diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index c803035c..f7c04a68 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -39,6 +39,10 @@ message Bom {
repeated Property properties = 12;
// Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.
repeated Formula formulation = 13;
+ // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
+ repeated Declarations declarations = 14;
+ // A collection of reusable objects that are defined and may be used elsewhere in the BOM.
+ repeated Definition definitions = 15;
}
enum Classification {
@@ -265,6 +269,10 @@ enum ExternalReferenceType {
EXTERNAL_REFERENCE_TYPE_FORMULATION = 37;
// URL to a source archive.
EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38;
+ // An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.
+ EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39;
+ // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
+ EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
}
enum HashAlg {
@@ -1488,3 +1496,192 @@ message EnvironmentVars {
string value = 2;
}
}
+
+message Declarations {
+ message Assessor {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor.
+ optional bool thirdParty = 2;
+ // The entity issuing the assessment.
+ optional OrganizationalEntity organization = 3;
+ }
+ message Attestation {
+ message AttestationMap {
+ message AttestationConformance {
+ // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
+ optional double score = 1;
+ // The rationale for the conformance score.
+ optional string rationale = 2;
+ // The list of `bom-ref` to the evidence provided describing the mitigation strategies.
+ repeated string mitigationStrategies = 3;
+ }
+ message AttestationConfidence {
+ // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
+ optional double score = 1;
+ // The rationale for the confidence score.
+ optional string rationale = 2;
+ }
+ // The `bom-ref` to the requirement being attested to.
+ optional string requirement = 1;
+ // The list of `bom-ref` to the claims being attested to.
+ repeated string claims = 2;
+ // The list of `bom-ref` to the counter claims being attested to.
+ repeated string counterClaims = 3;
+ // The conformance of the claim meeting a requirement.
+ optional AttestationConformance conformance = 4;
+ // The confidence of the claim meeting the requirement.
+ optional AttestationConfidence confidence = 5;
+ }
+ // The short description explaining the main points of the attestation.
+ optional string summary = 1;
+ // The `bom-ref` to the assessor asserting the attestation.
+ optional string assessor = 2;
+ // The grouping of requirements to claims and the attestors declared conformance and confidence thereof.
+ repeated AttestationMap map = 3;
+ }
+ message Claim {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to.
+ optional string target = 2;
+ // The specific statement or assertion about the target.
+ optional string predicate = 3;
+ // The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.
+ repeated string mitigationStrategies = 4;
+ // The written explanation of why the evidence provided substantiates the claim.
+ optional string reasoning = 5;
+ // The list of `bom-ref` to evidence that supports this claim.
+ repeated string evidence = 6;
+ // The list of `bom-ref` to counterEvidence that supports this claim.
+ repeated string counterEvidence = 7;
+ // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 8;
+ }
+ message Evidence {
+ message Data {
+ message Contents {
+ // An optional way to include textual or encoded data.
+ optional AttachedText attachment = 1;
+ // The URL to where the data can be retrieved.
+ optional string url = 2;
+ }
+ // The name of the data.
+ optional string name = 1;
+ // The contents or references to the contents of the data being described.
+ optional Contents contents = 2;
+ // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+ optional string classification = 3;
+ // A description of any sensitive data included.
+ repeated string sensitiveData = 4;
+ // Data Governance
+ optional DataGovernance governance = 5;
+ }
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/.
+ optional string propertyName = 2;
+ // The written description of what this evidence is and how it was created.
+ optional string description = 3;
+ // The output or analysis that supports claims.
+ repeated Data data = 4;
+ // The date and time (timestamp) when the evidence was created.
+ optional google.protobuf.Timestamp created = 5;
+ // The optional date and time (timestamp) when the evidence is no longer valid.
+ optional google.protobuf.Timestamp expires = 6;
+ // The author of the evidence.
+ optional OrganizationalContact author = 7;
+ // The reviewer of the evidence.
+ optional OrganizationalContact reviewer = 8;
+ }
+ message Targets {
+ // The list of organizations which claims are made against.
+ repeated OrganizationalEntity organizations = 1;
+ // The list of components which claims are made against.
+ repeated Component components = 2;
+ // The list of services which claims are made against.
+ repeated Service services = 3;
+ }
+ message Affirmation {
+ message Signatory {
+ // The signatory's name.
+ optional string name = 1;
+ // The signatory's role within an organization.
+ optional string role = 2;
+ // The signatory's organization.
+ optional OrganizationalEntity organization = 3;
+ // An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ optional ExternalReference externalReference = 4;
+ }
+ // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.
+ optional string statement = 1;
+ // The list of signatories authorized on behalf of an organization to assert validity of this document.
+ repeated Signatory signatories = 2;
+ }
+ // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.
+ repeated Assessor assessors = 1;
+ // The list of attestations asserted by an assessor that maps requirements to claims.
+ repeated Attestation attestations = 2;
+ // The list of claims.
+ repeated Claim claims = 3;
+ // The list of evidence
+ repeated Evidence evidence = 4;
+ // The list of targets which claims are made against.
