README
¶
Supported schema formats
Formats MUST be in JSON schema format.
The following schema formats are supported:
| Format Name | Format Key | Format ID | Schema repository |
|---|---|---|---|
| SPDX | SPDXID |
SPDXRef-DOCUMENT |
https://github.com/spdx/spdx-spec |
| CycloneDX | bomFormat |
CycloneDx |
https://github.com/CycloneDX/specification |
Documentation
¶
Index ¶
- Constants
- Variables
- func CalcLineAndCharacterPos(data []byte, offset int64) (lineNum int, charNum int)
- func DisplayJSONErrorDetails(data []byte, err error)
- func FormatSchemaVariant(variant string) (formattedVariant string)
- func IsInterfaceASlice(testValue interface{}) bool
- func LoadCustomValidationConfig(filename string) (err error)
- type BOM
- func (bom *BOM) GetCdxBom() (cdxBom *CDXBom)
- func (bom *BOM) GetCdxComponents() (components []CDXComponent)
- func (bom *BOM) GetCdxMetadata() (metadata *CDXMetadata)
- func (bom *BOM) GetCdxMetadataComponent() (component *CDXComponent)
- func (bom *BOM) GetCdxMetadataLicenses() (licenses []CDXLicenseChoice)
- func (bom *BOM) GetCdxMetadataProperties() (properties []CDXProperty)
- func (bom *BOM) GetCdxServices() (services []CDXService)
- func (bom *BOM) GetCdxVulnerabilities() (vulnerabilities []CDXVulnerability)
- func (bom *BOM) GetFilename() string
- func (bom *BOM) GetFilenameInterpolated() string
- func (bom *BOM) GetJSONMap() map[string]interface{}
- func (bom *BOM) GetKeyValueAsString(key string) (sValue string, err error)
- func (bom *BOM) GetRawBytes() []byte
- func (bom *BOM) UnmarshalBOMAsJSONMap() (err error)
- func (bom *BOM) UnmarshalCycloneDXBOM() (err error)
- type BOMFormatAndSchemaConfig
- func (schemaConfig *BOMFormatAndSchemaConfig) FindFormatAndSchema(bom *BOM) (err error)
- func (config *BOMFormatAndSchemaConfig) InnerLoadSchemaConfigFile(filename string, defaultFilename string) (err error)
- func (config *BOMFormatAndSchemaConfig) LoadSchemaConfigFile(filename string, defaultFilename string) (err error)
- func (config *BOMFormatAndSchemaConfig) Reset()
- type CDXAdvisory
- type CDXAffect
- type CDXAnalysis
- type CDXAnnotation
- type CDXAnnotator
- type CDXApproach
- type CDXAttachment
- type CDXBom
- type CDXBomLink
- type CDXBomLinkDocumentType
- type CDXBomLinkElementType
- type CDXCommand
- type CDXCommit
- type CDXComponent
- type CDXComponentData
- type CDXComponentEvidence
- type CDXCompositions
- type CDXCondition
- type CDXConfidenceInterval
- type CDXConsiderations
- type CDXContent
- type CDXCopyright
- type CDXCreationTools
- type CDXCredit
- type CDXDataClassification
- type CDXDataGovernance
- type CDXDataGovernanceResponsibleParty
- type CDXDataset
- type CDXDependency
- type CDXDiff
- type CDXEvent
- type CDXExternalReference
- type CDXFairnessAssessment
- type CDXFormula
- type CDXGraphic
- type CDXGraphicsCollection
- type CDXHash
- type CDXIdentifiableAction
- type CDXInputOutputMLParameters
- type CDXInputType
- type CDXIssue
- type CDXLegacyCreationTool
- type CDXLicense
- type CDXLicenseChoice
- type CDXLicenseExpression
- type CDXLicenseLegalParty
- type CDXLicensing
- type CDXLifecycle
- type CDXMetadata
- type CDXModelCard
- type CDXModelParameters
- type CDXNameDescription
- type CDXNote
- type CDXOrganizationalContact
- type CDXOrganizationalEntity
- type CDXOutputType
- type CDXParameter
- type CDXPatch
- type CDXPedigree
- type CDXPerformanceMetric
- type CDXProofOfConcept
- type CDXProperty
- type CDXQuantitativeAnalysis
- type CDXRating
- type CDXRefLinkType
- type CDXRefType
- type CDXReleaseNotes
- type CDXResourceReferenceChoice
- type CDXRisk
- type CDXService
- type CDXServiceData
- type CDXSource
- type CDXStep
- type CDXSubject
- type CDXSupportingMaterial
- type CDXSwid
- type CDXTask
- type CDXTaskType
- type CDXTrigger
- type CDXVersionRange
- type CDXVolume
- type CDXVulnerability
- type CDXVulnerabilityReference
- type CDXVulnerabilitySource
- type CDXWorkflow
- type CDXWorkspace
- type CustomValidation
- type CustomValidationConfig
- type CustomValidationMetadata
- type CustomValidationProperty
- type FormatSchema
- type FormatSchemaInstance
- type JSFKeyType
- type JSFPublicKey
- type JSFSignature
- type JSFSigner
- type UnsupportedFormatError
- type UnsupportedSchemaError
Constants ¶
const ( ID_SPDX = "SPDXRef-DOCUMENT" ID_CYCLONEDX = "CycloneDX" )
Format ID (key component) UNUSED, TODO Use these values to verify remotely loaded schema files
const ( // SPDX PROPKEY_ID_SPDX = "SPDXID" PROPKEY_VERSION_SPDX = "spdxVersion" // CycloneDX PROPKEY_ID_CYCLONEDX = "bomFormat" PROPKEY_VERSION_CYCLONEDX = "specVersion" )
Document property keys JSON document property keys to lookup values in their respective SBOM formats UNUSED, TODO Use these values to verify remotely loaded schema files
const ( KEY_ANNOTATIONS = "annotations" KEY_COMPONENTS = "components" KEY_LICENSES = "licenses" KEY_METADATA = "metadata" KEY_SERVICES = "services" )
const ( SCHEMA_FORMAT_SPDX = "SPDX" SCHEMA_FORMAT_CYCLONEDX = "CycloneDX" )
const ( ERR_TYPE_UNSUPPORTED_FORMAT = "format not supported" ERR_TYPE_UNSUPPORTED_SCHEMA = "schema not supported" //MSG_CONFIG_SCHEMA_FORMAT_NOT_FOUND = "schema format not found in configuration." MSG_FORMAT_UNSUPPORTED_UNKNOWN = "unknown format" MSG_FORMAT_UNSUPPORTED_COMMAND = "for command and/or flags" MSG_CONFIG_SCHEMA_VERSION_NOT_FOUND = "schema version not found in configuration" MSG_CONFIG_SCHEMA_VARIANT_NOT_FOUND = "schema variant not found in configuration" )
const (
INPUT_TYPE_STDIN = "-"
)
Input (source) reserved values
const (
SCHEMA_VARIANT_LATEST = "(latest)"
)
Variables ¶
var EMPTY_CDXLicense = CDXLicense{}
For convenience, we provide named vars. for testing for zero-length (empty) structs
var ENCODED_EMPTY_SLICE_OF_STRUCT = []byte("[{}]")
var ENCODED_EMPTY_STRUCT = []byte("{}")
var (
ProjectLogger *log.MiniLogger
)
Functions ¶
func CalcLineAndCharacterPos ¶
func DisplayJSONErrorDetails ¶
func FormatSchemaVariant ¶
func IsInterfaceASlice ¶ added in v0.13.0
func IsInterfaceASlice(testValue interface{}) bool
Types ¶
type BOM ¶ added in v0.13.0
type BOM struct {
JsonMap map[string]interface{}
FormatInfo FormatSchema
SchemaInfo FormatSchemaInstance
CdxBom *CDXBom
// contains filtered or unexported fields
}
Candidate SBOM document (context) information TODO: rename to SBOM to jive more with Go conventions; although it may look like a constant unless we expand the name...
