cyclonedx-common-2.0.schema.json

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-common-2.0.schema.json",
  "type": "null",
  "title": "CycloneDX Common Model",
  "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
  "$defs": {
    "refType": {
      "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
      "type": "string",
      "minLength": 1,
      "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'"
    },
    "refLinkType": {
      "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.",
      "$ref": "#/$defs/refType"
    },
    "bomLinkDocumentType": {
      "title": "BOM-Link Document",
      "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/",
      "type": "string",
      "format": "iri-reference",
      "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$",
      "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
    },
    "bomLinkElementType": {
      "title": "BOM-Link Element",
      "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/",
      "type": "string",
      "format": "iri-reference",
      "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$",
      "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern"
    },
    "bomLink": {
      "title": "BOM-Link",
      "anyOf": [
        {
          "title": "BOM-Link Document",
          "$ref": "#/$defs/bomLinkDocumentType"
        },
        {
          "title": "BOM-Link Element",
          "$ref": "#/$defs/bomLinkElementType"
        }
      ]
    },
    "hash": {
      "type": "object",
      "title": "Hash",
      "required": [
        "alg",
        "content"
      ],
      "additionalProperties": false,
      "properties": {
        "alg": {
          "$ref": "#/$defs/hashAlgorithm"
        },
        "content": {
          "$ref": "#/$defs/hashValue"
        }
      }
    },
    "hashAlgorithm": {
      "type": "string",
      "title": "Hash Algorithm",
      "description": "The algorithm that generated the hash value.",
      "enum": [
        "MD5",
        "SHA-1",
        "SHA-256",
        "SHA-384",
        "SHA-512",
        "SHA3-256",
        "SHA3-384",
        "SHA3-512",
        "BLAKE2b-256",
        "BLAKE2b-384",
        "BLAKE2b-512",
        "BLAKE3",
        "Streebog-256",
        "Streebog-512"
      ]
    },
    "hashValue": {
      "type": "string",
      "title": "Hash Value",
      "description": "The value of the hash.",
      "examples": ["3942447fac867ae5cdb3229b658f4d48"],
      "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$"
    },
    "mediaType": {
      "type": "string",
      "title": "Media Type",
      "description": "The media type of the object. The media type can provide additional context about the kind of data being represented, such as an image, font, or executable.",
      "examples": [
        "text/plain",
        "application/json",
        "image/png"
      ],
      "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$"
    },
    "attachment": {
      "type": "object",
      "title": "Attachment",
      "description": "Specifies the metadata and content for an attachment.",
      "required": [
        "content"
      ],
      "additionalProperties": false,
      "properties": {
        "mediaType": {
          "$ref": "#/$defs/mediaType"
        },
        "encoding": {
          "type": "string",
          "title": "Encoding",
          "description": "Specifies the optional encoding the text is represented in.",
          "enum": [
            "base64"
          ],
          "meta:enum": {
            "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string."
          }
        },
        "content": {
          "type": "string",
          "title": "Attachment Text",
          "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text."
        }
      }
    },
    "base64": {
      "type": "string",
      "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$",
      "description": "A Base64-encoded string."
    },
    "externalReferences": {
      "type": "array",
      "items": {"$ref": "#/$defs/externalReference"},
      "title": "External References",
      "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM."
    },
    "externalReference": {
      "type": "object",
      "title": "External Reference",
      "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.",
      "required": [
        "url",
        "type"
      ],
      "additionalProperties": false,
      "properties": {
        "url": {
          "anyOf": [
            {
              "title": "URL",
              "type": "string",
              "format": "iri-reference"
            },
            {
              "title": "BOM-Link",
              "$ref": "#/$defs/bomLink"
            }
          ],
          "title": "URL",
          "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs."
