The date and time (timestamp) when the BOM was created.
Element tools
The tool(s) used in the creation of the BOM.
Element authors
The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.
Element component
The component that the BOM describes.
Element manufacture
The organization that manufactured the component that the BOM describes.
Element supplier
The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.
Element properties
Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL.
Element name
The name of the organization
Element url
The URL of the organization. Multiple URLs are allowed.
Element contact
A contact person at the organization. Multiple contacts are allowed.
Element vendor
The name of the vendor who created the tool
Element name
The name of the tool
Element version
The version of the tool
Element externalReferences
Provides the ability to document external references related to the tool.
Element name
The name of the contact
Element email
The email address of the contact.
Element phone
The phone number of the contact.
Element supplier
The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.
Element author
The person(s) or organization(s) that authored the component
Element publisher
The person(s) or organization(s) that published the component
Element group
The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
Element name
The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
Element version
The component version. The version should ideally comply with semantic versioning but is not enforced.
Element description
Specifies a description for the component
Element scope
Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.
Element copyright
A copyright notice informing users of the underlying claims to copyright ownership in a published work.
Element cpe
Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe
Element purl
Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: https://github.com/package-url/purl-spec
Element swid
Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
Element modified
DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
Element pedigree
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.
Element externalReferences
Provides the ability to document external references related to the component or to the project the component describes.
Element properties
Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL.
Element components
A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.
Element evidence
Provides the ability to document evidence collected through various forms of extraction or analysis.
Element releaseNotes
Specifies optional release notes.
Attribute type
Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
Attribute mime-type
The OPTIONAL mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
Attribute bom-ref
An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Element id
A valid SPDX license ID
Element name
If SPDX does not define the license used, this field may be used to provide the license name
Element text
Specifies the optional full text of the attachment
Element url
The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.
Attribute content-type
Specifies the content type of the text. Defaults to text/plain if not specified.
Attribute encoding
Specifies the optional encoding the text is represented in
Attribute alg
Specifies the algorithm used to create the hash
Simple Type cpe
Defines the format for acceptable CPE URIs. Supports the CPE 2.2 and CPE 2.3 formats. Refer to https://nvd.nist.gov/products/cpe for the official specification.
Element text
Specifies the full content of the SWID tag.
Element url
The URL to the SWID file.
Attribute tagId
Maps to the tagId of a SoftwareIdentity.
Attribute name
Maps to the name of a SoftwareIdentity.
Attribute version
Maps to the version of a SoftwareIdentity.
Attribute tagVersion
Maps to the tagVersion of a SoftwareIdentity.
Attribute patch
Maps to the patch of a SoftwareIdentity.
Simple Type urnUuid
Defines a string representation of a UUID conforming to RFC 4122.
Element reference
Zero or more external references can be defined
Element url
The URL to the external reference
Element comment
An optional comment describing the external reference
Attribute type
Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
Element commit
Specifies an individual commit.
Element uid
A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
Element url
The URL to the commit. This URL will typically point to a commit in a version control system.
Element author
The author who created the changes in the commit
Element committer
The person who committed or pushed the commit
Element message
The text description of the contents of the commit
Element patch
Specifies an individual patch.
Element diff
The patch file (or diff) that shows the changes. Refer to https://en.wikipedia.org/wiki/Diff
Attribute type
Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality
Element text
Specifies the optional text of the diff
Element url
Specifies the URL to the diff
Element id
The identifier of the issue assigned by the source of the issue
Element name
The name of the issue
Element description
A description of the issue
Element name
The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"
Element url
The URL of the issue documentation as provided by the source
Attribute type
Specifies the type of issue
Element timestamp
The timestamp at which the action occurred
Element name
The name of the individual who performed the action
Element email
The email address of the individual who performed the action
Element ancestors
Describes zero or more components from which a component is derived. This is commonly used to describe forks of existing projects, where the forked version contains an ancestor node holding the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. Component B contains a pedigree node with a single ancestor documenting Component A, the original component from which Component B is derived.
Element descendants
Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
Element variants
Variants describe relations where the relationship between the components is not known. For example, Component A contains nearly identical code to Component B: the two are related, but it is unclear whether one is derived from the other or whether they share a common ancestor.
Element commits
A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
Element patches
A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.
Element notes
Notes, observations, and other non-structured commentary describing the component's pedigree.
Attribute ref
References a component or service by its bom-ref attribute
Element dependency
Components that do not have their own dependencies MUST be declared as empty elements within the graph. Components that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a component being dependency-free.
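The dependency rules above (empty element means "no dependencies", absence from the graph means "unknown"), together with the bom-ref uniqueness rule and the default 'required' scope described earlier, are easy to get wrong in a consumer. The following is an added example, not code from the CycloneDX project: it parses a constructed CycloneDX 1.4 XML BOM with the standard library and classifies each component accordingly. The sample BOM, its bom-ref values, and the function names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# CycloneDX 1.4 XML namespace; the "b" prefix is local to this script.
NS = {"b": "http://cyclonedx.org/schema/bom/1.4"}
COMPONENT_TAG = "{%s}component" % NS["b"]

# Constructed sample BOM (not from the specification). lib-c is deliberately
# left out of the dependency graph, lib-a is declared as an empty element,
# and lib-b names a ref that no component carries.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="application" bom-ref="app"><name>example-app</name><version>1.0.0</version></component>
  </metadata>
  <components>
    <component type="library" bom-ref="lib-a"><name>lib-a</name><version>2.1.0</version></component>
    <component type="library" bom-ref="lib-b"><name>lib-b</name><version>0.9.0</version><scope>optional</scope></component>
    <component type="library" bom-ref="lib-c"><name>lib-c</name><version>3.0.0</version></component>
  </components>
  <dependencies>
    <dependency ref="app"><dependency ref="lib-a"/><dependency ref="lib-b"/></dependency>
    <dependency ref="lib-a"/>
    <dependency ref="lib-b"><dependency ref="missing-ref"/></dependency>
  </dependencies>
</bom>
"""


def collect_bom_refs(root: ET.Element) -> Dict[str, ET.Element]:
    """Map every bom-ref to its element. Uniqueness is enforced across the
    whole document, so a collision is a hard error rather than a warning."""
    refs: Dict[str, ET.Element] = {}
    for el in root.iter():
        ref = el.get("bom-ref")
        if ref is None:
            continue
        if ref in refs:
            raise ValueError("duplicate bom-ref: %s" % ref)
        refs[ref] = el
    return refs


def effective_scope(component: ET.Element) -> str:
    """An absent <scope> SHOULD be read as 'required' by the consumer."""
    scope = component.find("b:scope", NS)
    if scope is not None and scope.text and scope.text.strip():
        return scope.text.strip()
    return "required"


def analyze_bom(xml_text: str) -> Dict[str, object]:
    """Classify each component's dependency knowledge and resolve graph refs.

    Per the dependency element's rules:
      - declared with child <dependency> elements -> "has-dependencies"
      - declared as an empty element             -> "no-dependencies"
      - not present in the graph at all          -> "unknown" (opaque; it
        must NOT be treated as dependency-free)
    """
    root = ET.fromstring(xml_text)
    refs = collect_bom_refs(root)
    components = {r: el for r, el in refs.items() if el.tag == COMPONENT_TAG}

    status = {r: "unknown" for r in components}
    dangling: List[str] = []
    graph = root.find("b:dependencies", NS)
    declared = graph.findall("b:dependency", NS) if graph is not None else []
    for dep in declared:
        ref = dep.get("ref")
        children = dep.findall("b:dependency", NS)
        if ref not in refs:
            dangling.append(ref)  # the declared node itself is unresolvable
            continue
        status[ref] = "has-dependencies" if children else "no-dependencies"
        for child in children:
            if child.get("ref") not in refs:
                dangling.append(child.get("ref"))

    return {
        "scopes": {r: effective_scope(el) for r, el in components.items()},
        "dependencies": status,
        "dangling_refs": dangling,
    }
```

Running `analyze_bom(SAMPLE_BOM)` reports lib-a as dependency-free, lib-c as unknown, and `missing-ref` as an unresolved reference; a consumer that treated lib-c like lib-a would silently under-report the attack surface.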
Element provider
The organization that provides the service.
Element group
The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service, or the domain name. Whitespace and special characters should be avoided.
Element name
The name of the service. This will often be a shortened, single name of the service.
Element version
The service version.
Element description
Specifies a description for the service.
Element endpoint
A service endpoint URI.
Element authenticated
A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
Element x-trust-boundary
A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
Element classification
Specifies the data classification.
Element externalReferences
Provides the ability to document external references related to the service.
Element properties
Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL.
Element services
A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies.
Element releaseNotes
Specifies optional release notes.
Attribute bom-ref
An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Attribute flow
Specifies the flow direction of the data.
Simple Type dataFlowType
Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
Element expression
A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements
Element aggregate
Specifies an aggregate type that describes how complete a relationship is.
Element assemblies
The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only.
Element dependencies
The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only.
Simple Type localeType
Defines a syntax for representing a two-character language code (ISO-639) followed by an optional two-character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA
Element type
The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
* major = A major release may contain significant changes or may introduce breaking changes.
* minor = A minor release, also known as an update, may contain a smaller number of changes than major releases.
* patch = Patch releases are typically unplanned and may resolve defects or important security issues.
* pre-release = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.
* internal = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it.
Element title
The title of the release.
Element featuredImage
The URL to an image that may be prominently displayed with the release note.
Element socialImage
The URL to an image that may be used in messaging on social media platforms.
Element description
A short description of the release.
Element timestamp
The date and time (timestamp) when the release note was created.
Element alias
One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).
Element tag
One or more tags that may aid in search or retrieval of the release note.
Element resolves
A collection of issues that have been resolved.
Element note
Zero or more release notes containing the locale and content. Multiple note elements may be specified to support release notes in a wide variety of languages.
Element locale
The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".
Element text
Specifies the full content of the release note.
Element properties
Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL.
Attribute ref
References a component or service by its bom-ref attribute
Attribute name
The name of the property. Duplicate names are allowed, each potentially having a different value.
Element vulnerability
Defines a weakness in a component or service that could be exploited or triggered by a threat source.
Element id
The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.
Element source
The source that published the vulnerability.
Element references
Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often, the same vulnerability exists in multiple sources of vulnerability intelligence under different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
Element reference
A pointer to a vulnerability that is the equivalent of the vulnerability specified.
Element id
The identifier that uniquely identifies the vulnerability. For example: CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876.
Element source
The source that published the vulnerability.
Element ratings
List of vulnerability ratings.
Element description
A description of the vulnerability as provided by the source.
Element detail
If available, an in-depth description of the vulnerability as provided by the source organization. Details often include examples, proof-of-concepts, and other information useful in understanding root cause.
Element recommendation
Recommendations of how the vulnerability can be remediated or mitigated.
Element created
The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
Element published
The date and time (timestamp) when the vulnerability record was first published.
Element updated
The date and time (timestamp) when the vulnerability record was last updated.
Element credits
Individuals or organizations credited with the discovery of the vulnerability.
Element organizations
The organizations credited with vulnerability discovery.
Element individuals
The individuals, not associated with organizations, that are credited with vulnerability discovery.
Element tools
The tool(s) used to identify, confirm, or score the vulnerability.
Element state
Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
Element justification
The rationale of why the impact analysis state was asserted.
Element responses
A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
Element detail
Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
Element affects
The components or services that are affected by the vulnerability.
Element ref
References a component or service by the object's bom-ref.
Element versions
Zero or more individual versions or version ranges.
Element version
A single version of a component or service.
Element range
A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst
Element status
The vulnerability status for the version or range of versions.
Element properties
Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL.
Attribute bom-ref
An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Element name
The name of the source. For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories
Element url
The url of the vulnerability documentation as provided by the source. For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182
Element source
The source that calculated the severity or risk rating of the vulnerability.
Element score
The numerical score of the rating.
Element severity
Textual representation of the severity that corresponds to the numerical score of the rating.
Element method
The risk scoring methodology/standard used.
Element vector
Textual representation of the metric values used to score the vulnerability.
Element justification
An optional reason for rating the vulnerability as it was.
Element title
An optional name of the advisory.
Element url
Location where the advisory can be obtained.
Simple Type severityType
Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.
Simple Type impactAnalysisStateType
Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
Simple Type impactAnalysisJustificationType
The rationale of why the impact analysis state was asserted.
Simple Type scoreSourceType
Specifies the severity or risk scoring methodology or standard used.
Simple Type impactAnalysisResponsesType
The rationale of why the impact analysis state was asserted.
Simple Type impactAnalysisAffectedStatusType
The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
Element metadata
Provides additional information about a BOM.
Element components
A list of software and hardware components.
Element services
A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.
Element externalReferences
Provides the ability to document external references related to the BOM or to the project the BOM describes.
Element dependencies
Provides the ability to document dependency relationships.
Element compositions
Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness.
Element properties
Provides the ability to document properties in a key/value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Property names of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL.
Element vulnerabilities
Vulnerabilities identified in components or services.
Attribute version
Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.
Attribute serialNumber
Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers is RECOMMENDED.
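As an added example (not part of this schema documentation or the CycloneDX project), the following Python implements the consumer-side checks the serialNumber, version and bom-ref rules above imply: it validates serialNumber as an RFC-4122 UUID URN, keeps only the most recent version of each serial number, and verifies that dependency refs and vulnerability affects refs resolve to a unique bom-ref, flagging vulnerabilities analysed as exploitable that carry no response. Assumed: the 1.4 XML namespace, the urn:uuid form of serialNumber, and the affects/target/ref and analysis/responses/response layout of the 1.4 XML schema; the BOM documents are constructed samples.

```python
# Added example (not CycloneDX project code): consumer-side checks on CycloneDX 1.4
# XML BOMs. Assumptions: namespace http://cyclonedx.org/schema/bom/1.4, the urn:uuid
# form of serialNumber, and the affects/target/ref and analysis/responses/response
# layout of the 1.4 XML schema. Every BOM document below is a constructed sample.
import re
import uuid
from collections import defaultdict
import xml.etree.ElementTree as ET

BOM_NS = "http://cyclonedx.org/schema/bom/1.4"
NS = {"bom": BOM_NS}
SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def valid_serial_number(serial):
    """serialNumber MUST conform to RFC-4122; the schema spells it as a UUID URN."""
    if not serial or not SERIAL_RE.match(serial):
        return False
    try:
        uuid.UUID(serial[len("urn:uuid:"):])
        return True
    except ValueError:
        return False


def bom_version(root):
    """The version attribute defaults to '1' when absent."""
    return int(root.get("version", "1"))


def select_current(bom_xml_docs):
    """Keep only the most recent version of each serial number (the SHOULD rule on
    the version attribute). BOMs without a valid serial number cannot be correlated
    with earlier versions, so they are returned separately instead of merged."""
    by_serial, uncorrelated = {}, []
    for doc in bom_xml_docs:
        root = ET.fromstring(doc)
        serial = root.get("serialNumber")
        if not valid_serial_number(serial):
            uncorrelated.append(root)
            continue
        current = by_serial.get(serial)
        if current is None or bom_version(root) > bom_version(current):
            by_serial[serial] = root
    return by_serial, uncorrelated


def check_bom_refs(root):
    """bom-ref uniqueness is enforced across the whole bom element, and every
    dependency ref and vulnerability affects ref must resolve to one of them.
    Also flags vulnerabilities analysed as exploitable that carry no response."""
    seen = defaultdict(int)
    for el in root.iter():                  # bom-ref is an un-namespaced attribute
        if el.get("bom-ref") is not None:
            seen[el.get("bom-ref")] += 1
    report = {"duplicates": sorted(r for r, n in seen.items() if n > 1),
              "dangling_dependencies": [], "dangling_affects": [],
              "exploitable_without_response": []}
    for dep in root.iter(f"{{{BOM_NS}}}dependency"):
        if dep.get("ref") not in seen:
            report["dangling_dependencies"].append(dep.get("ref"))
    for vuln in root.findall("bom:vulnerabilities/bom:vulnerability", NS):
        vid = vuln.findtext("bom:id", default="?", namespaces=NS)
        for affects in vuln.findall("bom:affects", NS):
            for ref_el in affects.iter(f"{{{BOM_NS}}}ref"):
                if ref_el.text not in seen:
                    report["dangling_affects"].append((vid, ref_el.text))
        state = vuln.findtext("bom:analysis/bom:state", default="", namespaces=NS)
        responses = vuln.findall("bom:analysis/bom:responses/bom:response", NS)
        if state == "exploitable" and not responses:
            report["exploitable_without_response"].append(vid)
    return report


SERIAL = "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"  # constructed UUID
LIB_REF = "pkg:maven/org.example/lib@1.0.0"                 # constructed bom-ref
COMPONENTS = (f'<components><component type="library" bom-ref="{LIB_REF}">'
              '<name>lib</name><version>1.0.0</version></component></components>')


def _bom(version, body):
    return f'<bom xmlns="{BOM_NS}" serialNumber="{SERIAL}" version="{version}">{body}</bom>'


BOM_V1 = _bom(1, COMPONENTS)
BOM_V2 = _bom(2, COMPONENTS + f"""
<dependencies><dependency ref="{LIB_REF}"/>
              <dependency ref="pkg:maven/org.example/missing@9.9.9"/></dependencies>
<vulnerabilities><vulnerability bom-ref="vuln-1"><id>CVE-2021-39182</id>
  <source><name>NVD</name><url>https://nvd.nist.gov/vuln/detail/CVE-2021-39182</url></source>
  <analysis><state>exploitable</state></analysis>
  <affects><target><ref>{LIB_REF}</ref></target>
           <target><ref>pkg:maven/org.example/ghost@0.0.1</ref></target></affects>
</vulnerability></vulnerabilities>""")
BOM_NO_SERIAL = f'<bom xmlns="{BOM_NS}" version="1">{COMPONENTS}</bom>'

if __name__ == "__main__":
    current, uncorrelated = select_current([BOM_V2, BOM_V1, BOM_NO_SERIAL])
    print("kept version", bom_version(current[SERIAL]), "- uncorrelated:", len(uncorrelated))
    print(check_bom_refs(current[SERIAL]))
```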
Content model: uid (xs:normalizedString) [0..1], url (xs:anyURI) [0..1], author (bom:identifiableActionType) [0..1], committer (bom:identifiableActionType) [0..1], message (xs:normalizedString) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model: sequence [0..*] of commit (bom:commitType) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
The OPTIONAL mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Content model (any attributes from any namespace allowed, lax validation): supplier (bom:organizationalEntity) [0..1], author (xs:normalizedString) [0..1], publisher (xs:normalizedString) [0..1], group (xs:normalizedString) [0..1], name (xs:normalizedString) [1], version (xs:normalizedString) [0..1], description (xs:normalizedString) [0..1], scope (bom:scope) [0..1], hashes [0..1] containing a sequence [0..*] of hash (bom:hashType) [1], licenses (bom:licenseChoiceType) [0..1], copyright (xs:normalizedString) [0..1], cpe (bom:cpe) [0..1], purl (xs:anyURI) [0..1], swid (bom:swidType) [0..1], modified (xs:boolean) [0..1], pedigree (bom:pedigreeType) [0..1], externalReferences (bom:externalReferences) [0..1], properties (bom:propertiesType) [0..1], components [0..1] containing a sequence [0..*] of component (bom:component) [1] plus any elements from another namespace (lax validation) [0..*], evidence (bom:componentEvidenceType) [0..1], releaseNotes (bom:releaseNotesType) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from any namespace allowed, lax validation): licenses (bom:licenseChoiceType) [0..1], copyright (bom:copyrightsType) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from any namespace allowed, lax validation): sequence [0..*] of component (bom:component) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model: sequence [0..*] of aggregate (bom:aggregateType) [1], assemblies [0..1] containing a sequence [0..*] of assembly (bom:bomReferenceType) [1] plus any elements from another namespace (lax validation) [0..*], dependencies [0..1] containing a sequence [0..*] of dependency (bom:bomReferenceType) [1] plus any elements from another namespace (lax validation) [0..*].
Content model (any attributes from any namespace allowed, lax validation): sequence [0..*] of composition (bom:compositionType) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
References a component or service by its bom-ref attribute.
Content model (any attributes from a namespace other than this schema's namespace allowed, lax validation): sequence [0..*] of dependency (bom:dependencyType) [1].
Content model: text (bom:attachedTextType) [0..1], url (xs:anyURI) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.
Content model (any attributes from any namespace allowed, lax validation): url (xs:anyURI) [1], comment (xs:string) [0..1], hashes [0..1] containing a sequence [0..*] of hash (bom:hashType) [1].
Content model: timestamp (xs:dateTime) [0..1], name (xs:normalizedString) [0..1], email (xs:normalizedString) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model: id (xs:normalizedString) [0..1], name (xs:normalizedString) [0..1], description (xs:normalizedString) [0..1], source [0..1] containing name (xs:normalizedString) [0..1] and url (xs:anyURI) [0..1], references [0..1] containing a sequence [0..*] of url (xs:anyURI) [1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model: choice [1] of id (spdx:licenseId) [0..1] or name (xs:normalizedString) [0..1]; then text (bom:attachedTextType) [0..1], url (xs:anyURI) [0..1], and any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from a namespace other than this schema's namespace allowed, lax validation): sequence [0..1] of name (xs:normalizedString) [0..1], email (xs:normalizedString) [0..1], phone (xs:normalizedString) [0..1], and any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from a namespace other than this schema's namespace allowed, lax validation): sequence [0..1] of name (xs:normalizedString) [0..1], url (xs:anyURI) [0..*], contact (bom:organizationalContact) [0..*], and any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Specifies the purpose for the patch, including the resolution of defects, security issues, or new behavior or functionality.
Content model: diff (bom:diffType) [0..1], resolves [0..1] containing a sequence [0..*] of issue (bom:issueType) [1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model: sequence [0..*] of patch (bom:patchType) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
Content model (any attributes from any namespace allowed, lax validation): sequence [0..*] of property (bom:propertyType) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from any namespace allowed, lax validation): sequence [0..*] of type (xs:normalizedString) [1], title (xs:string) [0..1], featuredImage (xs:anyURI) [0..1], socialImage (xs:anyURI) [0..1], description (xs:string) [0..1], timestamp (xs:dateTime) [0..1], aliases [0..1] containing a sequence [0..*] of alias (xs:normalizedString) [1], tags [0..1] containing a sequence [0..*] of tag (xs:normalizedString) [1], resolves [0..1] containing a sequence [0..*] of issue (bom:issueType) [1], notes [0..1] containing a sequence [0..*] of note [1], each note being a sequence [0..*] of locale (bom:localeType) [0..1] and text (bom:attachedTextType) [1], properties (bom:propertiesType) [0..1], and any elements from a namespace other than this schema's namespace (lax validation) [0..*].
An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Content model (any attributes from any namespace allowed, lax validation): provider (bom:organizationalEntity) [0..1], group (xs:normalizedString) [0..1], name (xs:normalizedString) [1], version (xs:normalizedString) [0..1], description (xs:normalizedString) [0..1], endpoints [0..1] containing a sequence [0..*] of endpoint (xs:anyURI) [1], authenticated (xs:boolean) [0..1], x-trust-boundary (xs:boolean) [0..1], data [0..1] containing a sequence [0..*] of classification (bom:dataClassificationType) [1], licenses (bom:licenseChoiceType) [0..1], externalReferences (bom:externalReferences) [0..1], properties (bom:propertiesType) [0..1], services [0..1] containing a sequence [0..*] of service (bom:service) [1] plus any elements from another namespace (lax validation) [0..*], releaseNotes (bom:releaseNotesType) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from any namespace allowed, lax validation): sequence [0..*] of service (bom:service) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model: text (bom:attachedTextType) [0..1], url (xs:anyURI) [0..1], then any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from a namespace other than this schema's namespace allowed, lax validation): sequence [0..1] of vendor (xs:normalizedString) [0..1], name (xs:normalizedString) [0..1], version (xs:normalizedString) [0..1], hashes [0..1] containing a sequence [0..*] of hash (bom:hashType) [1], externalReferences (bom:externalReferences) [0..1], and any elements from a namespace other than this schema's namespace (lax validation) [0..*].
Content model (any attributes from any namespace allowed, lax validation): sequence [0..*] of vulnerability (bom:vulnerabilityType) [1] plus any elements from a namespace other than this schema's namespace (lax validation) [0..*].
An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.
Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. Refer to https://nvd.nist.gov/products/cpe for official specification.
Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.
The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
Allowed values: code_not_present, code_not_reachable, requires_configuration, requires_dependency, requires_environment, protected_by_compiler, protected_at_runtime, protected_at_perimeter, protected_by_mitigating_control.
Defines a syntax for representing a two-character language code (ISO-639) followed by an optional two-character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA
Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.
Abstract
(Applies to complex type definitions and element declarations). An abstract element or complex type cannot be used to validate an element instance. If there is a reference to an abstract element, only element declarations that can substitute the abstract element can be used to validate the instance. For references to abstract type definitions, only derived types can be used.
Collapse Whitespace Policy
Replace tab, line feed, and carriage return characters with the space character (Unicode character 32). Then collapse contiguous sequences of space characters into a single space character, and remove leading and trailing space characters.
Disallowed Substitutions
(Applies to element declarations). If substitution is specified, then substitution group members cannot be used in place of the given element declaration to validate element instances. If derivation methods, e.g. extension or restriction, are specified, then the given element declaration will not validate element instances that have types derived from the element declaration's type using the specified derivation methods. Normally, element instances can override their declaration's type by specifying an xsi:type attribute.
Nillable
(Applies to element declarations). If an element declaration is nillable, instances can use the xsi:nil attribute. The xsi:nil attribute is the boolean attribute, nil, from the http://www.w3.org/2001/XMLSchema-instance namespace. If an element instance has an xsi:nil attribute set to true, it can be left empty, even though its element declaration may have required content.
Prohibited Derivations
(Applies to type definitions). Derivation methods that cannot be used to create sub-types from a given type definition.
Prohibited Substitutions
(Applies to complex type definitions). Prevents sub-types that have been derived using the specified derivation methods from validating element instances in place of the given type definition.
Replace Whitespace Policy
Replace tab, line feed, and carriage return characters with the space character (Unicode character 32).
Substitution Group
Elements that are members of a substitution group can be used wherever the head element of the substitution group is referenced.
Substitution Group Exclusions
(Applies to element declarations). Prohibits element declarations from nominating themselves as being able to substitute a given element declaration if they have types that are derived from the original element's type using the specified derivation methods.
Target Namespace
The target namespace identifies the namespace that components in this schema belong to. If no target namespace is provided, then the schema components do not belong to any namespace.
Element comment
An optional comment describing the external reference.