func (*BOM) GetCdxComponents ¶ added in v0.13.0
func (bom *BOM) GetCdxComponents() (components []CDXComponent)
func (*BOM) GetCdxMetadata ¶ added in v0.13.0
func (bom *BOM) GetCdxMetadata() (metadata *CDXMetadata)
func (*BOM) GetCdxMetadataComponent ¶ added in v0.13.0
func (bom *BOM) GetCdxMetadataComponent() (component *CDXComponent)
func (*BOM) GetCdxMetadataLicenses ¶ added in v0.13.0
func (bom *BOM) GetCdxMetadataLicenses() (licenses []CDXLicenseChoice)
func (*BOM) GetCdxMetadataProperties ¶ added in v0.13.0
func (bom *BOM) GetCdxMetadataProperties() (properties []CDXProperty)
func (*BOM) GetCdxServices ¶ added in v0.13.0
func (bom *BOM) GetCdxServices() (services []CDXService)
func (*BOM) GetCdxVulnerabilities ¶ added in v0.13.0
func (bom *BOM) GetCdxVulnerabilities() (vulnerabilities []CDXVulnerability)
func (*BOM) GetFilename ¶ added in v0.13.0
func (*BOM) GetFilenameInterpolated ¶ added in v0.13.0
func (*BOM) GetJSONMap ¶ added in v0.13.0
func (*BOM) GetKeyValueAsString ¶ added in v0.13.0
func (*BOM) GetRawBytes ¶ added in v0.13.0
func (*BOM) UnmarshalBOMAsJSONMap ¶ added in v0.13.0
func (*BOM) UnmarshalCycloneDXBOM ¶ added in v0.13.0
type BOMFormatAndSchemaConfig ¶ added in v0.13.0
type BOMFormatAndSchemaConfig struct {
Formats []FormatSchema `json:"formats"`
// contains filtered or unexported fields
}
Configs
func (*BOMFormatAndSchemaConfig) FindFormatAndSchema ¶ added in v0.13.0
func (schemaConfig *BOMFormatAndSchemaConfig) FindFormatAndSchema(bom *BOM) (err error)
func (*BOMFormatAndSchemaConfig) InnerLoadSchemaConfigFile ¶ added in v0.13.0
func (config *BOMFormatAndSchemaConfig) InnerLoadSchemaConfigFile(filename string, defaultFilename string) (err error)
TODO: Add error messages as constants (for future i18n) TODO: Support remote schema retrieval as an optional program flag However, we want to default to local for performance where possible as well as plan for local, secure bundling of schema with this utility in CI build systems (towards improved security, isolated builds) NOTE: we have also found that standards orgs. freely move their schema files within SCM systems thereby being a cause for remote retrieval failures.
func (*BOMFormatAndSchemaConfig) LoadSchemaConfigFile ¶ added in v0.13.0
func (config *BOMFormatAndSchemaConfig) LoadSchemaConfigFile(filename string, defaultFilename string) (err error)
func (*BOMFormatAndSchemaConfig) Reset ¶ added in v0.13.0
func (config *BOMFormatAndSchemaConfig) Reset()
type CDXAdvisory ¶
type CDXAdvisory struct {
Title string `json:"title,omitempty"` // v1.4
Url string `json:"url,omitempty"` // v1.4
}
v1.4: created "releaseNotes" defn. Note: "url" is of type "iri-reference"
type CDXAffect ¶
type CDXAffect struct {
Versions []CDXVersionRange `json:"versions,omitempty"` // v1.4: anon. type
Ref CDXRefLinkType `json:"ref,omitempty"` // v1.5: added
}
v1.4: created "analysis" def. to represent an in-line, anon. type v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"] Note: This anon. "type" ONLY includes a single array of another in-line type TODO: create top-level defn. for "affect" anon. type
func (*CDXAffect) MarshalJSON ¶ added in v0.11.0
type CDXAnalysis ¶
type CDXAnalysis struct {
State string `json:"state,omitempty"` // v1.4
Justification string `json:"justification,omitempty"` // v1.4
Response []string `json:"response,omitempty"` // v1.4: anon. type
Detail string `json:"detail,omitempty"` // v1.4
FirstIssued string `json:"firstIssued,omitempty"` // v1.5: added
LastUpdated string `json:"lastUpdated,omitempty"` // v1.5: added
}
v1.4: created "analysis" def. to represent an in-line, anon. type defined in the "vulnerability" object defn. v1.5: added "firstIssued", "lastUpdated" Note: "state" is an "impactAnalysisState" type which is a constrained enum. of type `string` Note: "justification" is an "impactAnalysisJustification" type which is a constrained enum. of type `string` TODO: "response" is also "in-lined" as a constrained enum. of `string`, but SHOULD be declared at top-level
type CDXAnnotation ¶ added in v0.13.0
type CDXAnnotation struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
Subjects []CDXSubject `json:"subjects,omitempty"` // v1.5
Annotator CDXAnnotator `json:"annotator,omitempty"` // v1.5
Timestamp string `json:"timestamp,omitempty"` // v1.5
Text string `json:"text,omitempty"` // v1.5
Signature JSFSignature `json:"signature,omitempty"` // v1.5
}
v1.5 "annotations" and sub-schema added ("required": ["subjects","annotator","timestamp","text"])
type CDXAnnotator ¶ added in v0.13.0
type CDXAnnotator struct {
Organization CDXOrganizationalEntity `json:"organization,omitempty"` // v1.5
Individual CDXOrganizationalContact `json:"individual,omitempty"` // v1.5
Component CDXComponent `json:"component,omitempty"` // v1.5
Service CDXService `json:"service,omitempty"` // v1.5
}
v1.5 added to represent the anonymous type defined in the "annotations" object required" oneOf: organization, individual, component, service
type CDXApproach ¶ added in v0.13.0
type CDXApproach struct {
Type string `json:"type,omitempty"` // v1.5
}
v1.5: added "Learning types describing the learning problem or hybrid learning problem." "enum": ["supervised","unsupervised","reinforcement-learning","semi-supervised","self-supervised"]
type CDXAttachment ¶
type CDXAttachment struct {
ContentType string `json:"contentType,omitempty"`
Encoding string `json:"encoding,omitempty"`
Content string `json:"content,omitempty"`
}
v1.2: existed
func (*CDXAttachment) MarshalJSON ¶ added in v0.11.0
func (value *CDXAttachment) MarshalJSON() ([]byte, error)
recreate a representation of the struct, but only include values in map that are not empty
type CDXBom ¶
type CDXBom struct {
BOMFormat string `json:"bomFormat,omitempty"`
SpecVersion string `json:"specVersion,omitempty"`
SerialNumber string `json:"serialNumber,omitempty"`
Version int `json:"version,omitempty"`
Metadata *CDXMetadata `json:"metadata,omitempty"`
Components *[]CDXComponent `json:"components,omitempty"`
Services *[]CDXService `json:"services,omitempty"`
ExternalReferences []CDXExternalReference `json:"externalReferences,omitempty"`
Dependencies []CDXDependency `json:"dependencies,omitempty"`
Compositions []CDXCompositions `json:"compositions,omitempty" cdx:"+1.3"` // v1.3 added
Vulnerabilities []CDXVulnerability `json:"vulnerabilities,omitempty" cdx:"+1.4"` // v1.4 added
Signature JSFSignature `json:"signature,omitempty" cdx:"+1.4"` // v1.4 added
Annotations []CDXAnnotation `json:"annotations,omitempty" cdx:"+1.5"` // v1.5 added
Formulation []CDXFormula `json:"formulation,omitempty" cdx:"+1.5"` // v1.5 added
Properties []CDXProperty `json:"properties,omitempty" cdx:"+1.5"` // v1.5 added
}
NOTE: During parsing, any fields not explicitly included in the structure will still be added as generic "interface{}" types v1.3: added "compositions" v1.4: added "vulnerabilities", "signature" v1.5: added "annotations", "formulation", "properties"