        },
        "comment": {
          "type": "string",
          "title": "Comment",
          "description": "A comment describing the external reference"
        },
        "type": {
          "type": "string",
          "title": "Type",
          "description": "Specifies the type of external reference.",
          "enum": [
            "vcs",
            "issue-tracker",
            "website",
            "advisories",
            "bom",
            "mailing-list",
            "social",
            "chat",
            "documentation",
            "support",
            "source-distribution",
            "distribution",
            "distribution-intake",
            "license",
            "build-meta",
            "build-system",
            "release-notes",
            "security-contact",
            "model-card",
            "log",
            "configuration",
            "evidence",
            "formulation",
            "attestation",
            "threat-model",
            "adversary-model",
            "risk-assessment",
            "vulnerability-assertion",
            "exploitability-statement",
            "pentest-report",
            "static-analysis-report",
            "dynamic-analysis-report",
            "runtime-analysis-report",
            "component-analysis-report",
            "maturity-report",
            "certification-report",
            "codified-infrastructure",
            "quality-metrics",
            "poam",
            "electronic-signature",
            "digital-signature",
            "rfc-9116",
            "patent",
            "patent-family",
            "patent-assertion",
            "citation",
            "other"
          ],
          "meta:enum": {
            "vcs": "Version Control System",
            "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system",
            "website": "Website",
            "advisories": "Security advisories",
            "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)",
            "mailing-list": "Mailing list or discussion group",
            "social": "Social media account",
            "chat": "Real-time chat platform",
            "documentation": "Documentation, guides, or how-to instructions",
            "support": "Community or commercial support",
            "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.",
            "distribution": "Direct or repository download location",
            "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.",
            "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.",
            "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)",
            "build-system": "Reference to an automated build system",
            "release-notes": "Reference to release notes",
            "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.",
            "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.",
            "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.",
            "configuration": "Parameters or settings that may be used by other components or services.",
            "evidence": "Information used to substantiate a claim.",
            "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.",
            "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.",
            "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.",
            "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.",
            "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.",
            "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.",
            "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.",
            "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.",
            "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.",
            "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.",
            "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.",
            "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.",
            "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.",
            "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.",
            "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).",
            "quality-metrics": "Report or system in which quality metrics can be obtained.",
            "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".",
            "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.",
            "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.",
            "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)",
            "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).",
            "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).",
            "patent-assertion" : "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
            "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.",
            "other": "Use this if no other types accurately describe the purpose of the external reference."
          }
        },
        "hashes": {
          "type": "array",
          "items": {"$ref": "#/$defs/hash"},
          "title": "Hashes",
          "description": "The hashes of the external reference (if applicable)."
        },
        "properties": {
          "$ref": "#/$defs/properties"
        }
      }
    },
    "postalAddress": {
      "type": "object",
      "title": "Postal address",
      "description": "An address used to identify a contactable location.",
      "additionalProperties": false,
      "properties": {
        "bom-ref": {
          "title": "BOM Reference",
          "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.",
          "$ref": "#/$defs/refType"
        },
        "country": {
          "type": "string",
          "title": "Country",
          "description": "The country name or the two-letter ISO 3166-1 country code."
        },
        "region": {
          "type": "string",
          "title": "Region",
          "description": "The region or state in the country.",
          "examples": [ "Texas" ]
        },
        "locality": {
          "type": "string",
          "title": "Locality",
          "description": "The locality or city within the country.",
          "examples": [ "Austin" ]
        },
        "postOfficeBoxNumber": {
          "type": "string",
          "title": "Post Office Box Number",
          "description": "The post office box number.",
          "examples": [ "901" ]
        },
        "postalCode": {
          "type": "string",
          "title": "Postal Code",
          "description": "The postal code.",
          "examples": [ "78758" ]
        },
        "streetAddress": {
          "type": "string",
          "title": "Street Address",
          "description": "The street address.",
          "examples": [ "100 Main Street" ]
        }
      }
    },
    "organizationalEntity": {
      "type": "object",
      "title": "Organizational Entity",
      "additionalProperties": false,
      "properties": {
        "bom-ref": {
          "$ref": "#/$defs/refType",
          "title": "BOM Reference",
          "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
        },
        "name": {
          "type": "string",
          "title": "Organization Name",
          "description": "The name of the organization",
          "examples": [
            "Example Inc."
