CycloneDX v1.5 Protobuf Reference

Table of Contents

Package: cyclonedx.v1_5

Top

Advisory

FieldTypeLabelDescription
titlestringoptional

An optional name of the advisory.

urlstring

Location where the advisory can be obtained.

Annotation

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.

subjectsstringrepeated

The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs.

annotatorAnnotatorChoice

The organization, person, component, or service which created the textual content of the annotation.

timestampgoogle.protobuf.Timestamp

The date and time (timestamp) when the annotation was created.

textstring

The textual content of the annotation.

AnnotatorChoice

FieldTypeLabelDescription
organizationOrganizationalEntity

The organization that created the annotation

individualOrganizationalContact

The person that created the annotation

componentComponent

The tool or component that created the annotation

serviceService

The service that created the annotation

AttachedText

Specifies attributes of the text

FieldTypeLabelDescription
content_typestringoptional

Specifies the content type of the text. Defaults to 'text/plain' if not specified.

encodingstringoptional

Specifies the optional encoding the text is represented in

valuestring

SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.

Bom

FieldTypeLabelDescription
spec_versionstring

The version of the CycloneDX specification a BOM is written to (starting at version 1.3)

versionint32optional

The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'.

serial_numberstringoptional

Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated.

metadataMetadataoptional

Provides additional information about a BOM.

componentsComponentrepeated

Provides the ability to document a list of components.

servicesServicerepeated

Provides the ability to document a list of external services.

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the BOM or to the project the BOM describes.

dependenciesDependencyrepeated

Provides the ability to document dependency relationships.

compositionsCompositionrepeated

Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.

vulnerabilitiesVulnerabilityrepeated

Vulnerabilities identified in components or services.

annotationsAnnotationrepeated

Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders.

propertiesPropertyrepeated

Specifies optional, custom, properties

formulationFormularepeated

Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.

Callstack

Evidence of the components use through the callstack.

FieldTypeLabelDescription
framesCallstack.Framesrepeated

Callstack.Frames

FieldTypeLabelDescription
packagestringoptional

A package organizes modules into namespaces, providing a unique namespace for each type it contains.

modulestring

A module or class that encloses functions/methods and other code.

functionstringoptional

A block of code designed to perform a particular task.

parametersstringrepeated

Optional arguments that are passed to the module or function.

lineint32optional

The line number the code that is called resides on.

columnint32optional

The column the code that is called resides.

fullFilenamestringoptional

The full path and filename of the module.

Command

FieldTypeLabelDescription
executedstringoptional

A text representation of the executed command.

propertiesPropertyrepeated

Domain-specific command properties.

Commit

FieldTypeLabelDescription
uidstringoptional

A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.

urlstringoptional

The URL to the commit. This URL will typically point to a commit in a version control system.

authorIdentifiableActionoptional

The author who created the changes in the commit

committerIdentifiableActionoptional

The person who committed or pushed the commit

messagestringoptional

The text description of the contents of the commit

Component

FieldTypeLabelDescription
typeClassification

Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.

mime_typestringoptional

The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.

bom_refstringoptional

An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

supplierOrganizationalEntityoptional

The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager.

authorstringoptional

The person(s) or organization(s) that authored the component

publisherstringoptional

The person(s) or organization(s) that published the component

groupstringoptional

The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.

namestring

The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery

versionstring

The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information.

descriptionstringoptional

Specifies a description for the component

scopeScopeoptional

Specifies the scope of the component. If scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM

hashesHashrepeated

licensesLicenseChoicerepeated

EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

copyrightstringoptional

An optional copyright notice informing users of the underlying claims to copyright ownership in a published work.

cpestringoptional

DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe

purlstringoptional

Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec

swidSwidoptional

Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.

modifiedbooloptional

DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.

pedigreePedigreeoptional

Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc.

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the component or to the project the component describes.

componentsComponentrepeated

Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.

propertiesPropertyrepeated

Specifies optional, custom, properties

evidenceEvidencerepeated

Specifies optional license and copyright evidence

releaseNotesReleaseNotesoptional

Specifies optional release notes.

modelCardModelCardoptional

A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.

dataComponentDataoptional

This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types.

ComponentData

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.

typeComponentDataType

The general theme or subject matter of the data being specified.

namestringoptional

The name of the dataset.

contentsComponentData.ComponentDataContentsoptional

The contents or references to the contents of the data being described.

classificationstringoptional

Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.

sensitiveDatastringrepeated

A description of any sensitive data in a dataset.

graphicsGraphicsCollectionoptional

A collection of graphics that represent various measurements.

descriptionstringoptional

A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.

governanceDataGovernanceoptional

Data Governance

ComponentData.ComponentDataContents

FieldTypeLabelDescription
attachmentAttachedTextoptional

An optional way to include textual or encoded data.

urlstringoptional

The URL to where the data can be retrieved.

propertiesPropertyrepeated

Provides the ability to document name-value parameters used for configuration.

Composition

FieldTypeLabelDescription
aggregateAggregate

Indicates the aggregate completeness

assembliesstringrepeated

The assemblies the aggregate completeness applies to

dependenciesstringrepeated

The dependencies the aggregate completeness applies to

vulnerabilitiesstringrepeated

The bom-ref identifiers of the vulnerabilities being described.

bom_refstringoptional

An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.

Condition

A condition that was used to determine a trigger should be activated.

FieldTypeLabelDescription
descriptionstringoptional

Describes the set of conditions which cause the trigger to activate.

expressionstringoptional

The logical expression that was evaluated that determined the trigger should be fired.

propertiesPropertyrepeated

Domain-specific condition instance properties.

DataFlow

Specifies the data flow.