+ optional Targets targets = 5;
+ // affirmation
+ optional Affirmation affirmation = 6;
+}
+
+message Definition {
+ message Standard {
+ message Requirement {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref.
+ optional string identifier = 2;
+ // The title of the requirement.
+ optional string title = 3;
+ // The textual content of the requirement.
+ optional string text = 4;
+ // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.
+ repeated string descriptions = 5;
+ // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.
+ repeated string openCre = 6;
+ // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents.
+ optional string parent = 7;
+ // Specifies optional, custom, properties
+ repeated Property properties = 8;
+ // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 9;
+ }
+ message Level {
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The identifier used in the standard to identify a specific level.
+ optional string identifier = 2;
+ // The title of the level.
+ optional string title = 3;
+ // The description of the level.
+ optional string description = 4;
+ // The list of requirement `bom-ref`s that comprise the level.
+ repeated string requirements = 5;
+ }
+ // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
+ optional string bom_ref = 1;
+ // The name of the standard. This will often be a shortened, single name of the standard.
+ optional string name = 2;
+ // The version of the standard.
+ optional string version = 3;
+ // The description of the standard.
+ optional string description = 4;
+ // The owner of the standard, often the entity responsible for its release.
+ optional string owner = 5;
+ // The list of requirements comprising the standard.
+ repeated Requirement requirements = 6;
+ // The list of levels associated with the standard. Some standards have different levels of compliance.
+ repeated Level levels = 7;
+ // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+ repeated ExternalReference externalReferences = 8;
+ }
+ repeated Standard standards = 1;
+}
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index e1194bef..130275d2 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -105,6 +105,412 @@
"title": "Formulation",
"description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process."
},
+ "declarations": {
+ "type": "object",
+ "title": "Declarations",
+ "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.",
+ "additionalProperties": false,
+ "properties": {
+ "assessors": {
+ "type": "array",
+ "title": "Assessors",
+ "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.",
+ "items": {
+ "type": "object",
+ "title": "Assessor",
+ "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "thirdParty": {
+ "type": "boolean",
+ "title": "Third Party",
+ "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor."
+ },
+ "organization": {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organization",
+ "description": "The entity issuing the assessment."
+ }
+ }
+ }
+ },
+ "attestations": {
+ "type": "array",
+ "title": "Attestations",
+ "description": "The list of attestations asserted by an assessor that maps requirements to claims.",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "summary": {
+ "type": "string",
+ "title": "Summary",
+ "description": "The short description explaining the main points of the attestation."
+ },
+ "assessor": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Assessor",
+ "description": "The `bom-ref` to the assessor asserting the attestation."
+ },
+ "map": {
+ "type": "array",
+ "title": "Map",
+ "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "requirement": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Requirement",
+ "description": "The `bom-ref` to the requirement being attested to."
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of `bom-ref` to the claims being attested to.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "counterClaims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of `bom-ref` to the counter claims being attested to.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "conformance": {
+ "type": "object",
+ "title": "Conformance",
+ "description": "The conformance of the claim meeting a requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the conformance score."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ }
+ }
+ },
+ "confidence": {
+ "type": "object",
+ "title": "Confidence",
+ "description": "The confidence of the claim meeting the requirement.",
+ "additionalProperties": false,
+ "properties": {
+ "score": {
+ "type": "number",
+ "minimum": 0,
+ "maximum": 1,
+ "title": "Score",
+ "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence."
+ },
+ "rationale": {
+ "type": "string",
+ "title": "Rationale",
+ "description": "The rationale for the confidence score."
+ }
+ }
+ }
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "claims": {
+ "type": "array",
+ "title": "Claims",
+ "description": "The list of claims.",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "target": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Target",
+ "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to."
+ },
+ "predicate": {
+ "type": "string",
+ "title": "Predicate",
+ "description": "The specific statement or assertion about the target."
+ },
+ "mitigationStrategies": {
+ "type": "array",
+ "title": "Mitigation Strategies",
+ "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "reasoning": {
+ "type": "string",
+ "title": "Reasoning",
+ "description": "The written explanation of why the evidence provided substantiates the claim."
+ },
+ "evidence": {
+ "type": "array",
+ "title": "Evidence",
+ "description": "The list of `bom-ref` to evidence that supports this claim.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "counterEvidence": {
+ "type": "array",
+ "title": "Counter Evidence",
+ "description": "The list of `bom-ref` to counterEvidence that supports this claim.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "evidence": {
+ "type": "array",
+ "title": "Evidence",
+ "description": "The list of evidence",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "propertyName": {
+ "type": "string",
+ "title": "Type",
+ "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The written description of what this evidence is and how it was created."