          ]
        },
        "address": {
          "$ref": "#/$defs/postalAddress",
          "title": "Organization Address",
          "description": "The physical address (location) of the organization"
        },
        "url": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "iri-reference"
          },
          "title": "Organization URL(s)",
          "description": "The URL of the organization. Multiple URLs are allowed.",
          "examples": ["https://example.com"]
        },
        "contact": {
          "type": "array",
          "title": "Organizational Contact",
          "description": "A contact at the organization. Multiple contacts are allowed.",
          "items": {"$ref": "#/$defs/organizationalContact"}
        }
      }
    },
    "organizationalContact": {
      "type": "object",
      "title": "Organizational Contact",
      "additionalProperties": false,
      "properties": {
        "bom-ref": {
          "$ref": "#/$defs/refType",
          "title": "BOM Reference",
          "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links."
        },
        "name": {
          "type": "string",
          "title": "Name",
          "description": "The name of a contact",
          "examples": ["Contact name"]
        },
        "email": {
          "type": "string",
          "format": "idn-email",
          "title": "Email Address",
          "description": "The email address of the contact.",
          "examples": ["firstname.lastname@example.com"]
        },
        "phone": {
          "type": "string",
          "title": "Phone",
          "description": "The phone number of the contact.",
          "examples": ["800-555-1212"]
        }
      }
    },
    "organizationalEntityOrContact": {

    },
    "entity": {
      "type": "object",
      "title": "Entity",
      "description": "Represents a person or organization with one or more roles in relation to the subject. Entities provide a unified mechanism for expressing the various parties involved in the creation, distribution, governance, and lifecycle management of components, services, data, and other objects within the BOM.",
      "required": ["roles"],
      "additionalProperties": false,
      "properties": {
        "bom-ref": {
          "$ref": "#/$defs/refType"
        },
        "person": {
          "title": "Person",
          "description": "An individual acting in the specified role(s). Use this property when the entity is a natural person rather than an organization.",
          "$ref": "#/$defs/organizationalContact"
        },
        "organization": {
          "title": "Organization",
          "description": "An organizational entity acting in the specified role(s). Use this property when the entity is an organization, company, department, or other collective body.",
          "$ref": "#/$defs/organizationalEntity"
        },
        "roles": {
          "type": "array",
          "title": "Roles",
          "description": "The role(s) that the entity fulfils. At least one role shall be specified. Multiple roles may be assigned to represent the various capacities in which the entity operates.",
          "minItems": 1,
          "items": {
            "$ref": "#/$defs/role"
          }
        },
        "priority": {
          "type": "integer",
          "title": "Priority",
          "description": "The priority order of this entity relative to other entities with the same role(s). Lower values indicate higher priority. When multiple entities share the same role, priority establishes the preference order. For example, in hardware supply chains, a priority of 1 may indicate the primary supplier, whilst 2 and 3 may indicate first and second alternates respectively. If not specified, no priority order is implied.",
          "minimum": 1,
          "examples": [1, 2, 3]
        }
      },
      "oneOf": [
        {
          "required": ["person"]
        },
        {
          "required": ["organization"]
        }
      ]
    },
    "role": {
      "title": "Role",
      "description": "A role that an entity fulfils. May be a predefined role from the CycloneDX taxonomy or a custom role definition.",
      "oneOf": [
        {
          "type": "string",
          "title": "Predefined Role",
          "description": "A predefined role from the CycloneDX role taxonomy.",
          "enum": [
            "assembler",
            "author",
            "manufacturer",
            "supplier",
            "distributor",
            "repackager",
            "publisher",
            "maintainer",
            "contributor",
            "licensor",
            "licensee",
            "purchaser",
            "owner",
            "custodian",
            "steward",
            "asserter",
            "reviewer",
            "annotator",
            "signatory",
            "committer",
            "auditor",
            "integrator",
            "operator",
            "qualityControl",
            "securityContact",
            "supportContact",
            "legalContact"
          ],
          "meta:enum": {
            "assembler": "The entity that assembles or integrates constituent parts into the subject. Assemblers are common in hardware manufacturing but may also apply to software build and packaging processes.",
            "author": "The entity that created the subject. Authors are common in entities created through manual processes.",
            "manufacturer": "The entity that manufactured or produced the subject. Manufacturers are common in entities created through automated processes.",
