From db82280cc7b06c07430051a8502c0c5e61967062 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 27 Jun 2023 16:02:51 -0500 Subject: [PATCH 001/217] Init of v1.6 Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 1487 +++++ schema/bom-1.6.schema.json | 3799 ++++++++++++ schema/bom-1.6.xsd | 5464 +++++++++++++++++ .../resources/1.6/invalid-bomformat-1.6.json | 8 + .../1.6/invalid-component-ref-1.6.json | 26 + .../1.6/invalid-component-ref-1.6.xml | 21 + .../1.6/invalid-component-swid-1.6.json | 18 + .../1.6/invalid-component-swid-1.6.xml | 11 + .../1.6/invalid-component-type-1.6.json | 13 + .../1.6/invalid-component-type-1.6.xml | 9 + .../resources/1.6/invalid-dependency-1.6.json | 43 + .../resources/1.6/invalid-dependency-1.6.xml | 31 + .../1.6/invalid-empty-component-1.6.json | 11 + .../1.6/invalid-empty-component-1.6.xml | 7 + .../resources/1.6/invalid-hash-alg-1.6.json | 32 + .../resources/1.6/invalid-hash-alg-1.6.xml | 16 + .../resources/1.6/invalid-hash-md5-1.6.json | 32 + .../resources/1.6/invalid-hash-md5-1.6.xml | 16 + .../resources/1.6/invalid-hash-sha1-1.6.json | 32 + .../resources/1.6/invalid-hash-sha1-1.6.xml | 16 + .../1.6/invalid-hash-sha256-1.6.json | 32 + .../resources/1.6/invalid-hash-sha256-1.6.xml | 16 + .../1.6/invalid-hash-sha512-1.6.json | 32 + .../resources/1.6/invalid-hash-sha512-1.6.xml | 16 + .../resources/1.6/invalid-issue-type-1.6.json | 48 + .../resources/1.6/invalid-issue-type-1.6.xml | 37 + .../1.6/invalid-license-choice-1.6.json | 23 + .../1.6/invalid-license-choice-1.6.xml | 26 + .../1.6/invalid-license-encoding-1.6.json | 28 + .../1.6/invalid-license-encoding-1.6.xml | 27 + .../resources/1.6/invalid-license-id-1.6.json | 22 + .../resources/1.6/invalid-license-id-1.6.xml | 27 + .../1.6/invalid-license-id-count-1.6.xml | 27 + .../1.6/invalid-license-name-count-1.6.xml | 27 + .../1.6/invalid-metadata-license-1.6.json | 16 + .../1.6/invalid-metadata-license-1.6.xml | 11 + .../1.6/invalid-metadata-timestamp-1.6.json | 10 + .../1.6/invalid-metadata-timestamp-1.6.xml | 7 + .../invalid-missing-component-type-1.6.json | 12 + .../invalid-missing-component-type-1.6.xml | 9 + .../resources/1.6/invalid-namespace-1.6.xml | 118 + .../resources/1.6/invalid-patch-type-1.6.json | 48 + .../resources/1.6/invalid-patch-type-1.6.xml | 37 + .../test/resources/1.6/invalid-scope-1.6.json | 14 + .../test/resources/1.6/invalid-scope-1.6.xml | 10 + .../1.6/invalid-serialnumber-1.6.json | 8 + .../1.6/invalid-serialnumber-1.6.xml | 118 + .../1.6/invalid-service-data-1.6.json | 20 + .../1.6/invalid-service-data-1.6.xml | 11 + .../resources/1.6/valid-annotation-1.6.json | 102 + .../1.6/valid-annotation-1.6.textproto | 94 + .../resources/1.6/valid-annotation-1.6.xml | 87 + .../resources/1.6/valid-assembly-1.6.json | 30 + .../1.6/valid-assembly-1.6.textproto | 19 + .../test/resources/1.6/valid-assembly-1.6.xml | 25 + .../src/test/resources/1.6/valid-bom-1.6.json | 177 + .../resources/1.6/valid-bom-1.6.textproto | 150 + .../src/test/resources/1.6/valid-bom-1.6.xml | 181 + .../1.6/valid-component-hashes-1.6.json | 63 + .../1.6/valid-component-hashes-1.6.textproto | 56 + .../1.6/valid-component-hashes-1.6.xml | 23 + .../1.6/valid-component-ref-1.6.json | 20 + .../1.6/valid-component-ref-1.6.textproto | 15 + .../resources/1.6/valid-component-ref-1.6.xml | 19 + .../1.6/valid-component-swid-1.6.json | 19 + .../1.6/valid-component-swid-1.6.textproto | 14 + .../1.6/valid-component-swid-1.6.xml | 11 + .../1.6/valid-component-swid-full-1.6.json | 24 + .../valid-component-swid-full-1.6.textproto | 19 + .../1.6/valid-component-swid-full-1.6.xml | 13 + .../1.6/valid-component-types-1.6.json | 48 + .../1.6/valid-component-types-1.6.textproto | 43 + .../1.6/valid-component-types-1.6.xml | 37 + .../resources/1.6/valid-compositions-1.6.json | 80 + .../1.6/valid-compositions-1.6.textproto | 61 + .../resources/1.6/valid-compositions-1.6.xml | 65 + .../resources/1.6/valid-dependency-1.6.json | 38 + .../1.6/valid-dependency-1.6.textproto | 30 + .../resources/1.6/valid-dependency-1.6.xml | 23 + .../1.6/valid-empty-components-1.6.json | 8 + .../1.6/valid-empty-components-1.6.textproto | 3 + .../1.6/valid-empty-components-1.6.xml | 5 + .../resources/1.6/valid-evidence-1.6.json | 110 + .../1.6/valid-evidence-1.6.textproto | 102 + .../test/resources/1.6/valid-evidence-1.6.xml | 92 + .../1.6/valid-external-elements-1.6.xml | 158 + .../1.6/valid-external-reference-1.6.json | 38 + .../valid-external-reference-1.6.textproto | 29 + .../1.6/valid-external-reference-1.6.xml | 27 + .../resources/1.6/valid-formulation-1.6.json | 294 + .../1.6/valid-formulation-1.6.textproto | 336 + .../resources/1.6/valid-formulation-1.6.xml | 251 + .../1.6/valid-license-expression-1.6.json | 21 + .../valid-license-expression-1.6.textproto | 13 + .../1.6/valid-license-expression-1.6.xml | 25 + .../resources/1.6/valid-license-id-1.6.json | 23 + .../1.6/valid-license-id-1.6.textproto | 15 + .../resources/1.6/valid-license-id-1.6.xml | 25 + .../1.6/valid-license-licensing-1.6.json | 55 + .../1.6/valid-license-licensing-1.6.textproto | 51 + .../1.6/valid-license-licensing-1.6.xml | 49 + .../resources/1.6/valid-license-name-1.6.json | 23 + .../1.6/valid-license-name-1.6.textproto | 15 + .../resources/1.6/valid-license-name-1.6.xml | 25 + .../1.6/valid-machine-learning-1.6.json | 92 + .../1.6/valid-machine-learning-1.6.textproto | 63 + .../1.6/valid-machine-learning-1.6.xml | 92 + .../1.6/valid-metadata-author-1.6.json | 16 + .../1.6/valid-metadata-author-1.6.textproto | 10 + .../1.6/valid-metadata-author-1.6.xml | 13 + .../1.6/valid-metadata-license-1.6.json | 16 + .../1.6/valid-metadata-license-1.6.textproto | 10 + .../1.6/valid-metadata-license-1.6.xml | 11 + .../1.6/valid-metadata-lifecycle-1.6.json | 21 + .../valid-metadata-lifecycle-1.6.textproto | 17 + .../1.6/valid-metadata-lifecycle-1.6.xml | 18 + .../1.6/valid-metadata-manufacture-1.6.json | 23 + .../valid-metadata-manufacture-1.6.textproto | 15 + .../1.6/valid-metadata-manufacture-1.6.xml | 14 + .../1.6/valid-metadata-supplier-1.6.json | 23 + .../1.6/valid-metadata-supplier-1.6.textproto | 15 + .../1.6/valid-metadata-supplier-1.6.xml | 14 + .../1.6/valid-metadata-timestamp-1.6.json | 10 + .../valid-metadata-timestamp-1.6.textproto | 9 + .../1.6/valid-metadata-timestamp-1.6.xml | 7 + .../1.6/valid-metadata-tool-1.6.json | 47 + .../1.6/valid-metadata-tool-1.6.textproto | 37 + .../resources/1.6/valid-metadata-tool-1.6.xml | 35 + .../valid-metadata-tool-deprecated-1.6.json | 26 + ...lid-metadata-tool-deprecated-1.6.textproto | 18 + .../valid-metadata-tool-deprecated-1.6.xml | 17 + .../1.6/valid-minimal-viable-1.6.json | 12 + .../1.6/valid-minimal-viable-1.6.textproto | 7 + .../1.6/valid-minimal-viable-1.6.xml | 8 + .../test/resources/1.6/valid-patch-1.6.json | 88 + .../resources/1.6/valid-patch-1.6.textproto | 71 + .../test/resources/1.6/valid-patch-1.6.xml | 70 + .../resources/1.6/valid-properties-1.6.json | 80 + .../1.6/valid-properties-1.6.textproto | 61 + .../resources/1.6/valid-properties-1.6.xml | 45 + .../1.6/valid-random-attributes-1.6.xml | 118 + .../1.6/valid-release-notes-1.6.json | 194 + .../1.6/valid-release-notes-1.6.textproto | 117 + .../resources/1.6/valid-release-notes-1.6.xml | 149 + .../test/resources/1.6/valid-saasbom-1.6.json | 303 + .../resources/1.6/valid-saasbom-1.6.textproto | 204 + .../test/resources/1.6/valid-saasbom-1.6.xml | 239 + .../test/resources/1.6/valid-service-1.6.json | 101 + .../resources/1.6/valid-service-1.6.textproto | 76 + .../test/resources/1.6/valid-service-1.6.xml | 66 + .../1.6/valid-service-empty-objects-1.6.json | 22 + .../valid-service-empty-objects-1.6.textproto | 9 + .../1.6/valid-service-empty-objects-1.6.xml | 16 + .../resources/1.6/valid-signatures-1.6.json | 78 + .../1.6/valid-vulnerability-1.6.json | 169 + .../1.6/valid-vulnerability-1.6.textproto | 161 + .../resources/1.6/valid-vulnerability-1.6.xml | 151 + .../resources/1.6/valid-xml-signature-1.6.xml | 177 + 158 files changed, 18789 insertions(+) create mode 100644 schema/bom-1.6.proto create mode 100644 schema/bom-1.6.schema.json create mode 100644 schema/bom-1.6.xsd create mode 100644 tools/src/test/resources/1.6/invalid-bomformat-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-component-ref-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-component-ref-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-component-swid-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-component-swid-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-component-type-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-component-type-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-dependency-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-dependency-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-empty-component-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-empty-component-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-hash-alg-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-hash-alg-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-hash-md5-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-hash-md5-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-hash-sha1-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-hash-sha1-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-hash-sha256-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-hash-sha256-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-hash-sha512-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-hash-sha512-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-issue-type-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-issue-type-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-license-choice-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-license-choice-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-license-encoding-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-license-encoding-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-license-id-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-license-id-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-license-name-count-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-metadata-license-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-metadata-license-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-missing-component-type-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-missing-component-type-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-namespace-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-patch-type-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-patch-type-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-scope-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-scope-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-serialnumber-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-serialnumber-1.6.xml create mode 100644 tools/src/test/resources/1.6/invalid-service-data-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-service-data-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-annotation-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-annotation-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-annotation-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-assembly-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-assembly-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-assembly-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-bom-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-bom-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-bom-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-component-hashes-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-hashes-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-hashes-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-component-ref-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-ref-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-ref-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-component-swid-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-swid-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-swid-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-component-swid-full-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-swid-full-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-swid-full-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-component-types-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-types-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-types-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-compositions-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-compositions-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-compositions-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-dependency-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-dependency-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-dependency-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-empty-components-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-empty-components-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-empty-components-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-evidence-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-evidence-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-evidence-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-external-elements-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-external-reference-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-external-reference-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-external-reference-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-formulation-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-formulation-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-formulation-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-license-expression-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-license-expression-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-license-expression-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-license-id-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-license-id-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-license-id-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-license-licensing-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-license-licensing-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-license-licensing-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-license-name-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-license-name-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-license-name-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-machine-learning-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-machine-learning-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-machine-learning-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-author-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-author-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-author-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-license-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-license-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-license-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-supplier-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-supplier-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-supplier-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-tool-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-tool-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-tool-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-minimal-viable-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-minimal-viable-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-minimal-viable-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-patch-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-patch-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-patch-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-properties-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-properties-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-properties-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-random-attributes-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-release-notes-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-release-notes-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-release-notes-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-saasbom-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-saasbom-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-saasbom-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-service-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-service-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-service-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-service-empty-objects-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-service-empty-objects-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-service-empty-objects-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-signatures-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-vulnerability-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-vulnerability-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-vulnerability-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-xml-signature-1.6.xml diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto new file mode 100644 index 00000000..a02e9b20 --- /dev/null +++ b/schema/bom-1.6.proto @@ -0,0 +1,1487 @@ +syntax = "proto3"; +package cyclonedx.v1_6; +import "google/protobuf/timestamp.proto"; + +// Specifies attributes of the text +message AttachedText { + // Specifies the content type of the text. Defaults to 'text/plain' if not specified. + optional string content_type = 1; + // Specifies the optional encoding the text is represented in + optional string encoding = 2; + // SimpleContent value of element. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + string value = 3; +} + +message Bom { + // The version of the CycloneDX specification a BOM is written to (starting at version 1.3) + string spec_version = 1; + // The version allows component publishers/authors to make changes to existing BOMs to update various aspects of the document such as description or licenses. When a system is presented with multiple BOMs for the same component, the system should use the most recent version of the BOM. The default version is '1' and should be incremented for each version of the BOM that is published. Each version of a component should have a unique BOM and if no changes are made to the BOMs, then each BOM will have a version of '1'. + optional int32 version = 2; + // Every BOM generated should have a unique serial number, even if the contents of the BOM being generated have not changed over time. The process or tool responsible for creating the BOM should create random UUID's for every BOM generated. + optional string serial_number = 3; + // Provides additional information about a BOM. + optional Metadata metadata = 4; + // Provides the ability to document a list of components. + repeated Component components = 5; + // Provides the ability to document a list of external services. + repeated Service services = 6; + // Provides the ability to document external references related to the BOM or to the project the BOM describes. + repeated ExternalReference external_references = 7; + // Provides the ability to document dependency relationships. + repeated Dependency dependencies = 8; + // Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + repeated Composition compositions = 9; + // Vulnerabilities identified in components or services. + repeated Vulnerability vulnerabilities = 10; + // Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders. + repeated Annotation annotations = 11; + // Specifies optional, custom, properties + repeated Property properties = 12; + // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process. + repeated Formula formulation = 13; +} + +enum Classification { + CLASSIFICATION_NULL = 0; + // A software application. Refer to https://en.wikipedia.org/wiki/Application_software for information about applications. + CLASSIFICATION_APPLICATION = 1; + // A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework for information on how frameworks vary slightly from libraries. + CLASSIFICATION_FRAMEWORK = 2; + // A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended. + CLASSIFICATION_LIBRARY = 3; + // A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to https://en.wikipedia.org/wiki/Operating_system + CLASSIFICATION_OPERATING_SYSTEM = 4; + // A hardware device such as a processor, or chip-set. A hardware device containing firmware should include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + CLASSIFICATION_DEVICE = 5; + // A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file for information about files. + CLASSIFICATION_FILE = 6; + // A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + CLASSIFICATION_CONTAINER = 7; + // A special type of software that provides low-level control over a devices hardware. Refer to https://en.wikipedia.org/wiki/Firmware + CLASSIFICATION_FIRMWARE = 8; + // A special type of software that operates or controls a particular type of device. Refer to https://en.wikipedia.org/wiki/Device_driver + CLASSIFICATION_DEVICE_DRIVER = 9; + // A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms. + CLASSIFICATION_PLATFORM = 10; + // A model based on training data that can make predictions or decisions without being explicitly programmed to do so. + CLASSIFICATION_MACHINE_LEARNING_MODEL = 11; + // A collection of discrete values that convey information. + CLASSIFICATION_DATA = 12; +} + +message Commit { + // A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + optional string uid = 1; + // The URL to the commit. This URL will typically point to a commit in a version control system. + optional string url = 2; + // The author who created the changes in the commit + optional IdentifiableAction author = 3; + // The person who committed or pushed the commit + optional IdentifiableAction committer = 4; + // The text description of the contents of the commit + optional string message = 5; +} + +message Component { + // Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. + Classification type = 1; + // The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type. + optional string mime_type = 2; + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 3; + // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. + optional OrganizationalEntity supplier = 4; + // The person(s) or organization(s) that authored the component + optional string author = 5; + // The person(s) or organization(s) that published the component + optional string publisher = 6; + // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org. + optional string group = 7; + // The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery + string name = 8; + // The component version. The version should ideally comply with semantic versioning but is not enforced. Version was made optional in v1.4 of the spec. For backward compatibility, it is RECOMMENDED to use an empty string to represent components without version information. + string version = 9; + // Specifies a description for the component + optional string description = 10; + // Specifies the scope of the component. If scope is not specified, SCOPE_REQUIRED scope should be assumed by the consumer of the BOM + optional Scope scope = 11; + repeated Hash hashes = 12; + repeated LicenseChoice licenses = 13; + // An optional copyright notice informing users of the underlying claims to copyright ownership in a published work. + optional string copyright = 14; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Specifies a well-formed CPE name. See https://nvd.nist.gov/products/cpe + optional string cpe = 15; + // Specifies the package-url (PURL). The purl, if specified, must be valid and conform to the specification defined at: https://github.com/package-url/purl-spec + optional string purl = 16; + // Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + optional Swid swid = 17; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating is the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original. + optional bool modified = 18; + // Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. + optional Pedigree pedigree = 19; + // Provides the ability to document external references related to the component or to the project the component describes. + repeated ExternalReference external_references = 20; + // Specifies optional sub-components. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + repeated Component components = 21; + // Specifies optional, custom, properties + repeated Property properties = 22; + // Specifies optional license and copyright evidence + repeated Evidence evidence = 23; + // Specifies optional release notes. + optional ReleaseNotes releaseNotes = 24; + // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. + optional ModelCard modelCard = 25; + // This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types. + optional ComponentData data = 26; +} + +// Specifies the data flow. +message DataFlow { + // Specifies the flow direction of the data. + DataFlowDirection flow = 1; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + string value = 2; + // Name for the defined data + optional string name = 3; + // Short description of the data content and usage + optional string description = 4; + // The URI, URL, or BOM-Link of the components or services the data came in from + repeated string source = 5; + // The URI, URL, or BOM-Link of the components or services the data is sent to + repeated string destination = 6; + // Data Governance + optional DataGovernance governance = 7; +} + +// Specifies the flow direction of the data. Valid values are: inbound, outbound, bi-directional, and unknown. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known. +enum DataFlowDirection { + DATA_FLOW_NULL = 0; + DATA_FLOW_INBOUND = 1; + DATA_FLOW_OUTBOUND = 2; + DATA_FLOW_BI_DIRECTIONAL = 3; + DATA_FLOW_UNKNOWN = 4; +} + +message Dependency { + // References a component or service by the its bom-ref attribute + string ref = 1; + repeated Dependency dependencies = 2; +} + +message Diff { + // Specifies the optional text of the diff + optional AttachedText text = 1; + // Specifies the URL to the diff + optional string url = 2; +} + +message ExternalReference { + // Specifies the type of external reference. There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the "other" type. + ExternalReferenceType type = 1; + // The URL to the external reference + string url = 2; + // An optional comment describing the external reference + optional string comment = 3; + // Optional integrity hashes for the external resource content + repeated Hash hashes = 4; +} + +enum ExternalReferenceType { + // Use this if no other types accurately describe the purpose of the external reference + EXTERNAL_REFERENCE_TYPE_OTHER = 0; + // Version Control System + EXTERNAL_REFERENCE_TYPE_VCS = 1; + // Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER = 2; + // Website + EXTERNAL_REFERENCE_TYPE_WEBSITE = 3; + // Security advisories + EXTERNAL_REFERENCE_TYPE_ADVISORIES = 4; + // Bill-of-material document (CycloneDX, SPDX, SWID, etc) + EXTERNAL_REFERENCE_TYPE_BOM = 5; + // Mailing list or discussion group + EXTERNAL_REFERENCE_TYPE_MAILING_LIST = 6; + // Social media account + EXTERNAL_REFERENCE_TYPE_SOCIAL = 7; + // Real-time chat platform + EXTERNAL_REFERENCE_TYPE_CHAT = 8; + // Documentation, guides, or how-to instructions + EXTERNAL_REFERENCE_TYPE_DOCUMENTATION = 9; + // Community or commercial support + EXTERNAL_REFERENCE_TYPE_SUPPORT = 10; + // Direct or repository download location + EXTERNAL_REFERENCE_TYPE_DISTRIBUTION = 11; + // The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness + EXTERNAL_REFERENCE_TYPE_LICENSE = 12; + // Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + EXTERNAL_REFERENCE_TYPE_BUILD_META = 13; + // URL to an automated build system + EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14; + // Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT. + EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15; + // Human or machine-readable statements containing facts, evidence, or testimony + EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16; + // An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + EXTERNAL_REFERENCE_TYPE_THREAT_MODEL = 17; + // The defined assumptions, goals, and capabilities of an adversary. + EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL = 18; + // Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT = 19; + // The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE = 20; + // A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product + EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION = 21; + // A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization + EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT = 22; + // Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT = 23; + // SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT = 24; + // Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT = 25; + // Report generated by analyzing the call stack of a running application + EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT = 26; + // Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT = 27; + // Report containing a formal assessment of an organization, business unit, or team against a maturity model + EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT = 28; + // Industry, regulatory, or other certification from an accredited (if applicable) certification body + EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT = 29; + // Report or system in which quality metrics can be obtained + EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS = 30; + // Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31; + // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. + EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32; + // Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + EXTERNAL_REFERENCE_TYPE_POAM = 33; + // A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + EXTERNAL_REFERENCE_TYPE_LOG = 34; + // Parameters or settings that may be used by other components or services. + EXTERNAL_REFERENCE_TYPE_CONFIGURATION = 35; + // Information used to substantiate a claim. + EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; + // Describes how a component or service was manufactured or deployed. + EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; +} + +enum HashAlg { + HASH_ALG_NULL = 0; + HASH_ALG_MD_5 = 1; + HASH_ALG_SHA_1 = 2; + HASH_ALG_SHA_256 = 3; + HASH_ALG_SHA_384 = 4; + HASH_ALG_SHA_512 = 5; + HASH_ALG_SHA_3_256 = 6; + HASH_ALG_SHA_3_384 = 7; + HASH_ALG_SHA_3_512 = 8; + HASH_ALG_BLAKE_2_B_256 = 9; + HASH_ALG_BLAKE_2_B_384 = 10; + HASH_ALG_BLAKE_2_B_512 = 11; + HASH_ALG_BLAKE_3 = 12; +} + +// Specifies the file hash of the component +message Hash { + // Specifies the algorithm used to create the hash + HashAlg alg = 1; + // SimpleContent value of element + string value = 2; +} + +message IdentifiableAction { + // The timestamp in which the action occurred + optional google.protobuf.Timestamp timestamp = 1; + // The name of the individual who performed the action + optional string name = 2; + // The email address of the individual who performed the action + optional string email = 3; +} + +enum IssueClassification { + ISSUE_CLASSIFICATION_NULL = 0; + // A fault, flaw, or bug in software + ISSUE_CLASSIFICATION_DEFECT = 1; + // A new feature or behavior in software + ISSUE_CLASSIFICATION_ENHANCEMENT = 2; + // A special type of defect which impacts security + ISSUE_CLASSIFICATION_SECURITY = 3; +} + +message Issue { + // Specifies the type of issue + IssueClassification type = 1; + // The identifier of the issue assigned by the source of the issue + optional string id = 2; + // The name of the issue + optional string name = 3; + // A description of the issue + optional string description = 4; + optional Source source = 5; + repeated string references = 6; +} + +// The source of the issue where it is documented. +message Source { + // The name of the source. For example "National Vulnerability Database", "NVD", and "Apache" + optional string name = 1; + // The url of the issue documentation as provided by the source + optional string url = 2; +} + +message LicenseChoice { + oneof choice { + License license = 1; + string expression = 2; + } +} + +message License { + oneof license { + // A valid SPDX license ID + string id = 1; + // If SPDX does not define the license used, this field may be used to provide the license name + string name = 2; + } + // Specifies the optional full text of the attachment + optional AttachedText text = 3; + // The URL to the attachment file. If the attachment is a license or BOM, an externalReference should also be specified for completeness. + optional string url = 4; + // An optional identifier which can be used to reference the license elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 5; + // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata + optional Licensing licensing = 6; + // Specifies optional, custom, properties + repeated Property properties = 7; +} + +message Licensing { + // License identifiers that may be used to manage licenses and their lifecycle + repeated string altIds = 1; + // The individual or organization that grants a license to another individual or organization + optional OrganizationalEntityOrContact licensor = 2; + // The individual or organization for which a license was granted to + optional OrganizationalEntityOrContact licensee = 3; + // The individual or organization that purchased the license + optional OrganizationalEntityOrContact purchaser = 4; + // The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase + optional string purchaseOrder = 5; + // The type of license(s) that was granted to the licensee + repeated LicensingTypeEnum licenseTypes = 6; + // The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed. + optional google.protobuf.Timestamp lastRenewal = 7; + // The timestamp indicating when the current license expires (if applicable). + optional google.protobuf.Timestamp expiration = 8; +} + +message OrganizationalEntityOrContact { + oneof choice { + OrganizationalEntity organization = 1; + OrganizationalContact individual = 2; + } +} + +enum LicensingTypeEnum { + LICENSING_TYPE_NULL = 0; + // A license that grants use of software solely for the purpose