FieldTypeLabelDescription
flowDataFlowDirection

Specifies the flow direction of the data.

valuestring

Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.

namestringoptional

Name for the defined data

descriptionstringoptional

Short description of the data content and usage

sourcestringrepeated

The URI, URL, or BOM-Link of the components or services the data came in from

destinationstringrepeated

The URI, URL, or BOM-Link of the components or services the data is sent to

governanceDataGovernanceoptional

Data Governance

DataGovernance

FieldTypeLabelDescription
custodiansDataGovernance.DataGovernanceResponsiblePartyrepeated

Data custodians are responsible for the safe custody, transport, and storage of data.

stewardsDataGovernance.DataGovernanceResponsiblePartyrepeated

Data stewards are responsible for data content, context, and associated business rules.

ownersDataGovernance.DataGovernanceResponsiblePartyrepeated

Data owners are concerned with risk and appropriate access to data.

DataGovernance.DataGovernanceResponsibleParty

FieldTypeLabelDescription
organizationOrganizationalEntity

contactOrganizationalContact

Dependency

FieldTypeLabelDescription
refstring

References a component or service by the its bom-ref attribute

dependenciesDependencyrepeated

Diff

FieldTypeLabelDescription
textAttachedTextoptional

Specifies the optional text of the diff

urlstringoptional

Specifies the URL to the diff

EnvironmentVars

FieldTypeLabelDescription
propertyProperty

valuestring

Event

Represents something that happened that may trigger a response.

FieldTypeLabelDescription
uidstringoptional

The unique identifier of the event.

descriptionstringoptional

A description of the event.

timeReceivedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the event was received.

dataAttachedTextoptional

Encoding of the raw event data.

sourceResourceReferenceChoiceoptional

References the component or service that was the source of the event

targetResourceReferenceChoiceoptional

References the component or service that was the target of the event

propertiesPropertyrepeated

Additional properties of the event.

Evidence

FieldTypeLabelDescription
licensesLicenseChoicerepeated

EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

copyrightEvidenceCopyrightrepeated

identityEvidenceIdentityrepeated

occurrencesEvidenceOccurrencesrepeated

callstackCallstackoptional

EvidenceCopyright

FieldTypeLabelDescription
textstring

Copyright text

EvidenceIdentity

FieldTypeLabelDescription
fieldEvidenceFieldType

The identity field of the component which the evidence describes.

confidencefloatoptional

The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.

methodsEvidenceMethodsrepeated

The methods used to extract and/or analyze the evidence.

toolsstringrepeated

The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation.

EvidenceMethods

FieldTypeLabelDescription
techniqueEvidenceTechnique

The technique used in this method of analysis.

confidencefloat

The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence.

valuestringoptional

The value or contents of the evidence.

EvidenceOccurrences

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.

locationstring

The location or path to where the component was found.

ExternalReference

FieldTypeLabelDescription
typeExternalReferenceType

Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type.

urlstring

The URL to the external reference

commentstringoptional

An optional comment describing the external reference

hashesHashrepeated

Optional integrity hashes for the external resource content

Formula

Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.

FieldTypeLabelDescription
bom_refstringoptional

BOM unique reference to the resource.

componentsComponentrepeated

Transient components that are used in tasks that constitute one or more of this formula's workflows

servicesServicerepeated

Transient services that are used in tasks that constitute one or more of this formula's workflows

workflowsWorkflowrepeated

List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.

propertiesPropertyrepeated

Domain-specific formula properties.

GraphicsCollection

FieldTypeLabelDescription
descriptionstringoptional

A description of this collection of graphics.

graphicGraphicsCollection.Graphicrepeated

A collection of graphics.

GraphicsCollection.Graphic

FieldTypeLabelDescription
namestringoptional

The name of the graphic.

imageAttachedTextoptional

The graphic (vector or raster). Base64 encoding MUST be specified for binary images.

Hash

Specifies the file hash of the component

FieldTypeLabelDescription
algHashAlg

Specifies the algorithm used to create the hash

valuestring

SimpleContent value of element

IdentifiableAction

FieldTypeLabelDescription
timestampgoogle.protobuf.Timestampoptional

The timestamp in which the action occurred

namestringoptional

The name of the individual who performed the action

emailstringoptional

The email address of the individual who performed the action

InputType

Type that represents various input data types and formats.

FieldTypeLabelDescription
sourceResourceReferenceChoiceoptional

A references to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)

targetResourceReferenceChoiceoptional

A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)

resourceResourceReferenceChoiceoptional

A reference to an independent resource provided as an input to a task by the workflow runtime.

parametersParameterrepeated

Inputs that have the form of parameters with names and values.

environmentVarsEnvironmentVarsrepeated

Inputs that have the form of parameters with names and values.

dataAttachedTextoptional

Inputs that have the form of data.

propertiesPropertyrepeated

Additional properties of the input data.

Issue

FieldTypeLabelDescription
typeIssueClassification

Specifies the type of issue

idstringoptional

The identifier of the issue assigned by the source of the issue

namestringoptional

The name of the issue

descriptionstringoptional

A description of the issue

sourceSourceoptional

referencesstringrepeated

License

FieldTypeLabelDescription
idstring

A valid SPDX license ID

namestring

If SPDX does not define the license used, this field may be used to provide the license name

textAttachedTextoptional

Specifies the optional full text of the attachment

urlstringoptional

The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness.

bom_refstringoptional

An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

licensingLicensingoptional

Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata

propertiesPropertyrepeated

Specifies optional, custom, properties

LicenseChoice

FieldTypeLabelDescription
licenseLicense

expressionstring

Licensing

FieldTypeLabelDescription
altIdsstringrepeated

License identifiers that may be used to manage licenses and their lifecycle

licensorOrganizationalEntityOrContactoptional

The individual or organization that grants a license to another individual or organization

licenseeOrganizationalEntityOrContactoptional

The individual or organization for which a license was granted to

purchaserOrganizationalEntityOrContactoptional

The individual or organization that purchased the license

purchaseOrderstringoptional

The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase

licenseTypesLicensingTypeEnumrepeated

The type of license(s) that was granted to the licensee

lastRenewalgoogle.protobuf.Timestampoptional

The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed.

expirationgoogle.protobuf.Timestampoptional

The timestamp indicating when the current license expires (if applicable).