func UnMarshalDocument ¶
type CDXBomLink ¶ added in v0.13.0
type CDXBomLink string
v1.5 added. Constraints: "anyOf": ["#/definitions/bomLinkDocumentType", "#/definitions/bomLinkElementType"] TODO see what happens if we use a struct with the 2 possible types (i.e., an interface{})
func (CDXBomLink) String ¶ added in v0.13.0
func (link CDXBomLink) String() string
type CDXBomLinkDocumentType ¶ added in v0.13.0
type CDXBomLinkDocumentType string
v1.5 added. Constraints: "format": "iri-reference", "pattern": "^urn:cdx: ... "
func (CDXBomLinkDocumentType) String ¶ added in v0.13.0
func (link CDXBomLinkDocumentType) String() string
v1.5 added Stringer interface
type CDXBomLinkElementType ¶ added in v0.13.0
type CDXBomLinkElementType string
v1.5 added. Constraints: "format": "iri-reference", "pattern": "^urn:cdx: ... "
func (CDXBomLinkElementType) String ¶ added in v0.13.0
func (link CDXBomLinkElementType) String() string
v1.5 added Stringer interface
type CDXCommand ¶ added in v0.13.0
type CDXCommand struct {
Executed bool `json:"executed,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXCommit ¶
type CDXCommit struct {
Uid string `json:"uid,omitempty"`
Url string `json:"url,omitempty"`
Message string `json:"message,omitempty"`
Author CDXIdentifiableAction `json:"author,omitempty"`
Committer CDXIdentifiableAction `json:"committer,omitempty"`
}
v1.2: existed TODO: GitHub PRs MAY have more than 1 commit (committer); CDX needs to account for this
type CDXComponent ¶
type CDXComponent struct {
Primary bool `json:"-"` // Proprietary: do NOT marshal/unmarshal
Type string `json:"type,omitempty"` // Constraint: enum [see schema]
MimeType string `json:"mime-type,omitempty"`
BOMRef CDXRefType `json:"bom-ref,omitempty"`
Supplier CDXOrganizationalEntity `json:"supplier,omitempty"`
Author string `json:"author,omitempty"`
Publisher string `json:"publisher,omitempty"`
Group string `json:"group,omitempty"`
Name string `json:"name,omitempty"`
Version string `json:"version,omitempty"`
Description string `json:"description,omitempty"`
Scope string `json:"scope,omitempty"` // Constraint: "enum": ["required","optional","excluded"]
Hashes []CDXHash `json:"hashes,omitempty"`
Licenses []CDXLicenseChoice `json:"licenses,omitempty"`
Copyright string `json:"copyright,omitempty"`
Cpe string `json:"cpe,omitempty"` // See: https://nvd.nist.gov/products/cpe
Purl string `json:"purl,omitempty"` // See: https://github.com/package-url/purl-spec
Swid CDXSwid `json:"swid,omitempty"` // See: https://www.iso.org/standard/65666.html
Pedigree CDXPedigree `json:"pedigree,omitempty"` // anon. type
ExternalReferences []CDXExternalReference `json:"externalReferences,omitempty"`
Components []CDXComponent `json:"components,omitempty"`
Evidence CDXComponentEvidence `json:"evidence,omitempty"` // v1.3: added
Properties []CDXProperty `json:"properties,omitempty"` // v1.3: added
Modified bool `json:"modified,omitempty" cdx:"deprecated"` // v1.4: deprecated
ReleaseNotes []CDXReleaseNotes `json:"releaseNotes,omitempty"` // v1.4: added
Signature JSFSignature `json:"signature,omitempty"` // v1.4: added
ModelCard CDXModelCard `json:"modelCard,omitempty"` // v1.5: added
Data []CDXComponentData `json:"data,omitempty"` // v1.5: added
}
v1.2: existed v1.3: added: "evidence", "properties" v1.4: added: "releaseNotes", "signature" v1.4: changed: "version" no longer required v1.4: deprecated: "modified", "cpe", "swid" v1.5: added Note: "bom-ref" is a "refType" which is a constrained `string` TODO: "mime-type" SHOULD become "media-type" which is more modern/inclusive TODO: Remove "service" from "Type" enum. as "service" now exists (deprecate in future versions)
func UnMarshalComponent ¶
func UnMarshalComponent(data interface{}) (CDXComponent, error)
func UnMarshalComponents ¶
func UnMarshalComponents(data interface{}) ([]CDXComponent, error)
type CDXComponentData ¶ added in v0.13.0
type CDXComponentData struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"`
Type string `json:"type,omitempty"` // Constraint: "enum": ["source-code","configuration","dataset","definition","other"]
Name string `json:"name,omitempty"`
Contents CDXContent `json:"contents,omitempty"`
Classification CDXDataClassification `json:"classification,omitempty"`
SensitiveData []string `json:"sensitiveData,omitempty"`
Graphics CDXGraphicsCollection `json:"graphics,omitempty"`
Description string `json:"description,omitempty"`
Governance CDXDataGovernance `json:"governance,omitempty"`
}
v1.5 added The general theme or subject matter of the data being specified. TODO: "contents" is plural, but it is not an array
type CDXComponentEvidence ¶
type CDXComponentEvidence struct {
Licenses []CDXLicense `json:"licenses,omitempty"`
Copyright []CDXCopyright `json:"copyright,omitempty"`
}
v1.3: created "componentEvidence" defn.
type CDXCompositions ¶
type CDXCompositions struct {
Aggregate string `json:"aggregate,omitempty"`
Assemblies []string `json:"assemblies,omitempty"`
Dependencies []string `json:"dependencies,omitempty"`
Signature JSFSignature `json:"signature,omitempty"` // v1.4: added
Vulnerabilities []CDXVulnerability `json:"vulnerabilities,omitempty"` // v1.5: added
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5: added
}
v1.3: created "compositions" defn. v1.4: added "signature" v1.5: added "bom-ref", "vulnerabilities" Note: "aggregate" is type `aggregateType` which is a constrained string TODO: Should not be plural; open issue against v2.0 schema
type CDXCondition ¶ added in v0.13.0
type CDXCondition struct {
Description string `json:"description,omitempty"` // v1.5
Expression string `json:"expression,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXConfidenceInterval ¶ added in v0.13.0
type CDXConfidenceInterval struct {
LowerBound string `json:"lowerBound,omitempty"` // v1.5
UpperBound string `json:"upperBound,omitempty"` // v1.5
}
v1.5: added
type CDXConsiderations ¶ added in v0.13.0
type CDXConsiderations struct {
Users []string `json:"users,omitempty"` // v1.5
UseCases []string `json:"useCases,omitempty"` // v1.5
TechnicalLimitations []string `json:"technicalLimitations,omitempty"` // v1.5
PerformanceTradeoffs []string `json:"performanceTradeoffs,omitempty"` // v1.5
EthicalConsiderations []CDXRisk `json:"ethicalConsiderations,omitempty"` // v1.5
FairnessAssessments []CDXFairnessAssessment `json:"fairnessAssessments,omitempty"` // v1.5
}
v1.5: added (anonymous type) Considerations that should be taken into account regarding the model's construction, training, and application
type CDXContent ¶ added in v0.13.0
type CDXContent struct {
Attachment CDXAttachment `json:"attachment,omitempty"`
Url string `json:"url,omitempty"`
Properties []CDXProperty `json:"properties,omitempty"`
}
v1.5 added
type CDXCopyright ¶
type CDXCopyright struct {
Text string `json:"text,omitempty"`
}
v1.3: created "copyright" defn.