+ },
+ "data": {
+ "type": "array",
+ "title": "Data",
+ "description": "The output or analysis that supports claims.",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "description": "The name of the data.",
+ "type": "string"
+ },
+ "contents": {
+ "type": "object",
+ "title": "Data Contents",
+ "description": "The contents or references to the contents of the data being described.",
+ "additionalProperties": false,
+ "properties": {
+ "attachment": {
+ "title": "Data Attachment",
+ "description": "An optional way to include textual or encoded data.",
+ "$ref": "#/definitions/attachment"
+ },
+ "url": {
+ "type": "string",
+ "title": "Data URL",
+ "description": "The URL to where the data can be retrieved.",
+ "format": "iri-reference"
+ }
+ }
+ },
+ "classification": {
+ "$ref": "#/definitions/dataClassification"
+ },
+ "sensitiveData": {
+ "type": "array",
+ "description": "A description of any sensitive data included.",
+ "items": {
+ "type": "string"
+ }
+ },
+ "governance": {
+ "title": "Data Governance",
+ "$ref": "#/definitions/dataGovernance"
+ }
+ }
+ }
+ },
+ "created": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Created",
+ "description": "The date and time (timestamp) when the evidence was created."
+ },
+ "expires": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expires",
+ "description": "The optional date and time (timestamp) when the evidence is no longer valid."
+ },
+ "author": {
+ "$ref": "#/definitions/organizationalContact",
+ "title": "Author",
+ "description": "The author of the evidence."
+ },
+ "reviewer": {
+ "$ref": "#/definitions/organizationalContact",
+ "title": "Reviewer",
+ "description": "The reviewer of the evidence."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ }
+ },
+ "targets": {
+ "type": "object",
+ "title": "Targets",
+ "description": "The list of targets which claims are made against.",
+ "additionalProperties": false,
+ "properties": {
+ "organizations": {
+ "type": "array",
+ "title": "Organizations",
+ "description": "The list of organizations which claims are made against.",
+ "items": {"$ref": "#/definitions/organizationalEntity"}
+ },
+ "components": {
+ "type": "array",
+ "title": "Components",
+ "description": "The list of components which claims are made against.",
+ "items": {"$ref": "#/definitions/component"}
+ },
+ "services": {
+ "type": "array",
+ "title": "Services",
+ "description": "The list of services which claims are made against.",
+ "items": {"$ref": "#/definitions/service"}
+ }
+ }
+ },
+ "affirmation": {
+ "type": "object",
+ "title": "Affirmation",
+ "additionalProperties": false,
+ "properties": {
+ "statement": {
+ "type": "string",
+ "title": "Text",
+ "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.",
+ "examples": [ "I certify, to the best of my knowledge, that all information is correct." ]
+ },
+ "signatories": {
+ "type": "array",
+ "title": "Signatories",
+ "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "oneOf": [
+ {
+ "required": ["signature"]
+ },
+ {
+ "required": ["externalReference", "organization"]
+ }
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The signatory's name."
+ },
+ "role": {
+ "type": "string",
+ "title": "Role",
+ "description": "The signatory's role within an organization."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ },
+ "organization": {
+ "$ref": "#/definitions/organizationalEntity",
+ "title": "Organization",
+ "description": "The signatory's organization."
+ },
+ "externalReference": {
+ "$ref": "#/definitions/externalReference",
+ "title": "External Reference",
+ "description": "An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ }
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
+ "definitions": {
+ "type": "object",
+ "title": "Definitions",
+ "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.",
+ "additionalProperties": false,
+ "properties": {
+ "standards": {
+ "type": "array",
+ "title": "Standards",
+ "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "items": {
+ "$ref": "#/definitions/standard"
+ }
+ }
+ }
+ },
"properties": {
"type": "array",
"title": "Properties",
@@ -1273,6 +1679,8 @@
"codified-infrastructure",
"quality-metrics",
"poam",
+ "electronic-signature",
+ "digital-signature",
"other"
],
"meta:enum": {
@@ -1315,6 +1723,8 @@
"codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).",
"quality-metrics": "Report or system in which quality metrics can be obtained.",
"poam": "Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
+ "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.",
+ "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.",
"other": "Use this if no other types accurately describe the purpose of the external reference."
}
@@ -3999,6 +4409,155 @@
}
}
},
+ "standard": {
+ "type": "object",
+ "title": "Standard",
+ "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the standard. This will often be a shortened, single name of the standard."
+ },
+ "version": {
+ "type": "string",
+ "title": "Version",
+ "description": "The version of the standard."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the standard."
+ },
+ "owner": {
+ "type": "string",
+ "title": "Owner",
+ "description": "The owner of the standard, often the entity responsible for its release."
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirements comprising the standard.",
+ "items": {
+ "type": "object",
+ "title": "Requirement",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the requirement."
+ },
+ "text": {
+ "type": "string",
+ "title": "Text",
+ "description": "The textual content of the requirement."
+ },
+ "descriptions": {
+ "type": "array",
+ "title": "Descriptions",
+ "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.",
+ "items": { "type": "string" }
+ },
+ "openCre": {
+ "type": "array",
+ "title": "OWASP OpenCRE Identifier(s)",
+ "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.",
+ "items": {
+ "type": "string",
+ "pattern": "^CRE:[0-9]+-[0-9]+$",
+ "examples": [ "CRE:764-507" ]
+ }
+ },
+ "parent": {
+ "$ref": "#/definitions/refLinkType",
+ "title": "Parent BOM Reference",
+ "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents."