Lifecycles

FieldTypeLabelDescription
phaseLifecyclePhase

A pre-defined phase in the product lifecycle.

namestring

The name of the lifecycle phase

descriptionstringoptional

The description of the lifecycle phase

Metadata

FieldTypeLabelDescription
timestampgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the document was created.

toolsTooloptional

The tool(s) used in the creation of the BOM.

authorsOrganizationalContactrepeated

The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.

componentComponentoptional

The component that the BOM describes.

manufactureOrganizationalEntityoptional

The organization that manufactured the component that the BOM describes.

supplierOrganizationalEntityoptional

The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager.

licensesLicenseChoiceoptional

The license information for the BOM document EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

propertiesPropertyrepeated

Specifies optional, custom, properties

lifecyclesLifecyclesrepeated

The product lifecycle(s) that this BOM represents.

ModelCard

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.

modelParametersModelCard.ModelParametersoptional

Hyper-parameters for construction of the model.

quantitativeAnalysisModelCard.QuantitativeAnalysisoptional

A quantitative analysis of the model

considerationsModelCard.ModelCardConsiderationsoptional

What considerations should be taken into account regarding the model's construction, training, and application?

ModelCard.ModelCardConsiderations

FieldTypeLabelDescription
usersstringrepeated

Who are the intended users of the model?

useCasesstringrepeated

What are the intended use cases of the model?

technicalLimitationsstringrepeated

What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?

performanceTradeoffsstringrepeated

What are the known tradeoffs in accuracy/performance of the model?

ethicalConsiderationsModelCard.ModelCardConsiderations.EthicalConsiderationsrepeated

What are the ethical (or environmental) risks involved in the application of this model?

fairnessAssessmentsModelCard.ModelCardConsiderations.FairnessAssessmentsrepeated

How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?

ModelCard.ModelCardConsiderations.EthicalConsiderations

FieldTypeLabelDescription
namestringoptional

The name of the risk.

mitigationStrategystringoptional

Strategy used to address this risk.

ModelCard.ModelCardConsiderations.FairnessAssessments

FieldTypeLabelDescription
groupAtRiskstringoptional

The groups or individuals at risk of being systematically disadvantaged by the model.

benefitsstringoptional

Expected benefits to the identified groups.

harmsstringoptional

Expected harms to the identified groups.

mitigationStrategystringoptional

With respect to the benefits and harms outlined, please describe any mitigation strategy implemented.

ModelCard.ModelParameters

FieldTypeLabelDescription
approachModelCard.ModelParameters.Approachoptional

The overall approach to learning used by the model for problem solving.

taskstringoptional

Directly influences the input and/or output. Examples include classification, regression, clustering, etc.

architectureFamilystringoptional

The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc.

modelArchitecturestringoptional

The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc.

datasetsModelCard.ModelParameters.Datasetsrepeated

The datasets used to train and evaluate the model.

inputsModelCard.ModelParameters.MachineLearningInputOutputParametersrepeated

The input format(s) of the model

outputsModelCard.ModelParameters.MachineLearningInputOutputParametersrepeated

The output format(s) from the model

ModelCard.ModelParameters.Approach

FieldTypeLabelDescription
typeModelParameterApproachTypeoptional

ModelCard.ModelParameters.Datasets

FieldTypeLabelDescription
datasetComponentData

refstring

References a data component by the components bom-ref attribute

ModelCard.ModelParameters.MachineLearningInputOutputParameters

FieldTypeLabelDescription
formatstringoptional

The data format for input/output to the model. Example formats include string, image, time-series

ModelCard.QuantitativeAnalysis

FieldTypeLabelDescription
performanceMetricsModelCard.QuantitativeAnalysis.PerformanceMetricsrepeated

The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.

graphicsGraphicsCollectionoptional

ModelCard.QuantitativeAnalysis.PerformanceMetrics

FieldTypeLabelDescription
typestringoptional

The type of performance metric.

valuestringoptional

The value of the performance metric.

slicestringoptional

The name of the slice this metric was computed on. By default, assume this metric is not sliced.

confidenceIntervalModelCard.QuantitativeAnalysis.PerformanceMetrics.ConfidenceIntervaloptional

The confidence interval of the metric.

ModelCard.QuantitativeAnalysis.PerformanceMetrics.ConfidenceInterval

FieldTypeLabelDescription
lowerBoundstringoptional

The lower bound of the confidence interval.

upperBoundstringoptional

The upper bound of the confidence interval.

Note

FieldTypeLabelDescription
localestringoptional

The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA".

textAttachedTextoptional

Specifies the full content of the release note.

OrganizationalContact

FieldTypeLabelDescription
namestringoptional

The name of the contact

emailstringoptional

The email address of the contact.

phonestringoptional

The phone number of the contact.

bom_refstringoptional

An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

OrganizationalEntity

FieldTypeLabelDescription
namestringoptional

The name of the organization

urlstringrepeated

The URL of the organization. Multiple URLs are allowed.

contactOrganizationalContactrepeated

A contact person at the organization. Multiple contacts are allowed.

bom_refstringoptional

An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

OrganizationalEntityOrContact

FieldTypeLabelDescription
organizationOrganizationalEntity

individualOrganizationalContact

OutputType

FieldTypeLabelDescription
typeOutputType.OutputTypeTypeoptional

Describes the type of data output.

sourceResourceReferenceChoiceoptional

Component or service that generated or provided the output from the task (e.g., a build tool)

targetResourceReferenceChoiceoptional

Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)

resourceResourceReferenceChoiceoptional

A reference to an independent resource generated as output by the task.

dataAttachedTextoptional

Outputs that have the form of data.

environmentVarsEnvironmentVarsrepeated

Outputs that have the form of environment variables.

propertiesPropertyrepeated

Additional properties of the output data.