type CDXCreationTools ¶ added in v0.13.0
type CDXCreationTools struct {
Components []CDXComponent `json:"components,omitempty" cdx:"+1.5"` // v1.5: added (new type)
Services []CDXService `json:"services,omitempty" cdx:"+1.5"` // v1.5: added (new type)
}
v1.5: created. Intended to be used instead of (legacy) Creation Tools which was deprecated
type CDXCredit ¶
type CDXCredit struct {
Organizations []CDXOrganizationalEntity `json:"organizations,omitempty"` // v1.4
Individuals []CDXOrganizationalContact `json:"individuals,omitempty"` // v1.4
}
v1.4: created "credit" defn. to represent the in-line, anon. type found in the "vulnerability" type defn.
func (*CDXCredit) MarshalJSON ¶ added in v0.11.0
type CDXDataClassification ¶
type CDXDataClassification string // Constraint: "enum": ["inbound", "outbound", "bi-directional", "unknown"]
v1.5 added. Replaced former "object" type in favor of "string" Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
type CDXDataGovernance ¶ added in v0.13.0
type CDXDataGovernance struct {
Custodians []CDXDataGovernanceResponsibleParty `json:"custodians,omitempty"`
Stewards [][]CDXDataGovernanceResponsibleParty `json:"stewards,omitempty"`
Owners [][]CDXDataGovernanceResponsibleParty `json:"owners,omitempty"`
}
v1.5 added
type CDXDataGovernanceResponsibleParty ¶ added in v0.13.0
type CDXDataGovernanceResponsibleParty struct {
Organization CDXOrganizationalEntity `json:"organization,omitempty"`
Contact CDXOrganizationalContact `json:"contact,omitempty"`
}
v1.5 added Constraints: "oneOf": ["organization", "contact"]
type CDXDataset ¶ added in v0.13.0
type CDXDataset struct {
CDXComponentData
Ref CDXRefLinkType `json:"ref,omitempty"` // v1.5
}
v1.5: added. v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"] TODO: actually, "Ref" should be its own anonymous type with "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"]
type CDXDependency ¶
type CDXDependency struct {
Ref CDXRefLinkType `json:"ref,omitempty"`
DependsOn []CDXRefLinkType `json:"dependsOn,omitempty"`
}
v1.2: existed v1.4: "ref" and "dependsOn" became type "refType" which is a constrained `string` v1.5: "ref": is now a constrained "string" of type "#/definitions/refLinkType" v1.5: "dependsOn": is now a constrained "string" of type "#/definitions/refLinkType"
type CDXDiff ¶
type CDXDiff struct {
Text CDXAttachment `json:"text,omitempty"`
Url string `json:"url,omitempty"` // v1.3: type changed to "iri-reference"
}
v1.2: existed v1.3 "url" type changed from `string` (with constraints) to an "iri-reference"
type CDXEvent ¶ added in v0.13.0
type CDXEvent struct {
Uid string `json:"uid,omitempty"` // v1.5
Description string `json:"description,omitempty"` // v1.5
TimeReceived string `json:"timeReceived,omitempty"` // v1.5
Data CDXAttachment `json:"data,omitempty"` // v1.5
Source CDXResourceReferenceChoice `json:"source,omitempty"` // v1.5
Target CDXResourceReferenceChoice `json:"target,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
type CDXExternalReference ¶
type CDXExternalReference struct {
Url string `json:"url,omitempty"`
Comment string `json:"comment,omitempty"`
Type string `json:"type,omitempty"`
Hashes []CDXHash `json:"hashes,omitempty"` // v1.3: added
}
v1.2: existed v1.3: added "hashes" v1.4: `Type` field: added value "release-notes" to enum.
type CDXFairnessAssessment ¶ added in v0.13.0
type CDXFairnessAssessment struct {
GroupAtRisk string `json:"groupAtRisk,omitempty"` // v1.5
Benefits string `json:"benefits,omitempty"` // v1.5
Harms string `json:"harms,omitempty"` // v1.5
MitigationStrategy string `json:"mitigationStrategy,omitempty"` // v1.5
}
v1.5: added Information about the benefits and harms of the model to an identified at risk group.
type CDXFormula ¶ added in v0.13.0
type CDXFormula struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
Components []CDXComponent `json:"components,omitempty"` // v1.5
Services []CDXService `json:"services,omitempty"` // v1.5
Workflows []CDXWorkflow `json:"workflows,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXGraphic ¶ added in v0.13.0
type CDXGraphic struct {
Name string `json:"name,omitempty"` // v1.5
Image CDXAttachment `json:"image,omitempty"` // v1.5
}
v1.5: added
type CDXGraphicsCollection ¶ added in v0.13.0
type CDXGraphicsCollection struct {
Description string `json:"description,omitempty"` // v1.5
Collection []CDXGraphic `json:"collection,omitempty"` // v1.5
}
v1.5: added
type CDXHash ¶
v1.2: existed Note: "alg" is of type "hash-alg" which is a constrained `string` type Note: "content" is of type "hash-content" which is a constrained `string` type
type CDXIdentifiableAction ¶
type CDXIdentifiableAction struct {
Timestamp string `json:"timestamp,omitempty"`
Name string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
}
v1.2: existed TODO: We should suggest this be "deprecated" and instead add "timestamp" and other fields to OrganizationalContact (or similar) TODO: should have "signage" information (e.g., evidence, public key)
type CDXInputOutputMLParameters ¶ added in v0.13.0
type CDXInputOutputMLParameters struct {
Format string `json:"format,omitempty"` // v1.5
}
v1.5: added "The data format for input/output to the model. Example formats include string, image, time-series",
type CDXInputType ¶ added in v0.13.0
type CDXInputType struct {
Source CDXResourceReferenceChoice `json:"source,omitempty"` // v1.5
Target CDXResourceReferenceChoice `json:"target,omitempty"` // v1.5
Resource CDXResourceReferenceChoice `json:"resource,omitempty"` // v1.5
Data CDXAttachment `json:"data,omitempty"` // v1.5
Parameters []CDXParameter `json:"parameters,omitempty"` // v1.5
EnvironmentVars []interface{} `json:"environmentVars,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added TODO: see if we can improve "environmentVars" types which is "oneOf": ["#/definitions/property", "string"]
type CDXIssue ¶
type CDXIssue struct {
Type string `json:"type,omitempty"`
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Description string `json:"description,omitempty"`
Source CDXSource `json:"source,omitempty"`
References []string `json:"references,omitempty"` // v1.3: added missing `string` type
}
v1.2: existed Note: v1.2 Bug: there appears to be a bug in the 1.2 spec. where the type for "references" is declared an array of "no type" (it likely should be `string`) Not sure how a parser will treat this... perhaps as an `interface{}`? v1.3: fixed to be []string
type CDXLegacyCreationTool ¶ added in v0.13.0
type CDXLegacyCreationTool struct {
Vendor string `json:"vendor,omitempty" cdx:"deprecated"` // v1.5: deprecated
Name string `json:"name,omitempty" cdx:"deprecated"` // v1.5: deprecated
Version string `json:"version,omitempty" cdx:"deprecated"` // v1.5: deprecated
Hashes []CDXHash `json:"hashes,omitempty" cdx:"deprecated"` // v1.5: deprecated
ExternalReferences []CDXExternalReference `json:"externalReferences,omitempty" cdx:"+1.4"` // v1.4: added, v1.5: deprecated
}
v1.2: existed v1.4: added "externalReferences" v1.5: deprecated "Creation Tools (legacy)" object in favor of new "Creation Tools" object - v1.5 Note: The v1.4 structure/fields is now called the "Creation Tools (legacy)" structure - v1.5: In order to support the new object "Creation Tools", we need to combine these fields into with the legacy structure fields
type CDXLicense ¶
type CDXLicense struct {
Id string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Text CDXAttachment `json:"text,omitempty"`
Url string `json:"url,omitempty"`
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5: added
Licensing CDXLicensing `json:"licensing,omitempty"` // v1.5: added