+ },
+ "properties": {
+ "type": "array",
+ "title": "Properties",
+ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.",
+ "items": {
+ "$ref": "#/definitions/property"
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ }
+ }
+ }
+ },
+ "levels": {
+ "type": "array",
+ "title": "Levels",
+ "description": "The list of levels associated with the standard. Some standards have different levels of compliance.",
+ "items": {
+ "type": "object",
+ "title": "Level",
+ "additionalProperties": false,
+ "properties": {
+ "bom-ref": {
+ "$ref": "#/definitions/refType",
+ "title": "BOM Reference",
+ "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+ },
+ "identifier": {
+ "type": "string",
+ "title": "Identifier",
+ "description": "The identifier used in the standard to identify a specific level."
+ },
+ "title": {
+ "type": "string",
+ "title": "Title",
+ "description": "The title of the level."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the level."
+ },
+ "requirements": {
+ "type": "array",
+ "title": "Requirements",
+ "description": "The list of requirement `bom-ref`s that comprise the level.",
+ "items": { "$ref": "#/definitions/refLinkType" }
+ }
+ }
+ }
+ },
+ "externalReferences": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/externalReference"},
+ "title": "External References",
+ "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
+ },
+ "signature": {
+ "$ref": "#/definitions/signature",
+ "title": "Signature",
+ "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ }
+ }
+ },
"signature": {
"$ref": "jsf-0.82.schema.json#/definitions/signature",
"title": "Signature",
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 96da1576..07faf380 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -1407,6 +1407,16 @@ limitations under the License.
Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".
+
+
+ An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.
+
+
+
+
+ A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.
+
+
Use this if no other types accurately describe the purpose of the external reference
@@ -5461,70 +5471,929 @@ limitations under the License.
-
-
-
-
-
- Provides additional information about a BOM.
-
-
-
-
- A list of software and hardware components.
-
-
-
-
- A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.
-
-
-
-
- Provides the ability to document external references related to the BOM or
- to the project the BOM describes.
-
-
-
-
- Provides the ability to document dependency relationships.
-
-
-
-
- Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.
-
-
-
-
- Provides the ability to document properties in a name/value store.
- This provides flexibility to include data not officially supported in the standard
- without having to use additional namespaces or create extensions. Property names
- of interest to the general public are encouraged to be registered in the
- CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
- Formal registration is OPTIONAL.
-
-
-
-
- Vulnerabilities identified in components or services.
-
-
-
-
- Comments made by people, organizations, or tools about any object with
- a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike
- inventory information, annotations may contain opinion or commentary from various
- stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link,
- and may optionally be signed.
-
-
-
-
- Describes how a component or service was manufactured or deployed. This is
- achieved through the use of formulas, workflows, tasks, and steps, which declare the precise
- steps to reproduce along with the observed formulas describing the steps which transpired
- in the manufacturing process.
+
+
+
+
+
+ The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.
+
+
+
+
+
+
+
+ The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.
+
+
+
+
+
+
+
+ The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor.
+
+
+
+
+
+
+ The entity issuing the assessment.
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the object elsewhere in the BOM.
+ Every bom-ref MUST be unique within the BOM.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+
+ The list of attestations asserted by an assessor that maps requirements to claims.
+
+
+
+
+
+
+
+ An attestation asserted by an assessor that maps requirements to claims.
+
+
+
+
+
+
+
+ The short description explaining the main points of the attestation.
+
+
+
+
+
+
+ The `bom-ref` to the assessor asserting the attestation.
+
+
+
+
+
+
+ The grouping of requirements to claims and the attestors declared conformance and confidence thereof.
+
+
+
+
+
+
+
+ The `bom-ref` to the requirement being attested to.
+
+
+
+
+
+
+ The list of `bom-ref` to the claims being attested to.
+
+
+
+
+
+
+
+ The `bom-ref` to the claim being attested to.
+
+
+
+
+
+
+
+
+
+ The list of `bom-ref` to the counter claims being attested to.
+
+
+
+
+
+
+
+ The `bom-ref` to the counter claim being attested to.
+
+
+
+
+
+
+
+
+
+ The conformance of the claim meeting a requirement.
+
+
+
+
+
+
+
+ The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rationale for the score of conformance.
+
+
+
+
+
+
+ The list of `bom-ref` to the evidence provided describing the
+ mitigation strategies. Each mitigation strategy should include an
+ explanation of how any weaknesses in the evidence will be mitigated.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The confidence of the claim meeting the requirement.
+
+
+
+
+
+
+
+ The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rationale for the confidence score.
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+
+
+ The list of claims.
+
+
+
+
+
+
+
+
+
+
+ The `bom-ref` to a target representing a specific system, application,
+ API, module, team, person, process, business unit, company, etc...
+ that this claim is being applied to.
+
+
+
+
+
+
+ The specific statement or assertion about the target.
+
+
+
+
+
+
+ The list of `bom-ref` to the evidence provided describing the
+ mitigation strategies. Each mitigation strategy should include an
+ explanation of how any weaknesses in the evidence will be mitigated.
+
+
+
+
+
+
+
+
+
+
+
+ The written explanation of why the evidence provided substantiates the claim.
