{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-annotation-2.0.schema.json",
"type": "null",
"title": "CycloneDX Annotation Model",
"$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
"$defs": {
"annotations": {
"type": "array",
"items": {"$ref": "#/$defs/annotation"},
"uniqueItems": true,
"title": "Annotations",
"description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed."
},
"annotation": {
"type": "object",
"title": "Annotation",
"description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.",
"required": [
"subjects",
"annotator",
"timestamp",
"text"
],
"additionalProperties": false,
"properties": {
"bom-ref": {
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
"title": "BOM Reference",
"description": "An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nThe value SHOULD NOT start with the BOM-Link prefix 'urn:cdx:' to avoid conflicts with BOM-Links."
},
"subjects": {
"type": "array",
"uniqueItems": true,
"items": {
"anyOf": [
{
"title": "Ref",
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
},
{
"title": "BOM-Link Element",
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType"
}
]
},
"title": "Subjects",
"description": "The objects in the BOM identified by their bom-refs. These are often components or services, but may be any object type supporting bom-refs."
},
"annotator": {
"type": "object",
"title": "Annotator",
"description": "The organization, person, component, or service which created the textual content of the annotation.",
"oneOf": [
{
"required": [
"organization"
]
},
{
"required": [
"individual"
]
},
{
"required": [
"component"
]
},
{
"required": [
"service"
]
}
],
"additionalProperties": false,
"properties": {
"organization": {
"description": "The organization that created the annotation",
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntity"
},
"individual": {
"description": "The person that created the annotation",
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalContact"
},
"component": {
"description": "The tool or component that created the annotation",
"$ref": "cyclonedx-component-2.0.schema.json#/$defs/component"
},
"service": {
"description": "The service that created the annotation",
"$ref": "cyclonedx-service-2.0.schema.json#/$defs/service"
}
}
},
"timestamp": {
"type": "string",
"format": "date-time",
"title": "Timestamp",
"description": "The date and time (timestamp) when the annotation was created."
},
"text": {
"type": "string",
"title": "Text",
"description": "The textual content of the annotation."
},
"signatures": {
"$ref": "cyclonedx-common-2.0.schema.json#/$defs/signatures",
"title": "Signature",
"description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
}
}
}
}
}