Properties []CDXProperty `json:"properties,omitempty"` // v1.5: added
}
v1.2: was an anon. type v1.3: created Note: "id" SHOULD be an SPDX license ID Note: "oneOf": ["id", "name"] is required
func (*CDXLicense) MarshalJSON ¶ added in v0.11.0
func (value *CDXLicense) MarshalJSON() (bytes []byte, err error)
recreate a representation of the struct, but only include values in map that are not empty
type CDXLicenseChoice ¶
type CDXLicenseChoice struct {
License CDXLicense `json:"license,omitempty"`
//Expression string `json:"expression,omitempty"`
CDXLicenseExpression
}
v1.2: was an anon. type in schema v1.3: created explicit schema object type Note: "oneOf": ["license", "expression"] is required
func UnMarshalLicenseChoice ¶
func UnMarshalLicenseChoice(data interface{}) (CDXLicenseChoice, error)
func (*CDXLicenseChoice) MarshalJSON ¶ added in v0.11.0
func (value *CDXLicenseChoice) MarshalJSON() (marshalled []byte, err error)
TODO: v1.5: no longer works with addition of "Licensing" object (requires deep compare/copy)
type CDXLicenseExpression ¶ added in v0.13.0
type CDXLicenseExpression struct {
Expression string `json:"expression,omitempty"`
BOMRef CDXRefType `json:"bom-ref,omitempty"`
}
v1.5: added
type CDXLicenseLegalParty ¶ added in v0.13.0
type CDXLicenseLegalParty struct {
Organization CDXOrganizationalEntity `json:"organization,omitempty"`
Individual CDXOrganizationalContact `json:"individual,omitempty"`
}
v1.5: created for reuse in "licensing" schema for "licensee" and "licensor" TODO: reuse on "annotator" as well?
type CDXLicensing ¶ added in v0.13.0
type CDXLicensing struct {
AltIds []string `json:"altIds,omitempty"`
Licensor CDXLicenseLegalParty `json:"licensor,omitempty"`
Licensee CDXLicenseLegalParty `json:"licensee,omitempty"`
Purchaser CDXLicenseLegalParty `json:"purchaser,omitempty"`
PurchaseOrder string `json:"purchaseOrder,omitempty"`
LicenseTypes []string `json:"licenseTypes,omitempty"` // Constraint: enum[see schema]
LastRenewal string `json:"lastRenewal,omitempty"`
Expiration string `json:"expiration,omitempty"`
}
v1.5: added
type CDXLifecycle ¶ added in v0.13.0
type CDXLifecycle struct {
// v1.5: "enum": [ "design", "pre-build", "build", "post-build", "operations", "discovery", "decommission"]
Phase string `json:"phase,omitempty"`
CDXNameDescription // name, description
}
type CDXMetadata ¶
type CDXMetadata struct {
Timestamp string `json:"timestamp,omitempty"`
Tools interface{} `json:"tools,omitempty"` // v1.2: added.v1.5: "tools" is now an interface{}
Authors []CDXOrganizationalContact `json:"authors,omitempty"`
Component CDXComponent `json:"component,omitempty"`
Manufacturer CDXOrganizationalEntity `json:"manufacturer,omitempty"`
Supplier CDXOrganizationalEntity `json:"supplier,omitempty"`
Licenses []CDXLicenseChoice `json:"licenses,omitempty"` // v1.3 added
Properties []CDXProperty `json:"properties,omitempty"` // v1.3 added
Lifecycles []CDXLifecycle `json:"lifecycles,omitempty"` // v1.5 added
}
v1.2: existed v1.3: added "licenses", "properties" v1.5: added "lifecycles"
func UnMarshalMetadata ¶
func UnMarshalMetadata(data interface{}) (CDXMetadata, error)
type CDXModelCard ¶ added in v0.13.0
type CDXModelCard struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
ModelParameters CDXModelParameters `json:"modelParameters,omitempty"` // v1.5
QuantitativeAnalysis CDXQuantitativeAnalysis `json:"quantitativeAnalysis,omitempty"` // v1.5
Considerations CDXConsiderations `json:"considerations,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXModelParameters ¶ added in v0.13.0
type CDXModelParameters struct {
Approach CDXApproach `json:"approach,omitempty"` // v1.5
Task string `json:"task,omitempty"` // v1.5
ArchitectureFamily string `json:"architectureFamily,omitempty"` // v1.5
ModelArchitecture string `json:"modelArchitecture,omitempty"` // v1.5
Datasets []CDXDataset `json:"datasets,omitempty"` // v1.5
Inputs []CDXInputOutputMLParameters `json:"inputs,omitempty"` // v1.5
Outputs []CDXInputOutputMLParameters `json:"outputs,omitempty"` // v1.5
}
v1.5: added
type CDXNameDescription ¶ added in v0.13.0
type CDXNameDescription struct {
Name string `json:"name,omitempty"`
Description string `json:"description,omitempty"`
}
v1.5 new type for "metadata"
type CDXNote ¶
type CDXNote struct {
Locale string `json:"locale,omitempty"`
Text CDXAttachment `json:"attachment,omitempty"`
}
v1.4: created "note" defn. Note: "locale" is of type "localeType" which is a constrained `string`
type CDXOrganizationalContact ¶
type CDXOrganizationalContact struct {
Name string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
Phone string `json:"phone,omitempty"`
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5 added
}
v1.2: existed v1.5: added "bom-ref"
type CDXOrganizationalEntity ¶
type CDXOrganizationalEntity struct {
Name string `json:"name,omitempty"`
Url []string `json:"url,omitempty"`
Contact []CDXOrganizationalContact `json:"contact,omitempty"`
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5 added
}
v1.2: existed v1.5: added "bom-ref"
type CDXOutputType ¶ added in v0.13.0
type CDXOutputType struct {
Type string `json:"type,omitempty"` // "enum": ["artifact", "attestation", "log", "evidence", "metrics", "other"]
Source CDXResourceReferenceChoice `json:"source,omitempty"` // v1.5
Target CDXResourceReferenceChoice `json:"target,omitempty"` // v1.5
Resource CDXResourceReferenceChoice `json:"resource,omitempty"` // v1.5
Data CDXAttachment `json:"data,omitempty"` // v1.5
EnvironmentVars []interface{} `json:"environmentVars,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added TODO: likely nothing better we can do for "environmentVars" which is type "oneOf": ["#/definitions/property", "string"]
type CDXParameter ¶ added in v0.13.0
type CDXParameter struct {
Name string `json:"name,omitempty"` // v1.5
Value string `json:"value,omitempty"` // v1.5
DataType string `json:"dataType,omitempty"` // v1.5
}
v1.5: added
type CDXPatch ¶
type CDXPatch struct {
Type string `json:"type,omitempty"`
Diff CDXDiff `json:"diff,omitempty"`
Resolves []CDXIssue `json:"resolves,omitempty"`
}
v1.2: existed
type CDXPedigree ¶
type CDXPedigree struct {
Ancestors []CDXComponent `json:"ancestors,omitempty"`
Descendants []CDXComponent `json:"descendants,omitempty"`
Variants []CDXComponent `json:"variants,omitempty"`
Commits []CDXCommit `json:"commits,omitempty"`
Patches []CDXPatch `json:"patches,omitempty"`
Notes string `json:"notes,omitempty"`
}
v1.2: existed as an anon. type in the "component" type defn. The "Notes" (plural) should likely be multiple strings or text annotations TODO: create top-level defn. for "pedigree" anon. type
type CDXPerformanceMetric ¶ added in v0.13.0
type CDXPerformanceMetric struct {
Type string `json:"type,omitempty"` // v1.5
Value string `json:"value,omitempty"` // v1.5
Slice string `json:"slice,omitempty"` // v1.5
ConfidenceInterval CDXConfidenceInterval `json:"confidenceInterval,omitempty"` // v1.5
}
v1.5: added
type CDXProofOfConcept ¶ added in v0.13.0
type CDXProofOfConcept struct {
ReproductionSteps string `json:"reproductionSteps,omitempty"` // v1.5: added
Environment string `json:"environment,omitempty"` // v1.5: added
SupportingMaterial []CDXSupportingMaterial `json:"supportingMaterial,omitempty"` // v1.5: added
}
v1.5: created ("reproductionSteps", "environment", "supportingMaterial") TODO: "supportingMaterial" should be plural as it is an "array"
type CDXProperty ¶
type CDXProperty struct {
Name string `json:"name,omitempty"`
Value string `json:"value,omitempty"`
}
v1.3: created "property" defn.
