloneDX document describes.
   optional OrganizationalEntity manufacture = 5;
   // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.
   optional OrganizationalEntity supplier = 6;
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 695b1d2d..89c17617 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
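Review bot: The new comment on field 28 says the name is misspelled but not why the misspelling is kept, so a later maintainer is likely to "correct" it, which would change the generated accessor and JSON name of a published field. Presumably it mirrors `Metadata.manufacture` (field 5) and the `manufacture` key that the JSON schema and XSD use in this same commit; say so explicitly: `// The organization that manufactured the component. Deliberately spelled "manufacture" to match Metadata.manufacture and the JSON/XML property name; do not rename.` The enclosing `message Component` starts before the hunk.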
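Review bot: The replacement comment on field 5 redefines an existing field, from the manufacturer of the described component to the manufacturer of the CycloneDX document, while keeping number 5, so a value written by a producer that followed the old description is read with the new meaning by consumers of this revision; if that is intended, the comment should tell consumers how to interpret documents produced under the old wording. The added line also misspells "manufacurer", whereas the JSON schema and XSD text in the same commit use "manufacturer"; change it to `This may be different from the manufacturer of the component that the CycloneDX document describes.` The enclosing `message Metadata` starts before the hunk.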
@@ -678,8 +678,8 @@
         "$ref": "#/definitions/component"
       },
       "manufacture": {
-        "title": "Manufacture",
-        "description": "The organization that manufactured the component that the BOM describes.",
+        "title": "Manufacturer",
+        "description": "The organization that manufactured the CycloneDX document (the \"manufacturer\", although the property is misspelled).\nThis may be different from the manufacturer of the component that the CycloneDX document describes.",
         "$ref": "#/definitions/organizationalEntity"
       },
       "supplier": {
@@ -860,6 +860,11 @@
         "title": "BOM Reference",
         "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
       },
+      "manufacture": {
+        "title": "Manufacturer",
+        "description": "The organization that manufactured the component (the \"manufacturer\", although the property is misspelled).",
+        "$ref": "#/definitions/organizationalEntity"
+      },
       "supplier": {
         "title": "Component Supplier",
         "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index c3c9b230..4deaf08b 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -214,7 +214,10 @@ limitations under the License. - The organization that manufactured the component that the BOM describes. + + The organization that manufactured the CycloneDX document (the "manufacturer", although the element is misspelled). + This may be different from the manufacturer of the component that the CycloneDX document describes. +
@@ -470,6 +473,11 @@ limitations under the License. + + + The organization that manufactured the component (the "manufacturer", although the element is misspelled). + + The organization that supplied the component. The supplier may often 
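Review bot: In the component definition (hunk at 860) the new property's title is `"Manufacturer"` while the neighbouring property is titled `"Component Supplier"`, so generated documentation will list the two siblings with inconsistent naming; `"title": "Component Manufacturer",` would match the existing style. The description text itself agrees with the comment added for `Component.manufacture` in the proto file of this commit. The `manufacture` block in the hunk at 678 belongs to metadata, where the plain `"Manufacturer"` title reads fine.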
diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json
index 994f726f..eb873f2d 100644
--- a/tools/src/test/resources/1.6/valid-bom-1.6.json
+++ b/tools/src/test/resources/1.6/valid-bom-1.6.json
@@ -142,6 +142,19 @@
       },
       {
         "type": "library",
+        "manufacture": {
+          "name": "ACME, Inc.",
+          "url": [
+            "https://acme.org/manufacturing"
+          ],
+          "contact": [
+            {
+              "name": "ACME Manufacturing",
+              "email": "manufacturing@acme.org",
+              "phone": "800-555-13372"
+            }
+          ]
+        },
         "supplier": {
           "name": "Example, Inc.",
           "url": [
diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto
index 3e81e348..8f5f4770 100644
--- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto
+++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto
@@ -141,6 +141,15 @@ components {
   group: "org.example"
   name: "mylibrary"
   version: "1.0.0"
+  manufacture {
+    name: "Acme Inc."
+    url: "https://acme.org/manufacturing"
+    contact {
+      name: "ACME Manufacturing"
+      email: "manufacturing@acme.org"
+      phone: "800-555-13372"
+    }
+  }
 }
 dependencies {
   ref: "pkg:npm/acme/component@1.0.0"
diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.xml b/tools/src/test/resources/1.6/valid-bom-1.6.xml
index fc1904d3..e5fa25e8 100644
--- a/tools/src/test/resources/1.6/valid-bom-1.6.xml
+++ b/tools/src/test/resources/1.6/valid-bom-1.6.xml
@@ -106,6 +106,15 @@ + + Acme Inc. + https://acme.org/manufacturing + + ACME Manufacturing + manufacturing@acme.org + 800-555-13372 + + Example Inc. https://example.com
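Review bot: The manufacturer name in the JSON fixture is `"ACME, Inc."` while the textproto hunk in the same commit (and, as far as the tag-stripped XML hunk shows, the XML fixture) uses `"Acme Inc."`; these three files appear to be the same valid BOM in three encodings, so the mismatch looks like a copy slip and would surface in any cross-format round-trip comparison of the fixtures. Use one spelling in all three, e.g. `"name": "Acme Inc.",` in the JSON hunk. The contact block (name, email, phone) is consistent across the hunks, so only the organization name needs aligning.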