+
+
+
+
+
+
+ The list of `bom-ref` to evidence that supports this claim.
+
+
+
+
+
+
+ The list of `bom-ref` to counterEvidence that supports this claim.
+
+
+
+
+
+ Provides the ability to document external references related to the claim the BOM describes.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the object elsewhere
+ in the BOM. Every bom-ref MUST be unique within the BOM.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+
+ The list of evidence
+
+
+
+
+
+
+
+ The list of evidence
+
+
+
+
+
+
+
+ The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/).
+
+
+
+
+
+
+ The written description of what this evidence is and how it was created.
+
+
+
+
+
+
+ The output or analysis that supports claims.
+
+
+
+
+
+
+
+ The name of the data.
+
+
+
+
+
+
+ The contents or references to the contents of the data being described.
+
+
+
+
+
+
+ An optional way to include textual or encoded data.
+
+
+
+
+ The URL to where the data can be retrieved.
+
+
+
+
+
+
+
+
+ Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+
+
+
+
+
+
+ A description of any sensitive data.
+
+
+
+
+
+
+
+
+
+ The date and time (timestamp) when the evidence was created.
+
+
+
+
+ The optional date and time (timestamp) when the evidence is no longer valid.
+
+
+
+
+ The author of the evidence.
+
+
+
+
+ The reviewer of the evidence.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the object elsewhere
+ in the BOM. Every bom-ref MUST be unique within the BOM.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+
+ The list of targets which claims are made against.
+
+
+
+
+
+
+
+ The list of organizations which claims are made against.
+
+
+
+
+
+
+
+
+
+
+
+ The list of components which claims are made against.
+
+
+
+
+
+
+
+
+
+
+
+ The list of services which claims are made against.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The brief statement affirmed by an individual regarding all declarations.
+ This could be an affirmation of acceptance by a third-party auditor or receiving
+ individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct."
+
+
+
+
+
+
+ The list of signatories authorized on behalf of an organization to assert validity of this document.
+
+
+
+
+
+
+
+
+
+
+ The signatory's name.
+
+
+
+
+
+
+ The signatory's role within an organization.
+
+
+
+
+
+
+ The signatory's organization.
+
+
+
+
+
+
+ An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+
+
+ A collection of reusable objects that are defined and may be used elsewhere in the BOM.
+
+
+
+
+
+
+
+
+
+
+ The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+
+
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+ A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+
+
+
+
+
+
+ The name of the standard. This will often be a shortened, single name of the standard.
+
+
+
+
+
+
+ The version of the standard.
+
+
+
+
+
+
+ The description of the standard.
+
+
+
+
+
+
+ The owner of the standard, often the entity responsible for its release.
+
+
+
+
+
+
+ The list of requirements comprising the standard.
+
+
+
+
+
+
+
+
+
+
+ The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref.
+
+
+
+
+
+
+ The title of the requirement.
+
+
+
+
+
+
+ The textual content of the requirement.
+
+
+
+
+
+
+ The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.
+
+
+
+
+
+
+
+
+
+
+
+ The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.
+
+
+
+
+
+
+
+
+
+
+
+ The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents.
+
+
+
+
+
+ Provides the ability to document properties in a name/value store.
+ This provides flexibility to include data not officially supported in the standard
+ without having to use additional namespaces or create extensions. Property names
+ of interest to the general public are encouraged to be registered in the
+ CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
+ Formal registration is OPTIONAL.
+
+
+
+
+ Provides the ability to document external references related to the BOM or
+ to the project the BOM describes.
+
+
+
+
+
+
+ An optional identifier which can be used to reference the object elsewhere
+ in the BOM. Every bom-ref MUST be unique within the BOM.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+
+ The list of levels associated with the standard. Some standards have different levels of compliance.
+
+
+
+
+
+
+
+
+
+
+ The identifier used in the standard to identify a specific level.
+
+
+
+
+
+
+ The title of the level.
+
+
+
+
+
+
+ The description of the level.
+
+
+
+
+
+
+ The list of requirement `bom-ref`s that comprise the level.
+
+
+
+
+
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the object elsewhere
+ in the BOM. Every bom-ref MUST be unique within the BOM.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+ Provides the ability to document external references related to the BOM or
+ to the project the BOM describes.
+
+
+
+
+
+ Allows any undeclared elements as long as the elements are placed in a different namespace.
+
+
+
+
+
+
+
+ An optional identifier which can be used to reference the object elsewhere
+ in the BOM. Every bom-ref MUST be unique within the BOM.
+
+
+
+
+
+ User-defined attributes may be used on this element as long as they
+ do not have the same name as an existing attribute used by the schema.
+
+
+
+
+
+
+
+
+
+ Provides additional information about a BOM.
+
+
+
+
+ A list of software and hardware components.
+
+
+
+
+ A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.
+
+
+
+
+ Provides the ability to document external references related to the BOM or
+ to the project the BOM describes.
+
+
+
+
+ Provides the ability to document dependency relationships.
+
+
+
+
+ Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.
+
+
+
+
+ Provides the ability to document properties in a name/value store.