            "supplier": "The entity that supplied the subject. The supplier may often be the manufacturer, but may also be a distributor or repackager.",
            "distributor": "The entity that distributes the subject to downstream consumers or customers.",
            "repackager": "The entity that repackages the subject, potentially combining it with other components or modifying its packaging for redistribution.",
            "publisher": "The entity that published the subject, making it available for public or private consumption.",
            "maintainer": "The entity responsible for ongoing maintenance, including updates, patches, and security fixes.",
            "contributor": "An entity that contributed to the development of the subject without being the primary author.",
            "licensor": "The entity that grants a licence for the subject.",
            "licensee": "The entity to which a licence for the subject has been granted.",
            "purchaser": "The entity that purchased the subject or a licence for its use.",
            "owner": "The entity that holds ownership rights over the subject, including responsibility for risk management and access control.",
            "custodian": "The entity responsible for the safe custody, transport, and storage of the subject.",
            "steward": "The entity responsible for the content, context, and associated business rules of the subject.",
            "asserter": "The entity making assertions about the subject, such as patent ownership or compliance claims.",
            "reviewer": "The entity that reviewed the subject or its associated evidence.",
            "annotator": "The entity, component, or service that created annotations or supplementary information about the subject.",
            "signatory": "The entity authorised to sign on behalf of an organization, affirming the validity or accuracy of documentation.",
            "committer": "The entity who committed or pushed changes to a version control system.",
            "auditor": "The entity that conducted an audit or assessment of the subject.",
            "integrator": "The entity that integrates the subject into a larger system or product.",
            "operator": "The entity responsible for operating or running the subject in a production environment.",
            "qualityControl": "The entity responsible for quality control activities, including inspection, testing, and verification to ensure the subject meets specified requirements and standards. Quality control is common in hardware manufacturing but may also apply to software testing and release processes.",
            "securityContact": "The designated entity to contact in the event of a security incident.",
            "supportContact": "The designated entity to contact for technical support.",
            "legalContact": "The designated entity to contact for legal matters."
          }
        },
        {
          "type": "object",
          "title": "Custom Role",
          "description": "A custom role not covered by the predefined taxonomy. Use this structure to define domain-specific or organization-specific roles.",
          "required": ["name"],
          "additionalProperties": false,
          "properties": {
            "name": {
              "type": "string",
              "title": "Role Name",
              "description": "The name of the custom role. Use a concise, descriptive identifier.",
              "examples": ["Chief Executive Officer", "Data Protection Officer", "Release Manager"]
            },
            "description": {
              "type": "string",
              "title": "Role Description",
              "description": "A description of the custom role, including its responsibilities and scope."
            }
          }
        }
      ]
    },
    "entityChoice": {
      "title": "Entity Choice",
      "description": "An entity represented either as a complete object or as a reference to a previously defined entity or other referenceable object within the BOM.",
      "oneOf": [
        {
          "$ref": "#/$defs/entity",
          "title": "Entity"
        },
        {
          "$ref": "#/$defs/refLinkType",
          "title": "Reference",
          "description": "A reference to a previously defined entity, `organizationalContact`, or `organizationalEntity` object in the BOM. The value shall be a valid `bom-ref` pointing to one of these objects."
        }
      ]
    },
    "entities": {
      "type": "array",
      "title": "Entities",
      "description": "A collection of persons and organizations with defined roles in relation to the subject. Each item may be a complete entity object or a reference to a previously defined entity or other referenceable object within the BOM.",
      "items": {
        "$ref": "#/$defs/entityChoice"
      }
    },
    "properties": {
      "type": "array",
      "title": "Properties",
      "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
      "items": {
        "$ref": "#/$defs/property"
      }
    },
    "property": {
      "type": "object",
      "title": "Lightweight name-value pair",
      "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
      "required": [
        "name"
      ],
      "properties": {
        "name": {
          "type": "string",
          "title": "Name",
          "description": "The name of the property. Duplicate names are allowed, each potentially having a different value."