Parameter

A representation of a functional parameter.

FieldTypeLabelDescription
namestringoptional

The name of the parameter.

valuestringoptional

The value of the parameter.

dataTypestringoptional

The data type of the parameter.

Patch

FieldTypeLabelDescription
typePatchClassification

Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality

diffDiffoptional

The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff

resolvesIssuerepeated

Pedigree

Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.

FieldTypeLabelDescription
ancestorsComponentrepeated

Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.

descendantsComponentrepeated

Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.

variantsComponentrepeated

Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.

commitsCommitrepeated

A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.

patchesPatchrepeated

A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.

notesstringoptional

Notes, observations, and other non-structured commentary describing the components pedigree.

ProofOfConcept

FieldTypeLabelDescription
reproductionStepsstringoptional

Precise steps to reproduce the vulnerability.

environmentstringoptional

A description of the environment in which reproduction was possible.

supportingMaterialAttachedTextrepeated

Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.

Property

Specifies a property

FieldTypeLabelDescription
namestring

valuestringoptional

ReleaseNotes

FieldTypeLabelDescription
typestring

The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.

titlestringoptional

The title of the release.

featuredImagestringoptional

The URL to an image that may be prominently displayed with the release note.

socialImagestringoptional

The URL to an image that may be used in messaging on social media platforms.

descriptionstringoptional

A short description of the release.

timestampgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the release note was created.

aliasesstringrepeated

Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).

tagsstringrepeated

Optional tags that may aid in search or retrieval of the release note.

resolvesIssuerepeated

A collection of issues that have been resolved.

notesNoterepeated

Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages.

propertiesPropertyrepeated

Specifies optional, custom, properties

ResourceReferenceChoice

FieldTypeLabelDescription
refstring

externalReferenceExternalReference

Service

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

providerOrganizationalEntityoptional

The organization that provides the service.

groupstringoptional

The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.

namestring

The name of the service. This will often be a shortened, single name of the service.

versionstringoptional

The service version.

descriptionstringoptional

Specifies a description for the service.

endpointsstringrepeated

authenticatedbooloptional

A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.

x_trust_boundarybooloptional

A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.

dataDataFlowrepeated

licensesLicenseChoicerepeated

EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)

external_referencesExternalReferencerepeated

Provides the ability to document external references related to the service.

servicesServicerepeated

Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains.

propertiesPropertyrepeated

Specifies optional, custom, properties

releaseNotesReleaseNotesoptional

Specifies optional release notes.

trustZonestringoptional

The name of the trust zone the service resides in.

Source

The source of the issue where it is documented.

FieldTypeLabelDescription
namestringoptional

The name of the source. For example "National Vulnerability Database", "NVD", and "Apache"

urlstringoptional

The url of the issue documentation as provided by the source

Step

Executes specific commands or tools in order to accomplish its owning task as part of a sequence.

FieldTypeLabelDescription
namestringoptional

A name for the step.

descriptionstringoptional

A description of the step.

commandsCommandrepeated

Ordered list of commands or directives for the step

propertiesPropertyrepeated

Domain-specific step properties.

Swid

FieldTypeLabelDescription
tag_idstring

Maps to the tagId of a SoftwareIdentity.

namestring

Maps to the name of a SoftwareIdentity.

versionstringoptional

Maps to the version of a SoftwareIdentity. Defaults to '0.0' if not specified.

tag_versionint32optional

Maps to the tagVersion of a SoftwareIdentity. Defaults to '0' if not specified.

patchbooloptional

Maps to the patch of a SoftwareIdentity. Defaults to 'false' if not specified.

textAttachedTextoptional

Specifies the full content of the SWID tag.

urlstringoptional

The URL to the SWID file.

Task

Describes the inputs, sequence of steps and resources used to accomplish a task and its output.

FieldTypeLabelDescription
bom_refstring

BOM unique reference to the resource.

uidstring

The unique identifier for the resource instance within its deployment context.

namestringoptional

The name of the resource instance.

descriptionstringoptional

A description of the resource instance.

propertiesPropertyrepeated

Domain-specific task instance properties.

resourceReferencesResourceReferenceChoicerepeated

References to component or service resources that are used to realize the resource instance.

taskTypesTaskTyperepeated

Indicates the types of activities performed by the set of workflow tasks.

triggerTriggeroptional

The trigger that initiated the task.

stepsSteprepeated

"The sequence of steps for the task.

inputsInputTyperepeated

Represents resources and data brought into a task at runtime by executor or task commands

outputsOutputTyperepeated

Represents resources and data output from a task at runtime by executor or task commands

timeStartgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the task started.

timeEndgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the task ended.

workspacesWorkspacerepeated

A set of named filesystem or data resource shareable by workflow tasks.

runtimeTopologyDependencyrepeated

A graph of the component runtime topology for task's instance.

Tool

Specifies a tool (manual or automated).

FieldTypeLabelDescription
vendorstringoptional

Deprecated. DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.

namestringoptional

Deprecated. DEPRECATED - DO NOT USE - The name of the tool used to create the BOM.

versionstringoptional

Deprecated. DEPRECATED - DO NOT USE - The version of the tool used to create the BOM.

hashesHashrepeated

Deprecated. DEPRECATED - DO NOT USE

external_referencesExternalReferencerepeated

Deprecated. DEPRECATED - DO NOT USE - Provides the ability to document external references related to the tool.

componentsComponentrepeated

A list of software and hardware components used as tools

servicesServicerepeated

A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services.