func UnMarshalProperties ¶
func UnMarshalProperties(data interface{}) (properties []CDXProperty, err error)
func UnMarshalProperty ¶
func UnMarshalProperty(data interface{}) (property CDXProperty, err error)
func (*CDXProperty) Equals ¶
func (property *CDXProperty) Equals(testProperty CDXProperty) bool
type CDXQuantitativeAnalysis ¶ added in v0.13.0
type CDXQuantitativeAnalysis struct {
PerformanceMetrics []CDXPerformanceMetric `json:"performanceMetrics,omitempty"` // v1.5
Graphics CDXGraphicsCollection `json:"graphics,omitempty"` // v1.5
}
v1.5: added (anonymous type)
type CDXRating ¶
type CDXRating struct {
Source CDXVulnerabilitySource `json:"source,omitempty"` // v1.4
Score float64 `json:"score,omitempty"` // v1.4
Severity string `json:"severity,omitempty"` // v1.4
Method string `json:"method,omitempty"` // v1.4
Vector string `json:"vector,omitempty"` // v1.4
Justification string `json:"justification,omitempty"` // v1.4
}
v1.4: created "rating" defn. Note: "score" is of type "number" which should map to `float64` Note: "severity" is of type "severity" which is a constrained `string` Note: "method" is of type "scoreMethod" which is a constrained `string`
type CDXRefLinkType ¶ added in v0.13.0
type CDXRefLinkType CDXRefType // "allOf": [{"$ref": "#/definitions/refType"}]
v1.5 added
func (CDXRefLinkType) String ¶ added in v0.13.0
func (ref CDXRefLinkType) String() string
v1.5 added Stringer interface
type CDXRefType ¶ added in v0.13.0
type CDXRefType string
v1.4: added v1.5: added Constraints: "minLength": 1
func (CDXRefType) String ¶ added in v0.13.0
func (ref CDXRefType) String() string
v1.5: added Stringer interface
type CDXReleaseNotes ¶
type CDXReleaseNotes struct {
Type string `json:"type,omitempty"`
Title string `json:"title,omitempty"`
FeaturedImage string `json:"featuredImage,omitempty"`
SocialImage string `json:"socialImage,omitempty"`
Description string `json:"description,omitempty"`
Timestamp string `json:"timestamp,omitempty"`
Aliases []string `json:"aliases,omitempty"`
Tags []string `json:"tags,omitempty"`
Resolves []CDXIssue `json:"resolves,omitempty"`
Notes []CDXNote `json:"notes,omitempty"`
Properties []CDXProperty `json:"properties,omitempty"`
}
v1.4: created "releaseNotes" defn. TODO: should be singular "releaseNote"
type CDXResourceReferenceChoice ¶ added in v0.13.0
type CDXResourceReferenceChoice struct {
Ref CDXRefLinkType `json:"description,omitempty"` // v1.5
ExternalReference CDXExternalReference `json:"externalReference,omitempty"` // v1.5
}
v1.5: added v1.5: Note: "ref" is a constrained "string" which can be "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"] TODO: actually, "Ref" should be its own anonymous type with "anyOf": ["#/definitions/refLinkType", "#/definitions/bomLinkElementType"]
type CDXRisk ¶ added in v0.13.0
type CDXRisk struct {
Name string `json:"name,omitempty"` // v1.5
MitigationStrategy string `json:"mitigationStrategy,omitempty"` // v1.5
}
v1.5: added
type CDXService ¶
type CDXService struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"`
Provider CDXOrganizationalEntity `json:"provider,omitempty"`
Group string `json:"group,omitempty"`
Name string `json:"name,omitempty"`
Version string `json:"version,omitempty"`
Description string `json:"description,omitempty"`
Endpoints []string `json:"endpoints,omitempty"`
Authenticated bool `json:"authenticated,omitempty"`
XTrustBoundary bool `json:"x-trust-boundary,omitempty"`
TrustZone string `json:"trustZone,omitempty"`
Data []CDXServiceData `json:"data,omitempty"`
Licenses []CDXLicenseChoice `json:"licenses,omitempty"`
ExternalReferences []CDXExternalReference `json:"externalReferences,omitempty"`
Services []CDXService `json:"services,omitempty"`
Properties []CDXProperty `json:"properties,omitempty"` // v1.3: added
ReleaseNotes []CDXReleaseNotes `json:"releaseNotes,omitempty"` // v1.4: added
Signature JSFSignature `json:"signature,omitempty"` // v1.4: added
}
v1.2: existed v1.3: added: "properties" v1.4: added: "releaseNotes", "signature" v1.5: moved "data" object elements into "serviceData" object v1.5: added "trustZone" ----- TODO: a service is not all auth or not auth.; that is, we have multiple endpoints but only 1 boolean for "authenticated" (open spec. issue) TODO: Not sure the intent of having "nested" (hierarchical) services? TODO: Should support OpenAPI specification (documents) as canonical descriptors TODO: v1.2 "licenses" used to be an anon. type until v1.3 intro. the `LicenseChoice` def. validate a v1.2 SBOM wit the anon. type parses properly
type CDXServiceData ¶ added in v0.13.0
type CDXServiceData struct {
Flow string `json:"externalReferences,omitempty"`
Classification CDXDataClassification `json:"classification,omitempty"`
Name string `json:"name,omitempty"` // v1.5: added
Description string `json:"description,omitempty"` // v1.5: added
Governance CDXDataGovernance `json:"governance,omitempty"` // v1.5: added
Source string `json:"source,omitempty"` // v1.5: added
Destination string `json:"destination,omitempty"` // v1.5: added
}
v1.5: added. aggregated related date from v1.2-v1.4 and added additional fields v1.2-v1.4: "flow", "classification" existed TODO: "source" is a "oneOf" type (both currently resolve to string), but needs to be its own anonymous type TODO: "destination" is a "oneOf" type (both currently resolve to string), but needs to be its own anonymous type
type CDXSource ¶
v1.2: existed as anon. type Note: this is an anonymous type defined within "issue" defn. (i.e., "CDXIssue")
type CDXStep ¶ added in v0.13.0
type CDXStep struct {
Name string `json:"name,omitempty"` // v1.5
Description string `json:"description,omitempty"` // v1.5
Commands []CDXCommand `json:"commands,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXSubject ¶ added in v0.13.0
type CDXSubject string // v1.5
v1.5 added to represent the anonymous type defined in the "annotations" object Note: Since CDXSubject can be one of 2 other types (i.e., "#/definitions/refLinkType" and "#/definitions/bomLinkElementType") which both are "string" types we can also make it a "string" type as it does not affect constraint validation.
