CycloneDX v1.0 XML Reference

Schema Document Properties

Target Namespace http://cyclonedx.org/schema/bom/1.0
Version 1.0.1
Element and Attribute Namespaces
  • Global element and attribute declarations belong to this schema's target namespace.
  • By default, local element declarations belong to this schema's target namespace.
  • By default, local attribute declarations have no namespace.
Schema Composition
  • This schema imports schema(s) from the following namespace(s):
    • http://cyclonedx.org/schema/spdx (at http://cyclonedx.org/schema/spdx)
No documentation provided.
Prefix Namespace
xs http://www.w3.org/2001/XMLSchema
vc http://www.w3.org/2007/XMLSchema-versioning
bom http://cyclonedx.org/schema/bom/1.0
spdx http://cyclonedx.org/schema/spdx
xml http://www.w3.org/XML/1998/namespace
<xs:schema elementFormDefault="qualified" targetNamespace="http://cyclonedx.org/schema/bom/1.0" minVersion="1.0" maxVersion="1.1" version="1.0.1">
   <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
...
</xs:schema>

Global Declarations

Element: bom

Name bom
Type Locally-defined complex type
Nillable no
Abstract no
No documentation provided.
<bom:bom
 version="xs:integer" [0..1] 
 Allow any attributes from a namespace other than this schema's namespace (lax validation).
>
   <bom:components
    Allow any attributes from a namespace other than this schema's namespace (lax validation).
   > [1] 
      Start Sequence [0..*]
         <bom:component> bom:component </bom:component> [1]
      End Sequence
   </bom:components>
</bom:bom>
<xs:element name="bom">
   <xs:complexType>
      <xs:sequence>
         <xs:element name="components">
            <xs:complexType>
               <xs:sequence minOccurs="0" maxOccurs="unbounded">
                  <xs:element name="component" type="bom:component"/>
               </xs:sequence>
               <xs:anyAttribute namespace="##other" processContents="lax"/>
            </xs:complexType>
         </xs:element>
      </xs:sequence>
      <xs:attribute name="version" type="xs:integer" default="1"/>
      <xs:anyAttribute namespace="##other" processContents="lax"/>
   </xs:complexType>
</xs:element>

Global Definitions

Complex Type: component

Super-types: None
Sub-types: None
Name component
Abstract no
No documentation provided.
<...
 type="bom:classification" [1] 
 Allow any attributes from a namespace other than this schema's namespace (lax validation).
>
   <bom:publisher> xs:normalizedString </bom:publisher> [0..1] 
   <bom:group> xs:normalizedString </bom:group> [0..1] 
   <bom:name> xs:normalizedString </bom:name> [1] 
   <bom:version> xs:normalizedString </bom:version> [1] 
   <bom:description> xs:normalizedString </bom:description> [0..1] 
   <bom:scope> bom:scope </bom:scope> [0..1] 
   <bom:hashes> [0..1] 
      Start Sequence [0..*]
         <bom:hash> bom:hashType </bom:hash> [1]
      End Sequence
   </bom:hashes>
   <bom:licenses> [0..1] 
      Start Sequence [1..*]
         <bom:license> [1] 
            Start Choice [1]
               <bom:id> spdx:licenseId </bom:id> [0..*] 
               <bom:name> xs:normalizedString </bom:name> [0..*] 
            End Choice
         </bom:license>
      End Sequence
   </bom:licenses>
   <bom:copyright> xs:normalizedString </bom:copyright> [0..1] 
   <bom:cpe> bom:cpe </bom:cpe> [0..1] 
   <bom:purl> xs:anyURI </bom:purl> [0..1] 
   <bom:modified> xs:boolean </bom:modified> [1] 
   <bom:components> [0..1] 
      Start Sequence [0..*]
         <bom:component> bom:component </bom:component> [1]
      End Sequence
   </bom:components>
</...>
<xs:complexType name="component">
   <xs:sequence>
      <xs:element name="publisher" type="xs:normalizedString" minOccurs="0" maxOccurs="1"/>
      <xs:element name="group" type="xs:normalizedString" minOccurs="0" maxOccurs="1"/>
      <xs:element name="name" type="xs:normalizedString" minOccurs="1" maxOccurs="1"/>
      <xs:element name="version" type="xs:normalizedString" minOccurs="1" maxOccurs="1"/>
      <xs:element name="description" type="xs:normalizedString" minOccurs="0" maxOccurs="1"/>
      <xs:element name="scope" type="bom:scope" minOccurs="0" maxOccurs="1"/>
      <xs:element name="hashes" minOccurs="0" maxOccurs="1">
         <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="unbounded">
               <xs:element name="hash" type="bom:hashType"/>
            </xs:sequence>
         </xs:complexType>
      </xs:element>
      <xs:element name="licenses" minOccurs="0" maxOccurs="1">
         <xs:complexType>
            <xs:sequence minOccurs="1" maxOccurs="unbounded">
               <xs:element name="license">
                  <xs:complexType>
                     <xs:sequence>
                        <xs:choice>
                           <xs:element name="id" type="spdx:licenseId" minOccurs="0" maxOccurs="unbounded"/>
                           <xs:element name="name" type="xs:normalizedString" minOccurs="0" maxOccurs="unbounded"/>
                        </xs:choice>
                     </xs:sequence>
                  </xs:complexType>
               </xs:element>
            </xs:sequence>
         </xs:complexType>
      </xs:element>
      <xs:element name="copyright" type="xs:normalizedString" minOccurs="0" maxOccurs="1"/>
      <xs:element name="cpe" type="bom:cpe" minOccurs="0" maxOccurs="1"/>
      <xs:element name="purl" type="xs:anyURI" minOccurs="0" maxOccurs="1"/>
      <xs:element name="modified" type="xs:boolean" minOccurs="1" maxOccurs="1"/>
      <xs:element name="components" minOccurs="0" maxOccurs="1">
         <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="unbounded">
               <xs:element name="component" type="bom:component"/>
            </xs:sequence>
         </xs:complexType>
      </xs:element>
   </xs:sequence>
   <xs:attribute name="type" type="bom:classification" use="required"/>
   <xs:anyAttribute namespace="##other" processContents="lax"/>
</xs:complexType>

Complex Type: hashType

Super-types: xs:token < hashValue (by restriction) < hashType (by extension)
Sub-types: None
Name hashType
Abstract no
<...
 alg="bom:hashAlg" [1] 
>
    bom:hashValue
</...>
<xs:complexType name="hashType">
   <xs:simpleContent>
      <xs:extension base="bom:hashValue">
         <xs:attribute name="alg" type="bom:hashAlg" use="required"/>
      </xs:extension>
   </xs:simpleContent>
</xs:complexType>

Simple Type: classification

Super-types: xs:string < classification (by restriction)
Sub-types: None
Name classification
Content
  • Base XSD Type: string
  • value comes from list: {'application'|'framework'|'library'|'operating-system'|'device'}
No documentation provided.
<xs:simpleType name="classification">
   <xs:restriction base="xs:string">
      <xs:enumeration value="application"/>
      <xs:enumeration value="framework"/>
      <xs:enumeration value="library"/>
      <xs:enumeration value="operating-system"/>
      <xs:enumeration value="device"/>
   </xs:restriction>
</xs:simpleType>

Simple Type: cpe

Super-types: xs:string < cpe (by restriction)
Sub-types: None
Name cpe
Content
  • Base XSD Type: string
  • pattern = ([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})|(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})
<xs:simpleType name="cpe">
   <xs:restriction base="xs:string">
      <xs:pattern value="([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})|(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!&quot;#$$%&amp;'\(\)\+,/:;&lt;=&gt;@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!&quot;#$$%&amp;'\(\)\+,/:;&lt;=&gt;@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})"/>
   </xs:restriction>
</xs:simpleType>

Simple Type: hashAlg

Super-types: xs:string < hashAlg (by restriction)
Sub-types: None
Name hashAlg
Content
  • Base XSD Type: string
  • value comes from list: { 'MD5'| 'SHA-1'| 'SHA-256'| 'SHA-384'| 'SHA-512'| 'SHA3-256'| 'SHA3-512'}
No documentation provided.
<xs:simpleType name="hashAlg">
   <xs:restriction base="xs:string">
      <xs:enumeration value="MD5"/>
      <xs:enumeration value="SHA-1"/>
      <xs:enumeration value="SHA-256"/>
      <xs:enumeration value="SHA-384"/>
      <xs:enumeration value="SHA-512"/>
      <xs:enumeration value="SHA3-256"/>
      <xs:enumeration value="SHA3-512"/>
   </xs:restriction>
</xs:simpleType>

Simple Type: hashValue

Super-types: xs:token < hashValue (by restriction)
Sub-types:
Name hashValue
Content
  • Base XSD Type: token
  • pattern = ([a-fA-F0-9]{32})|([a-fA-F0-9]{40})|([a-fA-F0-9]{64})|([a-fA-F0-9]{96})|([a-fA-F0-9]{128})
No documentation provided.
<xs:simpleType name="hashValue">
   <xs:restriction base="xs:token">
      <xs:pattern value="([a-fA-F0-9]{32})|([a-fA-F0-9]{40})|([a-fA-F0-9]{64})|([a-fA-F0-9]{96})|([a-fA-F0-9]{128})"/>
   </xs:restriction>
</xs:simpleType>
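
The hashValue pattern accepts any of the five digest lengths regardless of the alg attribute on hashType, and hashes is optional on component, so a schema-valid BOM can still carry a digest whose length disagrees with its declared algorithm, or no digest at all. The check below is an added example, not part of the CycloneDX schema or project code; the sample BOM, the component names, the function name audit_hashes and the policy of treating MD5 and SHA-1 as weak are assumptions.

```python
import xml.etree.ElementTree as ET

BOM_NS = "http://cyclonedx.org/schema/bom/1.0"
NS = {"bom": BOM_NS}

# Hex-digit length of a digest for each value in the schema's hashAlg list.
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96,
           "SHA-512": 128, "SHA3-256": 64, "SHA3-512": 128}
WEAK = {"MD5", "SHA-1"}  # assumption: local policy treats these as weak

# Constructed sample BOM; component names and digests are made up.
SAMPLE_BOM = f"""<bom xmlns="{BOM_NS}" version="1">
  <components>
    <component type="library"><name>alpha</name><version>1.0</version>
      <hashes><hash alg="SHA-256">{'a' * 64}</hash></hashes>
      <modified>false</modified></component>
    <component type="library"><name>beta</name><version>2.0</version>
      <hashes><hash alg="SHA-256">{'b' * 32}</hash></hashes>
      <modified>false</modified></component>
    <component type="application"><name>gamma</name><version>3.1</version>
      <hashes><hash alg="MD5">{'c' * 32}</hash></hashes>
      <modified>true</modified>
      <components><component type="library"><name>delta</name><version>0.1</version>
        <modified>false</modified></component></components>
    </component>
  </components>
</bom>"""


def audit_hashes(bom_xml):
    """Return (component, alg, issue) findings that the v1.0 XSD cannot express."""
    findings = []
    for comp in ET.fromstring(bom_xml).iter(f"{{{BOM_NS}}}component"):
        name = comp.findtext("bom:name", default="?", namespaces=NS)
        hashes = comp.findall("bom:hashes/bom:hash", NS)  # this component only
        if not hashes:
            findings.append((name, None, "no-hash"))
            continue
        for h in hashes:
            alg, value = h.get("alg"), (h.text or "").strip()
            if len(value) != HEX_LEN.get(alg):
                findings.append((name, alg, "length-mismatch"))
        if {h.get("alg") for h in hashes} <= WEAK:
            findings.append((name, None, "weak-only"))
    return findings
```

Nested components are covered because the walk visits every component element in document order, including those under a component's own components child.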

Simple Type: scope

Super-types: xs:string < scope (by restriction)
Sub-types: None
Name scope
Content
  • Base XSD Type: string
  • value comes from list: {'required'|'optional'}
No documentation provided.
<xs:simpleType name="scope">
   <xs:restriction base="xs:string">
      <xs:enumeration value="required"/>
      <xs:enumeration value="optional"/>
   </xs:restriction>
</xs:simpleType>

Glossary

Abstract (Applies to complex type definitions and element declarations). An abstract element or complex type cannot be used to validate an element instance. If there is a reference to an abstract element, only element declarations that can substitute the abstract element can be used to validate the instance. For references to abstract type definitions, only derived types can be used.

All Model Group Child elements can be provided in any order in instances. See: http://www.w3.org/TR/xmlschema-1/#element-all.

Choice Model Group Only one from the list of child elements and model groups can be provided in instances. See: http://www.w3.org/TR/xmlschema-1/#element-choice.

Collapse Whitespace Policy Replace tab, line feed, and carriage return characters with the space character (Unicode character 32). Then collapse contiguous sequences of space characters into a single space character, and remove leading and trailing space characters.

Disallowed Substitutions (Applies to element declarations). If substitution is specified, then substitution group members cannot be used in place of the given element declaration to validate element instances. If derivation methods, e.g. extension, restriction, are specified, then the given element declaration will not validate element instances that have types derived from the element declaration's type using the specified derivation methods. Normally, element instances can override their declaration's type by specifying an xsi:type attribute.

Key Constraint Like Uniqueness Constraint, but additionally requires that the specified value(s) must be provided. See: http://www.w3.org/TR/xmlschema-1/#cIdentity-constraint_Definitions.

Key Reference Constraint Ensures that the specified value(s) must match value(s) from a Key Constraint or Uniqueness Constraint. See: http://www.w3.org/TR/xmlschema-1/#cIdentity-constraint_Definitions.

Model Group Groups together element content, specifying the order in which the element content can occur and the number of times the group of element content may be repeated. See: http://www.w3.org/TR/xmlschema-1/#Model_Groups.

Nillable (Applies to element declarations). If an element declaration is nillable, instances can use the xsi:nil attribute. The xsi:nil attribute is the boolean attribute, nil, from the http://www.w3.org/2001/XMLSchema-instance namespace. If an element instance has an xsi:nil attribute set to true, it can be left empty, even though its element declaration may have required content.

Notation A notation is used to identify the format of a piece of data. Values of elements and attributes that are of type, NOTATION, must come from the names of declared notations. See: http://www.w3.org/TR/xmlschema-1/#cNotation_Declarations.

Preserve Whitespace Policy Preserve whitespaces exactly as they appear in instances.

Prohibited Derivations (Applies to type definitions). Derivation methods that cannot be used to create sub-types from a given type definition.

Prohibited Substitutions (Applies to complex type definitions). Prevents sub-types that have been derived using the specified derivation methods from validating element instances in place of the given type definition.

Replace Whitespace Policy Replace tab, line feed, and carriage return characters with the space character (Unicode character 32).

Sequence Model Group Child elements and model groups must be provided in the specified order in instances. See: http://www.w3.org/TR/xmlschema-1/#element-sequence.

Substitution Group Elements that are members of a substitution group can be used wherever the head element of the substitution group is referenced.

Substitution Group Exclusions (Applies to element declarations). Prohibits element declarations from nominating themselves as being able to substitute a given element declaration, if they have types that are derived from the original element's type using the specified derivation methods.

Target Namespace The target namespace identifies the namespace that components in this schema belong to. If no target namespace is provided, then the schema components do not belong to any namespace.

Uniqueness Constraint Ensures uniqueness of an element/attribute value, or a combination of values, within a specified scope. See: http://www.w3.org/TR/xmlschema-1/#cIdentity-constraint_Definitions.