Fields with deprecated option

NameOption
vendor

true

name

true

version

true

hashes

true

external_references

true

Trigger

Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.

FieldTypeLabelDescription
bom_refstring

BOM unique reference to the resource.

uidstring

The unique identifier for the resource instance within its deployment context.

namestringoptional

The name of the resource instance.

descriptionstringoptional

A description of the resource instance.

propertiesPropertyrepeated

Additional properties of the trigger.

resourceReferencesResourceReferenceChoicerepeated

References to component or service resources that are used to realize the resource instance.

typeTrigger.TriggerType

The source type of event which caused the trigger to fire.

eventEventoptional

The event data that caused the associated trigger to activate.

conditionsConditionrepeated

Conditions

timeActivatedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the trigger was activated.

inputsInputTyperepeated

Represents resources and data brought into a task at runtime by executor or task commands

outputsOutputTyperepeated

Represents resources and data output from a task at runtime by executor or task commands

Volume

An identifiable, logical unit of data storage tied to a physical device.

FieldTypeLabelDescription
uidstringoptional

The unique identifier for the volume instance within its deployment context.

namestringoptional

The name of the volume instance

modeVolume.VolumeModeoptional

The volume mode for the volume instance.

pathstringoptional

The underlying path created from the actual volume.

sizeAllocatedstringoptional

The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.

persistentbooloptional

Indicates if the volume persists beyond the life of the resource it is associated with.

remotebooloptional

Indicates if the volume is remotely (i.e., network) attached.

propertiesPropertyrepeated

Domain-specific volume instance properties.

Vulnerability

FieldTypeLabelDescription
bom_refstringoptional

An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element.

idstringoptional

The identifier that uniquely identifies the vulnerability.

sourceSourceoptional

The source that published the vulnerability.

referencesVulnerabilityReferencerepeated

Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.

ratingsVulnerabilityRatingrepeated

List of vulnerability ratings

cwesint32repeated

List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)

descriptionstringoptional

A description of the vulnerability as provided by the source.

detailstringoptional

If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause.

recommendationstringoptional

Recommendations of how the vulnerability can be remediated or mitigated.

advisoriesAdvisoryrepeated

Published advisories of the vulnerability if provided.

createdgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was created in the vulnerability database.

publishedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was first published.

updatedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was last updated.

creditsVulnerabilityCreditsoptional

Individuals or organizations credited with the discovery of the vulnerability.

toolsTooloptional

The tool(s) used to identify, confirm, or score the vulnerability.

analysisVulnerabilityAnalysisoptional

An assessment of the impact and exploitability of the vulnerability.

affectsVulnerabilityAffectsrepeated

affects

propertiesPropertyrepeated

Specifies optional, custom, properties

rejectedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the vulnerability record was rejected (if applicable).

proofOfConceptProofOfConceptoptional

Evidence used to reproduce the vulnerability.

workaroundstringoptional

A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.

VulnerabilityAffectedVersions

FieldTypeLabelDescription
versionstring

A single version of a component or service.

rangestring

A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst

statusVulnerabilityAffectedStatusoptional

The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified.

VulnerabilityAffects

FieldTypeLabelDescription
refstring

References a component or service by the objects bom-ref

versionsVulnerabilityAffectedVersionsrepeated

Zero or more individual versions or range of versions.

VulnerabilityAnalysis

FieldTypeLabelDescription
stateImpactAnalysisStateoptional

Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.

justificationImpactAnalysisJustificationoptional

The rationale of why the impact analysis state was asserted.

responseVulnerabilityResponserepeated

A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.

detailstringoptional

Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.

firstIssuedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the analysis was first issued.

lastUpdatedgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the analysis was last updated.

VulnerabilityCredits

FieldTypeLabelDescription
organizationsOrganizationalEntityrepeated

The organizations credited with vulnerability discovery.

individualsOrganizationalContactrepeated

The individuals, not associated with organizations, that are credited with vulnerability discovery.

VulnerabilityRating

FieldTypeLabelDescription
sourceSourceoptional

The source that calculated the severity or risk rating of the vulnerability.

scoredoubleoptional

The numerical score of the rating.

severitySeverityoptional

Textual representation of the severity that corresponds to the numerical score of the rating.

methodScoreMethodoptional

Specifies the severity or risk scoring methodology or standard used.

vectorstringoptional

Textual representation of the metric values used to score the vulnerability.

justificationstringoptional

An optional reason for rating the vulnerability as it was.

VulnerabilityReference

FieldTypeLabelDescription
idstring

An identifier that uniquely identifies the vulnerability.

sourceSource

The source that published the vulnerability.

Workflow

A specialized orchestration task.

FieldTypeLabelDescription
bom_refstring

BOM unique reference to the resource.

uidstring

The unique identifier for the resource instance within its deployment context.

namestringoptional

The name of the resource instance.

descriptionstringoptional

A description of the resource instance.

propertiesPropertyrepeated

Domain-specific resource instance properties.

resourceReferencesResourceReferenceChoicerepeated

References to component or service resources that are used to realize the resource instance.

tasksTaskrepeated

The tasks that comprise the workflow.

taskDependenciesDependencyrepeated

The graph of dependencies between tasks within the workflow.

taskTypesTaskTyperepeated

Indicates the types of activities performed by the set of workflow tasks.

triggerTriggeroptional

The trigger that initiated the task.

stepsSteprepeated

The sequence of steps for the task.

inputsInputTyperepeated

Represents resources and data brought into a task at runtime by executor or task commands

outputsOutputTyperepeated

Represents resources and data output from a task at runtime by executor or task commands

timeStartgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the task started.

timeEndgoogle.protobuf.Timestampoptional

The date and time (timestamp) when the task ended.

workspacesWorkspacerepeated

A set of named filesystem or data resource shareable by workflow tasks.

runtimeTopologyDependencyrepeated

A graph of the component runtime topology for workflow's instance.