type CDXSupportingMaterial ¶ added in v0.13.0
type CDXSupportingMaterial struct {
ContentType string `json:"contentType,omitempty"` // v1.5: added
Encoding string `json:"encoding,omitempty"` // v1.5: added
Content string `json:"content,omitempty"` // v1.5: added
}
v1.5: created ("contentType", "encoding", "content")
type CDXSwid ¶
type CDXSwid struct {
TagId string `json:"tagId,omitempty"`
Name string `json:"name,omitempty"`
Version string `json:"version,omitempty"`
TagVersion int `json:"tagVersion,omitempty"`
Patch bool `json:"patch,omitempty"`
Text CDXAttachment `json:"attachment,omitempty"`
Url string `json:"url,omitempty"`
}
v1.2: existed v1.4: deprecated See: https://www.iso.org/standard/65666.html
type CDXTask ¶ added in v0.13.0
type CDXTask struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
Uid string `json:"uid,omitempty"` // v1.5
Name string `json:"name,omitempty"` // v1.5
Description string `json:"description,omitempty"` // v1.5
ResourceReferences []CDXResourceReferenceChoice `json:"resourceReferences,omitempty"` // v1.5
TaskTypes []CDXTaskType `json:"taskTypes,omitempty"` // v1.5
Trigger CDXTrigger `json:"trigger,omitempty"` // v1.5
Steps []CDXStep `json:"steps,omitempty"` // v1.5
Inputs []CDXInputType `json:"inputs,omitempty"` // v1.5
Outputs []CDXOutputType `json:"outputs,omitempty"` // v1.5
TimeStart string `json:"timeStart,omitempty"` // v1.5
TimeEnd string `json:"timeEnd,omitempty"` // v1.5
Workspaces []CDXWorkspace `json:"workspaces,omitempty"` // v1.5
RuntimeTopology []CDXDependency `json:"runtimeTopology,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXTaskType ¶ added in v0.13.0
type CDXTaskType string // v1.5
v1.5: added "enum": ["copy","clone","lint","scan","merge","build","test","deliver","deploy","release","clean","other"]
type CDXTrigger ¶ added in v0.13.0
type CDXTrigger struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
Uid string `json:"uid,omitempty"` // v1.5
Name string `json:"name,omitempty"` // v1.5
Description string `json:"description,omitempty"` // v1.5
ResourceReferences []CDXResourceReferenceChoice `json:"resourceReferences,omitempty"` // v1.5
Type string `json:"type,omitempty"` // v1.5 // "enum": ["manual", "api", "webhook","scheduled"]
Event CDXEvent `json:"event,omitempty"` // v1.5
Condition CDXCondition `json:"condition,omitempty"` // v1.5
TimeActivated string `json:"timeActivated,omitempty"` // v1.5
Inputs []CDXInputType `json:"inputs,omitempty"` // v1.5
Outputs []CDXOutputType `json:"outputs,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
type CDXVersionRange ¶
type CDXVersionRange struct {
Version string `json:"version,omitempty"` // v1.4
Range string `json:"range,omitempty"` // v1.4
Status string `json:"status,omitempty"` // v1.4
}
v1.4: created "version" def. to represent an in-line, anon. type Note "version" is a top-level defn. that is a constrained `string` type Note "affectedStatus" is a top-level defn. that is an enum. of `string` type Note: Both "version" constrains strings to a min/mac (1, 1024) length this concept SHOULD APPLY to all free-form text entries (e.g., descriptive text) TODO: create top-level defn. for "versions" (a.k.a. "versionRange") anon. type (name TBD)
type CDXVolume ¶ added in v0.13.0
type CDXVolume struct {
Uid string `json:"uid,omitempty"` // v1.5
Name string `json:"name,omitempty"` // v1.5
Mode string `json:"mode,omitempty"` // v1.5
Path string `json:"path,omitempty"` // v1.5
SizeAllocated string `json:"sizeAllocated,omitempty"` // v1.5
Persistent bool `json:"persistent,omitempty"` // v1.5
Remote bool `json:"remote,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXVulnerability ¶
type CDXVulnerability struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.4
Id string `json:"id,omitempty"` // v1.4
Source CDXVulnerabilitySource `json:"source,omitempty"` // v1.4
References []CDXVulnerabilityReference `json:"references"` // v1.4: anon. type
Ratings []CDXRating `json:"ratings,omitempty"` // v1.4
Cwes []int `json:"cwes,omitempty"` // v1.4
Description string `json:"description,omitempty"` // v1.4
Detail string `json:"detail,omitempty"` // v1.4
Recommendation string `json:"recommendation,omitempty"` // v1.4
Advisories []CDXAdvisory `json:"advisories,omitempty"` // v1.4
Created string `json:"created,omitempty"` // v1.4
Published string `json:"published,omitempty"` // v1.4
Updated string `json:"updated,omitempty"` // v1.4
Credits CDXCredit `json:"credits,omitempty"` // v1.4: anon. type
Tools interface{} `json:"tools,omitempty"` // v1.4: added; v1.5: changed to interface{}
Analysis CDXAnalysis `json:"analysis,omitempty"` // v1.4: anon. type
Affects []CDXAffect `json:"affects,omitempty"` // v1.4: anon. type
Properties []CDXProperty `json:"properties,omitempty"` // v1.4: added
Workaround string `json:"workaround,omitempty"` // v1.5: added
ProofOfConcept CDXProofOfConcept `json:"proofOfConcept,omitempty"` // v1.5: added
Rejected string `json:"rejected,omitempty"` // v1.5: added
}
v1.4: created "vulnerability" defn. v1.5: added "workaround", "proofOfConcept", "rejected" Note: "bom-ref" is a "ref-type" which is a constrained `string` Note: "cwes" is a array of "cwe" which is a constrained `int`
func (*CDXVulnerability) MarshalJSON ¶ added in v0.11.0
func (value *CDXVulnerability) MarshalJSON() ([]byte, error)
recreate a representation of the struct, but only include values in map that are not empty
type CDXVulnerabilityReference ¶ added in v0.13.0
type CDXVulnerabilityReference struct {
Id string `json:"id,omitempty"` // v1.4
Source CDXVulnerabilitySource `json:"source,omitempty"` // v1.4
}
v1.4 This is an anonymous type used in CDXVulnerability
func (*CDXVulnerabilityReference) MarshalJSON ¶ added in v0.13.0
func (value *CDXVulnerabilityReference) MarshalJSON() ([]byte, error)
type CDXVulnerabilitySource ¶
type CDXVulnerabilitySource struct {
Url string `json:"url,omitempty"` // v1.4
Name string `json:"name,omitempty"` // v1.4
}
v1.4: created "vulnerabilitySource" defn. Note: "url" is of type "string" (and not an "iri-reference") TODO: "url" SHOULD be an "iri-reference"
func (*CDXVulnerabilitySource) MarshalJSON ¶ added in v0.11.0
func (value *CDXVulnerabilitySource) MarshalJSON() ([]byte, error)
type CDXWorkflow ¶ added in v0.13.0
type CDXWorkflow struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
Uid string `json:"uid,omitempty"` // v1.5
Name string `json:"name,omitempty"` // v1.5
Description string `json:"description,omitempty"` // v1.5
ResourceReferences []CDXResourceReferenceChoice `json:"resourceReferences,omitempty"` // v1.5
Tasks []CDXTask `json:"tasks,omitempty"` // v1.5
TaskDependencies []CDXDependency `json:"taskDependencies,omitempty"` // v1.5
TaskTypes []CDXTaskType `json:"taskTypes,omitempty"` // v1.5
Trigger CDXTrigger `json:"trigger,omitempty"` // v1.5
Steps []CDXStep `json:"steps,omitempty"` // v1.5