+ This provides flexibility to include data not officially supported in the standard
+ without having to use additional namespaces or create extensions. Property names
+ of interest to the general public are encouraged to be registered in the
+ CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
+ Formal registration is OPTIONAL.
+
+
+
+
+ Vulnerabilities identified in components or services.
+
+
+
+
+ Comments made by people, organizations, or tools about any object with
+ a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike
+ inventory information, annotations may contain opinion or commentary from various
+ stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link,
+ and may optionally be signed.
+
+
+
+
+ Describes how a component or service was manufactured or deployed. This is
+ achieved through the use of formulas, workflows, tasks, and steps, which declare the precise
+ steps to reproduce along with the observed formulas describing the steps which transpired
+ in the manufacturing process.
+
+
+
+
+
+ The list of declarations which describe the conformance to standards. Each declaration may
+ include attestations, claims, and evidence.
+
+
+
+
+
+
+ A collection of reusable objects that are defined and may be used elsewhere in the BOM.
+
diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.json b/tools/src/test/resources/1.6/valid-attestation-1.6.json
new file mode 100644
index 00000000..c270d49b
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-attestation-1.6.json
@@ -0,0 +1,209 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "declarations": {
+ "assessors": [
+ {
+ "bom-ref": "assessor-1",
+ "thirdParty": true,
+ "organization": {
+ "name": "Assessors Inc"
+ }
+ }
+ ],
+ "attestations": [
+ {
+ "summary": "Attestation summary here",
+ "assessor": "assessor-1",
+ "map": [
+ {
+ "requirement": "requirement-1",
+ "claims": [ "claim-1" ],
+ "counterClaims": [ "counterClaim-1" ],
+ "conformance": {
+ "score": 0.8,
+ "rationale": "Conformance rationale here",
+ "mitigationStrategies": [ "mitigationStrategy-1" ]
+ },
+ "confidence": {
+ "score": 1,
+ "rationale": "Confidence rationale here"
+ }
+ }
+ ],
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ }
+ ],
+ "claims": [
+ {
+ "bom-ref": "claim-1",
+ "target": "acme-inc",
+ "predicate": "Predicate here",
+ "mitigationStrategies": [ "mitigationStrategy-1" ],
+ "reasoning": "Reasoning here",
+ "evidence": [ "evidence-1" ],
+ "counterEvidence": [ "counterEvidence-1" ],
+ "externalReferences": [
+ {
+ "type": "issue-tracker",
+ "url": "https://alm.example.com"
+ }
+ ],
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ }
+ ],
+ "evidence": [
+ {
+ "bom-ref": "evidence-1",
+ "propertyName": "internal.com.acme.someProperty",
+ "description": "Description here",
+ "data": [
+ {
+ "name": "Name of the data",
+ "contents": {
+ "attachment": {
+ "content": "Evidence here",
+ "contentType": "text/plain"
+ }
+ },
+ "classification": "PII",
+ "sensitiveData": [ "Describe sensitive data here" ]
+ }
+ ],
+ "created": "2023-04-25T00:00:00+00:00",
+ "expires": "2023-05-25T00:00:00+00:00",
+ "author": {
+ "name": "Mary"
+ },
+ "reviewer": {
+ "name": "Jane"
+ },
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ },
+ {
+ "bom-ref": "counterEvidence-1",
+ "propertyName": "internal.com.acme.someProperty",
+ "description": "Description here",
+ "data": [
+ {
+ "name": "Name of the data",
+ "contents": {
+ "attachment": {
+ "content": "Counter evidence here",
+ "contentType": "text/plain"
+ }
+ },
+ "classification": "Pubic",
+ "sensitiveData": [ "Describe sensitive data here" ]
+ }
+ ],
+ "created": "2023-04-25T00:00:00+00:00",
+ "expires": "2023-05-25T00:00:00+00:00",
+ "author": {
+ "name": "Mary"
+ },
+ "reviewer": {
+ "name": "Jane"
+ },
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ },
+ {
+ "bom-ref": "mitigationStrategy-1",
+ "propertyName": "internal.com.acme.someProperty",
+ "description": "Description here",
+ "data": [
+ {
+ "name": "Name of the data",
+ "contents": {
+ "attachment": {
+ "content": "Mitigation strategy here",
+ "contentType": "text/plain"
+ }
+ },
+ "classification": "Company Confidential",
+ "sensitiveData": [ "Describe sensitive data here" ]
+ }
+ ],
+ "created": "2023-04-25T00:00:00+00:00",
+ "expires": "2023-05-25T00:00:00+00:00",
+ "author": {
+ "name": "Mary"
+ },
+ "reviewer": {
+ "name": "Jane"
+ },
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ }
+ ],
+ "targets": {
+ "organizations": [
+ {
+ "bom-ref": "acme-inc",
+ "name": "Acme Inc"
+ }
+ ]
+ },
+ "affirmation": {
+ "statement": "I certify, to the best of my knowledge, that all information is correct...",
+ "signatories": [
+ {
+ "name": "Tom",
+ "role": "CEO",
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ },
+ {
+ "name": "Jerry",
+ "role": "COO",
+ "organization": {
+ "name": "Acme Inc"
+ },
+ "externalReference": {
+ "type": "electronic-signature",
+ "url": "https://example.com/coo-sig.png"
+ }
+ }
+ ],
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ },
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ },
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.textproto b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto
new file mode 100644
index 00000000..ca16cf57
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto
@@ -0,0 +1,179 @@
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+declarations: {
+ assessors: [
+ {
+ bom_ref: "assessor-1"
+ thirdParty: true
+ organization: {
+ name: "Assessors Inc"
+ }
+ }
+ ]
+ attestations: [
+ {
+ summary: "Attestation summary here"
+ assessor: "assessor-1"
+ map: [
+ {
+ requirement: "requirement-1"
+ claims: [ "claim-1" ]
+ counterClaims: [ "counterClaim-1" ]
+ conformance: {
+ score: 0.8,
+ rationale: "Conformance rationale here",
+ mitigationStrategies: [ "mitigationStrategy-1" ]
+ }
+ confidence: {
+ score: 1,
+ rationale: "Confidence rationale here"
+ }
+ }
+ ]
+ }
+ ],
+ claims: [
+ {
+ bom_ref: "claim-1"
+ target: "acme-inc"
+ predicate: "Predicate here"
+ mitigationStrategies: [ "mitigationStrategy-1" ]
+ reasoning: "Reasoning here"
+ evidence: [ "evidence-1" ]
+ counterEvidence: [ "counterEvidence-1" ]
+ externalReferences: [
+ {
+ type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER,
+ url: "https://alm.example.com"
+ }
+ ]
+ }
+ ]
+ evidence: [
+ {
+ bom_ref: "evidence-1"
+ propertyName: "internal.com.acme.someProperty"
+ description: "Description here"
+ data: [
+ {
+ name: "Name of the data"
+ contents: {
+ attachment: {
+ content_type: "text/plain"
+ value: "Evidence here"
+ }
+ }
+ classification: "PII",
+ sensitiveData: [ "Describe sensitive data here" ]
+ }
+ ]
+ created {
+ seconds: 1714003200
+ nanos: 0
+ }
+ expires {
+ seconds: 1712102400
+ nanos: 0
+ }
+ author: {
+ name: "Mary"
+ }
+ reviewer: {
+ name: "Jane"
+ }
+ },
+ {
+ bom_ref: "counterEvidence-1"
+ propertyName: "internal.com.acme.someProperty"
+ description: "Description here"
+ data: [
+ {
+ name: "Name of the data"
+ contents: {
+ attachment: {
+ content_type: "text/plain"
+ value: "Counter evidence here"
+ }
+ }
+ classification: "Pubic"
+ sensitiveData: [ "Describe sensitive data here" ]
+ }
+ ]
+ created {
+ seconds: 1714003200
+ nanos: 0
+ }
+ expires {
+ seconds: 1712102400
+ nanos: 0
+ }
+ author: {
+ name: "Mary"
+ }
+ reviewer: {
+ name: "Jane"
+ }
+ },
+ {
+ bom_ref: "mitigationStrategy-1"
+ propertyName: "internal.com.acme.someProperty"
+ description: "Description here"
+ data: [
+ {
+ name: "Name of the data"
+ contents: {
+ attachment: {
+ content_type: "text/plain"
+ value: "Mitigation strategy here"
+ }
+ }
+ classification: "Company Confidential"
+ sensitiveData: [ "Describe sensitive data here" ]
+ }
+ ]
+ created {
+ seconds: 1714003200
+ nanos: 0
+ }
+ expires {
+ seconds: 1712102400
+ nanos: 0
+ }
+ author: {
+ name: "Mary"
+ }
+ reviewer: {
+ name: "Jane"
+ }
+ }
+ ],
+ targets: {
+ organizations: [
+ {
+ bom_ref: "acme-inc"
+ name: "Acme Inc"
+ }
+ ]
+ }
+ affirmation: {
+ statement: "I certify, to the best of my knowledge, that all information is correct..."
+ signatories: [
+ {
+ name: "Tom"
+ role: "CEO"
+ },
+ {
+ name: "Jerry"
+ role: "COO"
+ organization: {
+ name: "Acme Inc"
+ }
+ externalReference: {
+ type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE
+ url: "https://example.com/coo-sig.png"
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.xml b/tools/src/test/resources/1.6/valid-attestation-1.6.xml
new file mode 100644
index 00000000..1dce0ced
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-attestation-1.6.xml
@@ -0,0 +1,165 @@
+
+
+
+
+
+ false
+
+ Acme Inc
+
+
+
+
+
+ Attestation summary here
+ assessor-1
+
+
+
+
+
+
+
+
+ acme-inc
+ Predicate here
+
+ mitigationStrategy-1
+
+ Reasoning here
+ evidence-1
+ counterEvidence-1
+
+
+ https://alm.example.com
+
+
+
+
+
+
+
+
+
+ internal.com.acme.someProperty
+ Description here
+
+ Name of the data
+
+ Evidence here
+
+ PII
+ Describe sensitive data here
+
+ 2023-04-25T00:00:00+00:00
+ 2023-05-25T00:00:00+00:00
+
+ Mary
+
+
+ Jane
+
+
+
+
+
+
+ internal.com.acme.someProperty
+ Description here
+
+ Name of the data
+
+ Counter evidence here
+
+ Public
+ Describe sensitive data here
+
+ 2023-04-25T00:00:00+00:00
+ 2023-05-25T00:00:00+00:00
+
+ Mary
+
+
+ Jane
+
+
+
+ internal.com.acme.someProperty
+ Description here
+
+ Name of the data
+
+ Mitigation strategy here
+
+ Public
+ Describe sensitive data here
+
+ 2023-04-25T00:00:00+00:00
+ 2023-05-25T00:00:00+00:00
+
+ Mary
+
+
+ Jane
+
+
+
+
+
+
+ Acme Inc
+
+
+
+
+ I certify, to the best of my knowledge, that all information is correct...