Workspace

A named filesystem or data resource shareable by workflow tasks.

FieldTypeLabelDescription
bom_refstring

BOM unique reference to the resource.

uidstring

The unique identifier for the resource instance within its deployment context.

namestringoptional

The name of the resource instance.

aliasesstringrepeated

The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.

descriptionstringoptional

A description of the resource instance.

propertiesPropertyrepeated

Domain-specific workspace instance properties.

resourceReferencesResourceReferenceChoicerepeated

References to component or service resources that are used to realize the resource instance.

accessModeWorkspace.AccessModeoptional

Describes the read-write access control for the workspace relative to the owning resource instance.

mountPathstringoptional

A path to a location on disk where the workspace will be available to the associated task's steps.

managedDataTypestringoptional

The name of a domain-specific data type the workspace represents.

volumeRequeststringoptional

Identifies the reference to the request for a specific volume type and parameters.

volumeVolumeoptional

Information about the actual volume instance allocated to the workspace.

Aggregate

NameNumberDescription
AGGREGATE_NOT_SPECIFIED0

The relationship completeness is not specified.

AGGREGATE_COMPLETE1

The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.

AGGREGATE_INCOMPLETE2

The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.

AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY3

The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.

AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY4

The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.

AGGREGATE_UNKNOWN5

The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.

AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY6

The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.

AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY7

The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.

AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY8

The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.

AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY9

The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.

Classification

NameNumberDescription
CLASSIFICATION_NULL0

CLASSIFICATION_APPLICATION1

A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications.

CLASSIFICATION_FRAMEWORK2

A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries.

CLASSIFICATION_LIBRARY3

A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.

CLASSIFICATION_OPERATING_SYSTEM4

A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system

CLASSIFICATION_DEVICE5

A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md

CLASSIFICATION_FILE6

A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files.

CLASSIFICATION_CONTAINER7

A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization

CLASSIFICATION_FIRMWARE8

A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware

CLASSIFICATION_DEVICE_DRIVER9

A special type of software that operates or controls a particular type of device. Refer to https://en.wikipedia.org/wiki/Device_driver

CLASSIFICATION_PLATFORM10

A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.

CLASSIFICATION_MACHINE_LEARNING_MODEL11

A model based on training data that can make predictions or decisions without being explicitly programmed to do so.

CLASSIFICATION_DATA12

A collection of discrete values that convey information.

ComponentDataType

NameNumberDescription
COMPONENT_DATA_TYPE_SOURCE_CODE0

Any type of code, code snippet, or data-as-code

COMPONENT_DATA_TYPE_CONFIGURATION1

Parameters or settings that may be used by other components.

COMPONENT_DATA_TYPE_DATASET2

A collection of data.

COMPONENT_DATA_TYPE_DEFINITION3

Data that can be used to create new instances of what the definition defines.

COMPONENT_DATA_TYPE_OTHER4

Any other type of data that does not fit into existing definitions.

DataFlowDirection

Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known.

NameNumberDescription
DATA_FLOW_NULL0

DATA_FLOW_INBOUND1

DATA_FLOW_OUTBOUND2

DATA_FLOW_BI_DIRECTIONAL3

DATA_FLOW_UNKNOWN4

EvidenceFieldType

NameNumberDescription
EVIDENCE_FIELD_NULL0

EVIDENCE_FIELD_GROUP1

EVIDENCE_FIELD_NAME2

EVIDENCE_FIELD_VERSION3

EVIDENCE_FIELD_PURL4

EVIDENCE_FIELD_CPE5

EVIDENCE_FIELD_SWID6

EVIDENCE_FIELD_HASH7

EvidenceTechnique

NameNumberDescription
EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS0

EVIDENCE_TECHNIQUE_BINARY_ANALYSIS1

EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS2

EVIDENCE_TECHNIQUE_AST_FINGERPRINT3

EVIDENCE_TECHNIQUE_HASH_COMPARISON4

EVIDENCE_TECHNIQUE_INSTRUMENTATION5

EVIDENCE_TECHNIQUE_DYNAMIC_ANALYSIS6

EVIDENCE_TECHNIQUE_FILENAME7

EVIDENCE_TECHNIQUE_ATTESTATION8

EVIDENCE_TECHNIQUE_OTHER9

ExternalReferenceType

NameNumberDescription
EXTERNAL_REFERENCE_TYPE_OTHER0

Use this if no other types accurately describe the purpose of the external reference

EXTERNAL_REFERENCE_TYPE_VCS1

Version Control System

EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER2

Issue or defect tracking system, or an Application Lifecycle Management (ALM) system

EXTERNAL_REFERENCE_TYPE_WEBSITE3

Website

EXTERNAL_REFERENCE_TYPE_ADVISORIES4

Security advisories

EXTERNAL_REFERENCE_TYPE_BOM5

Bill-of-material document (CycloneDX, SPDX, SWID, etc)

EXTERNAL_REFERENCE_TYPE_MAILING_LIST6

Mailing list or discussion group

EXTERNAL_REFERENCE_TYPE_SOCIAL7

Social media account

EXTERNAL_REFERENCE_TYPE_CHAT8

Real-time chat platform

EXTERNAL_REFERENCE_TYPE_DOCUMENTATION9

Documentation, guides, or how-to instructions

EXTERNAL_REFERENCE_TYPE_SUPPORT10

Community or commercial support

EXTERNAL_REFERENCE_TYPE_DISTRIBUTION11

Direct or repository download location

EXTERNAL_REFERENCE_TYPE_LICENSE12

The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness

EXTERNAL_REFERENCE_TYPE_BUILD_META13

Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)

EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM14

URL to an automated build system

EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT15

Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT.