        },
        "value": {
          "type": "string",
          "title": "Value",
          "description": "The value of the property."
        }
      },
      "additionalProperties": false
    },
    "extensibleProperties": {
      "type": "object",
      "title": "Extensible Properties",
      "patternProperties": {
        "^ext:[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}:.+$": {
          "description": "CycloneDX supports a structured and namespace-aware mechanism for extensibility through the use of extensible properties. This mechanism enables organizations, ecosystems, and tool vendors to safely introduce custom properties without conflicting with the core schema or other extensions.\n\nExtensible properties are defined as a JSON object whose keys must conform to a strict pattern that resembles a reverse domain name structure, prefixed with ext:. This pattern provides a namespacing convention that aligns with well-established practices in other structured formats (e.g., XML namespaces).",
          "examples": [
            "ext:<domain>:<name>",
            "ext:example.org:myExtension"
          ],
          "if": {
            "type": ["object", "array"]
          },
          "then": {
            "type": "object",
            "required": ["$schema"],
            "properties": {
              "$schema": {
                "type": "string",
                "format": "uri"
              }
            }
          },
          "else": {
            "type": ["string", "number", "boolean", "null"]
          }
        }
      }
    },
    "baseObject": {
      "description": "Base object for all CycloneDX entities. Automatically includes support for extensible properties.",
      "allOf": [
        { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/extensibleProperties" }
      ],
      "properties": {
        "properties": {
          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
        },
        "externalReferences": {
          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReferences"
        }
      }
    },
    "timestamp": {
      "type": "string",
      "format": "date-time",
      "title": "Timestamp",
      "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
      "description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
    },
    "lifecycle": {
      "type": "object",
      "title": "Lifecycle",
      "description": "The product lifecycle(s) that this BOM represents.",
      "oneOf": [
        {
          "$ref": "#/$defs/preDefinedLifecyclePhase"
        },
        {
          "title": "Custom Lifecycle Phase",
          "required": ["name"],
          "additionalProperties": false,
          "properties": {
            "name": {
              "type": "string",
              "title": "Name",
              "description": "The name of the lifecycle phase"
            },
            "description": {
              "type": "string",
              "title": "Description",
              "description": "The description of the lifecycle phase"
            }
          }
        }
      ]
    },
    "lifecycles": {
      "type": "array",
      "title": "Lifecycles",
      "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.",
      "items": { "$ref":  "#/$defs/lifecycle"}
    },
    "preDefinedLifecyclePhase": {
      "title": "Pre-Defined Phase",
      "required": ["phase"],
      "additionalProperties": false,
      "properties": {
        "phase": {
          "type": "string",
          "title": "Phase",
          "description": "A pre-defined phase in the product lifecycle.",
          "enum": [
            "design",
            "pre-build",
            "build",
            "post-build",
            "operations",
            "discovery",
            "decommission"
          ],
          "meta:enum": {
            "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.",
            "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.",
            "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.",
            "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.",
            "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.",
            "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.",
            "decommission": "BOM containing inventory that will be, or has been retired from operations."
          }
        }
      }
    },
    "tags": {
      "type": "array",
      "items": {
        "type": "string"
      },
      "title": "Tags",
      "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.",
      "examples": [
        "json-parser",
        "object-persistence",
        "text-to-image",
        "translation",
        "object-detection"
      ]
    },
    "commit": {
      "type": "object",
      "title": "Commit",
      "description": "Specifies an individual commit",
      "additionalProperties": false,
      "properties": {
        "uid": {
          "type": "string",
          "title": "UID",
          "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes."