Inputs []CDXInputType `json:"inputs,omitempty"` // v1.5
Outputs []CDXOutputType `json:"outputs,omitempty"` // v1.5
TimeStart string `json:"timeStart,omitempty"` // v1.5
TimeEnd string `json:"timeEnd,omitempty"` // v1.5
Workspaces []CDXWorkspace `json:"workspaces,omitempty"` // v1.5
RuntimeTopology []CDXDependency `json:"runtimeTopology,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CDXWorkspace ¶ added in v0.13.0
type CDXWorkspace struct {
BOMRef CDXRefType `json:"bom-ref,omitempty"` // v1.5
Uid string `json:"uid,omitempty"` // v1.5
Name string `json:"name,omitempty"` // v1.5
Aliases []string `json:"aliases,omitempty"` // v1.5
Description string `json:"description,omitempty"` // v1.5
ResourceReferences []CDXResourceReferenceChoice `json:"resourceReferences,omitempty"` // v1.5
AccessMode string `json:"accessMode,omitempty"` // v1.5
MountPath string `json:"mountPath,omitempty"` // v1.5
ManagedDataType string `json:"managedDataType,omitempty"` // v1.5
VolumeRequest string `json:"volumeRequest,omitempty"` // v1.5
Volume CDXVolume `json:"volume,omitempty"` // v1.5
Properties []CDXProperty `json:"properties,omitempty"` // v1.5
}
v1.5: added
type CustomValidation ¶
type CustomValidation struct {
Metadata CustomValidationMetadata `json:"metadata"`
}
type CustomValidationConfig ¶
type CustomValidationConfig struct {
Validation CustomValidation `json:"validation"`
}
var CustomValidationChecks CustomValidationConfig
Globals
func (*CustomValidationConfig) GetCustomValidationConfig ¶
func (config *CustomValidationConfig) GetCustomValidationConfig() *CustomValidation
TODO: return copies
func (*CustomValidationConfig) GetCustomValidationMetadata ¶
func (config *CustomValidationConfig) GetCustomValidationMetadata() *CustomValidationMetadata
func (*CustomValidationConfig) GetCustomValidationMetadataProperties ¶
func (config *CustomValidationConfig) GetCustomValidationMetadataProperties() []CustomValidationProperty
type CustomValidationMetadata ¶
type CustomValidationMetadata struct {
Properties []CustomValidationProperty `json:"properties"`
}
type CustomValidationProperty ¶
type CustomValidationProperty struct {
CDXProperty
Description string `json:"_validate_description"`
Key string `json:"_validate_key"`
CheckUnique string `json:"_validate_unique"`
CheckRegex string `json:"_validate_regex"`
}
NOTE: Assumes property "key" is the value in the "name" field
type FormatSchema ¶
type FormatSchema struct {
CanonicalName string `json:"canonicalName"`
PropertyKeyFormat string `json:"propertyKeyFormat"`
PropertyKeyVersion string `json:"propertyKeyVersion"`
PropertyValueFormat string `json:"propertyValueFormat"`
Schemas []FormatSchemaInstance `json:"schemas"`
}
Representation of SBOM format
func (*FormatSchema) IsCycloneDx ¶
func (format *FormatSchema) IsCycloneDx() bool
func (*FormatSchema) IsSpdx ¶
func (format *FormatSchema) IsSpdx() bool
type FormatSchemaInstance ¶
type FormatSchemaInstance struct {
Name string `json:"name"`
Version string `json:"version"`
Development string `json:"development"`
File string `json:"file"`
Url string `json:"url"`
Default bool `json:"default"`
Variant string `json:"variant"`
Format string `json:"format"` // value set from parent FormatSchema's `CanonicalName`
}
Representation of SBOM schema instance TODO: add support for schema (Hash) key if we end up having lots of entries e.g., key string where key: SchemaKey{ID_CYCLONEDX, VERSION_CYCLONEDX_1_3, false},
type JSFPublicKey ¶ added in v0.13.0
type JSFPublicKey struct {
Kty JSFKeyType `json:"kty,omitempty"` // Key Type
Crv string `json:"crv,omitempty"` // EC/OKP curve name
X string `json:"x,omitempty"` // X coordinate
Y string `json:"y,omitempty"` // Y coordinate
N string `json:"n,omitempty"` // RSA modulus
E string `json:"e,omitempty"` // RSA exponent
}
if kty (key type)== "EC"
- required: "crv" (EC curve name), "x", "y"
- constraint "crv": "enum": ["P-256","P-384","P-521"]
else if kty == "OKP"
- required: "crv" (EdDSA curve name), "x"
- constraint "crv" : "enum": ["Ed25519","Ed448"]
else if kty == "RSA"
- required: n, e
type JSFSignature ¶ added in v0.13.0
type JSFSignature struct {
// "Unique top level property for Multiple Signatures."
Signers []JSFSigner `json:"signers,omitempty"`
// "Unique top level property for Signature Chains."
Chain []JSFSigner `json:"chain,omitempty"`
// "Unique top level property for simple signatures."
Signature JSFSigner `json:"signature,omitempty"`
}
Note: struct will contain "oneOf": []"Signers", "Chain", "Signature"]
type JSFSigner ¶ added in v0.13.0
type JSFSigner struct {
Algorithm string `json:"algorithm,omitempty"`
KeyId string `json:"keyId,omitempty"`
PublicKey JSFPublicKey `json:"publicKey,omitempty"`
CertificatePath []string `json:"certificatePath,omitempty"`
Excludes []string `json:"excludes,omitempty"`
Value string `json:"value,omitempty"`
}
Algorithm: "Signature algorithm. The currently recognized JWA [RFC7518] and RFC8037
- constraint: "enum": ["RS256","RS384","RS512","PS256","PS384","PS512", "ES256","ES384","ES512","Ed25519","Ed448","HS256","HS384","HS512"]
- OR contains a URI for custom algorithm (name)
KeyId: "Optional. Application specific string identifying the signature key." PublicKey: "Optional. Public key object." CertificatePath: "Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the signature certificate. The certificate path must be contiguous but is not required to be complete." Excludes: "Optional. Array holding the names of one or more application level properties that must be excluded from the signature process. Note that the \"excludes\" property itself, must also be excluded from the signature process. Since both the \"excludes\" property and the associated data it points to are unsigned, a conforming JSF implementation must provide options for specifying which properties to accept." Value: "The signature data. Note that the binary representation must follow the JWA [RFC7518] specifications."
type UnsupportedFormatError ¶
type UnsupportedFormatError struct {
Type string
Message string
InputFile string
Format string
Version string
Variant string
Command string
Flags string
}
Format/schema error types
func NewUnknownFormatError ¶
func NewUnknownFormatError(f string) *UnsupportedFormatError
func NewUnsupportedFormatForCommandError ¶
func NewUnsupportedFormatForCommandError(f string, fmt string, cmd string, flags string) *UnsupportedFormatError
func (UnsupportedFormatError) Error ¶
func (err UnsupportedFormatError) Error() string
type UnsupportedSchemaError ¶
type UnsupportedSchemaError struct {
UnsupportedFormatError
}
func NewUnsupportedSchemaError ¶
func NewUnsupportedSchemaError(m string, format string, version string, variant string) *UnsupportedSchemaError
func (UnsupportedSchemaError) Error ¶
func (err UnsupportedSchemaError) Error() string
Source Files