EXTERNAL_REFERENCE_TYPE_ATTESTATION16

Human or machine-readable statements containing facts, evidence, or testimony

EXTERNAL_REFERENCE_TYPE_THREAT_MODEL17

An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format

EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL18

The defined assumptions, goals, and capabilities of an adversary.

EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT19

Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.

EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE20

The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary

EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION21

A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product

EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT22

A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization

EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT23

Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test

EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT24

SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code

EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT25

Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations

EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT26

Report generated by analyzing the call stack of a running application

EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT27

Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis

EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT28

Report containing a formal assessment of an organization, business unit, or team against a maturity model

EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT29

Industry, regulatory, or other certification from an accredited (if applicable) certification body

EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS30

Report or system in which quality metrics can be obtained

EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE31

Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)

EXTERNAL_REFERENCE_TYPE_MODEL_CARD32

A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.

EXTERNAL_REFERENCE_TYPE_POAM33

Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones".

EXTERNAL_REFERENCE_TYPE_LOG34

A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.

EXTERNAL_REFERENCE_TYPE_CONFIGURATION35

Parameters or settings that may be used by other components or services.

EXTERNAL_REFERENCE_TYPE_EVIDENCE36

Information used to substantiate a claim.

EXTERNAL_REFERENCE_TYPE_FORMULATION37

Describes how a component or service was manufactured or deployed.

HashAlg

NameNumberDescription
HASH_ALG_NULL0

HASH_ALG_MD_51

HASH_ALG_SHA_12

HASH_ALG_SHA_2563

HASH_ALG_SHA_3844

HASH_ALG_SHA_5125

HASH_ALG_SHA_3_2566

HASH_ALG_SHA_3_3847

HASH_ALG_SHA_3_5128

HASH_ALG_BLAKE_2_B_2569

HASH_ALG_BLAKE_2_B_38410

HASH_ALG_BLAKE_2_B_51211

HASH_ALG_BLAKE_312

ImpactAnalysisJustification

NameNumberDescription
IMPACT_ANALYSIS_JUSTIFICATION_NULL0

An undefined impact analysis justification

IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT1

The code has been removed or tree-shaked.

IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE2

The vulnerable code is not invoked at runtime.

IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION3

Exploitability requires a configurable option to be set/unset.

IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY4

Exploitability requires a dependency that is not present.

IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT5

Exploitability requires a certain environment which is not present.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER6

Exploitability requires a compiler flag to be set/unset.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME7

Exploits are prevented at runtime.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER8

Attacks are blocked at physical, logical, or network perimeter.

IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL9

Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.

ImpactAnalysisState

NameNumberDescription
IMPACT_ANALYSIS_STATE_NULL0

An undefined impact analysis state

IMPACT_ANALYSIS_STATE_RESOLVED1

The vulnerability has been remediated.

IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE2

The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).

IMPACT_ANALYSIS_STATE_EXPLOITABLE3

The vulnerability may be directly or indirectly exploitable.

IMPACT_ANALYSIS_STATE_IN_TRIAGE4

The vulnerability is being investigated.

IMPACT_ANALYSIS_STATE_FALSE_POSITIVE5

The vulnerability is not specific to the component or service and was falsely identified or associated.

IMPACT_ANALYSIS_STATE_NOT_AFFECTED6

The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.

IssueClassification

NameNumberDescription
ISSUE_CLASSIFICATION_NULL0

ISSUE_CLASSIFICATION_DEFECT1

A fault, flaw, or bug in software

ISSUE_CLASSIFICATION_ENHANCEMENT2

A new feature or behavior in software

ISSUE_CLASSIFICATION_SECURITY3

A special type of defect which impacts security

LicensingTypeEnum

NameNumberDescription
LICENSING_TYPE_NULL0

LICENSING_TYPE_ACADEMIC1

A license that grants use of software solely for the purpose of education or research.

LICENSING_TYPE_APPLIANCE2

A license covering use of software embedded in a specific piece of hardware.

LICENSING_TYPE_CLIENT_ACCESS3

A Client Access License (CAL) allows client computers to access services provided by server software.

LICENSING_TYPE_CONCURRENT_USER4

A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.

LICENSING_TYPE_CORE_POINTS5

A license where the core of a computer's processor is assigned a specific number of points.

LICENSING_TYPE_CUSTOM_METRIC6

A license for which consumption is measured by non-standard metrics.

LICENSING_TYPE_DEVICE7

A license that covers a defined number of installations on computers and other types of devices.

LICENSING_TYPE_EVALUATION8

A license that grants permission to install and use software for trial purposes.

LICENSING_TYPE_NAMED_USER9

A license that grants access to the software to one or more pre-defined users.

LICENSING_TYPE_NODE_LOCKED10

A license that grants access to the software on one or more pre-defined computers or devices.

LICENSING_TYPE_OEM11

An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.

LICENSING_TYPE_PERPETUAL12

A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.

LICENSING_TYPE_PROCESSOR_POINTS13

A license where each installation consumes points per processor.

LICENSING_TYPE_SUBSCRIPTION14

A license where the licensee pays a fee to use the software or service.

LICENSING_TYPE_USER15

A license that grants access to the software or service by a specified number of users.

LICENSING_TYPE_OTHER16

Another license type.

LifecyclePhase

NameNumberDescription
LIFECYCLE_PHASE_DESIGN0

BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.