+
+
+ Tom
+ CEO
+
+
+
+
+
+ Jerry
+ COO
+
+ Acme Inc
+
+
+ https://example.com/coo-sig.png
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json
new file mode 100644
index 00000000..ad6b4bab
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-standard-1.6.json
@@ -0,0 +1,73 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "definitions": {
+ "standards": [
+ {
+ "bom-ref": "standard-1",
+ "name": "Sample Standard",
+ "version": "1.0.0",
+ "description": "Description here",
+ "owner": "Acme Inc",
+ "requirements": [
+ {
+ "bom-ref": "requirement-1",
+ "identifier": "v1",
+ "title": "Title here"
+ },
+ {
+ "bom-ref": "requirement-1.1",
+ "identifier": "v1.1",
+ "title": "Title here",
+ "parent": "requirement-1"
+ },
+ {
+ "bom-ref": "requirement-1.1.1",
+ "identifier": "v1.1.1",
+ "text": "Text of the requirement here",
+ "descriptions": [
+ "Supplemental text here"
+ ],
+ "openCre": [
+ "CRE:616-305"
+ ],
+ "parent": "requirement-1.1"
+ }
+ ],
+ "levels": [
+ {
+ "bom-ref": "level-1",
+ "identifier": "Level 1",
+ "description": "Description here",
+ "requirements": [
+ "requirement-1.1.1"
+ ]
+ },
+ {
+ "bom-ref": "level-2",
+ "identifier": "Level 2",
+ "description": "Description here",
+ "requirements": [
+ "requirement-1.1.1"
+ ]
+ },
+ {
+ "bom-ref": "level-3",
+ "identifier": "Level 3",
+ "description": "Description here",
+ "requirements": [
+ "requirement-1.1.1"
+ ]
+ }
+ ],
+ "signature": {
+ "algorithm": "ES256",
+ "certificatePath": [ "MIIB...", "MIID..." ],
+ "value": "tqIT..."
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto
new file mode 100644
index 00000000..65b90e2a
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto
@@ -0,0 +1,65 @@
+spec_version: "1.6",
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+definitions {
+ standards: [
+ {
+ bom_ref: "standard-1"
+ name: "Sample Standard"
+ version: "1.0.0"
+ description: "Description here"
+ owner: "Acme Inc"
+ requirements: [
+ {
+ bom_ref: "requirement-1"
+ identifier: "v1"
+ title: "Title here"
+ },
+ {
+ bom_ref: "requirement-1.1"
+ identifier: "v1.1"
+ title: "Title here"
+ parent: "requirement-1"
+ },
+ {
+ bom_ref: "requirement-1.1.1"
+ identifier: "v1.1.1"
+ text: "Text of the requirement here"
+ descriptions: [
+ "Supplemental text here"
+ ]
+ openCre: [
+ "CRE:616-305"
+ ],
+ parent: "requirement-1.1"
+ }
+ ]
+ levels: [
+ {
+ bom_ref: "level-1"
+ identifier: "Level 1"
+ description: "Description here"
+ requirements: [
+ "requirement-1.1.1"
+ ]
+ },
+ {
+ bom_ref: "level-2"
+ identifier: "Level 2"
+ description: "Description here"
+ requirements: [
+ "requirement-1.1.1"
+ ]
+ },
+ {
+ bom_ref: "level-3"
+ identifier: "Level 3"
+ description: "Description here"
+ requirements: [
+ "requirement-1.1.1"
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml
new file mode 100644
index 00000000..7a36430a
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml
@@ -0,0 +1,59 @@
+
+
+
+
+
+ Sample Standard
+ 1.0.0
+ Description here
+ Acme Inc
+
+
+ v1
+ Title here
+
+
+ v1.1
+ Title here
+ requirement-1
+
+
+ v1.1.1
+ Text of the requirement here
+
+ Supplemental text here
+
+ CRE:616-305
+ requirement-1.1
+
+
+
+
+ Level 1
+ Description here
+
+ requirement-1.1.1
+
+
+
+ Level 2
+ Description here
+
+ requirement-1.1.1
+
+
+
+ Level 3
+ Description here
+
+ requirement-1.1.1
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file