From 430826a231e3ddff78832b440e6ad5e7dd488c58 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 24 Apr 2023 23:52:50 -0500 Subject: [PATCH 1/6] Added additional composition types, bom-ref, and updated docs. Signed-off-by: Steve Springett --- schema/bom-1.5.proto | 22 ++++++++++---- schema/bom-1.5.schema.json | 11 ++++++- schema/bom-1.5.xsd | 30 ++++++++++++++++++- .../resources/1.5/valid-compositions-1.5.json | 2 ++ .../1.5/valid-compositions-1.5.textproto | 2 ++ .../resources/1.5/valid-compositions-1.5.xml | 4 +-- 6 files changed, 61 insertions(+), 10 deletions(-) diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto index 50f5ada5..09560a0b 100644 --- a/schema/bom-1.5.proto +++ b/schema/bom-1.5.proto 
@@ -545,18 +545,26 @@ message Property {
 }
 
 enum Aggregate {
-  // Default, no statement about the aggregate completeness is being made
+  // The relationship completeness is not specified.
   AGGREGATE_NOT_SPECIFIED = 0;
-  // The aggregate composition is complete
+  // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.
   AGGREGATE_COMPLETE = 1;
-  // The aggregate composition is incomplete
+  // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.
   AGGREGATE_INCOMPLETE = 2;
-  // The aggregate composition is incomplete for first party components, complete for third party components
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
-  // The aggregate composition is incomplete for third party components, complete for first party components
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
-  // The aggregate composition completeness is unknown
+  // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.
   AGGREGATE_UNKNOWN = 5;
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6;
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7;
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8;
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9;
 }
 
 message Composition {
@@ -566,6 +574,8 @@ message Composition {
   repeated string assemblies = 2;
   // The dependencies the aggregate completeness applies to
   repeated string dependencies = 3;
+  // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+  optional string bom_ref = 4;
 }
 
 message EvidenceCopyright {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
index c72e5e42..9d2b86ab 100644
--- a/schema/bom-1.5.schema.json
+++ b/schema/bom-1.5.schema.json
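Review bot: The comment on the new `bom_ref` field states a uniqueness MUST that the protobuf schema cannot express, and the JSON schema hunk in this patch has the same limitation (a `$ref` to `refType` checks the string's shape, not uniqueness), while the XSD hunk words it as "Uniqueness is enforced" by the schema; the three descriptions should agree on where the check actually happens. Since a consumer that dereferences compositions by bom-ref will misbehave on a duplicate or dangling reference, the comment should say the check is the validator's job: `// An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM; the protobuf schema does not enforce this, so validators must reject duplicates.` The textproto fixture in this same patch gives both compositions the bom_ref "composition-1", which illustrates the gap; a later patch in the series removes the second one.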
@@ -1511,10 +1511,15 @@ ], "additionalProperties": false, "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, "aggregate": { "$ref": "#/definitions/aggregateType", "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is." + "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. 
Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" }, "assemblies": { "type": "array", @@ -1548,7 +1553,11 @@ "complete", "incomplete", "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", "unknown", "not_specified" ] diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index bd7c708d..2bb65114 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -2142,13 +2142,21 @@ limitations under the License. + + + + An optional identifier which can be used to reference the composition elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + - The relationship is complete. No further relationships including constituent components, services, or dependencies exist. + The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. 
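Review bot: The rewritten `aggregate` description keeps the agreement error from the line it replaces, `Specifies an aggregate type that describe how complete a relationship is.`; as the whole string is being rewritten, it should read `Specifies an aggregate type that describes how complete a relationship is.` The same sentence is carried unchanged into the patch 2 hunk titled "Corrected JSON docs", so fixing it here would avoid fixing it twice. The bullet list that follows duplicates the per-value comments in the `.proto` enum, which is fine for a published schema but worth keeping in lock-step when a value's wording changes in either file.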
@@ -2161,11 +2169,31 @@ limitations under the License. The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.json b/tools/src/test/resources/1.5/valid-compositions-1.5.json index 551834e0..f2043a9a 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.json +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.json @@ -46,6 +46,7 @@ ], "compositions": [ { + "bom-ref": "composition-1", "aggregate": "complete", "assemblies": [ "pkg:maven/partner/shaded-library@1.0" @@ -55,6 +56,7 @@ ] }, { + "bom-ref": "composition-2", "aggregate": "unknown", "assemblies": [ "pkg:maven/acme/library@3.0" diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto index d29b94fe..b94dead4 100644 
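Review bot: The two enumeration documentations inserted directly after the existing "Only relationships for first-party components ... are represented." entry both describe third-party relationships, yet by position in the enumeration, and by the matching proto and JSON additions in this patch, they should document the first-party proprietary and first-party opensource values. The element names are not visible in this rendering of the hunk, so this is inferred from order, but the result is that four consecutive entries carry near-identical "third-party" text. The first two should presumably read `The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.` and the same sentence ending in `limited specifically to those that are opensource.`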
--- a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto @@ -39,11 +39,13 @@ dependencies { } } compositions { + bom_ref: "composition-1" aggregate: AGGREGATE_COMPLETE assemblies: "pkg:maven/partner/shaded-library@1.0" dependencies: "acme-application-1.0" } compositions { + bom_ref: "composition-1" aggregate: AGGREGATE_UNKNOWN assemblies: "pkg:maven/acme/library@3.0" } diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.xml b/tools/src/test/resources/1.5/valid-compositions-1.5.xml index 82c16c55..e2923bcf 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.xml +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.xml @@ -32,7 +32,7 @@ - + complete @@ -41,7 +41,7 @@ - + unknown From 7e3070f58717f567661a0d55eead970bc7b0a1ad Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 24 Apr 2023 23:54:40 -0500 Subject: [PATCH 2/6] Corrected JSON docs Signed-off-by: Steve Springett --- schema/bom-1.5.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index 9d2b86ab..af869622 100644 --- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json 
@@ -1519,7 +1519,7 @@ "aggregate": { "$ref": "#/definitions/aggregateType", "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" + "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. 
This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" }, "assemblies": { "type": "array", From f0df2d2bf3026fa034c9d2936722aafcd1322edb Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 25 Apr 2023 09:53:06 -0500 Subject: [PATCH 3/6] Updating test cases to show that bom-ref for compositions are optional Signed-off-by: Steve Springett --- tools/src/test/resources/1.5/valid-compositions-1.5.json | 1 - tools/src/test/resources/1.5/valid-compositions-1.5.textproto | 1 - tools/src/test/resources/1.5/valid-compositions-1.5.xml | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.json b/tools/src/test/resources/1.5/valid-compositions-1.5.json index f2043a9a..0c394e19 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.json +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.json @@ -56,7 +56,6 @@ ] }, { - "bom-ref": "composition-2", "aggregate": "unknown", "assemblies": [ "pkg:maven/acme/library@3.0" diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto index b94dead4..4c2f08ea 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto @@ -45,7 +45,6 @@ compositions { dependencies: "acme-application-1.0" } compositions { - bom_ref: "composition-1" aggregate: AGGREGATE_UNKNOWN assemblies: "pkg:maven/acme/library@3.0" } diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.xml b/tools/src/test/resources/1.5/valid-compositions-1.5.xml index e2923bcf..9dd2d2de 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.xml +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.xml @@ -41,7 +41,7 @@ - + unknown 
From 332a05f31614facc3ae6464aeb3563dbdc3befcf Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 25 Apr 2023 10:06:00 -0500 Subject: [PATCH 4/6] Updated docs Signed-off-by: Steve Springett --- schema/bom-1.5.proto | 8 ++++---- schema/bom-1.5.schema.json | 4 ++-- schema/bom-1.5.xsd | 3 ++- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto index 09560a0b..a6bdcb83 100644 --- a/schema/bom-1.5.proto +++ b/schema/bom-1.5.proto @@ -29,7 +29,7 @@ message Bom { repeated ExternalReference external_references = 7; // Provides the ability to document dependency relationships. repeated Dependency dependencies = 8; - // Provides the ability to document aggregate completeness + // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. Other inventory types such as vulnerabilities may also be described for completeness. repeated Composition compositions = 9; // Vulnerabilities identified in components or services. repeated Vulnerability vulnerabilities = 10; 
@@ -568,11 +568,11 @@ enum Aggregate { } message Composition { - // Indicates the aggregate completeness + // Specifies an aggregate type that describe how complete a relationship is. Aggregate aggregate = 1; - // The assemblies the aggregate completeness applies to + // The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only. Other inventory types such as vulnerabilities may also be described. repeated string assemblies = 2; - // The dependencies the aggregate completeness applies to + // The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only. repeated string dependencies = 3; // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. optional string bom_ref = 4; diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index af869622..b8be004b 100644 --- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json @@ -87,7 +87,7 @@ "items": {"$ref": "#/definitions/compositions"}, "uniqueItems": true, "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. Other inventory types such as vulnerabilities may also be described for completeness." }, "vulnerabilities": { "type": "array", 
@@ -1528,7 +1528,7 @@ "type": "string" }, "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only. Other inventory types such as vulnerabilities may also be described." }, "dependencies": { "type": "array", diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index 2bb65114..e7f65aaf 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -2104,6 +2104,7 @@ limitations under the License. The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only. + Other inventory types such as vulnerabilities may also be described. @@ -3213,7 +3214,7 @@ limitations under the License. - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. Other inventory types such as vulnerabilities may also be described for completeness. From 4acfa29532fc793644bc9fe63088b2f355f9d1aa Mon Sep 17 00:00:00 2001 
From: Steve Springett Date: Tue, 25 Apr 2023 12:43:14 -0500 Subject: [PATCH 5/6] Revert "Updated docs" This reverts commit 332a05f31614facc3ae6464aeb3563dbdc3befcf. --- schema/bom-1.5.proto | 8 ++++---- schema/bom-1.5.schema.json | 4 ++-- schema/bom-1.5.xsd | 3 +-- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto index a6bdcb83..09560a0b 100644 --- a/schema/bom-1.5.proto +++ b/schema/bom-1.5.proto @@ -29,7 +29,7 @@ message Bom { repeated ExternalReference external_references = 7; // Provides the ability to document dependency relationships. repeated Dependency dependencies = 8; - // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. Other inventory types such as vulnerabilities may also be described for completeness. + // Provides the ability to document aggregate completeness repeated Composition compositions = 9; // Vulnerabilities identified in components or services. repeated Vulnerability vulnerabilities = 10; 
@@ -568,11 +568,11 @@ enum Aggregate { } message Composition { - // Specifies an aggregate type that describe how complete a relationship is. + // Indicates the aggregate completeness Aggregate aggregate = 1; - // The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only. Other inventory types such as vulnerabilities may also be described. + // The assemblies the aggregate completeness applies to repeated string assemblies = 2; - // The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only. + // The dependencies the aggregate completeness applies to repeated string dependencies = 3; // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. optional string bom_ref = 4; diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index b8be004b..af869622 100644 --- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json @@ -87,7 +87,7 @@ "items": {"$ref": "#/definitions/compositions"}, "uniqueItems": true, "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. Other inventory types such as vulnerabilities may also be described for completeness." + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." }, "vulnerabilities": { "type": "array", 
@@ -1528,7 +1528,7 @@ "type": "string" }, "title": "BOM references", - "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only. Other inventory types such as vulnerabilities may also be described." + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." }, "dependencies": { "type": "array", diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index e7f65aaf..2bb65114 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -2104,7 +2104,6 @@ limitations under the License. The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only. - Other inventory types such as vulnerabilities may also be described. @@ -3214,7 +3213,7 @@ limitations under the License. - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. Other inventory types such as vulnerabilities may also be described for completeness. + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. From db06aba7e9348d8bda42128964ea0cbc058b5c5c Mon Sep 17 00:00:00 2001 
From: Steve Springett Date: Tue, 25 Apr 2023 12:58:35 -0500 Subject: [PATCH 6/6] Added vulnerability composition support to allow for specifying the completeness and aggregate of vulnerabilities defined in a BOM. Updated test cases. Signed-off-by: Steve Springett --- schema/bom-1.5.proto | 6 ++++-- schema/bom-1.5.schema.json | 11 +++++++++- schema/bom-1.5.xsd | 21 ++++++++++++++++++- .../resources/1.5/valid-compositions-1.5.json | 15 +++++++++++++ .../1.5/valid-compositions-1.5.textproto | 11 ++++++++++ .../resources/1.5/valid-compositions-1.5.xml | 14 +++++++++++++ 6 files changed, 74 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto index 09560a0b..e84ce7ba 100644 --- a/schema/bom-1.5.proto +++ b/schema/bom-1.5.proto @@ -29,7 +29,7 @@ message Bom { repeated ExternalReference external_references = 7; // Provides the ability to document dependency relationships. repeated Dependency dependencies = 8; - // Provides the ability to document aggregate completeness + // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. repeated Composition compositions = 9; // Vulnerabilities identified in components or services. repeated Vulnerability vulnerabilities = 10; @@ -574,8 +574,10 @@ message Composition { repeated string assemblies = 2; // The dependencies the aggregate completeness applies to repeated string dependencies = 3; + // The bom-ref identifiers of the vulnerabilities being described. + repeated string vulnerabilities = 4; // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. - optional string bom_ref = 4; + optional string bom_ref = 5; } message EvidenceCopyright { diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json index af869622..fd19641e 100644 
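Review bot: Moving `bom_ref` from field number 4 to 5 so that `vulnerabilities` can take 4 is a wire-level change: any consumer built from the earlier patch in this series that assigned `optional string bom_ref = 4;` would now decode a composition's bom-ref as its vulnerability list and vice versa. Field numbers, not declaration order, identify fields, so the same layout is reachable without renumbering by keeping `optional string bom_ref = 4;` and declaring `repeated string vulnerabilities = 5;`. If the 1.5 schema is known to have no pre-release consumers this is harmless, but the proto convention of never reassigning a number costs nothing here. Separately, the new comment should state what the strings must resolve to, e.g. `// The bom-ref identifiers of the vulnerabilities being described. Each MUST match the bom-ref of an entry in Bom.vulnerabilities.`, and the corresponding `description` in the JSON schema hunk that follows would benefit from the same sentence, since a reference that resolves to a component rather than a vulnerability is otherwise indistinguishable from a valid one.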
--- a/schema/bom-1.5.schema.json +++ b/schema/bom-1.5.schema.json @@ -87,7 +87,7 @@ "items": {"$ref": "#/definitions/compositions"}, "uniqueItems": true, "title": "Compositions", - "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness." + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." }, "vulnerabilities": { "type": "array", @@ -1539,6 +1539,15 @@ "title": "BOM references", "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, "signature": { "$ref": "#/definitions/signature", "title": "Signature", diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd index 2bb65114..7a981583 100644 --- a/schema/bom-1.5.xsd +++ b/schema/bom-1.5.xsd @@ -2141,6 +2141,25 @@ limitations under the License. + + + + The bom-ref identifiers of the vulnerabilities being described. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + 
@@ -3213,7 +3232,7 @@ limitations under the License. - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.json b/tools/src/test/resources/1.5/valid-compositions-1.5.json index 0c394e19..11c8a001 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.json +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.json @@ -44,6 +44,15 @@ ] } ], + "vulnerabilities": [ + { + "bom-ref": "vulnerability-1", + "id": "ACME-12345", + "source": { + "name": "Acme Inc" + } + } + ], "compositions": [ { "bom-ref": "composition-1", @@ -60,6 +69,12 @@ "assemblies": [ "pkg:maven/acme/library@3.0" ] + }, + { + "aggregate": "incomplete_first_party_only", + "vulnerabilities": [ + "vulnerability-1" + ] } ] } diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto index 4c2f08ea..bc542cf4 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto @@ -48,3 +48,14 @@ compositions { aggregate: AGGREGATE_UNKNOWN assemblies: "pkg:maven/acme/library@3.0" } +compositions { + aggregate: AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY, + vulnerabilities: "vulnerability-1" +} +vulnerabilities { + bom_ref: "vulnerability-1" + id: "ACME-12345" + source: { + name: "Acme Inc" + } +} diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.xml b/tools/src/test/resources/1.5/valid-compositions-1.5.xml index 9dd2d2de..99204878 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.xml +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.xml 
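Review bot: The added line `aggregate: AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY,` carries a trailing comma that no other field in this fixture uses; text format accepts `,` as an optional separator so the file still parses, but for consistency it should be `aggregate: AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY`. In the same spirit, the new `source: {` block uses the colon form while the surrounding `compositions {` and `vulnerabilities {` blocks omit it; both are legal, but the fixture reads better with one style.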
@@ -47,5 +47,19 @@ + + incomplete_first_party_only + + + + + + + ACME-12345 + + Acme Inc + + +