        },
        "url": {
          "type": "string",
          "title": "URL",
          "description": "The URL to the commit. This URL will typically point to a commit in a version control system.",
          "format": "iri-reference"
        },
        "author": {
          "title": "Author",
          "description": "The author who created the changes in the commit",
          "$ref": "#/$defs/identifiableAction"
        },
        "committer": {
          "title": "Committer",
          "description": "The person who committed or pushed the commit",
          "$ref": "#/$defs/identifiableAction"
        },
        "message": {
          "type": "string",
          "title": "Message",
          "description": "The text description of the contents of the commit"
        }
      }
    },
    "patch": {
      "type": "object",
      "title": "Patch",
      "description": "Specifies an individual patch",
      "required": [
        "type"
      ],
      "additionalProperties": false,
      "properties": {
        "type": {
          "type": "string",
          "enum": [
            "unofficial",
            "monkey",
            "backport",
            "cherry-pick"
          ],
          "meta:enum": {
            "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).",
            "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).",
            "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).",
            "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software."
          },
          "title": "Patch Type",
          "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality."
        },
        "diff": {
          "title": "Diff",
          "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)",
          "$ref": "#/$defs/diff"
        },
        "resolves": {
          "type": "array",
          "items": {"$ref": "#/$defs/issue"},
          "title": "Resolves",
          "description": "A collection of issues the patch resolves"
        }
      }
    },
    "diff": {
      "type": "object",
      "title": "Diff",
      "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff",
      "additionalProperties": false,
      "properties": {
        "text": {
          "title": "Diff text",
          "description": "Specifies the optional text of the diff",
          "$ref": "#/$defs/attachment"
        },
        "url": {
          "type": "string",
          "title": "URL",
          "description": "Specifies the URL to the diff",
          "format": "iri-reference"
        }
      }
    },
    "issue": {
      "type": "object",
      "title": "Issue",
      "description": "An individual issue that has been resolved.",
      "required": [
        "type"
      ],
      "additionalProperties": false,
      "properties": {
        "type": {
          "type": "string",
          "enum": [
            "defect",
            "enhancement",
            "security"
          ],
          "meta:enum": {
            "defect": "A fault, flaw, or bug in software.",
            "enhancement": "A new feature or behavior in software.",
            "security": "A special type of defect which impacts security."
          },
          "title": "Issue Type",
          "description": "Specifies the type of issue"
        },
        "id": {
          "type": "string",
          "title": "Issue ID",
          "description": "The identifier of the issue assigned by the source of the issue"
        },
        "name": {
          "type": "string",
          "title": "Issue Name",
          "description": "The name of the issue"
        },
        "description": {
          "type": "string",
          "title": "Issue Description",
          "description": "A description of the issue"
        },
        "source": {
          "type": "object",
          "title": "Source",
          "description": "The source of the issue where it is documented",
          "additionalProperties": false,
          "properties": {
            "name": {
              "type": "string",
              "title": "Name",
              "description": "The name of the source.",
              "examples": [
                "National Vulnerability Database",
                "NVD",
                "Apache"
              ]
            },
            "url": {
              "type": "string",
              "title": "URL",
              "description": "The url of the issue documentation as provided by the source",
              "format": "iri-reference"
            }
          }
        },
        "references": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "iri-reference"
          },
          "title": "References",
          "description": "A collection of URL's for reference. Multiple URLs are allowed.",
          "examples": ["https://example.com"]
        }
      }
    },
    "identifiableAction": {
      "type": "object",
      "title": "Identifiable Action",
      "description": "Specifies an individual commit",
      "additionalProperties": false,
      "properties": {
        "timestamp": {
          "type": "string",
          "format": "date-time",
          "title": "Timestamp",
          "description": "The timestamp in which the action occurred"
        },
        "name": {
          "type": "string",
          "title": "Name",
          "description": "The name of the individual who performed the action"
        },
        "email": {
          "type": "string",
          "format": "idn-email",
          "title": "E-mail",
          "description": "The email address of the individual who performed the action"
        }
      }
    },
    "locale": {
      "type": "string",
      "pattern": "^([a-z]{2})(-[A-Z]{2})?$",
      "title": "Locale",
      "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA"
    },
    "signature": {
      "$ref": "../jsf-0.82.schema.json#/definitions/signature",
      "title": "Signature",
      "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
    }
  }
}