LIFECYCLE_PHASE_PRE_BUILD1

BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.

LIFECYCLE_PHASE_BUILD2

BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.

LIFECYCLE_PHASE_POST_BUILD3

BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.

LIFECYCLE_PHASE_OPERATIONS4

BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.

LIFECYCLE_PHASE_DISCOVERY5

BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.

LIFECYCLE_PHASE_DECOMMISSION6

BOM containing inventory that will be, or has been retired from operations.

ModelParameterApproachType

NameNumberDescription
MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED0

MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED1

MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING2

MODEL_PARAMETER_APPROACH_TYPE_SEMI_SUPERVISED3

MODEL_PARAMETER_APPROACH_TYPE_SELF_SUPERVISED4

OutputType.OutputTypeType

NameNumberDescription
OUTPUT_TYPE_ARTIFACT0

OUTPUT_TYPE_ATTESTATION1

OUTPUT_TYPE_LOG2

OUTPUT_TYPE_EVIDENCE3

OUTPUT_TYPE_METRICS4

OUTPUT_TYPE_OTHER5

PatchClassification

NameNumberDescription
PATCH_CLASSIFICATION_NULL0

PATCH_CLASSIFICATION_UNOFFICIAL1

A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch

PATCH_CLASSIFICATION_MONKEY2

A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch

PATCH_CLASSIFICATION_BACKPORT3

A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting

PATCH_CLASSIFICATION_CHERRY_PICK4

A patch created by selectively applying commits from other versions or branches of the same software.

Scope

NameNumberDescription
SCOPE_UNSPECIFIED0

Default

SCOPE_REQUIRED1

The component is required for runtime

SCOPE_OPTIONAL2

The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.

SCOPE_EXCLUDED3

Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.

ScoreMethod

NameNumberDescription
SCORE_METHOD_NULL0

An undefined score method

SCORE_METHOD_CVSSV21

Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/

SCORE_METHOD_CVSSV32

Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/

SCORE_METHOD_CVSSV313

Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/

SCORE_METHOD_OWASP4

OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology

SCORE_METHOD_OTHER5

Other scoring method

SCORE_METHOD_CVSSV46

Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/

SCORE_METHOD_SSVC7

Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC

Severity

NameNumberDescription
SEVERITY_UNKNOWN0

SEVERITY_CRITICAL1

SEVERITY_HIGH2

SEVERITY_MEDIUM3

SEVERITY_LOW4

SEVERITY_INFO5

SEVERITY_NONE6

TaskType

NameNumberDescription
TASK_TYPE_COPY0

TASK_TYPE_CLONE1

TASK_TYPE_LINT2

TASK_TYPE_SCAN3

TASK_TYPE_MERGE4

TASK_TYPE_BUILD5

TASK_TYPE_TEST6

TASK_TYPE_DELIVER7

TASK_TYPE_DEPLOY8

TASK_TYPE_RELEASE9

TASK_TYPE_CLEAN10

TASK_TYPE_OTHER11

Trigger.TriggerType

NameNumberDescription
TRIGGER_TYPE_MANUAL0

TRIGGER_TYPE_API1

TRIGGER_TYPE_WEBHOOK2

TRIGGER_TYPE_SCHEDULED3

Volume.VolumeMode

NameNumberDescription
VOLUME_MODE_FILESYSTEM0

VOLUME_MODE_BLOCK1

VulnerabilityAffectedStatus

NameNumberDescription
VULNERABILITY_AFFECTED_STATUS_UNKNOWN0

The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.

VULNERABILITY_AFFECTED_STATUS_AFFECTED1

VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED2

VulnerabilityResponse

NameNumberDescription
VULNERABILITY_RESPONSE_NULL0

VULNERABILITY_RESPONSE_CAN_NOT_FIX1

VULNERABILITY_RESPONSE_WILL_NOT_FIX2

VULNERABILITY_RESPONSE_UPDATE3

VULNERABILITY_RESPONSE_ROLLBACK4

VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE5

Workspace.AccessMode

NameNumberDescription
ACCESS_MODE_READ_ONLY0

ACCESS_MODE_READ_WRITE1

ACCESS_MODE_READ_WRITE_ONCE2

ACCESS_MODE_WRITE_ONCE3

ACCESS_MODE_WRITE_ONLY4

Scalar Value Types

.proto TypeNotesC++JavaPythonGoC#PHPRuby
doubledoubledoublefloatfloat64doublefloatFloat
floatfloatfloatfloatfloat32floatfloatFloat
int32Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.int32intintint32intintegerBignum or Fixnum (as required)
int64Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.int64longint/longint64longinteger/stringBignum
uint32Uses variable-length encoding.uint32intint/longuint32uintintegerBignum or Fixnum (as required)
uint64Uses variable-length encoding.uint64longint/longuint64ulonginteger/stringBignum or Fixnum (as required)
sint32Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.int32intintint32intintegerBignum or Fixnum (as required)
sint64Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.int64longint/longint64longinteger/stringBignum
fixed32Always four bytes. More efficient than uint32 if values are often greater than 2^28.uint32intintuint32uintintegerBignum or Fixnum (as required)
fixed64Always eight bytes. More efficient than uint64 if values are often greater than 2^56.uint64longint/longuint64ulonginteger/stringBignum
sfixed32Always four bytes.int32intintint32intintegerBignum or Fixnum (as required)
sfixed64Always eight bytes.int64longint/longint64longinteger/stringBignum
boolboolbooleanbooleanboolboolbooleanTrueClass/FalseClass
stringA string must always contain UTF-8 encoded or 7-bit ASCII text.stringStringstr/unicodestringstringstringString (UTF-8)
bytesMay contain any arbitrary sequence of bytes.stringByteStringstr[]byteByteStringstringString (ASCII-8BIT)