of education or research. + LICENSING_TYPE_ACADEMIC = 1; + // A license covering use of software embedded in a specific piece of hardware. + LICENSING_TYPE_APPLIANCE = 2; + // A Client Access License (CAL) allows client computers to access services provided by server software. + LICENSING_TYPE_CLIENT_ACCESS = 3; + // A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users. + LICENSING_TYPE_CONCURRENT_USER = 4; + // A license where the core of a computer's processor is assigned a specific number of points. + LICENSING_TYPE_CORE_POINTS = 5; + // A license for which consumption is measured by non-standard metrics. + LICENSING_TYPE_CUSTOM_METRIC = 6; + // A license that covers a defined number of installations on computers and other types of devices. + LICENSING_TYPE_DEVICE = 7; + // A license that grants permission to install and use software for trial purposes. + LICENSING_TYPE_EVALUATION = 8; + // A license that grants access to the software to one or more pre-defined users. + LICENSING_TYPE_NAMED_USER = 9; + // A license that grants access to the software on one or more pre-defined computers or devices. + LICENSING_TYPE_NODE_LOCKED = 10; + // An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware. + LICENSING_TYPE_OEM = 11; + // A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely. + LICENSING_TYPE_PERPETUAL = 12; + // A license where each installation consumes points per processor. + LICENSING_TYPE_PROCESSOR_POINTS = 13; + // A license where the licensee pays a fee to use the software or service. + LICENSING_TYPE_SUBSCRIPTION = 14; + // A license that grants access to the software or service by a specified number of users. + LICENSING_TYPE_USER = 15; + // Another license type. + LICENSING_TYPE_OTHER = 16; +} + +message Metadata { + // The date and time (timestamp) when the document was created. + optional google.protobuf.Timestamp timestamp = 1; + // The tool(s) used in the creation of the BOM. + optional Tool tools = 2; + // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors. + repeated OrganizationalContact authors = 3; + // The component that the BOM describes. + optional Component component = 4; + // The organization that manufactured the component that the BOM describes. + optional OrganizationalEntity manufacture = 5; + // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. + optional OrganizationalEntity supplier = 6; + // The license information for the BOM document + optional LicenseChoice licenses = 7; + // Specifies optional, custom, properties + repeated Property properties = 8; + // The product lifecycle(s) that this BOM represents. + repeated Lifecycles lifecycles = 9; +} + +message Lifecycles { + oneof choice { + // A pre-defined phase in the product lifecycle. + LifecyclePhase phase = 1; + // The name of the lifecycle phase + string name = 2; + } + // The description of the lifecycle phase + optional string description = 3; +} + +enum LifecyclePhase { + // BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use. + LIFECYCLE_PHASE_DESIGN = 0; + // BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use. + LIFECYCLE_PHASE_PRE_BUILD = 1; + // BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from. + LIFECYCLE_PHASE_BUILD = 2; + // BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device. + LIFECYCLE_PHASE_POST_BUILD = 3; + // BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies. + LIFECYCLE_PHASE_OPERATIONS = 4; + // BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions. + LIFECYCLE_PHASE_DISCOVERY = 5; + // BOM containing inventory that will be, or has been retired from operations. + LIFECYCLE_PHASE_DECOMMISSION = 6; +} + +message OrganizationalContact { + // The name of the contact + optional string name = 1; + // The email address of the contact. + optional string email = 2; + // The phone number of the contact. + optional string phone = 3; + // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 4; +} + +message OrganizationalEntity { + // The name of the organization + optional string name = 1; + // The URL of the organization. Multiple URLs are allowed. + repeated string url = 2; + // A contact person at the organization. Multiple contacts are allowed. + repeated OrganizationalContact contact = 3; + // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 4; +} + +enum PatchClassification { + PATCH_CLASSIFICATION_NULL = 0; + // A patch which is not developed by the creators or maintainers of the software being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + PATCH_CLASSIFICATION_UNOFFICIAL = 1; + // A patch which dynamically modifies runtime behavior. Refer to https://en.wikipedia.org/wiki/Monkey_patch + PATCH_CLASSIFICATION_MONKEY = 2; + // A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + PATCH_CLASSIFICATION_BACKPORT = 3; + // A patch created by selectively applying commits from other versions or branches of the same software. + PATCH_CLASSIFICATION_CHERRY_PICK = 4; +} + +message Patch { + // Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality + PatchClassification type = 1; + // The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff + optional Diff diff = 2; + repeated Issue resolves = 3; +} + +// Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known. +message Pedigree { + // Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from. + repeated Component ancestors = 1; + // Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component. + repeated Component descendants = 2; + // Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor. + repeated Component variants = 3; + // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant. + repeated Commit commits = 4; + // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits. + repeated Patch patches = 5; + // Notes, observations, and other non-structured commentary describing the components pedigree. + optional string notes = 6; +} + +enum Scope { + // Default + SCOPE_UNSPECIFIED = 0; + // The component is required for runtime + SCOPE_REQUIRED = 1; + // The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'. + SCOPE_OPTIONAL = 2; + // Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime. + SCOPE_EXCLUDED = 3; +} + +message Service { + // An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The organization that provides the service. + optional OrganizationalEntity provider = 2; + // The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided. + optional string group = 3; + // The name of the service. This will often be a shortened, single name of the service. + string name = 4; + // The service version. + optional string version = 5; + // Specifies a description for the service. + optional string description = 6; + repeated string endpoints = 7; + // A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication. + optional bool authenticated = 8; + // A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed. + optional bool x_trust_boundary = 9; + repeated DataFlow data = 10; + repeated LicenseChoice licenses = 11; + // Provides the ability to document external references related to the service. + repeated ExternalReference external_references = 12; + // Specifies optional sub-service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + repeated Service services = 13; + // Specifies optional, custom, properties + repeated Property properties = 14; + // Specifies optional release notes. + optional ReleaseNotes releaseNotes = 15; + // The name of the trust zone the service resides in. + optional string trustZone = 16; +} + +message Swid { + // Maps to the tagId of a SoftwareIdentity. + string tag_id = 1; + // Maps to the name of a SoftwareIdentity. + string name = 2; + // Maps to the version of a SoftwareIdentity. Defaults to '0.0' if not specified. + optional string version = 3; + // Maps to the tagVersion of a SoftwareIdentity. Defaults to '0' if not specified. + optional int32 tag_version = 4; + // Maps to the patch of a SoftwareIdentity. Defaults to 'false' if not specified. + optional bool patch = 5; + // Specifies the full content of the SWID tag. + optional AttachedText text = 6; + // The URL to the SWID file. + optional string url = 7; +} + +// Specifies a tool (manual or automated). +message Tool { + // DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM. + optional string vendor = 1 [deprecated = true]; + // DEPRECATED - DO NOT USE - The name of the tool used to create the BOM. + optional string name = 2 [deprecated = true]; + // DEPRECATED - DO NOT USE - The version of the tool used to create the BOM. + optional string version = 3 [deprecated = true]; + // DEPRECATED - DO NOT USE + repeated Hash hashes = 4 [deprecated = true]; + // DEPRECATED - DO NOT USE - Provides the ability to document external references related to the tool. + repeated ExternalReference external_references = 5 [deprecated = true]; + // A list of software and hardware components used as tools + repeated Component components = 6; + // A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services. + repeated Service services = 7; +} + +// Specifies a property +message Property { + string name = 1; + optional string value = 2; +} + +enum Aggregate { + // The relationship completeness is not specified. + AGGREGATE_NOT_SPECIFIED = 0; + // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + AGGREGATE_COMPLETE = 1; + // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + AGGREGATE_INCOMPLETE = 2; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4; + // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + AGGREGATE_UNKNOWN = 5; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6; + // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8; + // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9; +} + +message Composition { + // Indicates the aggregate completeness + Aggregate aggregate = 1; + // The assemblies the aggregate completeness applies to + repeated string assemblies = 2; + // The dependencies the aggregate completeness applies to + repeated string dependencies = 3; + // The bom-ref identifiers of the vulnerabilities being described. + repeated string vulnerabilities = 4; + // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + optional string bom_ref = 5; +} + +message EvidenceCopyright { + // Copyright text + string text = 1; +} + +message Evidence { + repeated LicenseChoice licenses = 1; + repeated EvidenceCopyright copyright = 2; + repeated EvidenceIdentity identity = 3; + repeated EvidenceOccurrences occurrences = 4; + optional Callstack callstack = 5; +} + +// Evidence of the components use through the callstack. +message Callstack { + repeated Frames frames = 1; + + message Frames { + // A package organizes modules into namespaces, providing a unique namespace for each type it contains. + optional string package = 1; + // A module or class that encloses functions/methods and other code. + string module = 2; + // A block of code designed to perform a particular task. + optional string function = 3; + // Optional arguments that are passed to the module or function. + repeated string parameters = 4; + // The line number the code that is called resides on. + optional int32 line = 5; + // The column the code that is called resides. + optional int32 column = 6; + // The full path and filename of the module. + optional string fullFilename = 7; + } +} + +message EvidenceIdentity { + // The identity field of the component which the evidence describes. + EvidenceFieldType field = 1; + // The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + optional float confidence = 2; + // The methods used to extract and/or analyze the evidence. + repeated EvidenceMethods methods = 3; + // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation. + repeated string tools = 4; +} + +message EvidenceMethods { + // The technique used in this method of analysis. + EvidenceTechnique technique = 1; + // The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + float confidence = 2; + // The value or contents of the evidence. + optional string value = 3; +} + +message EvidenceOccurrences { + // An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + optional string bom_ref = 1; + // The location or path to where the component was found. + string location = 2; +} + +enum EvidenceFieldType { + EVIDENCE_FIELD_NULL = 0; + EVIDENCE_FIELD_GROUP = 1; + EVIDENCE_FIELD_NAME = 2; + EVIDENCE_FIELD_VERSION = 3; + EVIDENCE_FIELD_PURL = 4; + EVIDENCE_FIELD_CPE = 5; + EVIDENCE_FIELD_SWID = 6; + EVIDENCE_FIELD_HASH = 7; +} + +enum EvidenceTechnique { + EVIDENCE_TECHNIQUE_SOURCE_CODE_ANALYSIS = 0; + EVIDENCE_TECHNIQUE_BINARY_ANALYSIS = 1; + EVIDENCE_TECHNIQUE_MANIFEST_ANALYSIS = 2; + EVIDENCE_TECHNIQUE_AST_FINGERPRINT = 3; + EVIDENCE_TECHNIQUE_HASH_COMPARISON = 4; + EVIDENCE_TECHNIQUE_INSTRUMENTATION = 5; + EVIDENCE_TECHNIQUE_DYNAMIC_ANALYSIS = 6; + EVIDENCE_TECHNIQUE_FILENAME = 7; + EVIDENCE_TECHNIQUE_ATTESTATION = 8; + EVIDENCE_TECHNIQUE_OTHER = 9; +} + +message Note { + // The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + optional string locale = 1; + // Specifies the full content of the release note. + optional AttachedText text = 2; +} + +message ReleaseNotes { + // The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged. + string type = 1; + // The title of the release. + optional string title = 2; + // The URL to an image that may be prominently displayed with the release note. + optional string featuredImage = 3; + // The URL to an image that may be used in messaging on social media platforms. + optional string socialImage = 4; + // A short description of the release. + optional string description = 5; + // The date and time (timestamp) when the release note was created. + optional google.protobuf.Timestamp timestamp = 6; + // Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names). + repeated string aliases = 7; + // Optional tags that may aid in search or retrieval of the release note. + repeated string tags = 8; + // A collection of issues that have been resolved. + repeated Issue resolves = 9; + // Zero or more release notes containing the locale and content. Multiple note messages may be specified to support release notes in a wide variety of languages. + repeated Note notes = 10; + // Specifies optional, custom, properties + repeated Property properties = 11; +} + +message Vulnerability { + // An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier that uniquely identifies the vulnerability. + optional string id = 2; + // The source that published the vulnerability. + optional Source source = 3; + // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence. + repeated VulnerabilityReference references = 4; + // List of vulnerability ratings + repeated VulnerabilityRating ratings = 5; + // List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + repeated int32 cwes = 6; + // A description of the vulnerability as provided by the source. + optional string description = 7; + // If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause. + optional string detail = 8; + // Recommendations of how the vulnerability can be remediated or mitigated. + optional string recommendation = 9; + // Published advisories of the vulnerability if provided. + repeated Advisory advisories = 10; + // The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + optional google.protobuf.Timestamp created = 11; + // The date and time (timestamp) when the vulnerability record was first published. + optional google.protobuf.Timestamp published = 12; + // The date and time (timestamp) when the vulnerability record was last updated. + optional google.protobuf.Timestamp updated = 13; + // Individuals or organizations credited with the discovery of the vulnerability. + optional VulnerabilityCredits credits = 14; + // The tool(s) used to identify, confirm, or score the vulnerability. + optional Tool tools = 15; + // An assessment of the impact and exploitability of the vulnerability. + optional VulnerabilityAnalysis analysis = 16; + // affects + repeated VulnerabilityAffects affects = 17; + // Specifies optional, custom, properties + repeated Property properties = 18; + // The date and time (timestamp) when the vulnerability record was rejected (if applicable). + optional google.protobuf.Timestamp rejected = 19; + // Evidence used to reproduce the vulnerability. + optional ProofOfConcept proofOfConcept = 20; + // A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + optional string workaround = 21; +} + +message ProofOfConcept { + // Precise steps to reproduce the vulnerability. + optional string reproductionSteps = 1; + // A description of the environment in which reproduction was possible. + optional string environment = 2; + // Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + repeated AttachedText supportingMaterial = 3; +} + +message VulnerabilityReference { + // An identifier that uniquely identifies the vulnerability. + string id = 1; + // The source that published the vulnerability. + Source source = 2; +} + +message VulnerabilityRating { + // The source that calculated the severity or risk rating of the vulnerability. + optional Source source = 1; + // The numerical score of the rating. + optional double score = 2; + // Textual representation of the severity that corresponds to the numerical score of the rating. + optional Severity severity = 3; + // Specifies the severity or risk scoring methodology or standard used. + optional ScoreMethod method = 4; + // Textual representation of the metric values used to score the vulnerability. + optional string vector = 5; + // An optional reason for rating the vulnerability as it was. + optional string justification = 6; +} + +enum Severity { + SEVERITY_UNKNOWN = 0; + SEVERITY_CRITICAL = 1; + SEVERITY_HIGH = 2; + SEVERITY_MEDIUM = 3; + SEVERITY_LOW = 4; + SEVERITY_INFO = 5; + SEVERITY_NONE = 6; +} + +enum ScoreMethod { + // An undefined score method + SCORE_METHOD_NULL = 0; + // Common Vulnerability Scoring System v2 - https://www.first.org/cvss/v2/ + SCORE_METHOD_CVSSV2 = 1; + // Common Vulnerability Scoring System v3 - https://www.first.org/cvss/v3-0/ + SCORE_METHOD_CVSSV3 = 2; + // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v3-1/ + SCORE_METHOD_CVSSV31 = 3; + // OWASP Risk Rating Methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + SCORE_METHOD_OWASP = 4; + // Other scoring method + SCORE_METHOD_OTHER = 5; + // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/ + SCORE_METHOD_CVSSV4 = 6; + // Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC + SCORE_METHOD_SSVC = 7; +} + +message Advisory { + // An optional name of the advisory. + optional string title = 1; + // Location where the advisory can be obtained. + string url = 2; +} + +message VulnerabilityCredits { + // The organizations credited with vulnerability discovery. + repeated OrganizationalEntity organizations = 1; + // The individuals, not associated with organizations, that are credited with vulnerability discovery. + repeated OrganizationalContact individuals = 2; +} + +message VulnerabilityAnalysis { + // Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + optional ImpactAnalysisState state = 1; + // The rationale of why the impact analysis state was asserted. + optional ImpactAnalysisJustification justification = 2; + // A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable. + repeated VulnerabilityResponse response = 3; + // Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability. + optional string detail = 4; + // The date and time (timestamp) when the analysis was first issued. + optional google.protobuf.Timestamp firstIssued = 5; + // The date and time (timestamp) when the analysis was last updated. + optional google.protobuf.Timestamp lastUpdated = 6; +} + +enum ImpactAnalysisState { + // An undefined impact analysis state + IMPACT_ANALYSIS_STATE_NULL = 0; + // The vulnerability has been remediated. + IMPACT_ANALYSIS_STATE_RESOLVED = 1; + // The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). + IMPACT_ANALYSIS_STATE_RESOLVED_WITH_PEDIGREE = 2; + // The vulnerability may be directly or indirectly exploitable. + IMPACT_ANALYSIS_STATE_EXPLOITABLE = 3; + // The vulnerability is being investigated. + IMPACT_ANALYSIS_STATE_IN_TRIAGE = 4; + // The vulnerability is not specific to the component or service and was falsely identified or associated. + IMPACT_ANALYSIS_STATE_FALSE_POSITIVE = 5; + // The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases. + IMPACT_ANALYSIS_STATE_NOT_AFFECTED = 6; +} + +enum ImpactAnalysisJustification { + // An undefined impact analysis justification + IMPACT_ANALYSIS_JUSTIFICATION_NULL = 0; + // The code has been removed or tree-shaked. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_PRESENT = 1; + // The vulnerable code is not invoked at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE = 2; + // Exploitability requires a configurable option to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_CONFIGURATION = 3; + // Exploitability requires a dependency that is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_DEPENDENCY = 4; + // Exploitability requires a certain environment which is not present. + IMPACT_ANALYSIS_JUSTIFICATION_REQUIRES_ENVIRONMENT = 5; + // Exploitability requires a compiler flag to be set/unset. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_COMPILER = 6; + // Exploits are prevented at runtime. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_RUNTIME = 7; + // Attacks are blocked at physical, logical, or network perimeter. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_AT_PERIMETER = 8; + // Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + IMPACT_ANALYSIS_JUSTIFICATION_PROTECTED_BY_MITIGATING_CONTROL = 9; +} + +enum VulnerabilityResponse { + VULNERABILITY_RESPONSE_NULL = 0; + VULNERABILITY_RESPONSE_CAN_NOT_FIX = 1; + VULNERABILITY_RESPONSE_WILL_NOT_FIX = 2; + VULNERABILITY_RESPONSE_UPDATE = 3; + VULNERABILITY_RESPONSE_ROLLBACK = 4; + VULNERABILITY_RESPONSE_WORKAROUND_AVAILABLE = 5; +} + +message VulnerabilityAffects { + // References a component or service by the objects bom-ref + string ref = 1; + // Zero or more individual versions or range of versions. + repeated VulnerabilityAffectedVersions versions = 2; +} + +message VulnerabilityAffectedVersions { + oneof choice { + // A single version of a component or service. + string version = 1; + // A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + string range = 2; + } + // The vulnerability status for the version or range of versions. Defaults to VULNERABILITY_AFFECTED_STATUS_AFFECTED if not specified. + optional VulnerabilityAffectedStatus status = 3; +} + +enum VulnerabilityAffectedStatus { + // The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status. + VULNERABILITY_AFFECTED_STATUS_UNKNOWN = 0; + VULNERABILITY_AFFECTED_STATUS_AFFECTED = 1; + VULNERABILITY_AFFECTED_STATUS_NOT_AFFECTED = 2; +} + +message AnnotatorChoice { + oneof choice { + // The organization that created the annotation + OrganizationalEntity organization = 1; + // The person that created the annotation + OrganizationalContact individual = 2; + // The tool or component that created the annotation + Component component = 3; + // The service that created the annotation + Service service = 4; + } +} + +message Annotation { + // An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + optional string bom_ref = 1; + // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. + repeated string subjects = 2; + // The organization, person, component, or service which created the textual content of the annotation. + AnnotatorChoice annotator = 3; + // The date and time (timestamp) when the annotation was created. + google.protobuf.Timestamp timestamp = 4; + // The textual content of the annotation. + string text = 5; +} + +message ModelCard { + // An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + optional string bom_ref = 1; + // Hyper-parameters for construction of the model. + optional ModelParameters modelParameters = 2; + // A quantitative analysis of the model + optional QuantitativeAnalysis quantitativeAnalysis = 3; + // What considerations should be taken into account regarding the model's construction, training, and application? + optional ModelCardConsiderations considerations = 4; + + message ModelParameters { + // The overall approach to learning used by the model for problem solving. + optional Approach approach = 1; + // Directly influences the input and/or output. Examples include classification, regression, clustering, etc. + optional string task = 2; + // The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc. + optional string architectureFamily = 3; + //The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. + optional string modelArchitecture = 4; + // The datasets used to train and evaluate the model. + repeated Datasets datasets = 5; + // The input format(s) of the model + repeated MachineLearningInputOutputParameters inputs = 6; + // The output format(s) from the model + repeated MachineLearningInputOutputParameters outputs = 7; + + message Approach { + optional ModelParameterApproachType type = 1; + } + message Datasets { + oneof choice { + ComponentData dataset = 1; + // References a data component by the components bom-ref attribute + string ref = 2; + } + } + message MachineLearningInputOutputParameters { + // The data format for input/output to the model. Example formats include string, image, time-series + optional string format = 1; + } + } + message QuantitativeAnalysis { + // The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc. + repeated PerformanceMetrics performanceMetrics = 1; + optional GraphicsCollection graphics = 2; + + message PerformanceMetrics { + // The type of performance metric. + optional string type = 1; + // The value of the performance metric. + optional string value = 2; + // The name of the slice this metric was computed on. By default, assume this metric is not sliced. + optional string slice = 3; + // The confidence interval of the metric. + optional ConfidenceInterval confidenceInterval = 4; + + message ConfidenceInterval { + // The lower bound of the confidence interval. + optional string lowerBound = 1; + // The upper bound of the confidence interval. + optional string upperBound = 2; + } + } + } + message ModelCardConsiderations { + // Who are the intended users of the model? + repeated string users = 1; + // What are the intended use cases of the model? + repeated string useCases = 2; + // What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance? + repeated string technicalLimitations = 3; + // What are the known tradeoffs in accuracy/performance of the model? + repeated string performanceTradeoffs = 4; + // What are the ethical (or environmental) risks involved in the application of this model? + repeated EthicalConsiderations ethicalConsiderations = 5; + // How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups? + repeated FairnessAssessments fairnessAssessments = 6; + + message EthicalConsiderations { + // The name of the risk. + optional string name = 1; + // Strategy used to address this risk. + optional string mitigationStrategy = 2; + } + message FairnessAssessments { + // The groups or individuals at risk of being systematically disadvantaged by the model. + optional string groupAtRisk = 1; + // Expected benefits to the identified groups. + optional string benefits = 2; + // Expected harms to the identified groups. + optional string harms = 3; + // With respect to the benefits and harms outlined, please describe any mitigation strategy implemented. + optional string mitigationStrategy = 4; + } + } +} + +enum ModelParameterApproachType { + MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; + MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1; + MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2; + MODEL_PARAMETER_APPROACH_TYPE_SEMI_SUPERVISED = 3; + MODEL_PARAMETER_APPROACH_TYPE_SELF_SUPERVISED = 4; +} + +message ComponentData { + // An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + optional string bom_ref = 1; + // The general theme or subject matter of the data being specified. + ComponentDataType type = 2; + // The name of the dataset. + optional string name = 3; + // The contents or references to the contents of the data being described. + optional ComponentDataContents contents = 4; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + optional string classification = 5; + // A description of any sensitive data in a dataset. + repeated string sensitiveData = 6; + // A collection of graphics that represent various measurements. + optional GraphicsCollection graphics = 7; + // A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc. + optional string description = 8; + // Data Governance + optional DataGovernance governance = 9; + + message ComponentDataContents { + // An optional way to include textual or encoded data. + optional AttachedText attachment = 1; + // The URL to where the data can be retrieved. + optional string url = 2; + // Provides the ability to document name-value parameters used for configuration. + repeated Property properties = 3; + } +} + +message DataGovernance { + // Data custodians are responsible for the safe custody, transport, and storage of data. + repeated DataGovernanceResponsibleParty custodians = 1; + // Data stewards are responsible for data content, context, and associated business rules. + repeated DataGovernanceResponsibleParty stewards = 2; + // Data owners are concerned with risk and appropriate access to data. + repeated DataGovernanceResponsibleParty owners = 3; + + message DataGovernanceResponsibleParty { + oneof choice { + OrganizationalEntity organization = 1; + OrganizationalContact contact = 2; + } + } +} + +enum ComponentDataType { + // Any type of code, code snippet, or data-as-code + COMPONENT_DATA_TYPE_SOURCE_CODE = 0; + // Parameters or settings that may be used by other components. + COMPONENT_DATA_TYPE_CONFIGURATION = 1; + // A collection of data. + COMPONENT_DATA_TYPE_DATASET = 2; + // Data that can be used to create new instances of what the definition defines. + COMPONENT_DATA_TYPE_DEFINITION = 3; + // Any other type of data that does not fit into existing definitions. + COMPONENT_DATA_TYPE_OTHER = 4; +} + +message GraphicsCollection { + // A description of this collection of graphics. + optional string description = 1; + // A collection of graphics. + repeated Graphic graphic = 2; + + message Graphic { + // The name of the graphic. + optional string name = 1; + // The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + optional AttachedText image = 2; + } +} + +// Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed. +message Formula { + // BOM unique reference to the resource. + optional string bom_ref = 1; + // Transient components that are used in tasks that constitute one or more of this formula's workflows + repeated Component components = 2; + // Transient services that are used in tasks that constitute one or more of this formula's workflows + repeated Service services = 3; + // List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered. + repeated Workflow workflows = 4; + // Domain-specific formula properties. + repeated Property properties = 5; +} + +// A specialized orchestration task. +message Workflow { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Domain-specific resource instance properties. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // The tasks that comprise the workflow. + repeated Task tasks = 7; + // The graph of dependencies between tasks within the workflow. + repeated Dependency taskDependencies = 8; + // Indicates the types of activities performed by the set of workflow tasks. + repeated TaskType taskTypes = 9; + // The trigger that initiated the task. + optional Trigger trigger = 10; + // The sequence of steps for the task. + repeated Step steps = 11; + // Represents resources and data brought into a task at runtime by executor or task commands + repeated InputType inputs = 12; + // Represents resources and data output from a task at runtime by executor or task commands + repeated OutputType outputs = 13; + // The date and time (timestamp) when the task started. + optional google.protobuf.Timestamp timeStart = 14; + // The date and time (timestamp) when the task ended. + optional google.protobuf.Timestamp timeEnd = 15; + // A set of named filesystem or data resource shareable by workflow tasks. + repeated Workspace workspaces = 16; + // A graph of the component runtime topology for workflow's instance. + repeated Dependency runtimeTopology = 17; +} + +// Describes the inputs, sequence of steps and resources used to accomplish a task and its output. +message Task { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Domain-specific task instance properties. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // Indicates the types of activities performed by the set of workflow tasks. + repeated TaskType taskTypes = 7; + // The trigger that initiated the task. + optional Trigger trigger = 8; + // "The sequence of steps for the task. + repeated Step steps = 9; + // Represents resources and data brought into a task at runtime by executor or task commands + repeated InputType inputs = 10; + // Represents resources and data output from a task at runtime by executor or task commands + repeated OutputType outputs = 11; + // The date and time (timestamp) when the task started. + optional google.protobuf.Timestamp timeStart = 14; + // The date and time (timestamp) when the task ended. + optional google.protobuf.Timestamp timeEnd = 15; + // A set of named filesystem or data resource shareable by workflow tasks. + repeated Workspace workspaces = 16; + // A graph of the component runtime topology for task's instance. + repeated Dependency runtimeTopology = 17; +} + +// Executes specific commands or tools in order to accomplish its owning task as part of a sequence. +message Step { + // A name for the step. + optional string name = 1; + // A description of the step. + optional string description = 2; + // Ordered list of commands or directives for the step + repeated Command commands = 3; + // Domain-specific step properties. + repeated Property properties = 4; +} + +message Command { + // A text representation of the executed command. + optional string executed = 1; + // Domain-specific command properties. + repeated Property properties = 2; +} + +// A named filesystem or data resource shareable by workflow tasks. +message Workspace { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps. + repeated string aliases = 4; + // A description of the resource instance. + optional string description = 5; + // Domain-specific workspace instance properties. + repeated Property properties = 6; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 7; + // Describes the read-write access control for the workspace relative to the owning resource instance. + optional AccessMode accessMode = 8; + // A path to a location on disk where the workspace will be available to the associated task's steps. + optional string mountPath = 9; + // The name of a domain-specific data type the workspace represents. + optional string managedDataType = 10; + // Identifies the reference to the request for a specific volume type and parameters. + optional string volumeRequest = 11; + // Information about the actual volume instance allocated to the workspace. + optional Volume volume = 12; + + enum AccessMode { + ACCESS_MODE_READ_ONLY = 0; + ACCESS_MODE_READ_WRITE = 1; + ACCESS_MODE_READ_WRITE_ONCE = 2; + ACCESS_MODE_WRITE_ONCE = 3; + ACCESS_MODE_WRITE_ONLY = 4; + } +} + +// An identifiable, logical unit of data storage tied to a physical device. +message Volume { + // The unique identifier for the volume instance within its deployment context. + optional string uid = 1; + // The name of the volume instance + optional string name = 2; + // The volume mode for the volume instance. + optional VolumeMode mode = 3; + // The underlying path created from the actual volume. + optional string path = 4; + // The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form. + optional string sizeAllocated = 5; + // Indicates if the volume persists beyond the life of the resource it is associated with. + optional bool persistent = 6; + // Indicates if the volume is remotely (i.e., network) attached. + optional bool remote = 7; + // Domain-specific volume instance properties. + repeated Property properties = 8; + + enum VolumeMode { + VOLUME_MODE_FILESYSTEM = 0; + VOLUME_MODE_BLOCK = 1; + } +} + +// Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data. +message Trigger { + // BOM unique reference to the resource. + string bom_ref = 1; + // The unique identifier for the resource instance within its deployment context. + string uid = 2; + // The name of the resource instance. + optional string name = 3; + // A description of the resource instance. + optional string description = 4; + // Additional properties of the trigger. + repeated Property properties = 5; + // References to component or service resources that are used to realize the resource instance. + repeated ResourceReferenceChoice resourceReferences = 6; + // The source type of event which caused the trigger to fire. + TriggerType type = 7; + // The event data that caused the associated trigger to activate. + optional Event event = 8; + // Conditions + repeated Condition conditions = 9; + // The date and time (timestamp) when the trigger was activated. + optional google.protobuf.Timestamp timeActivated = 10; + // Represents resources and data brought into a task at runtime by executor or task commands + repeated InputType inputs = 11; + // Represents resources and data output from a task at runtime by executor or task commands + repeated OutputType outputs = 12; + + enum TriggerType { + TRIGGER_TYPE_MANUAL = 0; + TRIGGER_TYPE_API = 1; + TRIGGER_TYPE_WEBHOOK = 2; + TRIGGER_TYPE_SCHEDULED = 3; + } +} + +// Represents something that happened that may trigger a response. +message Event { + // The unique identifier of the event. + optional string uid = 1; + // A description of the event. + optional string description = 2; + // The date and time (timestamp) when the event was received. + optional google.protobuf.Timestamp timeReceived = 3; + // Encoding of the raw event data. + optional AttachedText data = 4; + // References the component or service that was the source of the event + optional ResourceReferenceChoice source = 5; + // References the component or service that was the target of the event + optional ResourceReferenceChoice target = 6; + // Additional properties of the event. + repeated Property properties = 7; +} + +// Type that represents various input data types and formats. +message InputType { + // A references to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`) + optional ResourceReferenceChoice source = 1; + // A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace) + optional ResourceReferenceChoice target = 2; + // A reference to an independent resource provided as an input to a task by the workflow runtime. + optional ResourceReferenceChoice resource = 3; + // Inputs that have the form of parameters with names and values. + repeated Parameter parameters = 4; + // Inputs that have the form of parameters with names and values. + repeated EnvironmentVars environmentVars = 5; + // Inputs that have the form of data. + optional AttachedText data = 6; + // Additional properties of the input data. + repeated Property properties = 7; +} + +message OutputType { + // Describes the type of data output. + optional OutputTypeType type = 1; + // Component or service that generated or provided the output from the task (e.g., a build tool) + optional ResourceReferenceChoice source = 2; + // Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`) + optional ResourceReferenceChoice target = 3; + // A reference to an independent resource generated as output by the task. + optional ResourceReferenceChoice resource = 4; + // Outputs that have the form of data. + optional AttachedText data = 5; + // Outputs that have the form of environment variables. + repeated EnvironmentVars environmentVars = 6; + // Additional properties of the output data. + repeated Property properties = 7; + + enum OutputTypeType { + OUTPUT_TYPE_ARTIFACT = 0; + OUTPUT_TYPE_ATTESTATION = 1; + OUTPUT_TYPE_LOG = 2; + OUTPUT_TYPE_EVIDENCE = 3; + OUTPUT_TYPE_METRICS = 4; + OUTPUT_TYPE_OTHER = 5; + } +} + +message ResourceReferenceChoice { + oneof choice { + string ref = 1; + ExternalReference externalReference = 2; + } +} + +// A condition that was used to determine a trigger should be activated. +message Condition { + // Describes the set of conditions which cause the trigger to activate. + optional string description = 1; + // The logical expression that was evaluated that determined the trigger should be fired. + optional string expression = 2; + // Domain-specific condition instance properties. + repeated Property properties = 3; +} + +enum TaskType { + TASK_TYPE_COPY = 0; + TASK_TYPE_CLONE = 1; + TASK_TYPE_LINT = 2; + TASK_TYPE_SCAN = 3; + TASK_TYPE_MERGE = 4; + TASK_TYPE_BUILD = 5; + TASK_TYPE_TEST = 6; + TASK_TYPE_DELIVER = 7; + TASK_TYPE_DEPLOY = 8; + TASK_TYPE_RELEASE = 9; + TASK_TYPE_CLEAN = 10; + TASK_TYPE_OTHER = 11; +} + +// A representation of a functional parameter. +message Parameter { + // The name of the parameter. + optional string name = 1; + // The value of the parameter. + optional string value = 2; + // The data type of the parameter. + optional string dataType = 3; +} + +message EnvironmentVars { + oneof choice { + Property property = 1; + string value = 2; + } +} diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json new file mode 100644 index 00000000..726fbf03 --- /dev/null +++ b/schema/bom-1.6.schema.json @@ -0,0 +1,3799 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "type": "object", + "title": "CycloneDX Software Bill of Materials Standard", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion" + ], + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string", + "enum": [ + "http://cyclonedx.org/schema/bom-1.6.schema.json" + ] + }, + "bomFormat": { + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces. This value MUST be \"CycloneDX\".", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification a BOM conforms to (starting at version 1.2).", + "examples": ["1.6"] + }, + "serialNumber": { + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers are RECOMMENDED.", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "type": "integer", + "title": "BOM Version", + "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.", + "minimum": 1, + "default": 1, + "examples": [1] + }, + "metadata": { + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "dependencies": { + "type": "array", + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships." + }, + "compositions": { + "type": "array", + "items": {"$ref": "#/definitions/compositions"}, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "vulnerabilities": { + "type": "array", + "items": {"$ref": "#/definitions/vulnerability"}, + "uniqueItems": true, + "title": "Vulnerabilities", + "description": "Vulnerabilities identified in components or services." + }, + "annotations": { + "type": "array", + "items": {"$ref": "#/definitions/annotations"}, + "uniqueItems": true, + "title": "Annotations", + "description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinion or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, and may optionally be signed." + }, + "formulation": { + "type": "array", + "items": {"$ref": "#/definitions/formula"}, + "uniqueItems": true, + "title": "Formulation", + "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + }, + "definitions": { + "refType": { + "description": "Identifier for referable and therefore interlink-able elements.", + "type": "string", + "minLength": 1, + "$comment": "value SHOULD not start with the BOM-Link intro 'urn:cdx:'" + }, + "refLinkType": { + "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", + "allOf": [{"$ref": "#/definitions/refType"}] + }, + "bomLinkDocumentType": { + "title": "BOM-Link Document", + "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLinkElementType": { + "title": "BOM-Link Element", + "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLink": { + "anyOf": [ + { + "title": "BOM-Link Document", + "$ref": "#/definitions/bomLinkDocumentType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "metadata": { + "type": "object", + "title": "BOM Metadata Object", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." + }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "", + "items": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "required": ["phase"], + "additionalProperties": false, + "properties": { + "phase": { + "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.\n\n* __design__ = BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.\n* __pre-build__ = BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.\n* __build__ = BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.\n* __post-build__ = BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.\n* __operations__ = BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.\n* __discovery__ = BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.\n* __decommission__ = BOM containing inventory that will be, or has been retired from operations.", + "enum": [ + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" + ] + } + } + }, + { + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" + } + } + } + ] + } + }, + "tools": { + "oneOf": [ + { + "type": "object", + "title": "Creation Tools", + "description": "The tool(s) used in the creation of the BOM.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools" + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Creation Tools (legacy)", + "description": "[Deprecated] The tool(s) used in the creation of the BOM.", + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "authors" :{ + "type": "array", + "title": "Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "title": "Manufacture", + "description": "The organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "$ref": "#/definitions/licenseChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. This will be removed in a future version. Use component or service instead. Information about the automated or manual tool used", + "additionalProperties": false, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The name of the vendor who created the tool" + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The name of the tool" + }, + "version": { + "type": "string", + "title": "Tool Version", + "description": "The version of the tool" + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + }, + "organizationalEntity": { + "type": "object", + "title": "Organizational Entity Object", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "URL", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "title": "Organizational Contact Object", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component Object", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data" + ], + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "author": { + "type": "string", + "title": "Component Author", + "description": "The person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "type": "string", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", + "examples": ["9.0.14"] + }, + "description": { + "type": "string", + "title": "Component Description", + "description": "Specifies a description for the component" + }, + "scope": { + "type": "string", + "enum": [ + "required", + "optional", + "excluded" + ], + "title": "Component Scope", + "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", + "default": "required" + }, + "hashes": { + "type": "array", + "title": "Component Hashes", + "items": {"$ref": "#/definitions/hash"} + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Component License(s)" + }, + "copyright": { + "type": "string", + "title": "Component Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "examples": ["Acme Inc"] + }, + "cpe": { + "type": "string", + "title": "Component Common Platform Enumeration (CPE)", + "description": "Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe)", + "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] + }, + "purl": { + "type": "string", + "title": "Component Package URL (purl)", + "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)", + "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] + }, + "swid": { + "$ref": "#/definitions/swid", + "title": "SWID Tag", + "description": "Specifies metadata and content for [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html)." + }, + "modified": { + "type": "boolean", + "title": "Component Modified From Original", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original." + }, + "pedigree": { + "type": "object", + "title": "Component Pedigree", + "description": "Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.", + "additionalProperties": false, + "properties": { + "ancestors": { + "type": "array", + "title": "Ancestors", + "description": "Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.", + "items": {"$ref": "#/definitions/component"} + }, + "descendants": { + "type": "array", + "title": "Descendants", + "description": "Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.", + "items": {"$ref": "#/definitions/component"} + }, + "variants": { + "type": "array", + "title": "Variants", + "description": "Variants describe relations where the relationship between the components are not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.", + "items": {"$ref": "#/definitions/component"} + }, + "commits": { + "type": "array", + "title": "Commits", + "description": "A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.", + "items": {"$ref": "#/definitions/commit"} + }, + "patches": { + "type": "array", + "title": "Patches", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies optional release notes." + }, + "modelCard": { + "$ref": "#/definitions/modelCard", + "title": "Machine Learning Model Card" + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/componentData"}, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the content type of the text. Defaults to text/plain if not specified.", + "default": "text/plain" + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the optional encoding the text is represented in.", + "enum": [ + "base64" + ] + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." + } + } + }, + "hash": { + "type": "object", + "title": "Hash Objects", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3" + ], + "title": "Hash Algorithm" + }, + "hash-content": { + "type": "string", + "title": "Hash Content (value)", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "license": { + "type": "object", + "title": "License Object", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "id": { + "$ref": "spdx.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license ID", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "If SPDX does not define the license used, this field may be used to provide the license name", + "examples": ["Acme Software License"] + }, + "text": { + "title": "License text", + "description": "An optional way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use of software solely for the purpose of education or research.\n* __appliance__ = A license covering use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access License (CAL) allows client computers to access services provided by server software.\n* __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.\n* __core-points__ = A license where the core of a computer's processor is assigned a specific number of points.\n* __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n* __device__ = A license that covers a defined number of installations on computers and other types of devices.\n* __evaluation__ = A license that grants permission to install and use software for trial purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n* __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.\n* __processor-points__ = A license where each installation consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use the software or service.\n* __user__ = A license that grants access to the software or service by a specified number of users.\n* __other__ = Another license type.\n", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ] + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "licenseChoice": { + "title": "License Choice", + "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)", + "type": "array", + "oneOf": [ + { + "title": "Multiple licenses", + "description": "A list of SPDX licenses and/or named licenses.", + "type": "array", + "items": { + "type": "object", + "required": ["license"], + "additionalProperties": false, + "properties": { + "license": {"$ref": "#/definitions/license"} + } + } + }, + { + "title": "SPDX License Expression", + "description": "A tuple of exactly one SPDX License Expression.", + "type": "array", + "additionalItems": false, + "minItems": 1, + "maxItems": 1, + "items": [{ + "type": "object", + "additionalProperties": false, + "required": ["expression"], + "properties": { + "expression": { + "type": "string", + "title": "SPDX License Expression", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + } + } + }] + } + ] + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "title": "Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.\n\n* __unofficial__ = A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch)\n* __monkey__ = A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch)\n* __backport__ = A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting)\n* __cherry-pick__ = A patch created by selectively applying commits from other versions or branches of the same software." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that show changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the optional text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Diff", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "title": "Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link", + "$ref": "#/definitions/bomLink" + } + ], + "title": "URL", + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "An optional comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "distribution", + "distribution-intake", + "license", + "build-meta", + "build-system", + "release-notes", + "security-contact", + "model-card", + "log", + "configuration", + "evidence", + "formulation", + "attestation", + "threat-model", + "adversary-model", + "risk-assessment", + "vulnerability-assertion", + "exploitability-statement", + "pentest-report", + "static-analysis-report", + "dynamic-analysis-report", + "runtime-analysis-report", + "component-analysis-report", + "maturity-report", + "certification-report", + "codified-infrastructure", + "quality-metrics", + "poam", + "other" + ] + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component or service. Components or services that do not have their own dependencies MUST be declared as empty elements within the graph. Components or services that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of a object being dependency-free. It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/definitions/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + } + } + }, + "service": { + "type": "object", + "title": "Service Object", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", + "examples": ["ticker-service"] + }, + "version": { + "type": "string", + "title": "Service Version", + "description": "The service version.", + "examples": ["1.0.0"] + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "examples": ["https://example.com/api/v1/ticker"] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/serviceData"}, + "title": "Data", + "description": "Specifies information about the data including the directional flow of data and the data classification." + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Component License(s)" + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies optional release notes." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "serviceData": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "additionalProperties": false, + "properties": { + "flow": { + "$ref": "#/definitions/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known." + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "name": { + "type": "string", + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" + ] + }, + "governance": { + "type": "object", + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + }, + "source": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + } + } + }, + "dataFlowDirection": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "title": "Data flow direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known." + }, + + "copyright": { + "type": "object", + "title": "Copyright", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text" + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "type": "object", + "description": "Evidence that substantiates the identity of a component.", + "required": [ "field" ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", "name", "version", "purl", "cpe", "swid", "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique" , + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ "location" ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + } + } + } + }, + "callstack": { + "type": "object", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Methods", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Optional arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + "description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Component License(s)" + }, + "copyright": { + "type": "array", + "items": {"$ref": "#/definitions/copyright"}, + "title": "Copyright" + } + } + }, + "compositions": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "aggregate": { + "$ref": "#/definitions/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" + }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ] + }, + "property": { + "type": "object", + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } + }, + "localeType": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code MUST be lower case. If the country code is specified, the country code MUST be upper case. The language code and country code MUST be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is RECOMMENDED that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { + "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "locale": { + "$ref": "#/definitions/localeType", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + }, + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/definitions/attachment" + } + } + }, + "releaseNotes": { + "type": "object", + "title": "Release notes", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "$ref": "#/definitions/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." + }, + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." + }, + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A short description of the release." + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "One or more tags that may aid in search or retrieval of the release note." + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues that have been resolved." + }, + "notes": { + "type": "array", + "items": {"$ref": "#/definitions/note"}, + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "advisory": { + "type": "object", + "title": "Advisory", + "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.", + "required": ["url"], + "additionalProperties": false, + "properties": { + "title": { + "type": "string", + "title": "Title", + "description": "An optional name of the advisory." + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "Location where the advisory can be obtained." + } + } + }, + "cwe": { + "type": "integer", + "minimum": 1, + "title": "CWE", + "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" + }, + "severity": { + "type": "string", + "title": "Severity", + "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.", + "enum": [ + "critical", + "high", + "medium", + "low", + "info", + "none", + "unknown" + ] + }, + "scoreMethod": { + "type": "string", + "title": "Method", + "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)", + "enum": [ + "CVSSv2", + "CVSSv3", + "CVSSv31", + "CVSSv4", + "OWASP", + "SSVC", + "other" + ] + }, + "impactAnalysisState": { + "type": "string", + "title": "Impact Analysis State", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.", + "enum": [ + "resolved", + "resolved_with_pedigree", + "exploitable", + "in_triage", + "false_positive", + "not_affected" + ] + }, + "impactAnalysisJustification": { + "type": "string", + "title": "Impact Analysis Justification", + "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.", + "enum": [ + "code_not_present", + "code_not_reachable", + "requires_configuration", + "requires_dependency", + "requires_environment", + "protected_by_compiler", + "protected_at_runtime", + "protected_at_perimeter", + "protected_by_mitigating_control" + ] + }, + "rating": { + "type": "object", + "title": "Rating", + "description": "Defines the severity or risk ratings of a vulnerability.", + "additionalProperties": false, + "properties": { + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that calculated the severity or risk rating of the vulnerability." + }, + "score": { + "type": "number", + "title": "Score", + "description": "The numerical score of the rating." + }, + "severity": { + "$ref": "#/definitions/severity", + "description": "Textual representation of the severity that corresponds to the numerical score of the rating." + }, + "method": { + "$ref": "#/definitions/scoreMethod" + }, + "vector": { + "type": "string", + "title": "Vector", + "description": "Textual representation of the metric values used to score the vulnerability" + }, + "justification": { + "type": "string", + "title": "Justification", + "description": "An optional reason for rating the vulnerability as it was" + } + } + }, + "vulnerabilitySource": { + "type": "object", + "title": "Source", + "description": "The source of vulnerability information. This is often the organization that published the vulnerability.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The url of the vulnerability documentation as provided by the source.", + "examples": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-39182" + ] + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "NVD", + "National Vulnerability Database", + "OSS Index", + "VulnDB", + "GitHub Advisories" + ] + } + } + }, + "vulnerability": { + "type": "object", + "title": "Vulnerability", + "description": "Defines a weakness in a component or service that could be exploited or triggered by a threat source.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + }, + "references": { + "type": "array", + "title": "References", + "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.", + "items": { + "type": "object", + "required": [ + "id", + "source" + ], + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "ID", + "description": "An identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + } + } + } + }, + "ratings": { + "type": "array", + "title": "Ratings", + "description": "List of vulnerability ratings", + "items": { + "$ref": "#/definitions/rating" + } + }, + "cwes": { + "type": "array", + "title": "CWEs", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", + "examples": [399], + "items": { + "$ref": "#/definitions/cwe" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the vulnerability as provided by the source." + }, + "detail": { + "type": "string", + "title": "Details", + "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause." + }, + "recommendation": { + "type": "string", + "title": "Recommendation", + "description": "Recommendations of how the vulnerability can be remediated or mitigated." + }, + "workaround": { + "type": "string", + "title": "Workarounds", + "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments." + }, + "proofOfConcept": { + "type": "object", + "title": "Proof of Concept", + "description": "Evidence used to reproduce the vulnerability.", + "properties": { + "reproductionSteps": { + "type": "string", + "title": "Steps to Reproduce", + "description": "Precise steps to reproduce the vulnerability." + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "A description of the environment in which reproduction was possible." + }, + "supportingMaterial": { + "type": "array", + "title": "Supporting Material", + "description": "Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.", + "items": { "$ref": "#/definitions/attachment" } + } + } + }, + "advisories": { + "type": "array", + "title": "Advisories", + "description": "Published advisories of the vulnerability if provided.", + "items": { + "$ref": "#/definitions/advisory" + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database." + }, + "published": { + "type": "string", + "format": "date-time", + "title": "Published", + "description": "The date and time (timestamp) when the vulnerability record was first published." + }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Updated", + "description": "The date and time (timestamp) when the vulnerability record was last updated." + }, + "rejected": { + "type": "string", + "format": "date-time", + "title": "Rejected", + "description": "The date and time (timestamp) when the vulnerability record was rejected (if applicable)." + }, + "credits": { + "type": "object", + "title": "Credits", + "description": "Individuals or organizations credited with the discovery of the vulnerability.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The organizations credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalEntity" + } + }, + "individuals": { + "type": "array", + "title": "Individuals", + "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalContact" + } + } + } + }, + "tools": { + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools" + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated] The tool(s) used to identify, confirm, or score the vulnerability.", + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "analysis": { + "type": "object", + "title": "Impact Analysis", + "description": "An assessment of the impact and exploitability of the vulnerability.", + "additionalProperties": false, + "properties": { + "state": { + "$ref": "#/definitions/impactAnalysisState" + }, + "justification": { + "$ref": "#/definitions/impactAnalysisJustification" + }, + "response": { + "type": "array", + "title": "Response", + "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.", + "items": { + "type": "string", + "enum": [ + "can_not_fix", + "will_not_fix", + "update", + "rollback", + "workaround_available" + ] + } + }, + "detail": { + "type": "string", + "title": "Detail", + "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability." + }, + "firstIssued": { + "type": "string", + "format": "date-time", + "title": "First Issued", + "description": "The date and time (timestamp) when the analysis was first issued." + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the analysis was last updated." + } + } + }, + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a component or service by the objects bom-ref" + }, + "versions": { + "type": "array", + "title": "Versions", + "description": "Zero or more individual versions or range of versions.", + "items": { + "type": "object", + "oneOf": [ + { + "required": ["version"] + }, + { + "required": ["range"] + } + ], + "additionalProperties": false, + "properties": { + "version": { + "description": "A single version of a component or service.", + "$ref": "#/definitions/version" + }, + "range": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "$ref": "#/definitions/range" + }, + "status": { + "description": "The vulnerability status for the version or range of versions.", + "$ref": "#/definitions/affectedStatus", + "default": "affected" + } + } + } + } + } + }, + "title": "Affects", + "description": "The components or services that are affected by the vulnerability." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "affectedStatus": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ] + }, + "version": { + "description": "A single version of a component or service.", + "type": "string", + "minLength": 1, + "maxLength": 1024 + }, + "range": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "type": "string", + "minLength": 1, + "maxLength": 1024 + }, + "annotations": { + "type": "object", + "title": "Annotations", + "description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.", + "required": [ + "subjects", + "annotator", + "timestamp", + "text" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "subjects": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs." + }, + "annotator": { + "type": "object", + "title": "Annotator", + "description": "The organization, person, component, or service which created the textual content of the annotation.", + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + }, + { + "required": [ + "component" + ] + }, + { + "required": [ + "service" + ] + } + ], + "additionalProperties": false, + "properties": { + "organization": { + "description": "The organization that created the annotation", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "description": "The person that created the annotation", + "$ref": "#/definitions/organizationalContact" + }, + "component": { + "description": "The tool or component that created the annotation", + "$ref": "#/definitions/component" + }, + "service": { + "description": "The service that created the annotation", + "$ref": "#/definitions/service" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the annotation was created." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the annotation." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "modelCard": { + "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.", + "type": "object", + "title": "Model Card", + "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified for other component types.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "modelParameters": { + "type": "object", + "title": "Model Parameters", + "description": "Hyper-parameters for construction of the model.", + "additionalProperties": false, + "properties": { + "approach": { + "type": "object", + "title": "Approach", + "description": "The overall approach to learning used by the model for problem solving.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Learning Type", + "description": "Learning types describing the learning problem or hybrid learning problem.", + "enum": [ + "supervised", + "unsupervised", + "reinforcement-learning", + "semi-supervised", + "self-supervised" + ] + } + } + }, + "task": { + "type": "string", + "title": "Task", + "description": "Directly influences the input and/or output. Examples include classification, regression, clustering, etc." + }, + "architectureFamily": { + "type": "string", + "title": "Architecture Family", + "description": "The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc." + }, + "modelArchitecture": { + "type": "string", + "title": "Model Architecture", + "description": "The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc." + }, + "datasets": { + "type": "array", + "title": "Datasets", + "description": "The datasets used to train and evaluate the model.", + "items" : { + "oneOf" : [ + { + "title": "Inline Component Data", + "$ref": "#/definitions/componentData" + }, + { + "type": "object", + "title": "Data Component Reference", + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a data component by the components bom-ref attribute" + } + } + } + ] + } + }, + "inputs": { + "type": "array", + "title": "Inputs", + "description": "The input format(s) of the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + }, + "outputs": { + "type": "array", + "title": "Outputs", + "description": "The output format(s) from the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + } + } + }, + "quantitativeAnalysis": { + "type": "object", + "title": "Quantitative Analysis", + "description": "A quantitative analysis of the model", + "additionalProperties": false, + "properties": { + "performanceMetrics": { + "type": "array", + "title": "Performance Metrics", + "description": "The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.", + "items": { "$ref": "#/definitions/performanceMetric" } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" } + } + }, + "considerations": { + "type": "object", + "title": "Considerations", + "description": "What considerations should be taken into account regarding the model's construction, training, and application?", + "additionalProperties": false, + "properties": { + "users": { + "type": "array", + "title": "Users", + "description": "Who are the intended users of the model?", + "items": { + "type": "string" + } + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "description": "What are the intended use cases of the model?", + "items": { + "type": "string" + } + }, + "technicalLimitations": { + "type": "array", + "title": "Technical Limitations", + "description": "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?", + "items": { + "type": "string" + } + }, + "performanceTradeoffs": { + "type": "array", + "title": "Performance Tradeoffs", + "description": "What are the known tradeoffs in accuracy/performance of the model?", + "items": { + "type": "string" + } + }, + "ethicalConsiderations": { + "type": "array", + "title": "Ethical Considerations", + "description": "What are the ethical (or environmental) risks involved in the application of this model?", + "items": { "$ref": "#/definitions/risk" } + }, + "fairnessAssessments": { + "type": "array", + "title": "Fairness Assessments", + "description": "How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?", + "items": { + "$ref": "#/definitions/fairnessAssessment" + } + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "inputOutputMLParameters": { + "type": "object", + "title": "Input and Output Parameters", + "additionalProperties": false, + "properties": { + "format": { + "description": "The data format for input/output to the model. Example formats include string, image, time-series", + "type": "string" + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.\n\n* __source-code__ = Any type of code, code snippet, or data-as-code.\n* __configuration__ = Parameters or settings that may be used by other components.\n* __dataset__ = A collection of data.\n* __definition__ = Data that can be used to create new instances of what the definition defines.\n* __other__ = Any other type of data that does not fit into existing definitions.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ] + }, + "name": { + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" }, + "description": { + "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "type": "object", + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "$ref": "#/definitions/organizationalEntity" + }, + "contact": { + "title": "Individual", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["contact"] + } + ] + }, + "graphicsCollection": { + "type": "object", + "title": "Graphics Collection", + "description": "A collection of graphics that represent various measurements.", + "additionalProperties": false, + "properties": { + "description": { + "description": "A description of this collection of graphics.", + "type": "string" + }, + "collection": { + "description": "A collection of graphics.", + "type": "array", + "items": { "$ref": "#/definitions/graphic" } + } + } + }, + "graphic": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the graphic.", + "type": "string" + }, + "image": { + "title": "Graphic Image", + "description": "The graphic (vector or raster). Base64 encoding MUST be specified for binary images.", + "$ref": "#/definitions/attachment" + } + } + }, + "performanceMetric": { + "type": "object", + "additionalProperties": false, + "properties": { + "type": { + "description": "The type of performance metric.", + "type": "string" + }, + "value": { + "description": "The value of the performance metric.", + "type": "string" + }, + "slice": { + "description": "The name of the slice this metric was computed on. By default, assume this metric is not sliced.", + "type": "string" + }, + "confidenceInterval": { + "description": "The confidence interval of the metric.", + "type": "object", + "additionalProperties": false, + "properties": { + "lowerBound": { + "description": "The lower bound of the confidence interval.", + "type": "string" + }, + "upperBound": { + "description": "The upper bound of the confidence interval.", + "type": "string" + } + } + } + } + }, + "risk": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the risk.", + "type": "string" + }, + "mitigationStrategy": { + "description": "Strategy used to address this risk.", + "type": "string" + } + } + }, + "fairnessAssessment": { + "type": "object", + "title": "Fairness Assessment", + "description": "Information about the benefits and harms of the model to an identified at risk group.", + "additionalProperties": false, + "properties": { + "groupAtRisk": { + "type": "string", + "description": "The groups or individuals at risk of being systematically disadvantaged by the model." + }, + "benefits": { + "type": "string", + "description": "Expected benefits to the identified groups." + }, + "harms": { + "type": "string", + "description": "Expected harms to the identified groups." + }, + "mitigationStrategy": { + "type": "string", + "description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + } + }, + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/definitions/workflow" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/workspace" + } + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/definitions/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/definitions/dependency" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/definitions/command" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": {"type": "string"} + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": ["ConfigMap","Secret"], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": ["a kubernetes Persistent Volume Claim (PVC) name"], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": ["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"], + "$ref": "#/definitions/volume" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": ["10GB", "2Ti", "1Pi"], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/definitions/event" + }, + "conditions": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/definitions/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "source": { + "title": "Source", + "description": "A references to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "reference to a configuration file in a repository (i.e., a bom-ref)", + "reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/parameter" + } + }, + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string" + } + ] + } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "outputType": { + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": ["a log file described as an `externalReference` within its target domain."], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string" + } + ] + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "type": "object", + "additionalProperties": false, + "properties": { + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/definitions/externalReference" + } + }, + "oneOf": [ + { + "required": [ + "ref" + ] + }, + { + "required": [ + "externalReference" + ] + } + ] + }, + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" + }, + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger should be fired.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "taskType": { + "type": "string", + "enum": [ + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" + ] + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the parameter.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" + }, + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" + } + } + }, + "signature": { + "$ref": "jsf-0.82.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } +} diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd new file mode 100644 index 00000000..1cc87910 --- /dev/null +++ b/schema/bom-1.6.xsd @@ -0,0 +1,5464 @@ + + + + + + + + + CycloneDX Software Bill of Materials Standard + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier for referable and therefore interlink-able elements. + + + + + + + + + + Descriptor for an element identified by the attribute "bom-ref" in the same BOM document. + In contrast to `bomLinkElementType`. + + + + + + + + + Descriptor for another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + Descriptor for an element in another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + + + + + + The date and time (timestamp) when the BOM was created. + + + + + + The product lifecycle(s) that this BOM represents. + + + + + + + + + + + + A pre-defined phase in the product lifecycle. + + + + + + + + + The name of the lifecycle phase + + + + + + + The description of the lifecycle phase + + + + + + + + + + + + + The tool(s) used in the creation of the BOM. + + + + + + + DEPRECATED. Use tools\components or tools\services instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + The person(s) who created the BOM. Authors are common in BOMs created through + manual processes. BOMs created through automated means may not have authors. + + + + + + + + + + The component that the BOM describes. + + + + + The organization that manufactured the component that the BOM describes. + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + BOM produced early in the development lifecycle containing inventory of components and services + that are proposed or planned to be used. The inventory may need to be procured, retrieved, + or resourced prior to use. + + + + + + + BOM consisting of information obtained prior to a build process and may contain source files + and development artifacts and manifests. The inventory may need to be resolved and retrieved + prior to use. + + + + + + + BOM consisting of information obtained during a build process where component inventory is + available for use. The precise versions of resolved components are usually available at this + time as well as the provenance of where the components were retrieved from. + + + + + + + BOM consisting of information obtained after a build process has completed and the resulting + components(s) are available for further analysis. Built components may exist as the result of a + CI/CD process, may have been installed or deployed to a system or device, and may need to be + retrieved or extracted from the system or device. + + + + + + + BOM produced that represents inventory that is running and operational. This may include staging + or production environments and will generally encompass multiple SBOMs describing the applications + and operating system, along with HBOMs describing the hardware that makes up the system. Operations + Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, + and additional dependencies. + + + + + + + BOM consisting of information observed through network discovery providing point-in-time + enumeration of embedded, on-premise, and cloud-native services such as server applications, + connected devices, microservices, and serverless functions. + + + + + + + BOM containing inventory that will be, or has been retired from operations. + + + + + + + + + + + The name of the organization + + + + + The URL of the organization. Multiple URLs are allowed. + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Information about the automated or manual tool used + + + + + The name of the vendor who created the tool + + + + + The name of the tool + + + + + The version of the tool + + + + + + + + + + + + Provides the ability to document external references related to the tool. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + The person(s) or organization(s) that authored the component + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'required' + scope SHOULD be assumed by the consumer of the BOM. + + + + + + + + + + + + + A copyright notice informing users of the underlying claims to + copyright ownership in a published work. + + + + + + Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (purl). The purl, if specified, MUST be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating if the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + A list of software and hardware components included in the parent component. This is not a + dependency tree. It provides a way to specify a hierarchical representation of component + assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. + + + + + Specifies optional release notes. + + + + + A model card describes the intended uses of a machine learning model and potential + limitations, including biases and ethical considerations. Model cards typically contain the + training parameters, which datasets were used to train the model, performance metrics, and other + relevant data useful for ML transparency. This object SHOULD be specified for any component of + type `machine-learning-model` and MUST NOT be specified for other component types. + + + + + This object SHOULD be specified for any component of type `data` and MUST NOT be + specified for other component types. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The OPTIONAL mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + An optional identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + A valid SPDX license ID + + + + + If SPDX does not define the license used, this field may be used to provide the license name + + + + + + Specifies the optional full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + + + + Specifies the content type of the text. Defaults to text/plain + if not specified. + + + + + + Specifies the optional encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + A runtime environment which interprets or executes software. This may include + runtimes such as those that execute bytecode or low-code/no-code application platforms. + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware SHOULD include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that operates or controls a particular type of device. + Refer to https://en.wikipedia.org/wiki/Device_driver + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + A model based on training data that can make predictions or decisions without + being explicitly programmed to do so. + + + + + A collection of discrete values that convey information. + + + + + + + + + + + + + + + + + + + + + + + + + + + A license that grants use of software solely for the purpose + of education or research. + + + + + A license covering use of software embedded in a specific + piece of hardware. + + + + + A Client Access License (CAL) allows client computers to access + services provided by server software. + + + + + A Concurrent User license (aka floating license) limits the + number of licenses for a software application and licenses are shared among + a larger number of users. + + + + + A license where the core of a computer's processor is assigned + a specific number of points. + + + + + A license for which consumption is measured by non-standard + metrics. + + + + + A license that covers a defined number of installations on + computers and other types of devices. + + + + + A license that grants permission to install and use software + for trial purposes. + + + + + A license that grants access to the software to one or more + pre-defined users. + + + + + A license that grants access to the software on one or more + pre-defined computers or devices. + + + + + An Original Equipment Manufacturer license that is delivered + with hardware, cannot be transferred to other hardware, and is valid for the + life of the hardware. + + + + + A license where the software is sold on a one-time basis and + the licensee can use a copy of the software indefinitely. + + + + + A license where each installation consumes points per + processor. + + + + + A license where the licensee pays a fee to use the software + or service. + + + + + A license that grants access to the software or service by a + specified number of users. + + + + + Another license type. + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-materials (SBOM, OBOM, HBOM, SaaSBOM, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + Direct or repository download location + + + + + The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + URL to release notes + + + + + Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT. + + + + + A model card describes the intended uses of a machine learning model, potential + limitations, biases, ethical considerations, training parameters, datasets used to train the + model, performance metrics, and other relevant data useful for ML transparency. + + + + + A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + + + + + Parameters or settings that may be used by other components or services. + + + + + Information used to substantiate a claim. + + + + + Describes how a component or service was manufactured or deployed. + + + + + Human or machine-readable statements containing facts, evidence, or testimony + + + + + An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + + + + + The defined assumptions, goals, and capabilities of an adversary. + + + + + Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + + + + + A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product. + + + + + A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization. + + + + + Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + + + + + SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + + + + + Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + + + + + Report generated by analyzing the call stack of a running application + + + + + Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + + + + + Report containing a formal assessment of an organization, business unit, or team against a maturity model + + + + + Industry, regulatory, or other certification from an accredited (if applicable) certification body + + + + + Report or system in which quality metrics can be obtained + + + + + Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + + + + + Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be + relevant, but are not included with the BOM. They may also establish specific relationships + within or external to the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URI (URL or URN) to the external reference. External references + are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. + External references may also include formally registered URNs such as CycloneDX BOM-Link to + reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external + references into relationships that can be expressed in a BOM or across BOMs. Refer to: + https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + An optional comment describing the external reference + + + + + + + + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the optional text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + An individual issue that has been resolved. + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + References a component or service by its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Defines the direct dependencies of a component or service. Components or services + that do not have their own dependencies MUST be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph MAY have unknown + dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is RECOMMENDED to leverage compositions to + indicate unknown dependency graphs. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + The name of the trust zone the service resides in. + + + + + + + + + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use dataflow\classification instead + + + + + + Specifies the data classification. + + + + + + Specifies the data classification. + + + + + + The URI, URL, or BOM-Link of the components or services the data came in from. + + + + + + + + + + + + + + The URI, URL, or BOM-Link of the components or services the data is sent to. + + + + + + + + + + + + + + + + Name for the defined data. + + + + + + + Short description of the data content and usage. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + A list of services included or deployed behind the parent service. This is not a dependency + tree. It provides a way to specify a hierarchical representation of service assemblies. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies optional release notes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements + + + + + + + + An optional identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Evidence that substantiates the identity of a component. + + + + + + The identity field of the component which the evidence describes. + + + + + The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + + + The methods used to extract and/or analyze the evidence. + + + + + + + + + The technique used in this method of analysis. + + + + + The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + + + + + The value or contents of the evidence. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + Evidence of individual instances of a component spread across multiple locations. + + + + + + + + + The location or path to where the component was found. + + + + + + + An optional identifier which can be used to reference the occurrence elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + + + + + + Evidence of the components use through the callstack. + + + + + + + + + + + + A package organizes modules into namespaces, providing a unique namespace for each type it contains. + + + + + A module or class that encloses functions/methods and other code. + + + + + A block of code designed to perform a particular task. + + + + + Optional arguments that are passed to the module or function. + + + + + + + + + + The line number the code that is called resides on. + + + + + The column the code that is called resides. + + + + + The full path and filename of the module. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Specifies an aggregate type that describe how complete a relationship is. + + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the vulnerabilities being described. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + An optional identifier which can be used to reference the composition elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + Defines a syntax for representing two character language code (ISO-639) followed by an optional two + character country code. The language code MUST be lower case. If the country code is specified, the + country code MUST be upper case. The language code and country code MUST be separated by a minus sign. + Examples: en, en-US, fr, fr-CA + + + + + + + + + + + + The software versioning type. It is RECOMMENDED that the release type use one + of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software + release types is not practical, so standardizing on the recommended values, whenever possible, + is strongly encouraged. + * major = A major release may contain significant changes or may introduce breaking changes. + * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. + * patch = Patch releases are typically unplanned and may resolve defects or important security issues. + * pre-release = A pre-release may include alpha, beta, or release candidates and typically have + limited support. They provide the ability to preview a release prior to its general availability. + * internal = Internal releases are not for public consumption and are intended to be used exclusively + by the project or manufacturer that produced it. + + + + + + The title of the release. + + + + + The URL to an image that may be prominently displayed with the release note. + + + + + The URL to an image that may be used in messaging on social media platforms. + + + + + A short description of the release. + + + + + The date and time (timestamp) when the release note was created. + + + + + + + + One or more alternate names the release may be referred to. This may + include unofficial terms used by development and marketing teams (e.g. code names). + + + + + + + + + + + One or more tags that may aid in search or retrieval of the release note. + + + + + + + + A collection of issues that have been resolved. + + + + + + + + + + + + + Zero or more release notes containing the locale and content. Multiple + note elements may be specified to support release notes in a wide variety of languages. + + + + + + The ISO-639 (or higher) language code and optional ISO-3166 + (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + + + + + Specifies the full content of the release note. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A model card describes the intended uses of a machine learning model and potential limitations, including + biases and ethical considerations. Model cards typically contain the training parameters, which datasets + were used to train the model, performance metrics, and other relevant data useful for ML transparency. + This object SHOULD be specified for any component of type `machine-learning-model` and MUST NOT be specified + for other component types. + + + + + + + Hyper-parameters for construction of the model. + + + + + + + + The overall approach to learning used by the model for problem solving. + + + + + + + + Learning types describing the learning problem or hybrid learning problem. + + + + + + + + + + Directly influences the input and/or output. Examples include classification, + regression, clustering, etc. + + + + + + + The model architecture family such as transformer network, convolutional neural + network, residual neural network, LSTM neural network, etc. + + + + + + + The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. + + + + + + + The datasets used to train and evaluate the model. + + + + + + + References a data component by the components bom-ref attribute + + + + + + + + + + + + + The input format(s) of the model + + + + + + + + + + + The data format for input to the model. Example formats include string, image, time-series + + + + + + + + + + + + + The output format(s) from the model + + + + + + + + + + + The data format for output from the model. Example formats include string, image, time-series + + + + + + + + + + + + + + + + A quantitative analysis of the model + + + + + + + + + + + + + + The type of performance metric. + + + + + + + The value of the performance metric. + + + + + + + The name of the slice this metric was computed on. By default, assume + this metric is not sliced. + + + + + + + The confidence interval of the metric. + + + + + + + + The lower bound of the confidence interval. + + + + + + + The upper bound of the confidence interval. + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements + + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + + + + + + + + + + + + + + + + + + + What considerations should be taken into account regarding the model's construction, training, + and application? + + + + + + + + Who are the intended users of the model? + + + + + + + + + + + + What are the intended use cases of the model? + + + + + + + + + + + + What are the known technical limitations of the model? E.g. What kind(s) of data + should the model be expected not to perform well on? What are the factors that might + degrade model performance? + + + + + + + + + + + + What are the known tradeoffs in accuracy/performance of the model? + + + + + + + + + + + + What are the ethical (or environmental) risks involved in the application of this model? + + + + + + + + + + + The name of the risk + + + + + + + Strategy used to address this risk + + + + + + + + + + + + + How does the model affect groups at risk of being systematically disadvantaged? + What are the harms and benefits to the various affected groups? + + + + + + + + + + + The groups or individuals at risk of being systematically disadvantaged by the model. + + + + + + + Expected benefits to the identified groups. + + + + + + + Expected harms to the identified groups. + + + + + + + With respect to the benefits and harms outlined, please + describe any mitigation strategy implemented. + + + + + + + + + + + + + + + + + An optional identifier which can be used to reference the model card elsewhere in the BOM. + Every bom-ref MUST be unique within the BOM. + + + + + + + + + + TODO + + + + + TODO + + + + + TODO + + + + + TODO + + + + + TODO + + + + + + + + + + + The general theme or subject matter of the data being specified. + + + + + + + The name of the dataset. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + Provides the ability to document name-value parameters used for configuration. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data in a dataset. + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of the dataset. Can describe size of dataset, whether it's used for source code, + training, testing, or validation, etc. + + + + + + + + + An optional identifier which can be used to reference the dataset elsewhere in the BOM. + Every bom-ref MUST be unique within the BOM. + + + + + + + + + + + Data custodians are responsible for the safe custody, transport, and storage of data. + + + + + + + + + + + + Data stewards are responsible for data content, context, and associated business rules. + + + + + + + + + + + + Data owners are concerned with risk and appropriate access to data. + + + + + + + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding MUST be specified for binary images. + + + + + + + + + + + + + + + + + Any type of code, code snippet, or data-as-code. + + + + + Parameters or settings that may be used by other components. + + + + + A collection of data. + + + + + Data that can be used to create new instances of what the definition defines. + + + + + Any other type of data that does not fit into existing definitions. + + + + + + + + + References a component or service by its bom-ref attribute + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + Defines a weakness in a component or service that could be exploited or triggered by a threat source. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include information useful in understanding root cause. + + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + + + + + + + Evidence used to reproduce the vulnerability. + + + + + + Precise steps to reproduce the vulnerability. + + + + + A description of the environment in which reproduction was possible. + + + + + Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + + + + + + + + + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + The date and time (timestamp) when the vulnerability record was rejected (if applicable). + + + + + Individuals or organizations credited with the discovery of the vulnerability. + + + + + + The organizations credited with vulnerability discovery. + + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + DEPRECATED. Use tools\components or tools\services instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. + + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + The date and time (timestamp) when the analysis was first issued. + + + + + + + The date and time (timestamp) when the analysis was last updated. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. + + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + + + + + + + The vulnerability status for the version or range of versions. + + + + + + + + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. + + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + An optional reason for rating the vulnerability as it was. + + + + + + + + + + An optional name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that created the annotation + + + + + The person that created the annotation + + + + + The tool or component that created the annotation + + + + + The service that created the annotation + + + + + + + + + + + The objects in the BOM identified by their bom-ref's. This is often components or services, but may be any object type supporting bom-refs. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + The organization, individual, component, or service which created the textual content + of the annotation. + + + + + The date and time (timestamp) when the annotation was created. + + + + + The textual content of the annotation. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the annotation elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + + + + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. + + + + + + + The vulnerability is being investigated. + + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. + + + + + + + The component or service is not affected by the vulnerability. Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. + + + + + + + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/ + + + + + + + The rating is based on CVSS v3.0 standard + https://www.first.org/cvss/v3-0/ + + + + + + + The rating is based on CVSS v3.1 standard + https://www.first.org/cvss/v3-1/ + + + + + + + The rating is based on CVSS v4.0 standard + https://www.first.org/cvss/v4-0/ + + + + + + + The rating is based on OWASP Risk Rating + https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + The rating is based on Stakeholder Specific Vulnerability Categorization (all versions) + https://github.com/CERTCC/SSVC + + + + + + + Use this if the risk scoring methodology is not based on any of the options above + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + + + + + + + + + The vulnerability status of a given version or range of versions of a product. The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. + The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. + There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + + + + + + + + Describes how a component or service was manufactured or deployed. This is achieved through the use + of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the + observed formulas describing the steps which transpired in the manufacturing process. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes workflows and resources that captures rules and other aspects of how the associated + BOM component or service was formed. + + + + + + Transient components that are used in tasks that constitute one or more of + this formula's workflows + + + + + Transient services that are used in tasks that constitute one or more of + this formula's workflows + + + + + List of workflows that can be declared to accomplish specific orchestrated goals + and independently triggered. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + An optional identifier which can be used to reference the formula elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + References to component or service resources that are used to realize + the resource instance. + + + + + The tasks that comprise the workflow. + + + + + The graph of dependencies between tasks within the workflow. + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + The trigger that initiated the task. + + + + + + The sequence of steps for the task. + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor + or task commands + + + + + + + + + + Represents resources and data output from a task at runtime by executor + or task commands + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + A graph of the component runtime topology for workflow's instance. + A description of the runtime component and service topology. This can describe a partial or + complete topology used to host and execute the task (e.g., hardware, operating systems, + configurations, etc.) + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + References an object by its bom-ref attribute + + + + + + + + + + Reference to an externally accessible resource. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + + + The trigger that initiated the task. + + + + + + + The sequence of steps for the task. + + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands. + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + + + A graph of the component runtime topology for task's instance. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the task elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A named filesystem or data resource shareable by workflow tasks. + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping + so other tasks can use their own local name in their steps. + + + + + + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Describes the read-write access control for the workspace relative to the owning resource instance. + + + + + + + A path to a location on disk where the workspace will be available to the associated task's steps. + + + + + + + The name of a domain-specific data type the workspace represents. This property is for CI/CD + frameworks that are able to provide access to structured, managed data at a more granular level + than a filesystem. + + + + + + + Identifies the reference to the request for a specific volume type and parameters. + + + + + + + Information about the actual volume instance allocated to the workspace. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + An identifiable, logical unit of data storage tied to a physical device. + + + + + + + The unique identifier for the volume instance within its deployment context. + + + + + + + The name of the volume instance + + + + + + + The mode for the volume instance. + + + + + + + The underlying path created from the actual volume. + + + + + + + The allocated size of the volume accessible to the associated workspace. This should include + the scalar size as well as IEC standard unit in either decimal or binary form. + + + + + + + Indicates if the volume persists beyond the life of the resource it is associated with. + + + + + + + Indicates if the volume is remotely (i.e., network) attached. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + + + + + + + + + + Executes specific commands or tools in order to accomplish its owning task as part of a sequence. + + + + + + + A name for the step. + + + + + + + A description of the step. + + + + + + + Ordered list of commands or directives for the step + + + + + + + + + + + A text representation of the executed command. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + The source type of event which caused the trigger to fire. + + + + + + + The event data that caused the associated trigger to activate. + + + + + + + + + + A condition that was used to determine a trigger should be activated. + + + + + + + + Describes the set of conditions which cause the trigger to activate. + + + + + + + The logical expression that was evaluated that determined the trigger should be fired. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + + + + + + + The date and time (timestamp) when the trigger was activated. + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the trigger elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + The unique identifier of the event. + + + + + + + A description of the event. + + + + + + + The date and time (timestamp) when the event was received. + + + + + + + Encoding of the raw event data. + + + + + + + References the component or service that was the source of the event + + + + + + + References the component or service that was the target of the event + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Type that represents various input data types and formats. + + + + + + + + A reference to an independent resource provided as an input to a task by the workflow runtime. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + + + + + + + + + + Inputs that have the form of data. + + + + + + + + A references to the component or service that provided the input to the task + (e.g., reference to a service with data flow value of inbound) + + + + + + + A reference to the component or service that received or stored the input if not the task + itself (e.g., a local, named storage workspace) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + A reference to an independent resource generated as output by the task. + + + + + + + Outputs that have the form of environment variables. + + + + + + + + + + + + + + + + Outputs that have the form of data. + + + + + + + + Describes the type of data output. + + + + + + + Component or service that generated or provided the output from the task (e.g., a build tool) + + + + + + + Component or service that received the output from the task + (e.g., reference to an artifactory service with data flow value of outbound) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + A representation of a functional parameter. + + + + + + + The name of the parameter. + + + + + + + The value of the parameter. + + + + + + + The data type of the parameter. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes how a component or service was manufactured or deployed. This is + achieved through the use of formulas, workflows, tasks, and steps, which declare the precise + steps to reproduce along with the observed formulas describing the steps which transpired + in the manufacturing process. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Whenever an existing BOM is modified, either manually or through automated + processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with + multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. + The default version is '1'. + + + + + Every BOM generated SHOULD have a unique serial number, even if the contents of + the BOM have not changed over time. If specified, the serial number MUST conform to RFC-4122. + Use of serial numbers are RECOMMENDED. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/tools/src/test/resources/1.6/invalid-bomformat-1.6.json b/tools/src/test/resources/1.6/invalid-bomformat-1.6.json new file mode 100644 index 00000000..ee8df941 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-bomformat-1.6.json @@ -0,0 +1,8 @@ +{ + "bomFormat": "AnotherFormat", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + ] +} diff --git a/tools/src/test/resources/1.6/invalid-component-ref-1.6.json b/tools/src/test/resources/1.6/invalid-component-ref-1.6.json new file mode 100644 index 00000000..46c971c0 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-component-ref-1.6.json @@ -0,0 +1,26 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "123", + "name": "acme-library", + "version": "1.0.0" + }, + { + "type": "library", + "bom-ref": "123", + "name": "acme-library", + "version": "1.0.0" + }, + { + "type": "library", + "bom-ref": "", + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-component-ref-1.6.xml b/tools/src/test/resources/1.6/invalid-component-ref-1.6.xml new file mode 100644 index 00000000..78467e36 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-component-ref-1.6.xml @@ -0,0 +1,21 @@ + + + + + acme-library + 1.0.0 + + + + acme-library + 1.0.0 + + + + acme-library + 1.0.0 + + + + + diff --git a/tools/src/test/resources/1.6/invalid-component-swid-1.6.json b/tools/src/test/resources/1.6/invalid-component-swid-1.6.json new file mode 100644 index 00000000..b4aed947 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-component-swid-1.6.json @@ -0,0 +1,18 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "name": "Acme Application", + "version": "9.1.1" + } + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-component-swid-1.6.xml b/tools/src/test/resources/1.6/invalid-component-swid-1.6.xml new file mode 100644 index 00000000..453d02b9 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-component-swid-1.6.xml @@ -0,0 +1,11 @@ + + + + + Acme Super Heros + Acme Application + 9.1.1 + + + + diff --git a/tools/src/test/resources/1.6/invalid-component-type-1.6.json b/tools/src/test/resources/1.6/invalid-component-type-1.6.json new file mode 100644 index 00000000..9404400c --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-component-type-1.6.json @@ -0,0 +1,13 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "foo", + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-component-type-1.6.xml b/tools/src/test/resources/1.6/invalid-component-type-1.6.xml new file mode 100644 index 00000000..cd9738c6 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-component-type-1.6.xml @@ -0,0 +1,9 @@ + + + + + acme-library + 1.0.0 + + + diff --git a/tools/src/test/resources/1.6/invalid-dependency-1.6.json b/tools/src/test/resources/1.6/invalid-dependency-1.6.json new file mode 100644 index 00000000..6d6993ac --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-dependency-1.6.json @@ -0,0 +1,43 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "library-a", + "type": "library", + "name": "library-a", + "version": "1.0.0" + }, + { + "bom-ref": "library-b", + "type": "library", + "name": "library-b", + "version": "1.0.0" + }, + { + "bom-ref": "library-c", + "type": "library", + "name": "library-c", + "version": "1.0.0" + } + ], + "dependencies": [ + { + "dependsOn": [] + }, + { + "ref": "", + "dependsOn": [ + "library-a" + ] + }, + { + "ref": "library-b", + "dependsOn": [ + "library-c" + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-dependency-1.6.xml b/tools/src/test/resources/1.6/invalid-dependency-1.6.xml new file mode 100644 index 00000000..ae2daa3d --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-dependency-1.6.xml @@ -0,0 +1,31 @@ + + + + + acme-library-a + 1.0.0 + + + acme-library-b + 1.0.0 + + + acme-library-b + 1.0.0 + + + + + + + + + + + + + + + + + diff --git a/tools/src/test/resources/1.6/invalid-empty-component-1.6.json b/tools/src/test/resources/1.6/invalid-empty-component-1.6.json new file mode 100644 index 00000000..76d2edd6 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-empty-component-1.6.json @@ -0,0 +1,11 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library" + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-empty-component-1.6.xml b/tools/src/test/resources/1.6/invalid-empty-component-1.6.xml new file mode 100644 index 00000000..71d9e7ec --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-empty-component-1.6.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/tools/src/test/resources/1.6/invalid-hash-alg-1.6.json b/tools/src/test/resources/1.6/invalid-hash-alg-1.6.json new file mode 100644 index 00000000..b21fc921 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-alg-1.6.json @@ -0,0 +1,32 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "FOO", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-hash-alg-1.6.xml b/tools/src/test/resources/1.6/invalid-hash-alg-1.6.xml new file mode 100644 index 00000000..dd45222b --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-alg-1.6.xml @@ -0,0 +1,16 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tools/src/test/resources/1.6/invalid-hash-md5-1.6.json b/tools/src/test/resources/1.6/invalid-hash-md5-1.6.json new file mode 100644 index 00000000..5c493847 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-md5-1.6.json @@ -0,0 +1,32 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "foo" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-hash-md5-1.6.xml b/tools/src/test/resources/1.6/invalid-hash-md5-1.6.xml new file mode 100644 index 00000000..8bf8c526 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-md5-1.6.xml @@ -0,0 +1,16 @@ + + + + + acme-library + 1.0.0 + required + + foo + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tools/src/test/resources/1.6/invalid-hash-sha1-1.6.json b/tools/src/test/resources/1.6/invalid-hash-sha1-1.6.json new file mode 100644 index 00000000..441fec3e --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-sha1-1.6.json @@ -0,0 +1,32 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "foo" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-hash-sha1-1.6.xml b/tools/src/test/resources/1.6/invalid-hash-sha1-1.6.xml new file mode 100644 index 00000000..74f9eb22 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-sha1-1.6.xml @@ -0,0 +1,16 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + foo + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tools/src/test/resources/1.6/invalid-hash-sha256-1.6.json b/tools/src/test/resources/1.6/invalid-hash-sha256-1.6.json new file mode 100644 index 00000000..b7f8d1de --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-sha256-1.6.json @@ -0,0 +1,32 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "foo" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-hash-sha256-1.6.xml b/tools/src/test/resources/1.6/invalid-hash-sha256-1.6.xml new file mode 100644 index 00000000..bcc3b57b --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-sha256-1.6.xml @@ -0,0 +1,16 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + foo + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tools/src/test/resources/1.6/invalid-hash-sha512-1.6.json b/tools/src/test/resources/1.6/invalid-hash-sha512-1.6.json new file mode 100644 index 00000000..0b56c35a --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-sha512-1.6.json @@ -0,0 +1,32 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "foo" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-hash-sha512-1.6.xml b/tools/src/test/resources/1.6/invalid-hash-sha512-1.6.xml new file mode 100644 index 00000000..d28277ca --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-hash-sha512-1.6.xml @@ -0,0 +1,16 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + foo + + + + diff --git a/tools/src/test/resources/1.6/invalid-issue-type-1.6.json b/tools/src/test/resources/1.6/invalid-issue-type-1.6.json new file mode 100644 index 00000000..ef1c08b5 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-issue-type-1.6.json @@ -0,0 +1,48 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.acme", + "name": "sample-library", + "version": "1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "group": "org.example", + "name": "sample-library", + "version": "1.0.0" + } + ], + "patches": [ + { + "type": "unofficial", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "foo", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.acme.org/17240" + } + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-issue-type-1.6.xml b/tools/src/test/resources/1.6/invalid-issue-type-1.6.xml new file mode 100644 index 00000000..8fbb2fb2 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-issue-type-1.6.xml @@ -0,0 +1,37 @@ + + + + + com.acme + sample-library + 1.0.0 + + + + org.example + sample-library + 1.0.0 + + + + + + blah + uri/to/changes.diff + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.acme.org/17240 + + + + + + + + + diff --git a/tools/src/test/resources/1.6/invalid-license-choice-1.6.json b/tools/src/test/resources/1.6/invalid-license-choice-1.6.json new file mode 100644 index 00000000..48399473 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-choice-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", + "license": { + "name": "Apache License 2.0" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-license-choice-1.6.xml b/tools/src/test/resources/1.6/invalid-license-choice-1.6.xml new file mode 100644 index 00000000..2c51eefc --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-choice-1.6.xml @@ -0,0 +1,26 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/invalid-license-encoding-1.6.json b/tools/src/test/resources/1.6/invalid-license-encoding-1.6.json new file mode 100644 index 00000000..794c566c --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-encoding-1.6.json @@ -0,0 +1,28 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "text": { + "contentType": "text/plain", + "encoding": "base85", + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-license-encoding-1.6.xml b/tools/src/test/resources/1.6/invalid-license-encoding-1.6.xml new file mode 100644 index 00000000..9619c6b0 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-encoding-1.6.xml @@ -0,0 +1,27 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/invalid-license-id-1.6.json b/tools/src/test/resources/1.6/invalid-license-id-1.6.json new file mode 100644 index 00000000..907d5581 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-id-1.6.json @@ -0,0 +1,22 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "license": { + "id": "Apache-2" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-license-id-1.6.xml b/tools/src/test/resources/1.6/invalid-license-id-1.6.xml new file mode 100644 index 00000000..0497e118 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-id-1.6.xml @@ -0,0 +1,27 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml b/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml new file mode 100644 index 00000000..984e9943 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml @@ -0,0 +1,27 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2 + + Apache-2 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/invalid-license-name-count-1.6.xml b/tools/src/test/resources/1.6/invalid-license-name-count-1.6.xml new file mode 100644 index 00000000..3e91550d --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-name-count-1.6.xml @@ -0,0 +1,27 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache License 2.0 + + Apache License 2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/invalid-metadata-license-1.6.json b/tools/src/test/resources/1.6/invalid-metadata-license-1.6.json new file mode 100644 index 00000000..a510758b --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-metadata-license-1.6.json @@ -0,0 +1,16 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "licenses": [ + { + "license": { + "id": "Apache-2" + } + } + ] + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/invalid-metadata-license-1.6.xml b/tools/src/test/resources/1.6/invalid-metadata-license-1.6.xml new file mode 100644 index 00000000..f0f716bb --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-metadata-license-1.6.xml @@ -0,0 +1,11 @@ + + + + + + Apache-2 + + + + + \ No newline at end of file diff --git a/tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.json b/tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.json new file mode 100644 index 00000000..e3f1884b --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.json @@ -0,0 +1,10 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2020-04-13" + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.xml b/tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.xml new file mode 100644 index 00000000..db47d8df --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-metadata-timestamp-1.6.xml @@ -0,0 +1,7 @@ + + + + 2020-04-07 + + + diff --git a/tools/src/test/resources/1.6/invalid-missing-component-type-1.6.json b/tools/src/test/resources/1.6/invalid-missing-component-type-1.6.json new file mode 100644 index 00000000..ec0b081e --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-missing-component-type-1.6.json @@ -0,0 +1,12 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-missing-component-type-1.6.xml b/tools/src/test/resources/1.6/invalid-missing-component-type-1.6.xml new file mode 100644 index 00000000..d467421f --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-missing-component-type-1.6.xml @@ -0,0 +1,9 @@ + + + + + acme-library + 1.0.0 + + + diff --git a/tools/src/test/resources/1.6/invalid-namespace-1.6.xml b/tools/src/test/resources/1.6/invalid-namespace-1.6.xml new file mode 100644 index 00000000..9e42be40 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-namespace-1.6.xml @@ -0,0 +1,118 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tools/src/test/resources/1.6/invalid-patch-type-1.6.json b/tools/src/test/resources/1.6/invalid-patch-type-1.6.json new file mode 100644 index 00000000..a71680e3 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-patch-type-1.6.json @@ -0,0 +1,48 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.acme", + "name": "sample-library", + "version": "1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "group": "org.example", + "name": "sample-library", + "version": "1.0.0" + } + ], + "patches": [ + { + "type": "foo", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.acme.org/17240" + } + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-patch-type-1.6.xml b/tools/src/test/resources/1.6/invalid-patch-type-1.6.xml new file mode 100644 index 00000000..78cff1fd --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-patch-type-1.6.xml @@ -0,0 +1,37 @@ + + + + + com.acme + sample-library + 1.0.0 + + + + org.example + sample-library + 1.0.0 + + + + + + blah + uri/to/changes.diff + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.acme.org/17240 + + + + + + + + + diff --git a/tools/src/test/resources/1.6/invalid-scope-1.6.json b/tools/src/test/resources/1.6/invalid-scope-1.6.json new file mode 100644 index 00000000..cbb68fa2 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-scope-1.6.json @@ -0,0 +1,14 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "foo" + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-scope-1.6.xml b/tools/src/test/resources/1.6/invalid-scope-1.6.xml new file mode 100644 index 00000000..d6e615aa --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-scope-1.6.xml @@ -0,0 +1,10 @@ + + + + + acme-library + 1.0.0 + foo + + + diff --git a/tools/src/test/resources/1.6/invalid-serialnumber-1.6.json b/tools/src/test/resources/1.6/invalid-serialnumber-1.6.json new file mode 100644 index 00000000..fdc34e3d --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-serialnumber-1.6.json @@ -0,0 +1,8 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f", + "version": 1, + "components": [ + ] +} diff --git a/tools/src/test/resources/1.6/invalid-serialnumber-1.6.xml b/tools/src/test/resources/1.6/invalid-serialnumber-1.6.xml new file mode 100644 index 00000000..10e8ae0f --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-serialnumber-1.6.xml @@ -0,0 +1,118 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tools/src/test/resources/1.6/invalid-service-data-1.6.json b/tools/src/test/resources/1.6/invalid-service-data-1.6.json new file mode 100644 index 00000000..9f028594 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-service-data-1.6.json @@ -0,0 +1,20 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "name": "Stock ticker service", + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "foo", + "flow": "bar" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-service-data-1.6.xml b/tools/src/test/resources/1.6/invalid-service-data-1.6.xml new file mode 100644 index 00000000..0d1a2bf3 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-service-data-1.6.xml @@ -0,0 +1,11 @@ + + + + + Stock ticker service + + bar + + + + diff --git a/tools/src/test/resources/1.6/valid-annotation-1.6.json b/tools/src/test/resources/1.6/valid-annotation-1.6.json new file mode 100644 index 00000000..790fc280 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-annotation-1.6.json @@ -0,0 +1,102 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "component-a", + "type": "library", + "name": "Component A", + "version": "1.0.0" + } + ], + "annotations": [ + { + "bom-ref": "annotation-1", + "subjects": [ + "component-a" + ], + "annotator": { + "organization": { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by an organization" + }, + { + "bom-ref": "annotation-2", + "subjects": [ + "component-a" + ], + "annotator": { + "individual": { + "name": "Samantha Wright", + "email": "samantha.wright@example.com", + "phone": "800-555-1212" + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by a person" + }, + { + "bom-ref": "annotation-3", + "subjects": [ + "component-a" + ], + "annotator": { + "component": { + "type": "application", + "name": "Awesome Tool", + "version": "9.1.2" + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by a component" + }, + { + "bom-ref": "annotation-4", + "subjects": [ + "component-a" + ], + "annotator": { + "service": { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "name": "Partner Org", + "url": [ + "https://partner.org" + ] + }, + "group": "org.partner", + "name": "BOM Annotation Service", + "version": "2020-Q2", + "endpoints": [ + "https://partner.org/api/v1/inspect", + "https://partner.org/api/v1/annotate" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "bi-directional" + } + ] + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by a service" + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-annotation-1.6.textproto b/tools/src/test/resources/1.6/valid-annotation-1.6.textproto new file mode 100644 index 00000000..69b10582 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-annotation-1.6.textproto @@ -0,0 +1,94 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "component-a" + name: "Component A" + version: "1.0.0" +} +annotations { + bom_ref: "annotation-1" + subjects: "component-a" + annotator: { + organization: { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Professional Services" + email: "professional.services@example.com" + } + } + } + timestamp { + seconds: 3173618478 + nanos: 3 + } + text: "This is a sample annotation made by an organization" +} +annotations { + bom_ref: "annotation-2" + subjects: "component-a" + annotator: { + individual { + name: "Samantha Wright" + email: "samantha.wright@example.com" + phone: "800-555-1212" + } + } + timestamp { + seconds: 3173618478 + nanos: 3 + } + text: "This is a sample annotation made by an person" +} +annotations { + bom_ref: "annotation-3" + subjects: "component-a" + annotator: { + component { + type: CLASSIFICATION_APPLICATION + name: "Awesome Tool" + version: "9.1.2" + } + } + timestamp { + seconds: 3173618478 + nanos: 3 + } + text: "This is a sample annotation made by a component" +} +annotations { + bom_ref: "annotation-4" + subjects: "component-a" + annotator: { + service { + bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + provider { + name: "Partner Org" + url: "https://partner.org" + contact { + name: "Support" + email: "support@partner" + phone: "800-555-1212" + } + } + group: "org.partner" + name: "BOM Annotation Service" + version: "2020-Q2" + endpoints: "https://partner.org/api/v1/inspect" + endpoints: "https://partner.org/api/v1/annotate" + authenticated: true + x_trust_boundary: true + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "public" + } + } + } + timestamp { + seconds: 3173618478 + nanos: 3 + } + text: "This is a sample annotation made by a service" +} diff --git a/tools/src/test/resources/1.6/valid-annotation-1.6.xml b/tools/src/test/resources/1.6/valid-annotation-1.6.xml new file mode 100644 index 00000000..ea3c2872 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-annotation-1.6.xml @@ -0,0 +1,87 @@ + + + + + Component A + 1.0.0 + + + + + + + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + 2020-04-07T07:01:00Z + This is a sample annotation made by an organization + + + + + + + + Samantha Wright + samantha.wright@example.com + 800-555-1212 + + + 2020-04-07T07:01:00Z + This is a sample annotation made by an person + + + + + + + + Awesome Tool + 9.1.2 + + + 2020-04-07T07:01:00Z + This is a sample annotation made by a component + + + + + + + + + Partner Org + https://partner.org + + Support + support@partner + 800-555-1212 + + + org.partner + BOM Annotation Service + 2020-Q2 + + https://partner.org/api/v1/inspect + https://partner.org/api/v1/annotate + + true + true + + pubic + + + + 2020-04-07T07:01:00Z + This is a sample annotation made by a service + + + diff --git a/tools/src/test/resources/1.6/valid-assembly-1.6.json b/tools/src/test/resources/1.6/valid-assembly-1.6.json new file mode 100644 index 00000000..681c10e6 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-assembly-1.6.json @@ -0,0 +1,30 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library-a", + "version": "1.0.0", + "components": [ + { + "type": "library", + "name": "acme-library-b", + "version": "2.0.0" + } + ] + } + ], + "services": [ + { + "name": "acme-service-a", + "services": [ + { + "name": "acme-service-b" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-assembly-1.6.textproto b/tools/src/test/resources/1.6/valid-assembly-1.6.textproto new file mode 100644 index 00000000..1434e7f2 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-assembly-1.6.textproto @@ -0,0 +1,19 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + name: "acme-library-a" + version: "1.0.0" + components { + type: CLASSIFICATION_LIBRARY + name: "acme-library-b" + version: "2.0.0" + } +} +services { + name: "acme-service-a" + services { + name: "acme-service-b" + } +} diff --git a/tools/src/test/resources/1.6/valid-assembly-1.6.xml b/tools/src/test/resources/1.6/valid-assembly-1.6.xml new file mode 100644 index 00000000..089ce080 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-assembly-1.6.xml @@ -0,0 +1,25 @@ + + + + + acme-library-a + 1.0.0 + + + acme-library-b + 2.0.0 + + + + + + + acme-service-a + + + acme-service-b + + + + + diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json new file mode 100644 index 00000000..40cb6d65 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -0,0 +1,177 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2020-04-13T20:20:39+00:00", + "tools": [ + { + "vendor": "Awesome Vendor", + "name": "Awesome Tool", + "version": "9.1.2", + "hashes": [ + { + "alg": "SHA-1", + "content": "25ed8e31b995bb927966616df2a42b979a2717f0" + }, + { + "alg": "SHA-256", + "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + ] + } + ], + "authors": [ + { + "name": "Samantha Wright", + "email": "samantha.wright@example.com", + "phone": "800-555-1212" + } + ], + "component": { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "name": "Acme Application", + "version": "9.1.1", + "text": { + "contentType": "text/xml", + "encoding": "base64", + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" + } + } + }, + "manufacture": { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + }, + "supplier": { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "name": "Acme Distribution", + "email": "distribution@example.com" + } + ] + } + }, + "components": [ + { + "bom-ref": "pkg:npm/acme/component@1.0.0", + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "License text here" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } + ], + "purl": "pkg:npm/acme/component@1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14" + }, + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14" + } + ], + "commits": [ + { + "uid": "7638417db6d59f3c431d3e1f261cc637155684cd", + "url": "https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd", + "author": { + "timestamp": "2018-11-13T20:20:39+00:00", + "name": "me", + "email": "me@acme.org" + } + } + ] + } + }, + { + "type": "library", + "supplier": { + "name": "Example, Inc.", + "url": [ + "https://example.com", + "https://example.net" + ], + "contact": [ + { + "name": "Example Support AMER Distribution", + "email": "support@example.com", + "phone": "800-555-1212" + }, + { + "name": "Example Support APAC", + "email": "support@apac.example.com" + } + ] + }, + "author": "Example Super Heros", + "group": "org.example", + "name": "mylibrary", + "version": "1.0.0" + } + ], + "dependencies": [ + { + "ref": "pkg:npm/acme/component@1.0.0", + "dependsOn": [ + "pkg:npm/acme/component@1.0.0" + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto new file mode 100644 index 00000000..83f5901c --- /dev/null +++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -0,0 +1,150 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + timestamp { + seconds: 3173618478 + nanos: 3 + } + tools { + vendor: "Awesome Vendor" + name: "Awesome Tool" + version: "9.1.2" + hashes { + alg: HASH_ALG_SHA_1 + value: "25ed8e31b995bb927966616df2a42b979a2717f0" + } + hashes { + alg: HASH_ALG_SHA_256 + value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + } + authors { + name: "Samantha Wright" + email: "samantha.wright@example.com" + phone: "800-555-1212" + } + component { + type: CLASSIFICATION_APPLICATION + author: "Acme Super Heros" + name: "Acme Application" + version: "9.1.1" + swid { + tag_id: "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" + name: "Acme Application" + version: "9.1.1" + text { + content_type: "text/xml" + encoding: "base64" + value: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" + } + } + } + manufacture { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Professional Services" + email: "professional.services@example.com" + } + } + supplier { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Distribution" + email: "distribution@example.com" + } + } +} +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:npm/acme/component@1.0.0" + publisher: "Acme Inc" + group: "com.acme" + name: "tomcat-catalina" + version: "9.0.14" + hashes { + alg: HASH_ALG_MD_5 + value: "3942447fac867ae5cdb3229b658f4d48" + } + hashes { + alg: HASH_ALG_SHA_1 + value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + } + hashes { + alg: HASH_ALG_SHA_256 + value: "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + } + hashes { + alg: HASH_ALG_SHA_512 + value: "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + licenses { + license { + id: "Apache-2.0" + text { + content_type: "text/plain" + encoding: "base64" + value: "License text here" + } + url: "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } + purl: "pkg:npm/acme/component@1.0.0" + pedigree { + ancestors { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "tomcat-catalina" + version: "9.0.14" + } + ancestors { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "tomcat-catalina" + version: "9.0.14" + } + commits { + uid: "123" + url: "" + author { + timestamp { + seconds: 3084280878 + nanos: 3 + } + name: "" + email: "" + } + } + } +} +components { + type: CLASSIFICATION_LIBRARY + supplier { + name: "Example, Inc." + url: "https://example.com" + url: "https://example.net" + contact { + name: "Example Support AMER Distribution" + email: "support@example.com" + phone: "800-555-1212" + } + contact { + name: "Example Support APAC" + email: "support@apac.example.com" + } + } + author: "Example Super Heros" + group: "org.example" + name: "mylibrary" + version: "1.0.0" +} +dependencies { + ref: "pkg:npm/acme/component@1.0.0" + dependencies { + ref: "pkg:npm/acme/component@1.0.0" + } +} diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.xml b/tools/src/test/resources/1.6/valid-bom-1.6.xml new file mode 100644 index 00000000..fc1904d3 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-bom-1.6.xml @@ -0,0 +1,181 @@ + + + + 2020-04-07T07:01:00Z + + + Awesome Vendor + Awesome Tool + 9.1.2 + + 25ed8e31b995bb927966616df2a42b979a2717f0 + a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df + + + + + + Samantha Wright + samantha.wright@example.com + 800-555-1212 + + + + Acme Super Heros + Acme Application + 9.1.1 + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + Acme, Inc. + https://example.com + + Acme Distribution + distribution@example.com + + + + + + Acme Super Heros + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache Super Heros + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + + Example Inc. + https://example.com + https://example.net + + Example Support AMER + support@example.com + 800-555-1212 + + + Example Support APAC + support@apac.example.com + + + Example Super Heros + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0-with-classpath-exception + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + Example Super Heros + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tools/src/test/resources/1.6/valid-component-hashes-1.6.json b/tools/src/test/resources/1.6/valid-component-hashes-1.6.json new file mode 100644 index 00000000..fcb58a93 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-hashes-1.6.json @@ -0,0 +1,63 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-example", + "version": "1.0.0", + "hashes": [ + { + "alg": "MD5", + "content": "641b6e166f8b33c5e959e2adcc18b1c7" + }, + { + "alg": "SHA-1", + "content": "9188560f22e0b73070d2efce670c74af2bdf30af" + }, + { + "alg": "SHA-256", + "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964" + }, + { + "alg": "SHA-384", + "content": "d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad" + }, + { + "alg": "SHA-512", + "content": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" + }, + { + "alg": "SHA3-256", + "content": "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" + }, + { + "alg": "SHA3-384", + "content": "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" + }, + { + "alg": "SHA3-512", + "content": "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" + }, + { + "alg": "BLAKE2b-256", + "content": "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" + }, + { + "alg": "BLAKE2b-384", + "content": "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" + }, + { + "alg": "BLAKE2b-512", + "content": "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" + }, + { + "alg": "BLAKE3", + "content": "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-hashes-1.6.textproto b/tools/src/test/resources/1.6/valid-component-hashes-1.6.textproto new file mode 100644 index 00000000..e29665c7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-hashes-1.6.textproto @@ -0,0 +1,56 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + name: "acme-example" + version: "1.0.0" + hashes { + alg: HASH_ALG_MD_5 + value: "641b6e166f8b33c5e959e2adcc18b1c7" + } + hashes { + alg: HASH_ALG_SHA_1 + value: "9188560f22e0b73070d2efce670c74af2bdf30af" + } + hashes { + alg: HASH_ALG_SHA_256 + value: "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964" + } + hashes { + alg: HASH_ALG_SHA_384 + value: "d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad" + } + hashes { + alg: HASH_ALG_SHA_512 + value: "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" + } + hashes { + alg: HASH_ALG_SHA_3_256 + value: "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" + } + hashes { + alg: HASH_ALG_SHA_3_384 + value: "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" + } + hashes { + alg: HASH_ALG_SHA_3_512 + value: "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" + } + hashes { + alg: HASH_ALG_BLAKE_2_B_256 + value: "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" + } + hashes { + alg: HASH_ALG_BLAKE_2_B_384 + value: "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" + } + hashes { + alg: HASH_ALG_BLAKE_2_B_512 + value: "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" + } + hashes { + alg: HASH_ALG_BLAKE_3 + value: "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" + } +} diff --git a/tools/src/test/resources/1.6/valid-component-hashes-1.6.xml b/tools/src/test/resources/1.6/valid-component-hashes-1.6.xml new file mode 100644 index 00000000..4e5fcc61 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-hashes-1.6.xml @@ -0,0 +1,23 @@ + + + + + acme-example + 1.0.0 + + 641b6e166f8b33c5e959e2adcc18b1c7 + 9188560f22e0b73070d2efce670c74af2bdf30af + d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964 + d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad + 74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6 + 7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa + a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5 + 7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20 + d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237 + e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a + f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d + 26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf + + + + diff --git a/tools/src/test/resources/1.6/valid-component-ref-1.6.json b/tools/src/test/resources/1.6/valid-component-ref-1.6.json new file mode 100644 index 00000000..977fb1eb --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-ref-1.6.json @@ -0,0 +1,20 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "123", + "name": "acme-library", + "version": "1.0.0" + }, + { + "type": "library", + "bom-ref": "456", + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-ref-1.6.textproto b/tools/src/test/resources/1.6/valid-component-ref-1.6.textproto new file mode 100644 index 00000000..fa646839 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-ref-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "123" + name: "acme-library" + version: "1.0.0" +} +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "456" + name: "acme-library" + version: "1.0.0" +} diff --git a/tools/src/test/resources/1.6/valid-component-ref-1.6.xml b/tools/src/test/resources/1.6/valid-component-ref-1.6.xml new file mode 100644 index 00000000..b65c42d1 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-ref-1.6.xml @@ -0,0 +1,19 @@ + + + + + acme-library + 1.0.0 + + + acme-library + 1.0.0 + + + + + acme-library + 1.0.0 + + + diff --git a/tools/src/test/resources/1.6/valid-component-swid-1.6.json b/tools/src/test/resources/1.6/valid-component-swid-1.6.json new file mode 100644 index 00000000..9b63b942 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-swid-1.6.json @@ -0,0 +1,19 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "name": "Acme Application", + "version": "9.1.1" + } + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-swid-1.6.textproto b/tools/src/test/resources/1.6/valid-component-swid-1.6.textproto new file mode 100644 index 00000000..43ff0d91 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-swid-1.6.textproto @@ -0,0 +1,14 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_APPLICATION + author: "Acme Super Heros" + name: "Acme Application" + version: "9.1.1" + swid { + tag_id: "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" + name: "Acme Application" + version: "9.1.1" + } +} diff --git a/tools/src/test/resources/1.6/valid-component-swid-1.6.xml b/tools/src/test/resources/1.6/valid-component-swid-1.6.xml new file mode 100644 index 00000000..3d4a954d --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-swid-1.6.xml @@ -0,0 +1,11 @@ + + + + + Acme Super Heros + Acme Application + 9.1.1 + + + + diff --git a/tools/src/test/resources/1.6/valid-component-swid-full-1.6.json b/tools/src/test/resources/1.6/valid-component-swid-full-1.6.json new file mode 100644 index 00000000..576131ce --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-swid-full-1.6.json @@ -0,0 +1,24 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "name": "Acme Application", + "version": "9.1.1", + "text": { + "contentType": "text/xml", + "encoding": "base64", + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" + } + } + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-swid-full-1.6.textproto b/tools/src/test/resources/1.6/valid-component-swid-full-1.6.textproto new file mode 100644 index 00000000..043aaf31 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-swid-full-1.6.textproto @@ -0,0 +1,19 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_APPLICATION + author: "Acme Super Heros" + name: "Acme Application" + version: "9.1.1" + swid { + tag_id: "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" + name: "Acme Application" + version: "9.1.1" + text { + content_type: "text/xml" + encoding: "base64" + value: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" + } + } +} diff --git a/tools/src/test/resources/1.6/valid-component-swid-full-1.6.xml b/tools/src/test/resources/1.6/valid-component-swid-full-1.6.xml new file mode 100644 index 00000000..f0f7d407 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-swid-full-1.6.xml @@ -0,0 +1,13 @@ + + + + + Acme Super Heros + Acme Application + 9.1.1 + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== + + + + diff --git a/tools/src/test/resources/1.6/valid-component-types-1.6.json b/tools/src/test/resources/1.6/valid-component-types-1.6.json new file mode 100644 index 00000000..782e701b --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-types-1.6.json @@ -0,0 +1,48 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "name": "application-a", + "version": "1.0" + }, + { + "type": "library", + "name": "library-a", + "version": "1.0" + }, + { + "type": "framework", + "name": "framework-a", + "version": "1.0" + }, + { + "type": "container", + "name": "container-a", + "version": "1.0" + }, + { + "type": "operating-system", + "name": "operating-system-a", + "version": "1.0" + }, + { + "type": "firmware", + "name": "firmware-a", + "version": "1.0" + }, + { + "type": "device", + "name": "device-a", + "version": "1.0" + }, + { + "type": "file", + "name": "file-a", + "version": "1.0" + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-types-1.6.textproto b/tools/src/test/resources/1.6/valid-component-types-1.6.textproto new file mode 100644 index 00000000..8416d660 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-types-1.6.textproto @@ -0,0 +1,43 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_APPLICATION + name: "application-a" + version: "1.0" +} +components { + type: CLASSIFICATION_LIBRARY + name: "library-a" + version: "1.0" +} +components { + type: CLASSIFICATION_FRAMEWORK + name: "framework-a" + version: "1.0" +} +components { + type: CLASSIFICATION_CONTAINER + name: "container-a" + version: "1.0" +} +components { + type: CLASSIFICATION_OPERATING_SYSTEM + name: "operating-system-a" + version: "1.0" +} +components { + type: CLASSIFICATION_FIRMWARE + name: "firmware-a" + version: "1.0" +} +components { + type: CLASSIFICATION_DEVICE + name: "device-a" + version: "1.0" +} +components { + type: CLASSIFICATION_FILE + name: "file-a" + version: "1.0" +} diff --git a/tools/src/test/resources/1.6/valid-component-types-1.6.xml b/tools/src/test/resources/1.6/valid-component-types-1.6.xml new file mode 100644 index 00000000..b66c396e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-types-1.6.xml @@ -0,0 +1,37 @@ + + + + + application-a + 1.0 + + + library-a + 1.0 + + + framework-a + 1.0 + + + container-a + 1.0 + + + operating-system-a + 1.0 + + + firmware-a + 1.0 + + + device-a + 1.0 + + + file-a + 1.0 + + + diff --git a/tools/src/test/resources/1.6/valid-compositions-1.6.json b/tools/src/test/resources/1.6/valid-compositions-1.6.json new file mode 100644 index 00000000..b42952ef --- /dev/null +++ b/tools/src/test/resources/1.6/valid-compositions-1.6.json @@ -0,0 +1,80 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "component": { + "bom-ref": "acme-application-1.0", + "type": "application", + "name": "Acme Application", + "version": "1.0" + } + }, + "components": [ + { + "bom-ref": "pkg:maven/partner/shaded-library@1.0", + "type": "library", + "name": "Partner Shaded Library", + "version": "1.0", + "purl": "pkg:maven/partner/shaded-library@1.0", + "components": [ + { + "bom-ref": "pkg:maven/ossproject/library@2.0", + "type": "library", + "name": "Some Opensource Library", + "version": "2.0", + "purl": "pkg:maven/ossproject/library@2.0" + } + ] + }, + { + "type": "library", + "name": "Acme Library", + "version": "3.0", + "purl": "pkg:maven/acme/library@3.0" + } + ], + "dependencies": [ + { + "ref": "acme-application-1.0", + "dependsOn": [ + "pkg:maven/partner/shaded-library@1.0", + "pkg:maven/acme/library@3.0" + ] + } + ], + "vulnerabilities": [ + { + "bom-ref": "vulnerability-1", + "id": "ACME-12345", + "source": { + "name": "Acme Inc" + } + } + ], + "compositions": [ + { + "bom-ref": "composition-1", + "aggregate": "complete", + "assemblies": [ + "pkg:maven/partner/shaded-library@1.0" + ], + "dependencies": [ + "acme-application-1.0" + ] + }, + { + "aggregate": "unknown", + "assemblies": [ + "pkg:maven/acme/library@3.0" + ] + }, + { + "aggregate": "incomplete_first_party_only", + "vulnerabilities": [ + "vulnerability-1" + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-compositions-1.6.textproto b/tools/src/test/resources/1.6/valid-compositions-1.6.textproto new file mode 100644 index 00000000..f67f7650 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-compositions-1.6.textproto @@ -0,0 +1,61 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + component { + type: CLASSIFICATION_APPLICATION + bom_ref: "acme-application-1.0" + name: "Acme Application" + version: "1.0" + } +} +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/partner/shaded-library@1.0" + name: "Partner Shaded Library" + version: "1.0" + purl: "pkg:maven/partner/shaded-library@1.0" + components { + type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/ossproject/library@2.0" + name: "Some Opensource Library" + version: "2.0" + purl: "pkg:maven/ossproject/library@2.0" + } +} +components { + type: CLASSIFICATION_LIBRARY + name: "Acme Library" + version: "3.0" + purl: "pkg:maven/acme/library@3.0" +} +dependencies { + ref: "acme-application-1.0" + dependencies { + ref: "pkg:maven/partner/shaded-library@1.0" + } + dependencies { + ref: "pkg:maven/acme/library@3.0" + } +} +compositions { + bom_ref: "composition-1" + aggregate: AGGREGATE_COMPLETE + assemblies: "pkg:maven/partner/shaded-library@1.0" + dependencies: "acme-application-1.0" +} +compositions { + aggregate: AGGREGATE_UNKNOWN + assemblies: "pkg:maven/acme/library@3.0" +} +compositions { + aggregate: AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY, + vulnerabilities: "vulnerability-1" +} +vulnerabilities { + bom_ref: "vulnerability-1" + id: "ACME-12345" + source: { + name: "Acme Inc" + } +} diff --git a/tools/src/test/resources/1.6/valid-compositions-1.6.xml b/tools/src/test/resources/1.6/valid-compositions-1.6.xml new file mode 100644 index 00000000..5f8a76d0 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-compositions-1.6.xml @@ -0,0 +1,65 @@ + + + + + Acme Application + 1.0 + + + + + Partner Shaded Library + 1.0 + pkg:maven/partner/shaded-library@1.0 + + + Some Opensource Library + 2.0 + pkg:maven/ossproject/library@2.0 + + + + + Acme Library + 2.0 + pkg:maven/acme/library@3.0 + + + + + + + + + + + complete + + + + + + + + + unknown + + + + + + incomplete_first_party_only + + + + + + + + ACME-12345 + + Acme Inc + + + + diff --git a/tools/src/test/resources/1.6/valid-dependency-1.6.json b/tools/src/test/resources/1.6/valid-dependency-1.6.json new file mode 100644 index 00000000..3d246547 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-dependency-1.6.json @@ -0,0 +1,38 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "library-a", + "type": "library", + "name": "library-a", + "version": "1.0.0" + }, + { + "bom-ref": "library-b", + "type": "library", + "name": "library-b", + "version": "1.0.0" + }, + { + "bom-ref": "library-c", + "type": "library", + "name": "library-c", + "version": "1.0.0" + } + ], + "dependencies": [ + { + "ref": "library-a", + "dependsOn": [] + }, + { + "ref": "library-b", + "dependsOn": [ + "library-c" + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-dependency-1.6.textproto b/tools/src/test/resources/1.6/valid-dependency-1.6.textproto new file mode 100644 index 00000000..c3e9a248 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-dependency-1.6.textproto @@ -0,0 +1,30 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "library-a" + name: "library-a" + version: "1.0.0" +} +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "library-b" + name: "library-b" + version: "1.0.0" +} +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "library-c" + name: "library-c" + version: "1.0.0" +} +dependencies { + ref: "library-a" +} +dependencies { + ref: "library-b" + dependencies { + ref: "library-c" + } +} diff --git a/tools/src/test/resources/1.6/valid-dependency-1.6.xml b/tools/src/test/resources/1.6/valid-dependency-1.6.xml new file mode 100644 index 00000000..903670cf --- /dev/null +++ b/tools/src/test/resources/1.6/valid-dependency-1.6.xml @@ -0,0 +1,23 @@ + + + + + acme-library-a + 1.0.0 + + + acme-library-b + 1.0.0 + + + acme-library-b + 1.0.0 + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-empty-components-1.6.json b/tools/src/test/resources/1.6/valid-empty-components-1.6.json new file mode 100644 index 00000000..572b398c --- /dev/null +++ b/tools/src/test/resources/1.6/valid-empty-components-1.6.json @@ -0,0 +1,8 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + ] +} diff --git a/tools/src/test/resources/1.6/valid-empty-components-1.6.textproto b/tools/src/test/resources/1.6/valid-empty-components-1.6.textproto new file mode 100644 index 00000000..b58adef1 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-empty-components-1.6.textproto @@ -0,0 +1,3 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" diff --git a/tools/src/test/resources/1.6/valid-empty-components-1.6.xml b/tools/src/test/resources/1.6/valid-empty-components-1.6.xml new file mode 100644 index 00000000..58f7c849 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-empty-components-1.6.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json new file mode 100644 index 00000000..2d6187dc --- /dev/null +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.json @@ -0,0 +1,110 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "group": "com.google.code.findbugs", + "name": "findbugs-project", + "version": "3.0.0", + "licenses": [ + { + "license": { + "id": "LGPL-3.0-or-later", + "url": "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + } + } + ], + "purl": "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "findbugs-project-3.0.0.jar" + }, + { + "technique": "ast-fingerprint", + "confidence": 0.9, + "value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + }, + { + "technique": "hash-comparison", + "confidence": 0.7, + "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + } + ], + "tools": [ + "bom-ref-of-tool-that-performed-analysis" + ] + }, + "occurrences": [ + { + "bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079", + "location": "/path/to/component" + }, + { + "bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175", + "location": "/another/path/to/component" + } + ], + "callstack": { + "frames": [ + { + + "package": "com.apache.logging.log4j.core", + "module": "Logger.class", + "function": "logMessage", + "parameters": [ + "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" + ], + "line": 150, + "column": 17, + "fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + }, + { + "module": "HelloWorld.class", + "function": "main", + "line": 20, + "column": 12, + "fullFilename": "/path/to/HelloWorld.class" + } + ] + }, + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "url": "http://www.apache.org/licenses/LICENSE-2.0" + } + }, + { + "license": { + "id": "LGPL-2.1-only", + "url": "https://opensource.org/licenses/LGPL-2.1" + } + } + ], + "copyright": [ + { + "text": "Copyright 2012 Google Inc. All Rights Reserved." + }, + { + "text": "Copyright (C) 2004,2005 Dave Brosius " + }, + { + "text": "Copyright (C) 2005 William Pugh" + }, + { + "text": "Copyright (C) 2004,2005 University of Maryland" + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto new file mode 100644 index 00000000..38641730 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto @@ -0,0 +1,102 @@ +# proto-file: bom-1.5.proto +# proto-message: Bom + +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_APPLICATION + group: "com.google.code.findbugs" + name: "findbugs-project" + version: "3.0.0" + licenses { + license { + id: "LGPL-3.0-or-later" + url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + } + } + purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" + evidence { + identity: { + field: EVIDENCE_FIELD_PURL, + confidence: 1, + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME, + confidence: 0.1, + value: "findbugs-project-3.0.0.jar" + }, + { + technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT + confidence: 0.9, + value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + }, + { + technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON + confidence: 0.7, + value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + } + ], + tools: [ + "bom-ref-of-tool-that-performed-analysis", + "bom-ref-of-tool-that-performed-analysis" + ] + }, + occurrences: [ + { + bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" + location: "/path/to/component" + }, + { + bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" + location: "/another/path/to/component" + } + ], + callstack: { + frames: [ + { + package: "com.apache.logging.log4j.core" + module: "Logger.class" + function: "logMessage" + parameters: [ + "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" + ], + line: 150 + column: 17 + fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + }, + { + module: "HelloWorld.class" + function: "main" + line: 20 + column: 12 + fullFilename: "/path/to/HelloWorld.class" + } + ] + }, + licenses { + license { + id: "Apache-2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0" + } + } + licenses { + license { + id: "LGPL-2.1-only" + url: "https://opensource.org/licenses/LGPL-2.1" + } + } + copyright { + text: "Copyright 2012 Google Inc. All Rights Reserved." + } + copyright { + text: "Copyright (C) 2004,2005 Dave Brosius " + } + copyright { + text: "Copyright (C) 2005 William Pugh" + } + copyright { + text: "Copyright (C) 2004,2005 University of Maryland" + } + } +} diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml new file mode 100644 index 00000000..6efdda27 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.xml @@ -0,0 +1,92 @@ + + + + + com.google.code.findbugs + findbugs-project + 3.0.0 + + + LGPL-3.0-or-later + https://www.gnu.org/licenses/lgpl-3.0-standalone.html + + + pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0 + + + purl + 1 + + + filename + 0.1 + findbugs-project-3.0.0.jar + + + ast-fingerprint + 0.9 + 61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab + + + hash-comparison + 0.7 + 7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf + + + + + + + + + /path/to/component + + + /another/path/to/component + + + + + + com.apache.logging.log4j.core + Logger.class + logMessage + + com.acme.HelloWorld + Level.INFO + null + Hello World + + 150 + 17 + /path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class + + + HelloWorld.class + main + 20 + 12 + /path/to/HelloWorld.class + + + + + + Apache-2.0 + http://www.apache.org/licenses/LICENSE-2.0 + + + LGPL-2.1-only + https://opensource.org/licenses/LGPL-2.1 + + + + + ]]> + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-external-elements-1.6.xml b/tools/src/test/resources/1.6/valid-external-elements-1.6.xml new file mode 100644 index 00000000..768137a7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-external-elements-1.6.xml @@ -0,0 +1,158 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + Banana + + + Banana + + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + Banana + + + Banana + + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + Banana + + + Banana + + + + Banana + + + Banana + + + + + foo + 1.0 + + + Banana + + + Banana + + + + + bar + 1.0 + + + Banana + + + Banana + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + Banana + + + Banana + + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Banana + + + Banana + + + Initial commit + + Banana + + + Banana + + + + Banana + + + Banana + + + Commentary here + + Banana + + + Banana + + + + Banana + + + Banana + + + + Banana + + + Banana + + + + Banana + + + Banana + + diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.json b/tools/src/test/resources/1.6/valid-external-reference-1.6.json new file mode 100644 index 00000000..e3913d84 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.json @@ -0,0 +1,38 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "org.example", + "name": "mylibrary", + "version": "1.0.0", + "externalReferences": [ + { + "type": "advisories", + "url": "https://example.org/security/feed/csaf", + "comment": "Security advisories from the vendor" + }, + { + "type": "bom", + "url": "https://example.org/support/sbom/portal-server/1.0.0", + "comment": "An external SBOM that describes what this component includes", + "hashes": [ + { + "alg": "SHA-256", + "content": "708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313" + } + ] + }, + { + "type": "documentation", + "url": "https://example.org/support/documentation/portal-server/1.0.0", + "comment": "Vendor provided documentation for the product" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto b/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto new file mode 100644 index 00000000..c2d5d672 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto @@ -0,0 +1,29 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "org.example" + name: "mylibrary" + version: "1.0.0" + external_references { + type: EXTERNAL_REFERENCE_TYPE_ADVISORIES + url: "https://example.org/security/feed/csaf" + comment: "Security advisories from the vendor" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_BOM + url: "https://example.org/support/sbom/portal-server/1.0.0" + comment: "An external SBOM that describes what this component includes" + hashes { + alg: HASH_ALG_SHA_256 + value: "708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313" + } + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://example.org/support/documentation/portal-server/1.0.0" + comment: "Vendor provided documentation for the product" + } +} diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.xml b/tools/src/test/resources/1.6/valid-external-reference-1.6.xml new file mode 100644 index 00000000..21810f3c --- /dev/null +++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.xml @@ -0,0 +1,27 @@ + + + + + org.example + mylibrary + 1.0.0 + + + https://example.org/security/feed/csaf + Security advisories from the vendor + + + https://example.org/support/sbom/portal-server/1.0.0 + An external SBOM that describes what this component includes + + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + + + + https://example.org/support/documentation/portal-server/1.0.0 + Vendor provided documentation for the product + + + + + diff --git a/tools/src/test/resources/1.6/valid-formulation-1.6.json b/tools/src/test/resources/1.6/valid-formulation-1.6.json new file mode 100644 index 00000000..9169d9ca --- /dev/null +++ b/tools/src/test/resources/1.6/valid-formulation-1.6.json @@ -0,0 +1,294 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "org.example", + "name": "mylibrary", + "version": "1.0.0" + } + ], + "formulation": [ + { + "bom-ref": "formula-1", + "components": [ + { + "bom-ref": "component-1", + "type": "platform", + "name": "Pipeline controller image", + "version": "v0.47.0" + } + ], + "workflows": [ + { + "bom-ref": "workflow-1", + "uid": "8edb2b08-e2c7-11ed-b5ea-0242ac120002", + "name": "My workflow", + "description": "Workflow description here", + "resourceReferences": [ + { + "ref": "component-a" + } + ], + "tasks": [ + { + "bom-ref": "task-1", + "uid": "task-uid-1", + "name": "fetch-repository", + "description": "Description here", + "resourceReferences": [ + { + "ref": "component-a" + } + ], + "taskTypes": [ "clone", "build" ], + "trigger": { + "bom-ref": "trigger-1", + "uid": "trigger-1", + "type": "api" + }, + "steps": [ + { + "name": "My step" + } + ], + "inputs": [ + { + "resource": { + "ref": "component-a" + } + } + ], + "outputs": [ + { + "resource": { + "ref": "component-b" + } + } + ], + "timeStart": "2023-01-01T00:00:00+00:00", + "timeEnd": "2023-01-01T00:00:00+00:00", + "workspaces": [ + { + "bom-ref": "workspace-1", + "uid": "workspace-uid-1", + "name": "workspace" + } + ], + "runtimeTopology": [ + { + "ref": "task-1", + "dependsOn": [ "task-2" ] + } + ] + } + ], + "taskDependencies": [ + { + "ref": "task-1", + "dependsOn": ["task-2"] + } + ], + "taskTypes": [ "clone", "build" ], + "trigger": { + "bom-ref": "trigger-2", + "uid": "trigger-uid-2", + "name": "My trigger", + "description": "Description here", + "resourceReferences": [ + { + "ref": "component-a" + } + ], + "type": "api", + "event": { + "uid": "event-1", + "description": "Description here", + "timeReceived": "2023-01-01T00:00:00+00:00", + "data": { + "contentType": "text/plain", + "content": "Foo/Bar" + }, + "source": { + "ref": "component-g" + }, + "target": { + "ref": "component-h" + }, + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + "conditions": [ + { + "description": "Description here", + "expression": "1 == 1", + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "timeActivated": "2023-01-01T00:00:00+00:00", + "inputs": [ + { + "resource": { + "ref": "component-10" + }, + "source": { + "ref": "component-11" + }, + "target": { + "ref": "component-12" + } + } + ], + "outputs": [ + { + "resource": { + "ref": "component-14" + }, + "type": "artifact", + "source": { + "ref": "component-15" + }, + "target": { + "ref": "component-16" + } + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + "steps": [ + { + "name": "My step", + "description": "Description here", + "commands": [ + { + "executed": "ls -las", + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "inputs": [ + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + { + "environmentVars": [ + "FooBar" + ] + }, + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + }, + "FooBar" + ] + } + ], + "outputs": [ + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + { + "environmentVars": [ + "FooBar" + ] + }, + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + }, + "FooBar" + ] + } + ], + "timeStart": "2023-01-01T00:00:00+00:00", + "timeEnd": "2023-01-01T00:00:00+10:00", + "workspaces": [ + { + "bom-ref": "workspace-1", + "uid": "workspace-1", + "name": "My workspace", + "aliases": [ "default-workspace" ], + "description": "Description here", + "resourceReferences": [ + { + "ref": "component-t" + } + ], + "accessMode": "read-write", + "mountPath": "/tmp/workspace", + "managedDataType": "ConfigMap", + "volumeRequest": "requestedVolumeClaim", + "volume": { + "uid": "volume-1", + "name": "My volume", + "mode": "filesystem", + "path": "/", + "sizeAllocated": "10GB", + "persistent": true, + "remote": false + } + } + ], + "runtimeTopology": [ + { + "ref": "component-s", + "dependsOn": [ + "component-r" + ] + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-formulation-1.6.textproto b/tools/src/test/resources/1.6/valid-formulation-1.6.textproto new file mode 100644 index 00000000..f9c11475 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-formulation-1.6.textproto @@ -0,0 +1,336 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "org.example" + name: "mylibrary", + version: "1.0.0" +} +formulation: [ + { + bom_ref: "formula-1" + components: [ + { + bom_ref: "component-1" + type: CLASSIFICATION_PLATFORM + name: "Pipeline controller image" + version: "v0.47.0" + } + ] + workflows: [ + { + bom_ref: "workflow-1" + uid: "8edb2b08-e2c7-11ed-b5ea-0242ac120002" + name: "My workflow" + description: "Workflow description here" + resourceReferences: [ + { + ref: "component-a" + } + ] + tasks: [ + { + bom_ref: "task-1" + uid: "task-uid-1" + name: "fetch-repository" + taskTypes: [ TASK_TYPE_CLONE ] + description: "Description here" + resourceReferences: [ + { + ref: "component-a" + } + ] + taskTypes: [ + TASK_TYPE_CLONE, TASK_TYPE_BUILD + ] + trigger { + bom_ref: "trigger-1" + uid: "trigger-1" + type: TRIGGER_TYPE_API + } + steps: [ + { + name: "My step" + } + ] + inputs: [ + { + resource: { + ref: "component-a" + } + } + ] + outputs: [ + { + resource: { + ref: "component-a" + } + } + ] + timeStart { + seconds: 3173618478 + nanos: 3 + } + timeEnd { + seconds: 3173618478 + nanos: 3 + } + workspaces: [ + { + bom_ref: "workspace-1" + uid: "workspace-uid-1" + name: "workspace" + } + ] + runtimeTopology: [ + { + ref: "task-1" + dependencies: [ + { + ref: "task-2" + } + ] + } + ] + } + ] + taskDependencies: [ + { + ref: "task-1" + dependencies: [ + { + ref: "task-2" + } + ] + } + ] + taskTypes: [ TASK_TYPE_CLONE, TASK_TYPE_BUILD ] + trigger: { + bom_ref: "trigger-2" + uid: "trigger-uid-2" + name: "My trigger" + description: "Description here" + resourceReferences: [ + { + ref: "component-a" + } + ] + type: TRIGGER_TYPE_WEBHOOK + event: { + uid: "event-1" + description: "Description here" + timeReceived { + seconds: 3173618478 + nanos: 3 + } + data: { + content_type: "text/plain" + value: "Foo/Bar" + } + source: { + ref: "component-g" + } + target: { + ref: "component-h" + } + properties: [ + { + name: "Foo" + value: "Bar" + } + ] + } + conditions: [ + { + description: "Description here" + expression: "1 == 1" + properties: [ + { + name: "Foo" + value: "Bar" + } + ] + } + ] + timeActivated { + seconds: 3173618478 + nanos: 3 + } + inputs: [ + { + resource: { + ref: "component-10" + } + source: { + ref: "component-11" + } + target: { + ref: "component-12" + } + } + ] + outputs: [ + { + resource: { + ref: "component-14" + } + type: OUTPUT_TYPE_ARTIFACT + source: { + ref: "component-15" + } + target: { + ref: "component-16" + } + } + ] + } + properties: [ + { + name: "Foo" + value: "Bar" + } + ] + steps: [ + { + name: "My step" + description: "Description here" + commands: [ + { + executed: "ls -las" + properties: [ + { + name: "Foo" + value: "Bar" + } + ] + } + ] + properties: [ + { + name: "Foo" + value: "Bar" + } + ] + } + ] + inputs: [ + { + environmentVars: [ + { + property: { + name: "Foo" + value: "Bar" + } + } + ] + }, + { + environmentVars: [ + { + value: "FooBar" + } + ] + }, + { + environmentVars: [ + { + property: { + name: "Foo" + value: "Bar" + } + }, + { + value: "FooBar" + } + ] + } + ] + outputs: [ + { + environmentVars: [ + { + property: { + name: "Foo" + value: "Bar" + } + } + ] + }, + { + environmentVars: [ + { + value: "FooBar" + } + ] + }, + { + environmentVars: [ + { + property: { + name: "Foo" + value: "Bar" + } + }, + { + value: "FooBar" + } + ] + } + ] + timeStart { + seconds: 3173618478 + nanos: 3 + } + timeEnd { + seconds: 3173618478 + nanos: 3 + } + workspaces: [ + { + bom_ref: "workspace-1" + uid: "workspace-1" + name: "My workspace" + aliases: [ "default-workspace" ] + description: "Description here" + resourceReferences: [ + { + ref: "component-t" + } + ] + accessMode: ACCESS_MODE_READ_WRITE + mountPath: "/tmp/workspace" + managedDataType: "ConfigMap" + volumeRequest: "requestedVolumeClaim" + volume: { + uid: "volume-1" + name: "My volume" + mode: VOLUME_MODE_FILESYSTEM + path: "/" + sizeAllocated: "10GB" + persistent: true + remote: false + } + } + ] + runtimeTopology: [ + { + ref: "component-s" + dependencies: [ + { + ref: "component-r" + } + ] + } + ] + properties: [ + { + name: "Foo" + value: "Bar" + } + ] + } + ] + } +] diff --git a/tools/src/test/resources/1.6/valid-formulation-1.6.xml b/tools/src/test/resources/1.6/valid-formulation-1.6.xml new file mode 100644 index 00000000..7f500a33 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-formulation-1.6.xml @@ -0,0 +1,251 @@ + + + + + Acme Inc + org.example + mylibrary + 1.0.0 + + + + + + + Pipeline controller image + v0.47.0 + + + + + 8edb2b08-e2c7-11ed-b5ea-0242ac120002 + My workflow + Workflow description here + + + component-a + + + + + task-uid-1 + fetch-repository + Description here + + + component-a + + + + clone + build + + + trigger-1 + api + + + + My step + + + + + + component-a + + + + + + + component-b + + + + 2023-01-01T00:00:00+00:00 + 2023-01-01T00:00:00+00:00 + + + workspace-uid-1 + workspace + + + + + + + + + + + + + + + + clean + build + + + trigger-uid-1 + My trigger + Description here + + + component-a + + + api + + event-1 + Description here + 2023-01-01T00:00:00+00:00 + FooBar + + component-g + + + component-h + + + Bar + + + + + Description here + 1 == 1 + + Bar + + + + 2023-01-01T00:00:00+00:00 + + + + component-10 + + + component-11 + + + component-12 + + + + + + + component-14 + + artifact + + component-15 + + + component-16 + + + + + Bar + + + + + My step + Description here + + + ls -las + + Bar + + + + + Bar + + + + + + + Bar + + + + + FooBar + + + + + Bar + FooBar + + + + + + + Bar + + + + + FooBar + + + + + Bar + FooBar + + + + 2023-01-01T00:00:00+00:00 + 2023-01-01T00:00:00+00:00 + + + workspace-1 + My workspace + + default-workspace + + Description here + + + component-t + + + read-write + /tmp/workspace + ConfigMap + requestedVolumeClaim + + volume-1 + My volume + filesystem + / + 10GB + true + false + + + + + + + + + + Bar + + + + + + diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.json b/tools/src/test/resources/1.6/valid-license-expression-1.6.json new file mode 100644 index 00000000..140b5a78 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.json @@ -0,0 +1,21 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", + "bom-ref": "my-license" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto new file mode 100644 index 00000000..42376100 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto @@ -0,0 +1,13 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "tomcat-catalina" + version: "9.0.14" + licenses { + expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" + } +} diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.xml b/tools/src/test/resources/1.6/valid-license-expression-1.6.xml new file mode 100644 index 00000000..23b3ac3b --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.xml @@ -0,0 +1,25 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.json b/tools/src/test/resources/1.6/valid-license-id-1.6.json new file mode 100644 index 00000000..1b80e90e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "bom-ref": "my-license" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.textproto b/tools/src/test/resources/1.6/valid-license-id-1.6.textproto new file mode 100644 index 00000000..e4ecfffa --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "tomcat-catalina" + version: "9.0.14" + licenses { + license { + id: "Apache-2.0" + } + } +} diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.xml b/tools/src/test/resources/1.6/valid-license-id-1.6.xml new file mode 100644 index 00000000..09da31cd --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.xml @@ -0,0 +1,25 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/valid-license-licensing-1.6.json b/tools/src/test/resources/1.6/valid-license-licensing-1.6.json new file mode 100644 index 00000000..f3a8d3ad --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-licensing-1.6.json @@ -0,0 +1,55 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "cryptographic-provider", + "version": "2.2.0", + "licenses": [ + { + "license": { + "bom-ref": "acme-license-1", + "name": "Acme Commercial License", + "licensing": { + "altIds": [ + "acme", "acme-license" + ], + "licensor": { + "organization": { + "name": "Acme Inc", + "contact": [ + { + "name": "Acme Licensing Fulfillment", + "email": "licensing@example.com" + } + ] + } + }, + "licensee": { + "organization": { + "name": "Example Co." + } + }, + "purchaser": { + "individual": { + "name": "Samantha Wright", + "email": "samantha.wright@gmail.com", + "phone": "800-555-1212" + } + }, + "purchaseOrder": "PO-12345", + "licenseTypes": ["appliance"], + "lastRenewal": "2022-04-13T20:20:39+00:00", + "expiration": "2023-04-13T20:20:39+00:00" + } + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-license-licensing-1.6.textproto b/tools/src/test/resources/1.6/valid-license-licensing-1.6.textproto new file mode 100644 index 00000000..f5f787ec --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-licensing-1.6.textproto @@ -0,0 +1,51 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "cryptographic-provider" + version: "2.2.0" + licenses { + license { + bom_ref: "acme-license-1" + name: "Acme Commercial License" + licensing { + altIds: "acme" + altIds: "acme-license" + licensor { + organization { + name: "Acme Inc" + contact { + name: "Acme Licensing Fulfillment" + email: "licensing@example.com" + } + } + } + licensee { + organization { + name: "Example Co." + } + } + purchaser { + individual { + name: "Samantha Wright" + email: "samantha.wright@gmail.com" + phone: "800-555-1212" + } + } + purchaseOrder: "PO-12345" + licenseTypes: LICENSING_TYPE_APPLIANCE + lastRenewal { + seconds: 1649881239 + nanos: 3 + } + expiration { + seconds: 1681417239 + nanos: 3 + } + } + } + } +} diff --git a/tools/src/test/resources/1.6/valid-license-licensing-1.6.xml b/tools/src/test/resources/1.6/valid-license-licensing-1.6.xml new file mode 100644 index 00000000..6f620e84 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-licensing-1.6.xml @@ -0,0 +1,49 @@ + + + + + Acme Inc + com.acme + cryptographic-provider + 2.2.0 + + + Acme Commercial License + + + acme + acme-license + + + + Acme Inc + + Acme Licensing Fulfillment + licensing@example.com + + + + + + Example Co. + + + + + Samantha Wright + samantha.wright@gmail.com + 800-555-1212 + + + PO-12345 + + appliance + + 2022-04-13T20:20:39+00:00 + 2023-04-13T20:20:39+00:00 + + + + + + diff --git a/tools/src/test/resources/1.6/valid-license-name-1.6.json b/tools/src/test/resources/1.6/valid-license-name-1.6.json new file mode 100644 index 00000000..dab01719 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-name-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "license": { + "name": "Apache License 2.0", + "bom-ref": "my-license" + } + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-license-name-1.6.textproto b/tools/src/test/resources/1.6/valid-license-name-1.6.textproto new file mode 100644 index 00000000..5dccc7ff --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-name-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + publisher: "Acme Inc" + group: "com.acme" + name: "tomcat-catalina" + version: "9.0.14" + licenses { + license { + name: "Apache License 2.0" + } + } +} diff --git a/tools/src/test/resources/1.6/valid-license-name-1.6.xml b/tools/src/test/resources/1.6/valid-license-name-1.6.xml new file mode 100644 index 00000000..b6def92e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-license-name-1.6.xml @@ -0,0 +1,25 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache License 2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tools/src/test/resources/1.6/valid-machine-learning-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-1.6.json new file mode 100644 index 00000000..0aeef9be --- /dev/null +++ b/tools/src/test/resources/1.6/valid-machine-learning-1.6.json @@ -0,0 +1,92 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "component-a", + "type": "machine-learning-model", + "group": "CompVis", + "name": "stable-diffusion", + "version": "1.4", + "description": "Stable Diffusion is a latent text-to-image diffusion model capable of generating photo-realistic images given any text input. For more information about how Stable Diffusion functions, please have a look at \uD83E\uDD17's Stable Diffusion with \uD83E\uDDE8Diffusers blog.", + "modelCard": { + "modelParameters": { + "approach": { + "type": "supervised" + }, + "task": "task goes here", + "architectureFamily": "the architecture family goes here", + "modelArchitecture": "The architecture of the model.", + "datasets": [ + { + "type": "dataset", + "name": "Training Data", + "contents": { + "url": "https://example.com/path/to/dataset" + }, + "classification": "public" + } + ], + "inputs": [ { "format": "string" } ], + "outputs": [ { "format": "byte[]" } ] + }, + "quantitativeAnalysis": { + "performanceMetrics": [ + { + "type": "The type of performance metric", + "value": "The value of the performance metric", + "slice": "The name of the slice this metric was computed on. By default, assume this metric is not sliced", + "confidenceInterval": { + "lowerBound": "The lower bound of the confidence interval", + "upperBound": "The upper bound of the confidence interval" + } + } + ], + "graphics": { + "description": "Performance images", + "collection": [ + { + "name": "FID vs CLIP Scores on 512x512 samples for different v1-versions", + "image": { + "contentType": "image/jpeg", + "encoding": "base64", + "content": "/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAIBAQEBAQIBAQECAgICAgQDAgICAgUEBAMEBgUGBgYFBgYGBwkIBgcJBwYGCAsICQoKCgoKBggLDAsKDAkKCgr/2wBDAQICAgICAgUDAwUKBwYHCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgr/wAARCAH4AxgDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPDv2yv+CkH7G3/AAT/ALrwpYftYfFe68N3PjiW8i8K2tl4S1XV5dQe1WJrgKmnWs7LsWeI/OFyG4ztbGN+y9/wVb/YY/bK+Jp+D/7PHxO8Qav4gXTZb82mpfDPxDpMfkRlA7efqFhBDkF1+XfuOeAcHHyZ/wAFx/ird/BH/gpn+wN8U7D4UeLfHE2j+KfHUieFPAmnRXerahu0qyj2W8U0sSOw37yGkX5UY5JGD9i/smftw69+1R4r1Twvq37DPx4+FKaZp4uk1T4teE7HT7S9JkCeTA9tfXDNKM7iCqjaCc9qANj4f/t7fsnfFH4O/Ef4/eBPit9u8JfCTWNa0v4hat/YV/F/ZV3pMIm1CPypIFln8qMht0KSK/RC54rwnSf+DiL/AII+6xY22sJ+1feWenXao1vq+r/DHxLY2LK33W+03GnJCFOR8xcDnrXyt+wD/wAodv8Ago7/ANlg+NH/AKaEr7a/4IwWNlqf/BIL9njTdSs4ri2uPg3osdxbzxh0lRrNAysp4YEEgg8EGgD6G+F3xW+GPxu8B6d8Ufg58QtF8VeG9Xh83S9e8P6lFeWl0mSCUliZlbBBBweCCDgit+vzQ/4Je+GNH/ZN/wCC1X7Xn7C/wZtE0z4YXGjeHfH2h+FLQbLPQNSvLeNb1LeMfLCkzyBtigKqQxKoAQV9Zf8ABUXVP2qfDP7A/wATPHX7FPjt/D/xL8MeHX1zw5crpFrf/avsbLcT2fkXUUiOZ4I5oVwAweRSGBFAHvtFfB37Zv8AwVc1Sw/4I0eH/wBt39lSaMeP/jNpOiaJ8JdOjiiuHj8TauywJbqkqtHLLav9pYo6sjNaFWDAkHgv2/v2yv2sP2eP2i/gZ+w744/4KA+GvgRo+v8Awqk1Txd+0j4s8Eafdp4j8RWskVvLptulysenWLuC10xdAoWRFUL8quAfpdRXhH7BugftAaX4C1PWPjJ+3l4f/aD0nVLmKbwl4x0Pwhp+lGKEKwlikOnSvb3PzbSsiBMcgg9a8O/4ORPj78R/2dv+CPvxT8U/CjXZ9J1nWxpvh5dXtpSj2Vvf30NvcuGHKloHljDAgqZAQcgUAdj8TP8Aguz/AMEnfhN451P4d+KP2w9KvNT0SYxayfC/h/VNbtrBwSGWe6061ngiKkEMGcbSCDgg16F4w/4KZ/sI+CP2Qbn9vbVP2ktEvPhFZywRXXjTQIbjVIIpZbiO2SIxWUcswk86WNGTZuQt84UAkdh+yh+y58G/2Mv2fvDP7N/wI8IWWj+HfDOlxWsEdpbrG11IqASXUxUZkmlYF3kbLMzEkmvhf/g5o+Fvw2+FP/BC3426b8MvAek+H7bVfEug6nqNro1hHbRXF5Lr2nebcMkYCmR9oLNjLHJOSSSAfpbXnfgb9q74BfEn9ofx1+yn4K8e/bfH3w1s9NuvGug/2XdR/wBnQ38PnWjefJEsM3mR/NiJ3K9GCnivRK/PD9hr/lYa/bm/7E/4b/8ApnoA7zUf+Dhr/gkNpGo6pp2o/tS6jENF1SfTtWvT8LfE5s7S5hkMcqPdDTfJXawILb9vfOOa+svhR8Wvhj8dvh1pHxd+DXjzSvE/hjXrQXOj67ol6lxbXcRJG5HQkHDAqR1VlKkAgivx4/4Iz/8ABVf9ib9kL9lL4q/BL44ah4u1TxRJ8dfGV0nhDw18Lta1l9ShmugqQpLb2j2jPJtZdjzLjPzbQc19af8ABuV+zf8AG39mz/gnjcaX8b/hlf8AgWXxb8Sdd8UeGfAWqxmO58N6PdyR/ZrKSI8wsPLeTyyAyiYbgrblAB9c/tH/ALT37Pv7IXwtu/jV+0z8XNF8F+F7KVYpdX1u7EaPK2dsMajLzSsFYiOMM5CnAODXi3wH/wCC0/8AwTL/AGlfilo3wU+Ef7TsNz4q8RSFNA0bWfCmr6RLqTBSxFub+0hWY4BPyE5A4ry//gtj+yx+1P8AFXxd+z5+1l+y78F9M+K118BPiFc+INa+Eep6vFZf8JDBNBGizQSTgxC5tzGWj3AkNJuUOV2NF8Dv+C437PPxa/aC8Ifsr/tmfsffFL4CfEXxDqiJ4Hs/jB4NWPTtT1HIVI7C/BKvMWbYrlIwWdUVizhSAffNFfBPxj/aW/bl/bK/4KM+Pv8Agn3+wx8bdF+D/hv4J+HtHvvir8T7vwhBr2qXGparC1xZabY2t0fsyJ9nVneaQOQykADbhus+N3x4/ac/4JOf8E8/i9+1B+2D+0XY/HS88G2iXfhK+XwTb+HZ5ZJ3htLazu0tHaJgbuaPM0aoQjn5MqMgH2VRX5gfGnX/APgul+yR+xhP/wAFI/Hn7aXg7xrqPhnQIfFXjz9n5/hXY2OkQ6ZtWW8s7TVInN6JreEuRLIzhzEflPAboP8Agob/AMFC/wBsC68d/sQyf8E7/GOlaZaftJ3F7Nc2PirRYLq0msrjSbS6tbi5+UzKtqty9yY7eWJpTF5ZfDZAB+j9Ffmz+3B+19+2B/wS4+GXgv4M/Ev9vbwb43+JPx1+IZ0vwp8Sfin4S0zwx4f8BaVBbI+oXk6WsiJcLFuQxJNJuZ51VncKEfz3SP8AgqB8Sf2Rf2j/AIQaXr//AAWa+C/7XHgz4o/EKw8F+KPDnhqz8PWGu+F7i/LJbarapo9w5ls0mCpMJlYqrqAxZwVAP1oor8uvjt+3V+0d8Sv+ClvxW/ZD13/gqT4N/ZE0f4frpEfgLStf8D6TeXvjuK7tBNJqC3WtMIGjWUtEsVv8/wApDYZCW/Qb9mDw98Z/C3wQ0XRPj/8AHPS/iV4njE73PjjRvDselQatA8zvbSi1ikkjjbyGiVtjFWZSwwGwADv6K+P/APgrB+2p8f8A9n2/+Dv7LH7H9tokXxZ+P/jl/D/hrXvEtqbix8PWNvEJtQ1N4Aw+0PDEyFIidpLEndt2N5R46+Of/BRr/gl7+058ENI/az/a4034+fCf43fEG18AX2qXnw5sPDuq+FtfvEY2EkP2AiO4tpXSQOsilkVCdxOMgH6L0V+b/jP49/8ABTb49/8ABZH4y/sE/s7ftMaN4B+H/hf4deHdc/4SPUPA9lq11oEk8f7yOyidU8+e5kbJe6klihjgk2xFnXHoH/BN/wDaX/bB0r9tn42/8E2/21fi3pfxK1r4b6RoviTwf8SrDwxBo1xq+lagjh4ru0tv3EcsMqqoaMAMCxPYUAfbGrarYaHpVzreqz+Va2du89zLtLbI0UsxwAScAHgDNfFuif8ABxP/AMEifE2lw654c/aO8S6hZXAJt7yx+Cvi+WKUAkEq66SQ3II4PUV9h/EDSb7X/Aet6FpkQe5vdIuYLdCwUM7xMqjJ4HJHNflZ+zFr/wDwWR/4Inf8E4vCmifF39jb4U/ED4ZfCbQLm48XW/gf4jXf/CUWenG4mu7q88ue0W0l8hJXYxxyMSsR+YDLAA/TL43ftJ/Ar9m34OXn7QXx5+Jum+FPBthFBJea/rLtFDEJnVIgQRu3O7ooXG4lgMZrhf2KP+Ckv7FP/BRSx8S6p+xp8bY/Glt4QvILXxDPDoOoWSW0syyNEAby3i80MI3O6PcvHJGRntvh34x+CP7Y/wAAPC/xX0bSNO8UeCvGuiafr+ixa1psc0csEqJcW7vDKGCyLlTgjKOvYivi7/gkVaWtj/wU4/4KA2VjbRwwxfFPwykUMSBVRRpEgAAHAA9KAPpf9rP/AIKZ/sLfsN+JdM8EftQftC6b4b1/WbL7ZpXhyDT7vUdSurfe6CZLSyhmnMZaORQ+zBMbAHINbX7JH7eP7In7dvhnUfFn7J/xz0nxhb6NdLb61a2yTW17psrZ2rc2lykdxb7trbfMjXdsbGdpx6Nc+FfAmneJrj4oXfhzSYNZGlLZ3XiKSziW5FjG7yrC9wRv8lXkkcIW2guzYBJNfnP/AME8b/Sf20v+C1/xq/4KWfs3aCLP4L6b8MIPhpF4rt4fKtviF4gg1CO4uNTgwMXEVtHF9lFxyGCx7GILAAH6XVy/xr+M3w1/Z1+EfiP47fGPxJ/Y/hXwlo8+qeIdV+xzXH2S0hQvJJ5UCPJJhQTtRWY9ga/P79pz/gqN+0d/wSK/aK8eeB/217bXvix4E+IdrNq/7M2uaF4bt4r2XV8pGfBl0tjAil/MkjaC5dGdoixZpX+SP0jX/wBmb/gor+0B/wAEa/ij8GP2qPiHp/in44fFfwPrHk6FBZ2OnaZ4ZlvoSLbRYZII08yO3DKjTzPLIz7z5jrtoA6H4df8F4/+CXXxY8U6F4N8AfHXxNf33iXULWy0Qf8ACnPFkUNzNcOqQ/vpNLWJEZnX947KgByWAya9y/at/bO/Zc/Yd+HcHxX/AGsfjRpHgjQLq/FlaX+rM5+03JjeQQxJGrPI+yN22qpOFJr4XH7av/BSv/gkF+zv8Pb/APb6/ZL+Gur/AAQ8I6TofhbxL44+Efji9vNT8MQKkFjDf3lpeWkQuEaTywywHgyDBJwG/RzXvB3w7+JVppuoeJ/Cmja/BaTrfaRNqFhFdLBIUIWeEurbG2OQHXBwx5waAOD/AGOv23P2YP2/fhG/x2/ZI+Jw8W+FI9Xn0t9VGjXtji7hVGkj8u8hikOBIh3bdp3cE4OOE/aY/wCCvH/BOf8AZA+J1z8Ffj5+0zYab4vsreOfUPDGk6HqOsX9nE8ayI88GnW87who3RwXC5Vw3Qg14N/wbfgL+yx8Z1UYA/ap8c4A/wCvmGvuDxTd/Bj4GaP4q+Oni1fDvhazFp/afjTxVcww2okitoAgnu58AuI4Y1QM5O1EVRwAKAMj9mb9q39nP9sn4XwfGf8AZf8AjBovjTw1PO0H9p6NcFvJnUAtDNGwEkEoDKTHIquAykjBBPoNfnJ/wQp8Nav8Vfjx+1N/wUh8GfD+68H/AAm+P3jrSrj4V6Dd2RtW1G1022nt7jXvIIHlLfyy+cCQGYhycjYx+zf21PjF8Rf2ev2RPiX8dPhF8Pz4q8UeEfBGpatoHh4RO4vrqC3eSOMpH87ruUEonzMAQvJFAHp1FfmT/wAE6fjP+1h+2Na+AvjD4L/4L9/Dfx3qGof2fq/jX4M6Z8KtBj+y2zGOW80xRHMmpWrpGZIlnl3HcocpjIr1X/gq3+0ZrvwF8b6FJrH/AAWT8C/sweHbvQw0Oj3vw+0/Xdd1i7E0okuI1vHfZbKnlJ8lu3zh8uMgUAfcNFfnp/wRN/4KheKv2yvip8Yv2W/HH7R3hX40N8MG0q/8L/GLwl4cbR4/EumX0cm5bmy+5Bc280Rjby8I4cYHylm8p/4J3/ET/gtr/wAFK/2U/E3xi0L/AIKDeH/hxN4e8eeIdG8Jzn4T6Vqdx4ka1u3Ef21nRIbW1T5LZRBCZj5csryMSqUAfrDRX5YfsiftE/8ABYr/AIKufsEWf7a/wl/af8JfAm6stKu7XRvCumfDq11tPFep6fuiurm8nvmY2NvNdRSwpDApeJULmWQkIHftP/8ABXr9pnX/APg3P8K/8FQ/gTeW/hX4ja2+hx3iafptvcwm5/ttNOv4oYryOZFjlaOYJuVmRZBhiy7qAP1Nrz/x3+1J8Cfhn8fPAX7MHjfx19i8c/E631SfwPof9mXUn9pR6dAs94fOjiaGHy4mVsSuhbOE3Hivg39s34nf8Fkv+CdXwCH/AAUh+KH7WfhH4g6D4au7C9+KXwDsPhtZ2FhY6bc3EUNxHpeqLI15JLbGYBZJ3ZZApkKjHlN0n7YniXR/Gf8AwXJ/4J9eMPD1z51hq3hH4l3ljNtx5kMugWzo2O2VYGgD9DqK/LX48/8ABUjxv8ff25fip+zH4B/4KmfB79kvwR8GdRt9Fu/EPjQaJeeIPF+stHvuhbW+sTpDBZ25/dGQI7M4ODhsR7P7H3/BW347eJPhf+1V8JZfiL4A/aK+IX7Ovg//AISLwL4++GBhbTfiDZ3Gnz3FskkFjLLHHdRTwGGeKBsEuFQbhuYA/TGivy//AOCdPxy/a3/bV0fwJ8Y/Bv8AwX5+G3izW9USw1fxj8EtO+FOgoLGFtkt3pYVZk1OBo0MkQnkydyBymOK/UCgD59/au/4KnfsG/sSeP7D4UftIfHhdI8Ualpn9o2vhzSfDWp6zf8A2PeUFw8Gm21xJFGWVlDuFBKnBODXvtjeW+o2UOoWjlop4lkiZkKkqwyDggEcHoea/H/4C/sxftveIP8Agvj+0To2gf8ABTLXtI1jRvAvhS91TxAnws8P3Emq6XO8ksOlGKWAx28cKjYJogJZM7nJYZr3Hwt8dv8Agon/AMFNv2tfjh4I/ZI/ay034C/Cr4FeNpPAya1afDyw8Rat4o8Q26A35kF+TFbW0LsiqqLvcMDuBJ2gH6KUV+ef7N3/AAUO/ay139m79r/4G/tE6lokXx1/ZY0fUkm8ZeG9LSKy1qCbSLm+0fVhaS+YkUrrAXeAhowVHGGKCf8A4JK6l/wVU/bC/Z++DH7bX7Sn7b+maToes6Db3mo/DLQvhlprf8JFaeS8a3d7qDAPBPcPi52WkcMcSlI9rfMSAfoLWX448Z+Gvhx4L1j4h+M9S+xaPoOl3Go6teeS8nkW0EbSyybIwzttRWO1QWOMAE8VyP7Wn7Q/hv8AZJ/Zh+IH7Tvi3Tpb3T/AXhC/1y4sIHCvd/ZoHkWBWIIVpGVUBPALAmvzm8Rr/wAFqfij/wAEvPFP7ffj79rzwdfL4x+EWoeJrj9nmL4ZWsGmWug3enSTfZINWWT7aL1bOTzFeQyJ5wEbIy5egD7v1z/gop+xx4b/AGZPCP7Y+tfGHyfhv47vNNtfCniP/hH9Rb7dNfyeVaL9nW3M8XmOcZkjUL1YqOa1P2t/25P2U/2FPB+m+Ov2qvjBZ+FLHWtRFhosbWNze3Wo3O3cYre1tIpZ5iBydiNtyM4yM/nHpP7S3xp/ZV/4NyP2UfiL8CPF0Wi6xfan4E0a6u5tItL0PZXd4Ip4vLuopEBZCRvCh16qynmtD/grN8B/2p/G/wDwXM/Y2svh/wDtz6v4STxcfiA/gFYPAGj3y+BpLLw1atePCLmJhqBvOQftW/yN2YdpoA+1viD/AMFa/wDgn18KfgL4O/aV+I3x+Oj+FPiDc3EHgtr3wpqy6lq8kEjRzLDpn2X7cdjL8xMAADIejoT7L8FfjN8O/wBob4V6L8afhNq9zf8AhzxDafatJvLzSbqwlli3Fctb3ccc0Ryp+WRFPfGCK/J39s39lr9uiX/gtb+yh4Guf+CoOvy+I9Q8A+LX8M+MX+FHh7zPD0ltpNrHfyR2v2fyJzfMrO/mqfJ37YtqgCvV/wBsv/go18Xvh9+1n4W/4Jg6H/wUZ+GPwX1Hwp8LLDXviz+0R8VbPSIbrV759sMVrpunXUsNkLmfa11KMNHGkoCKNm1wD9NKK/OP/gnX/wAFJvHepf8ABQK+/wCCeXxK/bw+GP7Tek638P5fFfgb4t/DwaZDdW01vcLFdaRqdvpcslssgRhNHIgTKKcglgE47/gm/wDFD/gsD/wUh0D4l+Lb39vXTPht4X8BfHHxD4b0O/sfhVpOqapr0NrdAiCXzUSC3tYYmjhUrE1xI5mZ5RtQUAfqbRX5KTf8FU/H37afxz+KH/CJ/wDBZX4Jfsj+A/h746vvCfhTRfEUHh7UPEXimSyISfVbmPWblBb2bykiFYkDMqsGYFdzdR8Kv+CuXx5+LP8AwSn/AGsPHdl8XfBWrfFv9nK01rTrL4ofDhbW+0PxCIrM3Gna1bRv50H7xd2+E+ZGHibgBtigH6h1z/jv4s/Cv4Wz6Ha/E34l+H/DkvibXIdF8Nx69rMFm2ralMGMNlbCV1M9w4VtsSbnbacA4NfmP42+J/8AwW80D/gmLpv/AAVVb9uHwhY6honwtsfG+o/BU/Cmxl03VNNSzjuZlu9RyLpbuW33Tv8AZxDEkjGKNFUCSsP/AILTXvxi/ay8NfsB/tF/CT9ovUvAekfEX45eBZ9B0KHwxp9//YurajaT3dtrIluIy00tvG5jFs/+jvncyE4oA/XSivNP2VvhP8ffg58OLjwr+0b+1ZqPxh16XV5bmDxTqfhDTdFkhtWjiVLQQadHHEyqySP5hG8+aQThVx4F+3h+1V8fP2PP2/P2a/EF948x8Cfiprt38PvGuiTaXa7NP8R3UZl0a+W5MXnqZZFkgZDKIgqbthY5oA+yK+W/2kv+C1X/AAS9/ZH+Mb/s+fH79rbR9G8axXsFpc+G7TR9Q1G5tpplR4kmWyt5fJLLIjDeVGHB71znx0/aq+PfjP8A4LCfCP8AYK/Z28ef2R4c8O+BtT8ffHiSHS7W5N1pzMLTS9OEk8Tm3eS63SP5ZSUxEEMAMnyb/g5b8A+BNB/4Jwap4w0PwVpNlq+rfFjwe2q6paabFHc3rLqluoMsqqGkIVVUbicBQOwoA/SCiqHijxV4Y8EeH7rxZ408R2GkaVYxebfanql4lvb26dNzySEKg5HJIFfLn/BRP9pjx94p/YH+KfxH/wCCZX7Tvha9+JXgDQV8RWv/AAjl1pmuCW3tXE9xaSwMJgPPtoriNCAr79u1gQaAPrKivhH9u3/gqZrmmf8ABIrwr+1x+xzexr8QvjrD4f0H4M2jQw3Lx+INZZESIpKrRvLbL9pYo6Mpe22spBIrk/8Agob/AMFFfi7+zh8bfg7/AME1tC/bT+G3wv8AGfiH4eDxF8TP2hPizHp0FtZWUB+yCSzspnt7Sa+vLuKdhEdscaI5WMjlAD9GqK/Mn9j3/gpf4+8Cf8FFfAX7DXjn/gpb8Kv2sPC/xf0LV5vDXjbwNHo1tq/hfVtNt/tT2moQaPM9ubae3EhikKo7SRsvIQ5pfsv/ABa/4K3/ALfP7Tv7Unwf8Eftv6Z8L/A/wl+OGpaF4a8UQ/DHS9Y1V4gAIdMijnRIFggRfMeaZZp5WuUUOoQkgH6h15/+1H+1H8Cf2LvgTrv7S/7S/jn/AIRrwT4a+y/23rf9mXV59m+0XUVrD+5tYpZn3TTxJ8qHG7JwoJH54fFv9t/9qDx5/wAFFPiX+xt42/4KveDf2UrL4cWmiW/g2DxB4A0e4vviH9psVmn1RZ9YYW4j8/fGsFr8wwVJBQlvTP8Agqx8dP20P2Fv+CEvj744W/7UGjeLfiv4ZGkPY/E3TfA1hDa38F14ksoEl/s6YXNqGNlceW3DqWzIm07doB+gdFfFX/BSH9r39qWw/aw+Dn/BNf8AYd8SaJ4V8efFi01TWvEXxG1/RV1KPwnoNggLzwWbsqXNzLJujQSEoCmGHz74+R8E/tE/t5/sHf8ABRT4U/sZftpftF6Z8bPAfx80/V4fBHj5vBFnoGq6FrenW4uJLO5hscQTW8sTKEcIr73A4CMWAP0Dor8y/hL8ZP8Agqz+2n/wUC/ar/Zg+FX7Y2lfDPwB8J/Gul22ieKG+HOm6xqlqLiwEi6daxTIkJj3LJNLPc+fJzEkYQFmHXfsc/t8/tq6b8Fv2uPhD8erHTPin8Yv2WLi+XRtV0DQ/wCz18bwvpUl/pnmWcBIhuJTGUdIePnVVBYFmAP0Gor8tf8AgnT8fv2vf24vDfgf4yeEP+C+3w11zxNrENlq3i34Gaf8J9CA0xW2S3Wk7POTU4mjXzIhcOSSyb9pHB/UqgAooooAKKKKACiiigAooooAKKKKAPjP9v39lH4+/Gz/AIKU/sZfH/4Y+Av7T8I/CfxJ4uuvH+rf2paw/wBlQ3umW8Fs3lSyrLPvkRlxCjlcZYKCDX2ZRRQB+b/7IH7BP7WPwu/4JsftrfAHx38KfsPi34t/Ej4nap8PdJ/t2wl/tW01bTlh0+TzY52ig82QFdszxsnVwg5qp+xB8Vv+Cx/7LH7Fnw1/ZOsf+CMNxda14F8E2Gg/8JHr3x/8N2+nTSwQrH9oZLWS4nCZG7YqliOMjqP0rooA+Qf+CYf/AAT++Mv7N3jv4r/tiftj/EHQ/E/xz+OesWl54xm8LRSrpGh2FnEYbHSrEzASPHFGdpkcAvtjBBMe9/r10SRSjqGVhggjIIpaKAPyK/Y8/wCCSP7avw3/AOCiPhb4NfFbwFaQfsm/s/8AxM8WfEL4LamuvWco1G81QQNp2nNaJM1xF/Z8s97MkjxIpcS8kMm77W/bq8b/ALYWm+K4PAvw4/4JkeF/2iPhnqehRPqltqHj/S9Nu7XUhNOHje01WM29xAYvIKuJFYM0gIIxXb+P/j1+0X/w0XrPwF+BHwL8Fa+nh/wVouv6nq/i74k3ejEnUbvVbeOCKG30e+3hP7KdmdnTPnKAvykl3/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5w/4I2/sH/HX9lz4w/Hv9oH4ifArwx8EvC3xc1rR7nwj8A/B/iCPUrPwybO2khuLt5LdEtUmumZXKW42KFAJIVAPpv9uv8AY9+HH7fX7JPjj9kT4rXM9to3jXSPsrX9qgaWxuY5EntrpFPDNFPFFKFPDbMHgmqf/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfNPwb+NH/Bcb9ln4caZ+z/8AFH/gnT4f+PN/4ZsY9O034reDPjPpmiQa5bxKEhnvbPU0We3uCiqZWjEqs5YquMZwf+Co/wCzH/wU0/b2/wCCKfxH+B3jb4N+Dbj4y+LfEWmXeieA/A/iWP7JYadBq9jOtu99qDQRy3CQwyvJJlUZsiMY2ivrT/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegDwW1/b8/4LEy3McVz/AMECNbijaQCSU/tLeE22KTy2A+TjritT9lP9lH4+/Db/AILKftW/tWeNfAX2LwD8SvDfgm18Fa9/alrJ/aM1hpvk3a+RHK00PlyfLmVEDdVLDmvZv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDxn/gh3+yj8ff2Pv2W/Gvw5/aL8Bf8I7rOr/GzxPr+n2f9qWt35unXdwj282+1lkRd6gnYxDr/Eor7Mrxn/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegCt+2T8Sf27/ha3hjxL+xj+zR4S+KtiJbtPGnhnW/G39g6iVIh+zSWNzLG9ucHz/MSUDP7vaw+avj39pL4Cf8FLP+CtXxa+DHgz4/8A7EOjfs/fDT4V/FnTPHuu69rXxM0/xBrerzWAkEdjYxaaGS3WTzWDySOP4WAzHsk+y/8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APm74x/s1/tzfsZ/8ABRrx9/wUD/YZ+B+jfGHw18bfD2j2PxU+GN14wt9B1S21PSoWtrLUrG6ux9meP7OzI8MjIxZiQTuyvW/HD4DftN/8FY/+Cefxd/Zf/bA/Z1sfgXeeMrRLTwlYr42t/EU8UkDw3dteXb2iLEoF3DHmKNnJRD8+WGPZP+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD4n+NWg/8F0f2uP2MLj/gm747/Yq8H+CtR8TeH4fCvjz9oCT4q2N/o82m7VivL200uJBema4hDgRSKgQyn5hwV9V/aD/YA+KOk/tO/sFQ/ADwRLqnw+/Z1m1fTvE2rT6pawvpmnDQIdPsnaOWRJJy7RBSIUcg8kAc19B/8Jx/wUL/AOjX/gz/AOH41b/5l6P+E4/4KF/9Gv8AwZ/8Pxq3/wAy9AHkP/BXH/gn58Qf2wrH4WfHP4EaP4O1n4i/BHxfLrfh/wAK/EK283RPEtlcQiG+0u5Ox/KMsaRmOUqwR4xkDdvThfgjoX7UXiz4s+FtO1//AIN8/hF8LNPg1y1l1/xxqvj7w3fnTrdJVaSaxg060aeacAZiL+SAwBbGK+mP+E4/4KF/9Gv/AAZ/8Pxq3/zL0f8ACcf8FC/+jX/gz/4fjVv/AJl6APBP2zNa/bM+IXjPxF8KPHf/AAQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV1//BFf9iz41/sFfsMad8B/jxrGmnWH8T6rrFr4c0PUZryw8L2d3cGWHSbaeYBpY4QSS2Mb5HwWADt6Z/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AHkv/BV/9iz4/ftBah8Hf2qP2QLjRJfix8APHL+IPDWg+JLs29j4hsbiIQ6hpjzhT9neaJUCSkFVKkHbu3r5R47+Bv8AwUZ/4Kh/tN/BDVv2sv2RtN+Afwn+CPxBtfH99pd58RrDxFqvinX7NWFhFD/Z4MdvbRO8hdpGDOrkBQcY+sf+E4/4KF/9Gv8AwZ/8Pxq3/wAy9H/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6APJfgB+y38dvBP/BZn9oL9q/xP4F+y+APHHw38KaX4X1/+07V/tt3ZpILmPyElM8ewsPmkRVbPyk0fBn9lv47eFP+C1fxo/a31/wL9n+Hviz4P+HNE8P+IP7TtX+1X9rM7Tw+QspnTaCDueNVPYmvWv8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APSfijqHxB0n4Z+ItV+Evh6w1fxXbaFdy+GdJ1S8Nva3uoLC5toJpQCYo3lCKzgHarE9q+Cf2mfin/AMFuP2w/gF4n/ZN8Kf8ABLbw78KLvx/oV14f1r4k+KvjnpWr6Zo9ldxNBczw21jH9qnk8p32ZjXaxUkNjbX1b/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AGT4J+F3xA/4J6f8E8vC/wAFv2YPg/efF/xB8MvBmlaLofhgeILTRZvEDw+TBNMbm7byLYlTLcEMcfKUXkrXw7+wcP8AgsH+zz+2x8dfjr44/wCCOOpJov7QHj/RNTuZF+PPhdj4Xtre3NrK7hJ2a7wrmXCKjELtAJINffH/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AfJX/BcXwD/wAFSP2kvF/hH9lf9mP9lnXvFfwB1SwjvvjNqvg34j6LoeseIB50ynw/HJqF1E9tbskcTzTIj+alx5YICSK/u/7AfxK/aZtG039njxj/AMEmb/8AZ8+HfhjwwYvDt+PiX4e1a0iaJ4kisUttNneVSyNI/msNuY23Hc4z33/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6P+E4/4KF/9Gv/AAZ/8Pxq3/zL0AfHPxR/4JRfGP8A4K1fGz4mfGv/AIKU6NrHw/0PRbK58M/s0+CtK8SW8934WXdHKfFk0ljPJCb+aaOIpF5hEccZjcNhGr3b9nL4g/8ABVrwX+wXqOm/Gv8AZn0TxR8efAeox6RpwufG1laaX8RrKG6iT+1ormFpWsJJrQyuUuIkYTpkxqr7V9Q/4Tj/AIKF/wDRr/wZ/wDD8at/8y9H/Ccf8FC/+jX/AIM/+H41b/5l6APjP9tXwR/wV0/4K0/BWb9hXxl+wVo/7PPgLxfqNiPiN8QvEfxY0zxDdLptvdxXLwadaacCWmdoUAebYuMqQu7ev2p+0x4/+P37N/wS0ib9kT9kG7+Mmr2d7a6Yng+18c6foL21gsEgN0brUCI3CGOJPLHzt5u4cK1V/wDhOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA+JP+CLHh7/gqj+yHNrXwA+P3/BLG/0Pwz4++Mmv+LtV+IA+M3h26j0C31FhKsTWVtPJNclGjVCUwTvztABqn/wVh+EX/BUH9rj9tbS/hXqf/BPzW/iV+yd4Kaz1I+GfC/xV8P6MfiJqwihnX+0/tt3HMljbTM8YtfLAleDzCzB49n3P/wAJx/wUL/6Nf+DP/h+NW/8AmXo/4Tj/AIKF/wDRr/wZ/wDD8at/8y9AFP8AYw+NX7UHxRtNW8P/ALQP/BPbUfgPp+g2lnD4ahu/HuiazFqKESK8USaXK4tlhWOIYcKCJQF+6cekfG/WPi94f+E2va38A/Bmk+IvGNrYNL4f0LXNUaytL+4BBEMk6qxhDDI37SAcEgiuD/4Tj/goX/0a/wDBn/w/Grf/ADL0f8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXoA/Pz9qn9i79tn/AIKL+P8AwHLF/wAEhvA37N/jLQfiJpXiHVf2hB8TNF1DVLCC1nEs0dp/ZUS3V3JKMhRceXHkDcFJDp6x8e/2av22v2dP+CtXij/gof8AAb9jPQv2g9B8ffDrS/D0OnzeN9P0TWPBVxZsd5t31EeU1tPkO4jYOXJJA2DzPqv/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5f/AOCbn7Ln/BQfwr/wVI/aC/bU/bV+GehaDYfFLwX4ch8PReG/EUF/aacbUOn9mBtyzyyQRCPzZ3hijkleQx5TBr0b/gh/+y38dv2QP2IpvhB+0V4F/wCEd8RN8SPE2qLp39p2t3m0u9Slmt5PMtZZI/njZW27ty5wwB4r1r/hOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA8Z/4Iifso/H39kL/glV4V/Zt/aJ8Bf8I9410288SPe6L/alrd+Wt1q99cQHzraWSI7opo24c43YbBBA+DP2u/2VPjz+yl/waUeFf2Vv2gfDLeEfHeh+KNKttWsF1C2vTYSXHjJp4XEtrLJFJ+7mif5JDjOCQQQP1Z/4Tj/goX/0a/8ABn/w/Grf/MvXn/7TXwU/aV/bG+E1x8Df2jv2Jfgz4j8LXeoWd9caX/w0X4gs989rOlxA/mWvhuOQbZY0bAbBxgggkUAfOf7Z3wz/AOCyX/BRb4A/8O3vid+yV4S+HuheJruwsvij8fLH4lWd/YXum21xFNcS6XpaxreRy3JhBWOdFWMOYyxz5q+x/tE/sbfF/Wf+Cpv7G/xv+FHw88/4bfBvwx430zxVq39q2yf2St5o8Fpp6eTJKs0+94ymYkfbjL7RzXtP/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfG3xN/YB/aB/ZI/bW+K/7RnwK/4J9fDf9pzwB8a9ag8Qan4X8Q6rpemeIPCmtCIR3T29xqkTW9zaTkCTZvR1c4AAXMnuv7MNn+1x4d+GHxK+Iejf8EtPhN8FfFi6Vbr8P/CGm+MbGefX7hBM0iald6daJDbR7vJEewzYLSM3QA+qf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB+fH7YX7GP7cH/BSXX/CWmL/AMEgPAv7O3jnTPHel65fftFn4naLqGpaRHa3KzTfYzpcS3l1JIAQon8tM4LBTh0/W2vGf+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDyX4Afst/HbwT/wAFmf2gv2r/ABP4F+y+APHHw38KaX4X1/8AtO1f7bd2aSC5j8hJTPHsLD5pEVWz8pNeV+FvgV/wUT/4Jk/tafHDxt+yT+yZpvx7+FXx18bSeOY9GtPiJYeHdW8L+IbhAL8SnUAIrm2mdUZWjbegUDaSDu+rv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD5Z/Zu/4J4/tY6F+zf+1/8c/2iNL0ST46ftT6PqTy+DfDeqJLZaLBDpFzY6PpIu5fLSWVFnKPOSsZLDnClz9Kf8Evfgz8Sv2df+CdfwV+BPxj8N/2P4q8JfDfStL8Q6V9shuPsl3DbokkfmwO8cmGBG5GZT2JrS/4Tj/goX/0a/8ABn/w/Grf/MvR/wAJx/wUL/6Nf+DP/h+NW/8AmXoA6P8Aa1/Z48Oftb/swfED9mHxZqUllp/j3whf6HcX8MYd7T7TA8azqpIDNGzK4BOCVANfn3pXhD/gubbf8E8NR/4Jg3n7Fvg9dW0z4bXHgey+PUPxTsX0zUdLjsmtI7iDTCq3YvZLYLEqzeVEJmEryIuVH3D/AMJx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB8RfFT/gnX+2P4k/4IW/s6fscaL8HvO+JHgTxJ4KuvFfhz/hINOX7DDYXolu2+0NcCCXy0GcRyMW6KGPFfQn7Zf7Lnx2+K//AAVi/Yv/AGl/AHgb7f4J+E3/AAsX/hYGt/2naxf2V/amhQWtj+5klWafzZkZP3KSbMZfauDXrP8AwnH/AAUL/wCjX/gz/wCH41b/AOZej/hOP+Chf/Rr/wAGf/D8at/8y9AHkv7TP7Lfx2+IP/BYf9mP9qfwh4F+1+A/h54P8aWPjDXf7TtY/wCz57+zijtE8h5RNLvdWGY0cLjLFRzXnP7dH/BP742+G/2+h/wUg/Zs/ZX+Hnx4i8ReBYPC3xF+EXj27tLK4lNtN5lrqmmXl5FJBHOqHyZI5dqsijBJbKfUH/Ccf8FC/wDo1/4M/wDh+NW/+Zej/hOP+Chf/Rr/AMGf/D8at/8AMvQB5T+wtoHx11P403Pij4k/8Eg/hr+zvoNn4fnWz1yw8VaNqevXl88sIWFV0q3EcNv5Xnl2M7MWEYC4yaj/AOCLn7Lfx2/ZM/Z6+Ifgb9oHwL/YGqa78ePFniLSrX+07W78/Tb27WS2n3W0sirvUE7GIdf4lBr1r/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD4b8N/sBftIf8ABPj4wfErRPhV/wAEvPhj+1F8MvH/AI+1Dxd4Y1C91zRdJ8ReFpb5lkn0y4OrRGO6tUkBMLxybwrNuBJ2r618R/2dv2nPjr/wSp/aF+Elv/wT7+H/AMHfHXj7wlqul+EPh34G8SadcPfh7ERwG9vI4bW1WdpnlUDcURNuZOTX0V/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AeY/F79mX43+KP8Agh5rP7H2heCfP+It1+zGfCdv4d/tK2XdrH9gi0+zfaGkEA/f/J5hk8vvu28147+1P+wb+134o/4JvfsdaR8I/hlp2sfFD9mnxR8PfFmsfD7UfEdvZjVpNH0z7NeabHe5e3SXe5CyljHiNiC2Vz9Yf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQBufsr/Fj4+fGP4cXHir9o39lPUfg9r0WrS20PhbU/F2m61JNbLHGy3QuNOkeIKzPIgQkOPKJIAZc+df8Fav2NtU/bv8A2APiF+z94O/d+LptMXVvAF2s6wvba/YyLdWLJKxAh3TRLE0mRtSV+2a6n/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD5+/4Ix/sr/tf+B9W+Mf7bP/BRfwBZ+HPjb8Z/FVmuo6LZ6raX0el6HplnHbWFuktrLLENxM8jBG5zGWAYEDzP/gvD4O/4KcfthfDvV/2N/wBmT/gmje+KvDFr4q8Pa3pvxPHxc8P2MV/9klgu5oRYXc0c8REgeDcxwSm8AqRX2b/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AZv7PXir41ftjfB7xP4T/b//AOCd9n8NrK6uhYt4H8V+LtH8W2mvWRRXaSUWgeEJv+XypASSucYxXZfBT9jz9kj9muTVJv2c/wBlr4c+AH1yGOHWn8FeCLDSjqEabtiTm1hTzVXe+A2QN7Y6muf/AOE4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD88v2GP8Agkr+2z8Lv+CgnhL4TfG3wLaw/ss/s3+NvGHi/wCA+pjX7Oc6pcatJCbCzltUmaeM2PnXkqyyRoPMDYyGXP0J/wAFK/8Agn58X/Gv7YfgH/go9+zb8DPAPxa8ReFfBl14O8Z/CX4jSwQW/iHRJLk3UL2V1cRSw2t7BcPIwaVdrJIRuXBD/RP/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AeJfsd6F+0Hr3x80jW/G3/AARP+GHwC0HTba5lu/GB8YaDqWsiZoWSOOzi0m2IQMzEPI8y/u2YBcnFaf8AwSy/Zb+O37OPxY/ar8TfGfwL/Y1j8Sf2kNX8U+Cp/wC07W4/tHSZoLdIrnEErmHcyMPLlCSDHKjIr1r/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegDwT9szWv2zPiF4z8RfCjx3/wQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV83/EL/gkT+3D4b/4Nt/iL/wTw0Dw7pviX4neKPE9vrHhrwFofiWMWGgWb+JbDUP7JtrzUJIkaO3ghmkLOyguzqpclS/6F/8ACcf8FC/+jX/gz/4fjVv/AJl66T9l/wCMvif48fCT/hPPGngew8OavbeKPEGhanpGl64+pW0U+laze6W7xXMlvbNKkjWZkG6GMgSbSDjJAPmz/gpB+yF+1LfftYfBv/gpT+w94a0XxV48+E9pqmi+Ivhzr+tLpkfizQb9AHggvHVktrmKTdIhkAQl8sfk2Scj4J/Z2/by/bx/4KKfCn9s39tH9nPTfgl4E+Aen6vN4J8At43s9f1bXtb1GBbeS8uZrHMENvFEqlEDs+9AeQ7Bf0DooA+P/wDgnn+y38dvgZ+27+198X/in4F/svw78UfiRo+qeBdR/tO1n/tO0g03yZZPLhleSHbJ8u2VUY9QCOa5z9mf9m39sX9n39rf9uX9ojQPg/plxN8StY0DUvg9HrXiK3jtPEM1lozwOkzQPJLZp5+2MtLGpwdyqwGa+46KAPyP/bZ/Y0/bo/4KYroXhX/hz14E/Z98fweMdM1af9pBvihouoajoK210k8stk2mwre3UjqhVVmEaZYE4IDr+uFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRX5wf8Fev2Rv2N/ht8MdZ8TfCH4TXMv7U3xb8RSwfBbXND1y7Pid/EssomF1b3LTGS0sLQHz5wClrFBGUKgMikA/R+ivib/gpD+zT+z5P4NtvjT8aP8AgmL4i/aU8ey+GPsF5f8AgyK1+0ae1vDkSRm4vYZbQPI7lXsYpZwQTsJC59R/4JLatrOt/wDBNb4L6l4i+O8XxMv38CWi3vjaKWd/7RlUFWDNcok7PEQYWaZElLQsZFV9wAB0Xgf/AJSF/FD/ALIz4D/9O3i+vZq+ePgF8TvDfxR/b9+L+oeGtN8Q20enfCvwPY3C+IvCOo6O7ypqvi4lokv4IWni+YYmjDRMchXJU4+h6ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAor5w/bY/bY8Vfs2eKtJ8D+B/Cmn3l7eaeL66utVWRoliMjxqiLG6HdmNiSTgDHBzx6/8A/itH8b/AIQ6J8UY9JaxOq27tLaM27y5EkeJwD3XchIPoRXzeB4tyLMeIMRktCo3iKCvNcrS6XtLZtc0b22ut9bfRY3hXO8vyHD5zXppYeu7QfMm+trx3V+WVu9ntpfsKKKK+kPnQooooAKKKKACiiigAooooAK8Z/YP/wCSIa5/2Wb4j/8Aqa63Xs1eM/sH/wDJENc/7LN8R/8A1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr4lm/wCCbn7cWjfto+Pf20vBX7fXgGfXfFYOneHF8a/AO41abwloCuXi0eylj8QW0aRZw8siwo9xKN8mcKq/bVFAHz98WvgN/wAFBvFniSa8+E3/AAUD8PeEtIvdMt4LrTrr4KQalPZ3Kwqk1xZTtqEYi8yQNKEuI7kIW25ZQBXc/sh/sv8AgD9jD9m/wp+zJ8ML/UrzR/Cti8MV/rFwJbu9mlmkuLi5mZVVTJLPLLK21VUFyAAABXpFFAHjPgf/AJSF/FD/ALIz4D/9O3i+vZq8Z8D/APKQv4of9kZ8B/8Ap28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFc58Vvi38N/gd4FvfiX8WPF1roeh6eoN1f3ZOAScKqqoLOxPAVQWPYGrhTnVmoQTbeiS1bfkiKlSnSg5zaSWrb0SXds6OiuJ+BH7RvwT/aa8IP47+BnxAtfEGmRXBgnmgikikhkAztkilVJIzggjcoyORkV21OrSq0Kjp1YuMlumrNeqYqNajiKSqUpKUXqmmmn6NaBRRRWZofP37XHw+8G/FD48fCHwH4v0GK8t9SvtWN2hZkeSCG2SUpvQhgu7BwDXu2haFo3hjRrbw94e0yGzsbOFYrW1t4wqRIBgKAK8j+I3/Ez/AG3PhxY9f7L8M6xeY9PMVYc/pXs9fI8PYbDPO81xigueVZQ5rLmahRpaXte3NJu199dz6vP8TiFk2WYRzfJGi58t3ZOdarra9r8qSvbbTYKKKK+uPlAooooAKKKKACiiigAooooAK8Z/YP8A+SIa5/2Wb4j/APqa63Xs1eM/sH/8kQ1z/ss3xH/9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP8A8pC/ih/2RnwH/wCnbxfXs1eM+B/+UhfxQ/7Iz4D/APTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK+cf+Cp/j74+fDf9ky+8R/s+S39vqA1WCPWtR0tT9psdOKSmSaNl+ZCJBCpccqrscjGR5j/AMEVP2gvjb8avAHjXQ/i/wCO7vxBFoF/Zf2Re6tfG4vR56zGVJHcmRkHlxlS2eWcA4GB49TOaNPOYZc4S5pR5lL7Ozdu/Tfo9DwKvEGHo8QwymVOXPOPMpacuzdu70Tu1onZH25RRRXsHvhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8m/8Fq/h1ofjv8AYN1zWda16WxfwtrFjq1gsabhdXBc2iwMPRhdN06MFPQGvrKvl/8A4KR/8V/rvwV/Zph+f/hN/irZ3OqQdfN0zTlNzdLj8YzntivZ4flOnnVCpF25JczflFSlL8E18zxOI4wqZHXpSV+ePKl5ycYx/wDJmn8il/wSo/YF8WfsP/DvxBd/EPxXa3+v+MJbOa9stOLm3sY4Fl8tAzqrNITO+87QOFAzjJ+raKK48wx+JzTGTxWId5y30t5Ky8krHbluXYXKsDDCYdWhBWV3d922+7bbCiiiuI7jxc/8TT/goEB1TS/hTn6SSah/8TXtFeMfDz/iZ/tu/EW+6/2X4X0izz6eYGmx+lez18xwt79HF1f58TXf3TjD/wBsPpeJ/drYSl/LhqC++Mp/+3hRRRX0580FFFFABRRRQAUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzv4x/4Kt/sC/D74iah8MvGnx5Om3mka+dE1jV7rwrqq6Lp2oiXyTa3GrfZfsFvIJDsKyTrhuDzX0RXxV/wU68e3/wC1pa61/wAEhP2bLK11Txj8QtCWP4p6/JAJbD4d+GLlsTX112a/uE8xLO1yHdz57FI49zAHrvx3/wCCmH7Fn7Nfj7Ufhn8X/ivfWWr6JaRXWvx6Z4M1jU4NHgkj8xJb24srSaGyQoQ+6d0G05zjmvaPCfizwv488Lab448EeIrLV9G1iwivdJ1XTbpZ7e8tpUDxzRSISro6MGVgSCCCK+dP21v2nZP2b/BWgfsifs0+EofGnxq8faQ+mfDvwdeSeZFBbxxLBLrerPg+Tp1su1pZGGZmCwxhnf5fSP2IP2Y9O/Yv/ZD+HP7Kml+JZtZj8B+ErPSH1adNrXksUYEkoXJ2KzliqZO1SFycZoAzPA//ACkL+KH/AGRnwH/6dvF9ezV88fALUvivqf7fvxfk+LPgvw9olzH8K/A6aZF4d8Tz6olxZjVfF2yaV5rK0MMpO4GJVkVQARI2SB9D0AFFFeR/teftrfBH9ifwbY+MPjFdahK2q3LQaVpOjWyTXd4yAGQoruiBUDLuZmAG5RySBW+Gw2IxleNGhFynLZLdmGJxWHwVCVevNRhHVt6JHrlFcD+zV+0r8K/2sfhXa/F/4QapPPpk87288F5CI7izuEALwSoCQrgMp4JBDKQSCDXfVNajVw9WVKrFxlF2ae6fYqhXo4mjGrSkpRkrprVNPqgooorI1CiiigAooooAKKKKACiiigAooooAKKKKACiiigAr5i/bB8L+IP2cPinp37fnws0ma5i0+BNN+K2iWi86noxIAuwvea3ODn+4oyQqNn6dqK/sLHVbGfS9Ts4ri2uYWiuLeZAySowIZWB4IIJBB6g1yY3CrF0ORO0lrF/yyWz/AEa6ptdThzDBLHYZwT5ZJqUZdYyWqf6NdYuSe5V8K+KfD/jfwzp/jHwnq0N/pmqWcd1p97btlJoZFDI4PoQQav18sfs5399+xf8AtB3H7Fvi68lPgrxTJPqvwg1O5clYCW33OkMx/iRmLpnkhuSTIqj6npYHFPFUbzVpxdpLtJb/ACe8X1TXmTluNeNw95rlqRfLOP8ALJb/ACekovrFp9wooorsPQCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvl/Uv+Lrf8FaNNs/9ZYfCj4VzXW7r5Op6nP5W32zajOfavqCvl/8A4J8f8XE+LXx+/aTl+dfEnxNbQ9NnPPm2Okwi3hdf9lt7fitevln7rDYrEdocq9aklH/0lSPGzT99isLh/wCapzP0pxcv/SnA+oKKKK8g9kKKKy/G/im18DeC9X8a3trJPDo+l3F9NDD9+RYo2kKr7kLgVnVq06FKVWo7Rim2+ySbb+STfyNKVKpXqxpwV5SaSXdtpJfNtL5nln7Pf/Ex/aR+NPiHr5ms6VZhv+uFmVx/49Xs9fFv7CP7V2oeLP2gPEHgzWPCsMY8eavdarFcW8jFrSVIWfymzwyeXGQDgHd7Hj7Sr4jw5znLs84ceIwk+Ze1rc2jVpSqzqde8Zwfz7po+08Qcnx+S8Qqhi48r9lR5dU7qNKEOn96El8uzQUUUV92fDhRRRQAUUUUAFFFFABRRRQAV4z+wf8A8kQ1z/ss3xH/APU11uvZq8Z/YP8A+SIa5/2Wb4j/APqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzFq3/AAR5/YM1X4keLfi3b+C/H2k6/wCO9fm1vxbd+Gfjn4v0mPUr+U5ed4bLVYogcYUBUCqoCqAoAH07RQB83fEX/gkt+w58Uvi/d/H3xR4L8bQeMb/QrLRr/wAQaB8Z/FWkz3NjaRiO3hk+w6nCHChcksCWcs7FnZmPuPws+GXhT4N/D/S/hj4HOqHSdHgMNkda8QXmq3W0sW/eXd7LLcTHLH5pJGOMDOAAOgooA8Z8D/8AKQv4of8AZGfAf/p28X17NXjPgf8A5SF/FD/sjPgP/wBO3i+vZqACvn3/AIKB/wDBPzwb+3t4N0TRtZ8a3PhzWPDlzNJo+sQWQukRJhGJo3hLpvDeVGQQ6kFB2JB+gqK6sHjMTl+JjiMPLlnHZ/h102OXG4LC5jhZYbEx5oS3X49Ndz45/wCCVOkaV+zC3jT9gjxrYix8aeHNdm1xbsuRF4k064EccWoQBidoVY4o3QE7CFyS28D7Gr5//bs/Z68aeOdJ0b9or9n9Fg+Kfw1ma/8ADbKP+Qta4/0jTJcY3pKm4KD0Y4BUOxr0L9mb9obwV+1F8GdI+MXgdmjhv4il/p8zfvtOvE4mtZRwQ6NkdBuBVhwwr0s2bzGP9px1c3aov5alt/8ADNK8ezUo9EeXlCWWy/suWigr03/NTvt/ig3yy7pxl1Z31FFFeGe8FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB5j+1t+znYftL/AAiuPB9vqJ0zxBp1wmp+ENejJWTTNTh+aGZWHIGflbHO1iRyARn/ALGn7Rl9+0B8M5rXxzpw0zx14TvW0fx3ojAK1tfx5UyKv/POUAupHH3lBO0mvXq+X/2uPDuufswfF+w/b5+GmlTT6fHDHpfxc0WzTJv9KJCx36qOs1udvPUoACVUOT5ONTwVdY2Hw7VF3j0l6wvr3g2uiPDzFPL8Ssxgvdso1V3h0n60769XByX2UfUFFUvDfiLQ/F/h+x8V+GNUhvtN1K0jurC8t33RzwyKGR1PcFSD+NXa9VNSV1se3GSkk07phRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBynx1+I1v8H/AIK+LfircsoXw54bvdRAbozQwO6r7ksoAHcmvNf+CaPw5uPhj+w58PNH1BW+26lov9s30kn33lvpGuyX77gJlXn+7iue/wCCr2sahcfsqJ8INCuTFqfxL8Y6P4U09k+9uuLpXcAd8xwup9mr6N0XSNP8P6PaaDpNuIbWxto7e2iXokaKFVfwAAr15fuMiiutWo38qcVFf+TTf3HjQ/f5/J9KVNL51JOT/wDJYL7yzRRRXkHshXP/ABX8V2fgb4Y+IfGN/HG8WmaLc3LRSqCsmyJiEIPXcQBjvmugrxn9ua9ub74PWXwx02Zku/G/ifT9EhKfeVZJg7t9NsZBPo1eNxFjp5ZkOJxUNZRhLlXeTXLBfOc4I9jh/AwzLPMNhp6RlOPM+0U+ab+UIyZV/Yl/Z0+H/wAMfhR4f8fxeFIU8Uazokc+o6nIztIVm/ehAGJWPCsikIFzt5ya9wqKys7bTrOHT7KERwwRLHDGvRVUYAH0AqWryLJ8HkOU0cDhoKMYRSdkleSSUpO27k0229XfVkZ3m+LzzNauNxM3KU5N6tuybbjFX2UU0kloraIKKKK9Y8oKKKKACiiigAooooAKKKKACvGf2D/+SIa5/wBlm+I//qa63Xs1eM/sH/8AJENc/wCyzfEf/wBTXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/ykL+KH/ZGfAf8A6dvF9ezV4z4H/wCUhfxQ/wCyM+A//Tt4vr2agAooooAK+Q/ipFL/AME8v2oD+0RpEbRfCL4o6nFa/Ea0jH7rw/rLnbDqwA+5FKTtlPqSTkmNR9eVi/EX4e+EPix4E1b4bePtGi1DRtbsZLTUbOUcSRuMHB6qw6hhypAIwQK9DLsZHCVmqq5qc1yzXePdf3ov3ovo12bPOzLBSxlFOk+WrB80Jdpdn/dkrxkuqfdI2IZoriJZ4JVdHUMjo2QwPIII6inV8t/sSfELxf8AAr4h6l/wTy+Oesy3eqeGrQ3nw08Q3ZwfEHh/JCJnoZ7cAoyj+FDgERlj9SVnjsHLA4h02+aLs4yW0ovVSXqt10aaeqNMvxscfhlUS5ZK6lF7xktJRfo9n1TTWjCiiiuM7QooooAKKKKACiiigAooooAKKKKACiiigAooooAKg1TS9N1zTLnRdYsYrq0vIHguraeMMk0bqVZGU8EEEgg9QanopNJqzE0mrM+Wf2ZdU1L9jv49XX7D3ja/lfwnrpn1b4O6tdyE/udxe40lnPV4mJZM8lSSfvoo+pq8s/a9/Zyg/aS+E0nh3SdT/svxRo10mq+C9fjO2TTtTh+aJww5CsRtbrw2cZUVB+xz+0bP+0R8LWuPFmmf2V408N3j6R450Jxtey1GL5XIXtHJjep5HJXJKmvJwbeBxH1KXwu7pvy6w9YX07wa/lPDwDeW4r+z5/A7ypP+79qn6wvePem1/IetUUUV657oUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5Gf8ABWn4aftXfFX/AIKLr4Q+Glnr3iOS30HTtT8H6b4e8yVtGtztikmfy+LY/a45GMrFQA8eW+7j9UfhDp3jnSPhP4X0n4n6kl54ltfDtlD4ivI2BWe+WBFnkBGMhpA5z718/fsHf8Xh+P3xx/a3uP3ltrHi9fC3heU8r/Z2loI2kjP9yWRtx/2kNfUdfU8RZlOrh8PlrhFewjFNpauTinJP0ur95Xb1PkuGssp0sRiczjOT+sSk0m7pRUmotebs7do2S0Ciiivlj60K8V+Jv/Fd/tmfD/wOp32/hXRL7xFfRjoWkxbQE+6uCR9a9qrxX9n3/it/2ifiv8VW+eC11S28N6a/ZBaR5nUH3kZTXy/Ev+01cDgP+ftaLf8Agop1pfK8aa+Z9Nw5/s9LG47/AJ9UZJf46zVGPztKo/ke1UUUV9QfMhRRRQAUUUUAFFFFABRRRQAUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFYnxMl+I0Hw38QT/B+z0e48Wpod23ha38RTSx6fLqIhf7Mt08IMiwGXYHKAsELFQTgUAbdFfA2rf8Edfjx+1JcP4i/4KH/8FS/jB4k1KdRLJ4I+D+rr4P8AC9grZIiW2hWSe6CEMqzzS+YwBLDOQILf/gh9f/s6qvi39h//AIKkftA/C3WIpo0tbTxT4vj8UeHZ5XcIi3GmX6BZizMqLiRW+bA5IoA/QCvk79pr9vn9rL9lrRfGfxu8df8ABPiSf4Q+A7m5m1zxTZ/FGzbW5dJgciXVbfSRbmN4RGGm8uS7jm2D/Vhvlr3n9nCL9oq3+C+i2v7WF14SuPH8AuItfu/AyXCaXdbbiVYJ4Uuf3kZktxC7xksEkd1VmVQx/O/9uf8A4KRfsZ/tkftO+I/+CdnxZ/bA8DfDT4NfD7WUtvjhe+JPFUGnal431CCUMfDVlHI6yR2KOgF7dYBlwbeI4MklAH01+2x/wUT+M/7KWt+CfEvgr9jg+Nvhj4r1zw1pl58SZPiHaabHZTazqUdjEsViYZrm4aMTQynKxIVkAD5DY+rq/On/AILuftn/ALIPw6/Zz+H3ws8R/H/wjpWsaj8TPh74p0fRZdTjSSfQYPElnK9/Eg62yRW8zbxwFib0r7u+DPxq+E37RPwz0v4y/Az4g6X4q8K60kraTr+i3QmtbsRyvC5Rxw22SN0PupHagDgfA/8AykL+KH/ZGfAf/p28X17NXzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPoegAooooAKKKKAPEv24f2Z9b+PPgGw8YfCrUV0r4leBb3+1/AOtAhStyuC9rITwYZ1UIwPy52kggEHc/ZD/AGmNE/an+Ddr4/t9ObS9bs5307xb4emBE2kapD8s9u6nkAH5lzyVZc4OQPUa+Sf2mNJ1T9hz9oWP9ufwHp80ngbxRJBpvxp0WzjLCEFtlvrSIOrxs22THJDdMyMw9vBNZlhvqM/jV3Sfm9ZU/SW8e01b7Z4WOTyzFf2hD+HKyqryWkanrDaXeDv9g+tqKr6Rq2l6/pVrruiahDd2V7bpPZ3dvIHjmidQyOrDhlIIII6g1YrxWmnZnuJpq6CiiikMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvlz9q3QtY/ZR+NVl+3l8PNNmm0S5SHSvjBo1nGWNzYFgsOpKg6ywHAJ6lMD5RvNfUdVta0bSfEej3fh/XtOhvLG+tnt7y0uIw0c0TqVdGB4KlSQR6GuTG4X63Q5U7STvF9pLZ+nRrqm0cGY4L69h+WL5ZxalCX8sls/TpJdYtoboWuaP4n0Sz8SeHtShvLDULWO5sru3cNHPE6hkdSOoKkEH3q3Xy5+yzrOrfskfG+8/YS8fajNL4e1BZtV+DusXkhYzWe4vPpbOessBJZR1K5PAKLX1HSwWK+t0OaStJO0l2kt16dU+qaYZdjfr2H5pLlnFuM4/yyW69OsX1i0+4UUUV2HeFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFeZftmfGhf2ev2WvHPxejuRFdaToE39mOT/wAvsuIbYf8Af6SOvTa+XP8AgoH/AMXd+L3wT/ZCtv3kPinxt/b/AImhXkHStLTz3jk9FkcgA/3o8V6OUUKeIzGnGp8CfNL/AAwTlL71G3zPMzjEVMNltSVP42uWP+KbUI/c5X+R6b+w98F2/Z9/ZN8C/Cu5tjFe2OgxTasjDkXs+Z7gH1xLK457AV6tRRXJia9TFYidafxSbb9W2/1OzDYenhMNChT+GCUV6JJfoFFFFYm5neLvEdl4P8Kan4t1I4t9L0+a7n5x8kaF2/RTXm37EPhy90T9nLRdX1cZ1DxDJPrV/JjHmPcytIrfjH5dcF/wU2+LvjP4e/CnT/BvhizC2nit7i11XUDHnyokVD5I7AyBm567UbHqOv8A2Cfih4o+Kn7O+n6j4q0mO2k0m5bS7SWGHYlzBDHGEkC9BjcUOOMxnp0r87XEOXYzxOWVe97Shh5Ne6+XmqShKWvlTUUns22k7pn6A8gx+D8Nnmnu+zr14p+8ublhGcY6edRybW6STas0e0UUUV+iH5+FFFFABRRRQAUUUUAFFFfCX7d//BWv4hfsv/tIzfBH4efDLRr+00OK1fXbrWjN5l0ZoY59luY3URgRyKN7B/mz8uBz5+ZZng8pw6rYl2i2lom9X5I8vN85y/I8KsRjJNRbUdE27vyXo36H3bRWH8MvHNl8T/ht4e+JWmWU1tbeIdDtNTt7a4x5kSTwpKqNj+IBwD7ityu6EozgpR2eq9Hr+p6UJxqQU4u6aTXo0mvwaCvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11uqKPZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACmyyxQRNPPIqIilnd2wFA6knsKdWD8VPhn4F+NPww8SfBz4oaEuqeGfFug3mjeItMeeSIXdjdQPBcQl42V0Dxu67lZWGcgg4NAHyR/wUO0b48/s/8Axi0r/gp3+x/rs/i698L+GYtB+Lnwah1JGTxh4WguLi6WawQnCarZvdXUsXeZJHizyEk8y+A/jv4k/wDBbX9oDwn+1Hq+p6x4B/Za+G3iqz1r4XeFbqf7Fq3xN8QWU6y2+r30YbdFpttcRq0Fuf8AXSRiR8gBV+Rvij4F/wCDSPwT491T4cfC/wDYa8a/F3UNDu2tdZn+EFt4q1qztZlPzJ9qW/SGXH96J3Xnr1r2H/gm78Af+DYX49ftMaBp/wCzF+zXe+CvjR4N1S28R+HfCXj688SaVq8NxZyrcxXMMF5dmG6MbxeYY1MmFjYumwE0Afr1RRRQAUUUUAeM+B/+UhfxQ/7Iz4D/APTt4vr2avGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABVLxJ4c0Lxh4evvCfijSYL/TdTtJLXULK5TdHPDIpV0YHqCpIP1q7RTTcWmt0JpSTTV0z5O/ZK8R69+x78cLn/gn58UdVnuNAvUm1P4K6/fSEm6sMlptKdz1mtySVHUpn7oMa19Y15L+2X+zHbftP/CQ6Do+rf2P4t0K8TVvA3iSI7ZdL1OE7onDAZCMRtcc8HOMquK37FH7Tlz+0j8MJ4/GukjR/HnhO9bR/H/h5wFey1CPKs6rn/VS7S6EZH3lBOwmvaxyWY4b6/Be+rKqv7z2n6T69pp/zI8PASeW4n+zpv3Hd0n/AHVvT9YX93vTa/kZ7HRRRXiHuhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeUfth/s5N+0Z8Kv7N8N6n/ZXjDw/eJq3gjXkO17DUofmjO7sj42N1GCGwSop37H37Ry/tH/ChdZ17TP7K8WaFdvpPjbQJBtk0/UoflkXaeQjEb168HbklTXqtfLf7UOkap+yH8dLT9ujwJYTSeGtWEGk/GLSLSMtvtdwS31VUHWSEkK3cqQONztXkYxPA4j67H4dFUX93pP1hfXvBv8AlPCzBPLcUsxh8DtGqv7v2anrC/vd6bf8qPqSiq+kavpev6Ta67omoQ3dle26T2l1byBo5onUMrqw4KkEEEdQasV6yaauj3E01dBRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8ufAH/i+P/BRv4tfHGX97pnw70ez8B+HpTypuCftV+R2DpLhCeu1se1fQXxb+Iuj/CD4W+I/ip4gI+xeHNEutRuVLY3rDE0m0e524HqSK8e/4Jh/DrWPA37H+geJfFoLeIPHVzc+LfEE7LgzXF/IZlcjqD5Pkg57ivYwf+z5ZiMR1lamv+3ven/5LFL/ALePFxv+05rhsP0jzVZf9u+7D/yeTf8A26fQVFFFeOe0FFFFAHh/7R2m6d8Tf2gvhf8ABrVtPgvdOW6vdd1qzuYhJE8cEJSEOjAhlZ2dSCMc17RpWk6VoWnQ6PoemW9naW6BLe1tIVjjiUdFVVACj2FeO/Df/iuP20vH3jJvng8KeH7Dw/Zydi0pNzMB7qw2n617VXynDVOnicTjsyaXNVrTinZX5KPLSir2vbmjUdr2u726n1HEdSph8PgsuTfLTowk1d256vNVbte1+WVNXte2l+gUUUV9WfLhRRRQAUUUUAFFFFABXx5qnwC+D37X/wDwUk8eX/xT8C2utaR8NfCOjaYlvI8kccuozs92sknlsvnFIy0ZR9y4IBXgY+wmZUUu7AADJJPAFfNv/BNBW8Y/D/x1+0RcAs3xI+JWq6pYzEcmwjl+z26e4Xy5APrXkZlTp4rFYfDTScXJzaaurQjp/wCTSX3HhZtRpY3GYXCVIqUXKU5Jq6tTjpdP+/OP3H0hbW1vZ28dnZ26RRRIEiijQKqKBgKAOAAOMU+iivXPd2CvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACvPP2uvhx44+MX7KHxP+EXwx1gad4l8VfDzWtH8Pag0xjFrfXNhNDBLuHK7ZHRs9sZr0OoNU1TTND0y41rWtRgs7Ozgee7u7qZY4oIkUszuzEBVABJJOAASaAPzA/YO/wCC3P8AwTC/Yr/Zf8D/ALGv7ULap+zp4/8Ah34Xs9G8T/DzxZ4C1GDZewRLHcXUU1tbyQ3Ec8qvMJt++XzN7AliaqfGj9uH9mj/AILE/ta/s8eAv+Ccfh3WvH2pfCv41aX4w8Y/GSDwjeafpfhbRLNZGvdPN7dxRPJJeqyQi3QFJPvEnyxj9BfE3xp/Y48aW8dr4x+LPwz1aKJt0Uep69p86ofUB3IFeVftUf8ABRz4JfsrWvwj8N/CFvB/jCT4jfG3w18PxpGg+K7aI6TBqtw0LX6xwLJ5ghIB8vCBiwG9aAPqGiiigAooooA8Z8D/APKQv4of9kZ8B/8Ap28X17NXjPgf/lIX8UP+yM+A/wD07eL69moAKKKKACiiigAooooAK+VP2yfB3ib9l/4uWf8AwUP+DujTXUFnbx6f8YfD1kvOraMCAL5V7z23B3d0UZKqr5+q6ivbKz1Kzm07UbSOe3uImjngmQMkiMMMrKeCCCQQeua7cBjHgsRztc0WmpR6Si91+qfSSTWxw5hgljsPyJ8sk1KMusZLZ/o11i2nuUfBvjHwz8QvCem+OvBesw6jpOr2Ud3p19btlJ4ZFDKw+oPQ8joa06+RvgJe3v7A37SZ/Y+8VXcn/Cs/Ht3Pf/CDU7mQlNMvGbfcaK7HoCzb4snksBlmkO365qswwawdZcj5qclzQl3i+/mneMl0kn0aJy3GvG0H7RctSD5Zx7SXbvFq0ovrFrqnYooorgPQCiiigAooooAKKKKACiiigAorxn9vHwl8WfGn7P11ovwgju5rz7fE+p2dgx866swrh40A5Y7zGSo5IUjnofM/+CY9/wCNfCv/AAlfwh+JE2oadeWi2l7pfh3WIJIZ4Yn8wSyokgBCEmLOOAef4ufisXxhPB8aUMhqYWfJVjdVtoc1pNQWlm/da+JS5rWi1dn2WE4ShjODq2eQxUOelKzo7z5bxTm9bpe8n8Lja95J2R9ZUUUV9qfGhRRRQAVU8QaBovirQr3wx4j0yG90/UbWS2vrO4TdHPC6lXRgeoKkgj3q3RSaUlZiaUk09mfL37Juv61+yv8AGW+/YK+I+pzT6TJHLqvwg1q8fJvNNLFpdOZj1ltzkgdSmThV2A/UNeR/tk/s5XX7Qvwwj/4Q3UhpfjfwveLq/gXXEIV7PUIvmVC3/POTARgcjlWIO0Crf7Iv7Rtr+0p8JIfFGoaadL8S6VcvpfjLQZAVk03U4TtmjKnkKT8y5/hYA8g48rBN4Ku8FP4d6b/u9Y+sL6d4Nfys8TL28uxLy6fw2cqT7x6w9ad9O8HF/ZZ6jRRRXrHuBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfMf8AwVI1O/8AFfwl8Kfsu+Hrp49R+LnjrT9BkMJw8Ngsqz3c/wDuqsaBvZzX0rpemWGi6Zb6NpVqkFraQJDbQRjCxxqoVVHsAAK+VNE8U+GP2mv+CqCXfh3xHYarofwU8BSiGSyu0mRda1GTy5dpUkHbbrsbHKum04PFfWVezmUZYbB4fCtWai5y9aj0+6EY/eeJlco4rG4nFp3TkqcX/dpqz++cpfcFFFFeMe2FNmmit4XuJ5AiIpZ3Y4CgckmnV57+1f41Pw//AGcvGHiWOXZKNFktrZweRLPiBCPcNID+FcWZY2nluXVsZU+GnCU36Ri5fpb5nZl2CqZjmFHCU/iqTjBespKP63+RzP7DkMus/DDWfivdxsJvG/i/UdXBcfMIjMYo1+gEZx9a9orl/gn4LHw6+EPhrwOYtkmmaJbQTjGMyiMeYfxfcfxrqK4eGsFUy7h/C4er8ahFy/xyXPP/AMnnI7uI8bTzDPsTiKfwOcuX/BH3If8AkkIhRRRXtnihRRRQAUUUUAFFFFAHmP7aPxK/4VD+yj4/+IEdx5U9n4YuY7KTONtzMvkQn/v7IlWf2Rvhr/wqD9mLwJ8OZLfyp9N8MWi3qYxi5eMST/8AkV3NeY/8FI/+K30H4a/s5w/P/wALB+Jum2upQf3tOtmNxctjvt2RHFfSdeXS/fZvVn0hGMfnJub/AAUTxqH7/Pa0+lOEIL1k3Ul+Cggooor1D2Qrxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK4D9q74Nf8NF/st/Er9nz7QsX/Cd+ANZ8O+azFQn22xmttxI6Y83Oa7+sP4m+G/E/jL4b+IfCHgnx5c+Fda1XQ7uz0jxPZ2cVxNpF1LC6RXiRTAxyvE7LIEcFWKAMCCaAPz7/AGJP+Dc//gnj4f8A2Svh94e/bC/YR8DXnxO07wzb2njW/stVvJ47y+iXy3uA6TKrGQKJDhQNzkYFWfj/AP8ABvR+x7oXjf4K/FT9gv8AZr8D+BPFHw/+PvhXxZ4j1ebUb5Hn0HT7z7ReW0OTMHmfbEUVgoJXl177+r/tO/8ABdH9kqQ+Gfiz+wD4P/aS0i3Oy1+IPwf8axeH76eIcK93pGoByJ2xlhbyGJSeOOKZpn7cP/Bbf9o6QeGPgL/wSW0T4RpMdr+O/jt8S4Z7Wz9T/Zmmp9qmbHIwyrnAJAyaAPvuvhv/AIKN65+3T+xv8CPiX+3Pof8AwUFtvsvhCSXVPDPwr1H4aaWui6jAbhVtdGlnCtqEt1PuS3WeK4jzLIpEQHy19Wfs3+BPjF8Nfgvovg74/wDxr/4WJ4xtxcSa74vGgw6Yl7LLcSzBY7WElIYokkWBFyzbIVLMzFmPxD8ZtM/b2+Lv7fV38UP2g/8Agmn4+8c/C34Va7v+BvhTwt498IJpl/fx7l/4SjUUvtYgllusE/ZYHiVbVWL4MzFlAPQdZ+Kv7Zf7Z/7X3xC/Z9+AX7Q0/wADtG+EHgzw7Prc9r4Q07Wb/VfEWsWst6ttP9vjkjSztrdIA6RLHLI87YlQKK9i/wCCbX7UPi79sT9jLwh8c/iPodjpvim4fUdI8W2Wmbvs0eraZqFzpt40IYlliee0kkRSSQjqCSRk+QeIvBf7ZX7Ln7ZHxH/as+AX7I1z8T9F+OXhDw9JrXhi38baVpWoeF/EWl20tqone7mWGa0lt5IFeSB5ZEe2bbHIrAn17/gmz+y94v8A2O/2MfCHwM+I+t2Oo+KYH1HV/Ft7pm77M+ranqFzqV4sJYBmiSe7kjRiASiKSATgAF7wP/ykL+KH/ZGfAf8A6dvF9ezV88fAL4R/Cj4Qft+/F/TfhN8MfD3he21T4V+B9Q1O38O6LBZJeXkmq+Lg9xKsKKJJWCqDI2WIUZPAr6HoAKKKKACiiigAooooAKKKKAPN/wBq39m7wt+1T8GNR+FfiK5eyumZbvQNagyJtK1GLJguoyCCCrcHBBKsy5Gc1yP7DH7SPin4u+E9V+EnxttksPil8O7tdK8baecD7SQP3OoRdN0U6AOCABuzgBSufdq+Yv25vhb41+GXi7Sf2/P2f9Ha58VeCbUweMtDt/l/4STw8TunhYDrLEAZEPJG3oxRFr2cvnDGUXl9V2u702/sz7N9Iz0T6KXLLueJmVOeCrrMaKvZWqJfah3S6yp6yXVx5o9j6dornvhP8UvBPxs+G+jfFf4dawl9ouu2KXVjcL12nqjD+F1YFWU8qykHkV0NeROE6U3Cas07NPdNbo9inUhVgpwd01dNbNPVMKKKKksKKKKACiiigAooooAK8r/aV+D/AIi8Uw6f8XPhO62/jrwkxn0iToNQg582yl/vI4Jxnox6jcTXqlFefmmW4bN8DPC172lazWkoyTvGcX0lGSUovo11TafflmY4nKcbDE0bXV7p6xlFq0oyXWMotxkuz6NJrkvgl8YPDvxv+H9p450BGgdyYdR0+b/W2N0nEkDjggqfUDIIPeutrwX4t6ZqP7MHxQk/aR8H2MsvhXXJUh+IukWyE+SxOE1KNR/EpOHA65J6sWX3PS9U07W9Mt9Z0i9iubS7gWa2uIXDJLGwBVlI6gggg152RZlia/tMBjrLE0bKVtFOL+CrFfyzS1X2KinB7Rv6Gd5dhqHJjsFd4atdxvq4SXx0pP8Amg3o/twcJreVp6KKK+hPACiiigAr5Z/aU03UP2Nvj9bftt+DLGVvB/iJoNK+MOlWsZIRCwS21dUHV42YI+OSDgDLsw+pqo+JvDWg+M/Dl/4R8U6VDfabqdpJa39ncLuSeGRSrow9CCRXHjsK8VRtF2nF3i+0lt8ns11i2uxwZjgnjcPaD5akXzQl/LJbP0esZLrFtdixpupafrGnW+r6TexXNrdQpNbXMEgZJY2AZXVhwQQQQR1BqavmD9kPxLr37M/xa1D9gT4n6rNcWltBJqfwl1u7bJ1HSCSXsmY9Zrc5GOpQEgBVXP0/TwWKWLoczVpLSS/lkt1+qfVNPqPLsasdhudrlmm4yj/LJbr9U+sXF9QooorrO4KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK5X466LN4k+CHjLw7beKv7Ckv/AArqNtHrmSP7OZ7aRRcZXkeXnfxz8tdVXzz/AMFQfiBrXhP9krVPAvg98+IfiLqVp4P8PwhsGWe/k8t145/1Am6d8V25bQnicwpUoOzco69tU2/RJNvyWpw5nXp4XLq1WaulGWnfRpJebbSVtbvTU+Kf+CLP7D/7ROm/Gnw/+15rkA0XwSdJvGs3e/RpNcWWOW3VPKRi6IsmJcyhcmJCoOQR+rlYXwv+H+i/Cj4baB8MPDibbDw9o1tp1p8uCY4YljBPuQuT7k1u13cQ51Wz3MpYmaSS92Nlb3U3a/d66/5Hn8OZHR4fyuOFpttv3pNu/vNK9uyutPvd2wooorxD3grxX9sT/iqrz4d/BuP5v+Em8cW0l7F132VqDNMMf98H8K9qrxW//wCK6/bvsLbG+18C+B5bjd/zzvLyTy8e2YRn8K+X4u/fZXDBLfEVaVL/ALdlNSn/AOU6cr+T8z6bhT9zmc8Y/wDmHp1an/byg4w/8nqRt6eR7VRRRX1B8yFFFFABRRRQAUUUUAFFFVNf13R/C2hXvibxDqMVnp+nWkl1fXc7YSCGNS7ux7AKCT7Ck2krsTaim3sj538Xf8XR/wCConhPQB+8s/hh8OL3WHbqsd9qEotQh/2vJAcewr6Tr4f/AOCff7XHwV+Nn7afxf1i21q5TXPG17aDwpFeWxRbnS9Pt2jAQ5+WQrmVkIBwM8kMB9wV4+SV6OLoVMRTkpc9Sb08mopf+AxT9GeBw7icPjsNWxVKal7SrN6O+zUYr/wGKfpJBRRRXsn0AV4z+wf/AMkQ1z/ss3xH/wDU11uvZq8Z/YP/AOSIa5/2Wb4j/wDqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFfA37cvhn4jftw/wDBTnw1/wAE2dT/AGjPG3w3+GWl/A+X4ieJovhzrZ0vVPFl2+rnTYrF7xQXjtYFTzZET75nQN/CyfPn7Mnxy+LvhH/glD/wTm+KGjfGLxOniDxB8evD3h/XIR4guT/wkem6jc6nbXkF5HvxdokWJx5gbyzbBhgigD9fKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9ezV4z4H/5SF/FD/sjPgP/ANO3i+vZqACiiigAooooAKKKKACiiigApGVWUqwBBGCD3paKAPkLwgx/4J0ftTj4Z3beR8GPi7q7S+F5mOIfC/iF+Xss9I4LjGUHADAAABZGP17XFftDfAfwL+0t8H9a+DPxEtC+n6xbFFnjA820nX5oriMno6OAw7HGDkEg+V/sJfHjx1qg1v8AZM/aIux/ws34bFLe9unJxr+lnAttTiJ5cMpUOeSGILYL7R7mJ/4VMH9bX8Wmkqn96O0anrtGfnyye7Z4OF/4Scb9Tf8ACqNun/dlq5U/TeVPy5or4Uj6Jooorwz3gooooAKKKKACiiigAooooAh1LTrDWNPn0nVbOK4tbqForm3mQMkqMCGVgeCCCQRXhXwq1G//AGWvinH+zt4rvJJPB/iCeSb4earcOT9mkJy+myMe4JyhPXIHJbC+91ynxq+EXhv43fD+88B+I90Xm4lsb6IfvbK5XmOeM9Qyn3GQSOhNfPZ7lmJxHs8dgbLE0buF9FOL+OlJ/wAs0tHryTUJraV/fyTMsPQ58FjbvDVrKVtXCS+CrFfzQb1X24OcHvG3V0V5T+zV8XvEniIaj8Gvi3th8c+EyItS7LqVtwIr6P8AvK4I3Y6MRkDcAPVq9HK8zw2b4GGKoXSd009JRknaUJLpKMk4yXddU035+Z5biMpxssNWtdWaa1jKLV4yi+sZRacX2fRppFFFFegcAUUUUAeP/tnfs56l8fPhtb6l4A1EaZ498IXo1jwJrSkK0F9Hg+SzH/llKFCMD8v3WIO3B0/2S/2i9N/aY+EFt42bTjpuu2M76d4s0KQFZNL1OH5ZoWU8gZ+Zc87WGecgem18r/tDWV5+xX+0PB+2V4VtJP8AhBvFssGl/F3TbZCVtXLbLbV1Ud1ZgkmByG6FpCR5GLX1DEfXI/A7KovLaM/+3b2l/cf908LHp5Zi/wC0I/A7Rqry2jU9YXtLvB3+wfVFFRWV7Z6lZQ6jp13HPb3ESyQTwuGSRGGVZSOCCCCCOualr19z3U01dBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXy38Yv+L7f8FMfhv8ACWM+dpHwq8NXfjHW0HKNf3BFtZRt6On+uX2Y19RsyqpZmAAGSSelfLv/AATdB+LGu/Fn9su7HmD4jeOpbXw9Oed+i6aDa2rA9skSggcZQda9jK/3FDEYv+WPLH/FU938I87PFzX/AGjEYfBr7c+aX+Gn734y5EfUdFFFeOe0FFFFABXiv7KP/FXePvip8YnG4ax4yOmWch/jtrCMRIw9juP5V1P7TXx60f8AZ0+Fdz4+1OykuZ5ZxZ6Xax8ebdOjsgYn7qgIzE88L0JNecf8E1/if4X8Y/Ar/hB9Ktp4tT8OXLHWGnO7z3uZZZVmDd84ZcHkbO/Br4XM84yytx3gMplVXtYQq1eXq5OChBbWvyurNK+ybPt8tynMqPBGOzSNJ+znKlS5uiipuc3ve3MqUHpu0j6Iooor7o+ICiiigAooooAKKKKACvLv22fGnhvwB+yP8RvEfi2FZbE+Eb20e3Zyone4iNvHFkcjfJKi5HPzV6jXzR+3b/xd74r/AAh/ZFtv3kHiXxX/AG94oiHI/srTV85o5PRZZCFB/vR15+aVZUsBU5fikuVesvdX/pV/RM8vOq8qGWVeTWUlyR85T9xfjK78kzgP+Cd//BK7Sf2dvE/h/wDaR8d+O7nUvEZ0FJrTRF04W8ek3FzbbJld/MYzsqyPGDhByTgnGPtaiiqy7LcJleGVDDxtHd+b0u362/yKynKcDkuDWGwkOWO73u3ZXbv1dv0WgUUUV3HpBXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfDP7dXwS+E37b37f8A4b/Zcj13x78Lvit4E+EsvjrwL8dPh74iSyvra2uNSOnXWk+UyMLqAlIpJUf5QJYwCvmMWqf8E+/+CD/ww/Yq8VeCfGnxI/ah+IXxfuPhbZXNr8KdE8W3EUGi+ERcBhNcWljECv2lld1852YgNwAVVgn/AAVr/wCCfvhf44/FTwp+2n8Q/wDgqd4l/Zw074daL/Z2k6ppmpWGmW9pcTSzNPN9uuHjdTcI0MTwb/LkW1iyrEVxH7En7Pmq/Gr4o6N47+Bv/ByJ40+NOn+ENdsdS8ReENI1fRL6K9tYrhHe1u1tyZYoZgpiLYBIc4OaAP0pooooAKKKKAPGfA//ACkL+KH/AGRnwH/6dvF9ezV4z4H/AOUhfxQ/7Iz4D/8ATt4vr2agAooooAKKKKACiiigAooooAKKKKACvnX9u74E+Or46J+1x+ztZ5+Jnw23z2tpGDjxBpRybnTJQvL7lLNGOSGLBcM4YfRVFdWCxdTA4mNaGtt09mno4vyaun9+6RyY7B0sfhpUZ6X1TW8WtYyXnF2a+7Zs4v8AZ7+O3gX9pT4QaL8Zvh3eGTTtYtQ5hkI820mHyy28gHR0cFT24yMggntK+QfFIP8AwTn/AGqD8QrUGD4L/F7WFj8RxLxB4X8RPwl5jpHb3GMOeApBJICIp+vgQwDKcg9CK6MxwlOhONWhrSqK8X1XeL/vQej7q0tpHPlmMq4iEqVfStTdppbPtJf3ZrVdnzR3iFFFFeaemFFFFABRRRQAUUUUAFFFFAHk/wC0t8JPE2tnTvjX8IVWLxx4TzJYLj5dUteTLYyY+8GGdvoxOCN24dd8GPi54a+Nvw/svHvhksiTgx3llKf3tncLxJBIOzKfzBBHBFdVXgfxRsL79lb4qyftBeF7OR/BniO4SH4g6XboSLOYnampRqPc4kA65zyWyvx+ZRlw5mEs2pr/AGepb6xFfZeijiEv7qtGtbeHLU3pu/1uXNcQ4COV1H+/p39hJ/aWrlQb/vO8qN9p80Nqit75RUOn6hY6rYQappl3HcW1zEstvPC4ZJEYZVlI4IIIINTV9fGSkk07pnybTi2mrNBRRRTEFZ3i7wn4d8d+F9Q8F+LtJhv9L1WzktdQsp1yk0LqVZT9QT71o0UpRUotNXTFKMZxcZK6Z8x/sdeLPEX7O/xO1H9gL4r6tNc/2VbtqHws1u7bnVdEJJ+zFu81vypUfwqcAKgJ+nK8b/bS/Z11n44/D6z8TfDS+GnfELwVe/2v4F1YEApdJgtbOTwYplUIwPy52k5CkHc/ZT/aJ0X9pv4PWXxCtLE6fqsEr2PibRJQRLpepRYWe3dTyMN8y55KspODkDysDJ4Os8DN6JXpvvHrH1ht5xcX0Z4mXSlgMQ8uqPRK9JvrDrG/endLu4OL6M9Iooor1j3AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPFf+Ch/wAYLz4J/seeNfFGiO/9r3+m/wBj6FHD/rXvbxhbRlB3ZfMMgH/TM12P7M3wfs/gD+z94P8Ag3aIgPh7QLe1uXj6SXAQGeT/AIFKXb/gVeK/tcf8Xu/bY+CP7MEP72w0O8n+IHiqHqFiswYrHcO6tcM6kHjkda+o69jFf7NlNCh1m3Ufp8EPwUn8zxcJ/tOcV6/Smo0l6/HP8XBfIKKKK8c9oKKKKAPCv25NMsviPpXgv4ALAr3vi/xZDiQKDJa2tupe5nTIOGVGx9Gau4+AX7OPw2/Zw8PXPh/4ewXbm+mEt9fahMsk9wVBChiqquFBOAFA5PcmuP8AA/8Axdb9svxP44b95pvgDR4tC0w/wm9n/e3Lr/tKP3R9iK9tr4nI8twGZ55is/qUoupzulSm1qqdJezk0/79T2mu9opJpaP7PO8xx2W5Lhsip1ZKnyKrVino6lV+0imv7kPZ6bXk203qiiiivtj4wKKKKACiiigAooooAK+aP2bv+L2/tx/Fv9oaX97pvhFIPAXhmXqA0JE9/jtkTlcEdmr2X9ob4sWPwL+Bvir4u35TGgaJPdQxydJZwpEMf/A5Ci/8CrjP2APhNffB/wDZO8J6Jr4dta1WzbWtflmH7yS8vGNw+/1ZQ6xn/rnXl4n/AGjMqNHpC9R/L3Yfi5P5Hi4z/as3w+H6QTqy9V7kP/JpSl/26ey0UUV6h7QUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5qf8FB/D37J3xH/AOC1/wAJvh5/wUpm0Gb4VRfBC9vvhVo/j+5SPw5qPjP+1xHeJMsxEE9wtj9l2RTZU+YcAsUB5f8AbR+GP/BOT4L/ALdX7Kus/wDBO3w98OPDPx21D436XY6jo3wfjs7WW+8GSRT/ANtvqNrYYjNutsCwllXduQBCQr4+sv2nbr9lf9sD9rG1/wCCX37Rv7L2j/EGzPwwf4hahqHiGKKS30mL+0P7Ot1hBXzVuJX+0YkjZCqROMndg8UP2e/+Cdn/AARn8W/DjxF+zr+xB4f0KX4tfE7Tfh9deKtIYvf6XLqIl+zM01yZJmt3nhjjaNJFG6SNiG28AH2tX59f8FtP2UvgJqeq/B39rrUvAz3HxC079ob4a6Rp+uz6vdutrZnxLbbkitjL9njZhI4aRYw7A4LEAY/QWvlX/go3+wp+1L+25feGNF+F/wC2P4a+HnhTw14h0LxJHoupfCRtcup9b0vUTewXBuhqtqFgYpbo0HlE/u3PmfPhQDxr/gpRP+zLd/8ABSX4e6B/wU71vSLT9nqf4QanJ4Si8c6gbbwvceNF1GLzheszLA1yun7TbLcHHM5j/eV0P/BAX45p8Xf2fPi74L8MaxrWoeBvhv8AtCeIvDXwqu9fe4e4HhcR2l7p0W+5/fPGkV7tiMhLCDyR2AHuPjz4Fft7+J/hr4W8O+Hv23fBOneI7C2uY/GOs3nwOF5Za1I8qtBNb2baqrWTxINozNOrE7ivAA6z9kT9lnwt+yN8KJvh7ovinU/Eeraxr994h8ZeLtbEYvfEGtXsplu76ZYlWNCzYVY0UJHHHHGowgoA4n4BfE7w38Uf2/fi/qHhrTfENtHp3wr8D2NwviLwjqOju8qar4uJaJL+CFp4vmGJow0THIVyVOPoevGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBzvxb+FXgn43/DbWfhP8RtIW+0XXbF7W+t24O08h1P8LqwDKw5VlBHSvBv2Gfip42+HHivVv2Bv2gtXa48WeB7VZvCOuXHH/CS+HidsFwpP3pYgBHIMkjaOWKu1fTdeEftz/s3+Kvi14W0n4wfBC4Sw+KXw6u21TwXf4x9rwP32ny8jdFOgK4JA3YyQpbPr5bXpVISwWIdoTd039ieyl6P4Z/3WnvE8fM6FalUjj8Or1IKzivtw3cf8S+KH95NbSPd6K85/ZU/aQ8K/tUfBfTfit4bt3s7iQta67o0+RNpWoRYE9rICAQVbkZAJVlbAzXo1ebXoVcNWlSqq0otprs1/X69T0sPXo4qhGtSd4ySafdP+vzW6CiiisjYKKKKACiiigAooooAKr6tpOm69pdzoms2MV1Z3kDw3VtOgZJY2BDKwPUEEirFFTKMZxcZK6ejXdMcZShJSi7Napng3wf1bUv2Zfien7NPjO+ll8MazJJP8OdYuXJ2c5fTZGP8AEpOUz1BA/iVR7zXI/G/4PeH/AI4fD+68E65I9vKWE+l6lDxLYXacxzoRggg9cEZBIzzXNfs1fGHxB4uttQ+FPxVjW28deE3FvrUPQX0X/LO9i6bkkGCcdCegDKK+SyuUuHcwjlFV/uJ3eHk+ltZUG+8FeVK796neGrpa/WZnGPEGAlm1Jfv4WWIiut9I10u03aNW3w1LS0VTT1Oiiivrz5IKKKKACvlb4721z+xD+0fF+1v4dt3X4e+ObiDTPixYwISmn3RbZbauFHTltkhHXcThmkBH1TWX418GeGfiJ4R1LwJ4z0iK/wBK1eyktNQs5h8ssTqVYe3B4I5BwRyK4sdhXiqK5HacXzRfaS/R6qS6pvsjz8ywUsZQXs3y1IPmhLtJd/7rV4yXWLfVI0bW6tr22jvLO4SaGZA8UsThldSMhgRwQRzmn18zfsZeMvE3wI+Iep/sB/F7V5bm68P2xvvhrrd0cHWdBJO2LPQzW+ChUfwqcDbHk/TNXgsUsXQU7Wa0kusZLdfJ7Pqmn1Ly/Gxx+GVS3LJNqUesZLSUX6PZ9U01owooorqO0KKKKACiiigAooooAKKKKACiiigAooooAKKK8B/4KUfteap+xf8Asz3HxL8N6Et/rOq6pHo2ieaxEVtczQzSCeTHJVFhc7RjLbRkAk104PCV8fi4Yairzm0l6v8Ap/ccuNxlDL8HUxNd2hBNv0X9JfM5n9iX/i9P7Unxx/axuP3tm3iGPwV4UlPRbLTlH2h4z3SWdlfPqpr6kr4f/wCCFP7Qtj8Tv2atS+DCeEvsF34AvUNzqCSFl1IX0tzMJWLc+aGSQNyRjZjHQfcFenxJRq4bOatCatycsUv7sYpRfzXvesmeVwxWpYrJKWIg7+05pt/3pSk5L5P3fSKCiiivDPfCsb4ieNNN+HPgPWPHmrkfZ9I02a7kUnG/YhYKPckAD3IrZrxT9sqebxla+EP2d9OlYTeOvEkUeoKjYYabbET3LDHphPrzXjcQ5jUyvJa2IpK9RK0F3qTahTXznOPyTPXyDL6eZ5xRw9V2pt3m+0Ipzm/lCMvm0a/7GngvUvCnwI07WfEIJ1jxRcS6/rEjDBee6bzAT6ER+WCPUGvVKbBBDawJbW8SpHGgWNEGAqgYAA7CnV05Tl1PKcro4Km7qnGMb92lq35yk5SfnJmGa5hUzXM62MmrOpJyt2TeiXlGKjFeUUFFFFegeeFFFFABRRRQAUUUUAfNH/BQZj8VfEvws/Y/syZF8feMkvfEUK850bTgLm4VvTcwj2k8EoRzX0sqqqhVUAAYAA6V+XvwT/4KSz/F3/gpzovxD8QfDkf2ZrUCeDPDdqJW8/TIbi7UpcsD8rSM7fvMAYRiATt+b9Q6+fyPHYXNKuIxNGV/eUfSMV7v33lI+X4czLBZzXxeMoS5vfUNmrRhH3d/5m5y+avqFFFFfQH1AUUUUAFeM/sH/wDJENc/7LN8R/8A1Ndbr2avGf2D/wDkiGuf9lm+I/8A6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFeW/tyfE7xJ8Ev2KfjB8Z/BkjprHhH4W+INa0po1ywubXTbieIgdzvjWgDwT9vv8AZe/bY8PftVeE/wDgo3/wTph8J69470TwTP4L8b/DjxxfPaWfinQHu/tkK290vFtdwXJkdWfCsJSCcApJ574c+Cv/AAVb/wCCif7Q/wAL/F37f3wI8DfA74U/CLxva+NbbwVoHjJNf1nxNr9mr/YGluYAIYbSGRzKV+8zKAQ2Q8eX+2V+1/8AHL9j/wD4N4PCXxe+H3xZ1XxF8WfGfw88KaP4c8XajeG4vb/W9aS2827SR8kyKk1zNF12mOMdFrzm7/4J+ePf+CNHxT/Zv/aF+FH7aPxa8bar49+MmgfD7416J458WvqGl+JV1oSQPfxwOoMUsFyFkjJZ2CdXOH3gH600UUUAFFFFAHjPgf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB8i/Hazu/2A/2lh+134XtZB8MPiBeQ2Hxc023QlNKvmbZb60qjoCzbJcDksT8zSLt+trO8tNRtItQ0+6jngnjWSCeFwySIwyGUjgggggjrVDxr4M8MfETwjqXgPxro0Oo6RrFlJaajY3C5SaGRSrKfwPUcjqOa+Z/2MvGfif9mT4s3v8AwTu+MmszXUen2z6h8IPEN43Or6ICSbNm6Ge2wRtH8CnACopb3J/8KuB5/wDl9RWvedNaJ+cqeifeFn9lngw/4SMf7P8A5c1np2hUerj5RqatdFO6+2j6rooorwz3gooooAKKKKACiiigAooooAK8k/aV+FHie9udP+PPwdhC+NvCiloYAPl1ey6y2UgH3sjJT0YkDBII9borzs1yzD5vgZYatdXs1JaShJO8ZxfSUZJNP1TunJP0MrzLEZTjY4mlZ2unF6xlFq0oSXWMo3TXo1ZpNcx8H/iv4X+NXw/sfiB4UmPkXabZ7aQ/vLWdeJIZB2ZTx7jBHBBrp68C+Itnd/smfFeT45eHraRvAnim7SLx1p0CEjTbpjtTUUUdFJOJAOpPcldvvNneWmoWkV/YXMc0E8ayQzROGWRGGQwI4IIIINcGRZniMUqmDxtliaNlNLRST+CrBfyVEr215JqcHrFX7s7y3D4ZwxmCu8NWu4X1cWvipSf89Nu19OaDhNaSdpKKKK+gPBCiiigDxb9tf9nnxB8ZfAth46+FF0th8RvAl5/a/gjUhgFplAMlm5PWKdV2FScZ25+UEHpf2W/2hvD/AO038HdP+Jmj2rWV7ua01/R5ciXS9Riws9s4PIKtyMgEqynAzivRK+VPjRDN+wx+0vH+1FosTR/DX4h3kOn/ABQtIl/d6VqLHbb6uFH3VYnZKfViTuZ1x5GK/wCE/E/XF8ErKp5dIz/7d2l/daf2Twsb/wAJeM+vx/hytGqu3SNT/t2/LP8AuNN/AfVdFNhmhuYUuLeVZI5FDI6NkMDyCCOop1eue6FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfG/iLwh4f/wCCmP7WGq+H/F1i2pfBf4QyTadLbLcSRw+IfEkkZSYh42ViltG2AVIIcgglZDXpn7fnx98X/DP4faZ8Hfgq3m/Ev4m350PwbAjYa13AfaL9sfdSCNt27naxUkEBq9C/Zq+AfhD9mT4J6D8FvBa77bR7QLcXjriS9uWO6a4f/aeQs3sCAOAK9zCSlleCeMTtVqXjT7pbTmuz+xF93JrY8HGRjm2OWCavSp2lU7Se8Kb7r7c12UE9yT4Efs5fBP8AZl8IP4E+Bnw/tfD+mS3BnnhglklkmkIxukllZ5JDgADcxwOBgV21FFePVq1a9R1KsnKT3bd2/Vs9qjRo4ekqdKKjFaJJJJeiWgUUUVmaBXiXw9/4ur+2J4t+IL/vNN8C6XF4d0puqm7kPm3Tj0Zf9WfYivUfiX440/4a/D7WvH+qYMGkabNdMhON5RSVQe7HCj3NcV+xz4I1Dwb8BdKvdfy2r+IpJNc1mVhhpLi6bzMsPUIY1PutfLZt/wAKHEGCwC+GnzYif/bnuUk/WpOUv+4fkfT5X/sGQ4zHP4qlqEP+3/fqtelOEY/9v+Z6jRRRX1J8wFFFFABRRRQAUUUUAFcl8ePirpnwP+DHif4uavtMPh/RZ7xY3OBNIqHy4vq77UHuwrra+aP+Cgzv8V/EPww/Y5sXLj4geLkvPEkSnP8AxJdPxc3Ct/d3MI9pPBKEc1xZjiJ4bBTnD4to/wCKT5Y/i19zPOzbFTweX1KlP47Wj/ik1GP/AJNJP0TKP7AH7Cvwh+HPw48IfHzxt8PYLr4mappp1TU9cvJpWeGW7Zptqwl/KidEkWMsqBuDzya+paRESNBHGgVVGFUDAA9KWqwWCw+Aw0aNGKSVr2Vruyu33b3bLy7LsLleEjh6EUkkr2SV3ZJyfdvdt66hRRRXWdwUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFUvEvhvQfGXhzUPCHirSYL/S9VspbPUrG5TdHc28qFJI3B6qysQR3Bq7RQB+eHwo/4N5Phj4A+LfgHUvGv7aXxf8AHPwo+E3iaPxB8L/gn4r1lLjSNEvoSxtdz433EVuWIiQgFV+Usys6v9UftS/sc6X+1T8UPg5418WfEG+sdG+EfxAHjFPDVtZo0es6nDbSw2Tyyk7o1gaaWQBQdzEZxtBrw39qH/g4M/4Jm/sr/GDUvgBrnxP13xj4y0SZote0L4c+FbnWH0yRTh45pYlEIdTlXQOXRgVYKeK9I/YQ/wCCtH7CX/BR641TQf2X/jGL3xFoUXm634P1zTJ9N1ayj3BTI1vcKpkjDMqtJGXRWZVZgSBQB9I0UV4X8d/+ClX7E37M/wAc/Dv7Nfxp+NqaT438VXum2mi6FB4f1G9aSW/ufstmJZLW3kjt1lmyivMyLkckDmgD3SivLf2k/wBtH9mv9kh9Ds/jv8Q5NO1DxNLPH4d0LSdBvtX1PUzCoaZoLHT4J7mVI1ZS7rGVTeu4jcM7v7P/AO0Z8E/2pvhvB8W/gD8QrPxJoE91Nam8tUkje3uYXKTW88MqrLbzIww0UqK6nqozQBx3gf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV41+2x+zHd/tHfDK3uvAuqjR/H/hG9GsfD/xAhCtZ6hHgiNm/wCeUu0I4OR91iG2AV7LRW+FxNbB4iNak7Si7/8AAa6pq6a6ptHPisLRxuGlQqq8ZKz/AEafRp2ae6aTPJv2Nf2nLT9qD4Rr4j1XSTo/ivRLt9J8ceHJQVl0vVIflljKnkIxG5DzwcE7lYD1mvk79rHw7rn7HPxzt/8AgoD8MNKnn8O6gsOmfGvQLGMsbixyFh1ZEHWaAkBj1KY+6DI1fUnhzxFoXi7w/Y+KvDGqwX+m6laR3Vhe20gaOeGRQyOpHUFSCD7125lhqK5cVh1+6qXsv5ZL4oP0vePeDT6M4csxVaTlhMS71adrv+eL+Ga9bWkuk1JbNF2iiivLPWCiiigAooooAKKKKACiiigCrrei6T4k0e68P69p8V3ZXtu8F3bTLlJY2BDKR6EGvEvgtrerfs4fEpf2XvHeoSzaDqJef4b61dNnfFnL6fIx/wCWkefl9QQOMote71xvx1+DeifHDwDP4Q1O4e0u45FudG1WHiXT7xOY5kI5GDwQCMgkZHUfO57luKqunmGAS+s0b8qvZVIPWdKT7TteLfwVFGW3Pf6DJMxw1JTwGOf+zVrcz3dOa0hViu8b2kl8dNyjvy27KivMP2a/jJrnjrTr/wCHHxOt0svHPhSQWviC06C5X/lneR9N0cgwcjgE9ACufT69PLMywubYGGKw7fLLo1ZxadpRkukoyTjJPZrtZvzcyy7E5VjZ4Wuvej1WqkmrxlF9Yyi1KLW6fqkUUUV3nCFZHj3wL4W+JvgvVPh7430iO/0nWbKS01C0lHEkbjB56gjqCOQQCORWvRUyjGcXGSumTOEakHGSuno13T3Pmn9izx14q+DfjbVf2CPjLq0lzqvhS2+1+ANbuuDrnh8kiLB7ywY8tlHZcDIjLH6WrxL9tr9n3xN8VvB2m/E/4OzLZ/En4f3Z1XwZfAYM7AfvrF+m6OdBsKkgbtuTtLZ639mP9oLwx+018HdM+KnhyFrWWcNb6xpUp/e6bfR/LPbSA4IKt0yASpVsDdXl4GUsJVeBqPZXg31h29YbPvHlfc8bLZzwNd5dVd+VXpt/ah/LfrKnpF9XHkl3PQKKKK9Y9sKKKKACiiigAooooAKKKKACqmv69o3hbQr3xN4i1KGy0/TrSS5vry4fbHBDGpZ3YnooUEk+gq3Xyp+29r2s/tMfF3w//wAE7vh1qc0Nvq8aa18WdUtHIbT9CjcFbXcPuy3LhVA6hdpIKua7cvwf13EqDfLFXcpfyxWsn92iXVtLqcOY436jhXUiuabajGP80npFffq30ipPoH7EWg6z+0z8XvEH/BRD4iabNDbatHJonwl0u7TDafoUbkNd7T92W5cM2eoXcASjivquqmgaDo3hXQrLwx4c0yGy0/TrSO1sbO3TbHBDGoVEUdgFAAHoKt0ZhjPruJc0uWKtGMf5YrSK+7VvrJt9Qy7BfUcKqcnzTbcpS/mk9ZP79EukVFdAoooriO4KKKKAPE/2xZZPHD+DP2c7F2L+NvEcZ1RUPI021xPcHjp0THrg17VFFHBEsMMaoiKFRVGAAOgFeKfDP/i6n7XvjP4lSfvNO8FWEXhnR26qblj5t2w9GVv3ZPowr22vluHf9uxmNzR7VKns4f8AXuhemreUqntZeejPp+IP9iwmDyxb04e0n/18rWm7+cafso+WoUUUV9SfMBRRRQAUUUUAFFFFABXzP+z/AP8AF9P28vij8fJT52k+A7SHwJ4ZkPK+eh8/UGHYMspVMjkq+K9l/aJ+Len/AAH+Bnir4v6iUK6Bos91BHIeJZwuIY/+BylE/wCBVxv7Afwk1D4O/sp+FtG8Qh21zV7Ztb8QzTD95Je3jGd9/qyh1jP/AFzry8T/ALRmNGh0heo/l7sP/JnJ/I8XGf7Vm1DD9IXqy+XuU1/4E5S/7dPZaKKK9Q9oKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK8r/bo+K+v/Af9iT4x/HHwpceVqngz4V+Idd02UDOy4tNNuLiNvwaMGvVK4P9qX4ffC/4tfsx/Eb4VfG/xX/YPgvxN4D1fSfF+uf2jFZ/2dpdzZSw3Vz58wMcHlwvI/mSAom3cwIBoA8i/wCCQH7Lfwr/AGU/+CePwr8KfDjwxa2t9rngjS9c8XawsI+1a3q93ax3F1d3Mv35naWV9pcsVQKgO1QK8s/4Kx/DLwV8L/2mP2Vf25/BGg2umfEGx/aK8PeBtT16zhWOfVNA13ztPubK4ZQDOitJFJHv3eWVfbjeTXzRpX/BO/8A4I0aFpdtomif8HE3xZs7Kzt0gs7O1/bK0aOKCJFCpGiKgCqqgAADAAAFdH8I/wDgnb/wR5vPjv8ADnxFYf8ABcL4g/EnXfDPxD0XXfCPg7xL+1No+tW2o6zaXsU1lF9j8stOzTKqBI8SNvKqQWoA/WCvj3/gtP8A8kB+FP8A2dF8NP8A1JbOvsKvBf2sf+CZ37HX7b/i3TfG37S3gfxLrd7pFvaxadHpvxN8QaRawm2uJLiCYW2nX8EBnSWRnWcoZRhBvwiBQDwv9tS2+LnjL/grV8J/Cn7HPiPQPDPxZ0T4K+IdS13xJ49sZNQ0OXwtPqVhC1mLCF4p7i7N7FBIskVzbiKON95lEioN/wD4IvSX+leEPjx4B+IKxXHxK0T9ojXD8V9c025V9L1nW7i0sbgXVggjQ21v9kktI/sz7pInicPJKxMj+qeM/wDgmR+xZ8QvAfg74f8AjD4YatexeAI7mPwfrrePdbTXtMjuGLTomsJeDUGSQn5la4ZSFUEYRQPQ/wBnr9mz4G/sp/DpPhR+z78ObLw1oQvZr2a1tXkkkuruZt0tzcTSs8txO5A3Syu7tgZY4FAHmHwC1L4r6n+378X5Piz4L8PaJcx/CvwOmmReHfE8+qJcWY1XxdsmleaytDDKTuBiVZFUAESNkgfQ9eM+B/8AlIX8UP8AsjPgP/07eL69moAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigCtrGj6V4h0i60DXdOhvLG+tnt7y0uYw8c8TqVdGU8MpUkEHqDXyn+zHrGq/sQftBSfsKePtQmk8E+JHn1P4K63eSFhGm7fcaM7nq8bNujzyQ3XLoo+ta8t/a/8A2ZtG/an+Dlz4Ek1JtL12xuE1Lwh4hhJWbSNUh+aC4Rl5Az8rY5KscYOCPUy3E0Yc2GxD/dVLJv8AlkvhmvOLeq6xcl2PKzPC1p8uKwy/fU7tLbmi/ig/KSWj6TUX3PUqK8T/AGH/ANpnWfj58Pr7wr8UdNXSviT4Gvf7H8f6IwCmO7TIW6QDgwzqpdSPlzuAJCgn2yuPFYWtg8RKjVXvR+59mn1TVmn1TTOzCYqjjcNGvSfuyXzXRpro00010aaCiiiuc6QooooAKKKKACiiigAooooA8h/aU+F3ilNRsP2hvg3bD/hMvC8Z8yzXga1p+cy2bgfeOMlO4PTkqR3fwm+KPhb4y+ArD4heELkvaX0WWif/AFlvKOHicdmVsg/mMgg10deA+Oba4/ZF+LUnxe0WB/8AhX3i69RPGVjEpK6RfOdqX6KOiOTh8dz3JQD4/ME+GsxlmcP92qte3XSEtIxrpdto1v7vLV3hNn12Aa4jy+OWz/3mkn7B/wA8dXKg/PeVH+9zU9pxR79RTLa5t7y3ju7SdJYpUDxSxsGV1IyCCOCCO9Pr69NNXR8k007MKKKKYgr5U+K0cn7CX7TqftEaWjRfC/4mX8Vl8RbZB+60XVmOINUwOFSQkrKeBkljuZkA+q6xfiN8PvCXxX8Cat8N/HekpfaRrVi9rf2z/wASMMZB/hYHDKw5VgCORXFjsLLE0k6btUi+aL7Nd/KSvGS7PukedmWCnjKCdJ8tWD5oPtJdH/dkrxkuqfdI2Y5I5Y1licMrAFWU5BB7ilr5s/Ym+IXi34XeK9X/AGEPjXqr3HiDwZbC48Gazc8HXvD5O2CQeskPEbgdAAOdjNX0nV4PFRxlBVErPZp7xktGn6P71ZrRmmAxsMfhlVSs9VKL3jJaSi/NP71ZrRoKKKK6jtCiiigAooooAKKKKAOF/aU+PnhD9mT4Ka98afGrbrXR7Qtb2aNiS9uWO2G3T/aeQqvsCSeAa89/YD+Afi/4a/D/AFT4yfGpPN+JfxOvxrnjKZ0w1puH+j2C5+6kEZ27f4WZgCQFrhdS/wCM8f23U0Nf9J+FnwJ1MS33eDXPFePlj9HS0UnPo+QQVkFfW1e1if8AhOwCwq/iVLSn5R3hD/2+S7uCex4WF/4U8weLf8OleNPzltOf4ezi+ym1uFFFFeKe6FFFFABWB8U/Hdh8MPhxrfxB1LaYtI0yW52MceY6qdifVm2qPc1v18Z/8FRfjv4r0bU9P+A2jGGLTL7TYdS1Z9oZ7gidxHCc/dUNCHP97I7DB+T444lo8JcMYjMZ35kuWFlf95O6h8k9X5R8z6rgvhyrxVxJQy+FuVvmnd29yNnP5taLzfke/fsfeA7/AMCfATRzru5tW1zfrOsyuMO9xdHzTu/2gpRT/u16dXDfs1fETxB8V/gX4c+IHinR0sb/AFGyZri3jjKIdkjxh1U9FdVDgejiu5r0uHIYOnw/hI4Rt0vZQ5W1ZtOKd2nqm7uTv1k/V+bxDPF1M+xcsUkqntJ8yTuk1Jqya0aVklbol6Iooor2jxwooooAKKKKACiiigD5n/b5J+L3j74VfsdWhMkPjLxWNW8UxLyP7H04CeVH9BI+0KT/ABR4r6YAAGAMAdAK+Z/2bP8Ai+X7b3xY/aMm/faX4RWHwF4WlPK7oCJr9h2z55UBh1ViK+mK8vLf3062Kf25WX+GF4r73zs8XKf9oqV8a/8Al5K0f8FO8F98ueXzCiiivUPaCiiigAooooAK8Z/YP/5Ihrn/AGWb4j/+prrdezV4z+wf/wAkQ1z/ALLN8R//AFNdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK83/bJ8cfDT4ZfshfFX4k/GfwKPFHg7w98N9c1PxZ4ZMMcg1fTINPnlurPZIQj+bCjx7WIU78HjNekV5F/wUD+Ffjn46/sF/G74I/DDSF1DxL4y+EXiXQ/D1g9zHCLm+u9LubeCIySMqRhpJEXc7BRnJIAJoA+Wfif+xr/AMEMfgv+xzpn7bnxJ/4Js/Da08J6lp3h+6+zWnw8sp7uH+17mztbVCgABIlvYQ5DYADEZxz7x4I/4JFf8Ev/AIa+NNI+I3w//YJ+Feja9oGqW+paJq+neDrWK4sbuCRZYZ4nVMo6SKrKw5BUGvz3/aM0X/gv9+0L/wAE/NP/AGCrz/gkD4a0u00+w8LWw8SxfHvRZZHGi3+n3it5BkUDzTYBCN/yiUn5tuD9UfCL9sf/AILpeKPix4X8NfF3/gjb4X8L+E9R8RWVr4n8TW/x90q8k0jTpJ0S5u1t0+adooi8gjX5nKbRyaAPuuiiigAooooA8Z8D/wDKQv4of9kZ8B/+nbxfXs1eM+B/+UhfxQ/7Iz4D/wDTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD5a/bZ8AeLvgJ8RtO/wCCh3wO0WW71Dw7aCy+J3h60GDr/h/ILyY6Ge3ADqx/hQZO2Pafoz4efEDwj8VfA2lfEjwFrMWoaNrdjHd6deQniSJxkZHVSOhU8ggg4INa80MNxC9vcRLJHIpV0dchgeCCD1FfIvwmmm/4J6ftPj9m/WpWj+EfxP1KW7+Gt5I37rQNYc7ptJJP3Y5Sd0Q9SANzGRh7lP8A4VcD7J/xqS93vOmtXHzlDWUe8OaP2UeDU/4SMf7VfwazXN2hUeil5RnpGXafLL7TPryiiivDPeCiiigAooooAKKKKACiiigAqn4g8P6N4r0O78NeItOivLC/t3gu7WZcrLGwwyn8DVyipnCFSDhNXTVmnqmno011TTsyoTnTmpwdmndNaNNapp90zwr4G+INZ/Z9+Ig/ZW+IWoyz6Xcq8/w41u5b/j4tgctYu3TzYs/L6r6AoK91rivj18F9J+OHgOTwzc3bWOpWsq3eg6vDkS6feJzHKpHOM8EDqCehwRkfs2/GfV/iLo994H+Itoth438LTC08S6fwBIcfJdR+scg+YEcAnjgqT8llM55Bj1k1d3pSu8PJ9lrKg2/tU1rTu7ypaaypO/1WaQhnuBeb0VarGyxEV3eirJL7NR6VLaRq66RqK3plFFFfXnyYUUUUAeG/tu/ALxZ8R/DGlfGT4KsLb4l/Du6bU/Cdwo/4/VA/f6fJ03RzICu0kfNgZAZs9v8As1/H3wn+0v8AB7Sfiz4TVoReRmPUdOlP73T7xPlmtpBwQyNnqBlSrYwwru6+A/2qf2mNJ/4Jjfti6hrfgDw//bmkfEvQ11nxN4L+2G0S0vxM8S38MvluoMuyXem35mUkkfJjw8wr0snr/XZu1OVoz9dozS6v7MratWf2T5vNMTQyDEf2jUdqM2o1PJ7Qml1enJJLVx5Xryn35RXG/s/fG7wn+0d8HNC+NXgiK4j03XbVpIobpQJIXSR4pY2xwSskbrkcHbkcGuyr2aVSnWpxqQd4tJp909UfQUa1LEUY1abvGSTTXVNXT+4KKKKs0CiiigArwv8Ab1/aG8T/AAZ+F9l4D+EUX2r4kfEPUBoPgSyQ/MlxJgSXjddscCNvLEFQxTdwSa9t1XVNN0PS7nW9Zv4rWzs7d57u6nkCRwxIpZnZjwFABJJ6AV8sfsa6VqX7WPx313/goT43sJU0ZUm0D4OaddIVNtpUbss+obT92S4fcAeGC715Uqa9bK6NKLljK6vTpWdn9qb+CHo2ry/uxfc8jNa9WShgqDtUq3V19mC+Ofqk+WP9+S7M9s/Za/Z68MfsufA7Q/g54Zl+0HT4DJqmpOP3moXsh3T3Lk8ku5JGScKFXOFFehUUV51etVxNaVWo7yk22+7Z6VChSw1CNGkrRikkuyWiCiiisjUKKKKAML4mfEPw58KPAeqfEPxZc+XY6XatNLgjdIeixrnqzMQoHqwry39n34EWXjDQ7/4yftB+CtM1bxL4zukv5LLV7CO4TS7UDFtbIsqnYVQgngHJAPK5qp4p/wCMpP2ho/AEP73wP8OrtLnxAw5j1PV+fKtfRki5LD1ypHKmveq+Nw9KlxNm8sVWipYbDuUKaaTjOp8NWpZppqGtKndNX9rJdGfX16tXhvKY4WlJxxNdRnUabUoU/ip07pppz0qzs07eyi+qGwww20KW9vCsccahY40UBVUDAAA6CnUUV9kkkrI+Qbbd2FFFFABRRRQAUUUUAFfPP/BTf9pj4lfsq/syv8QPhRaw/wBsX+uW+lxX88AlXT1kjlc3GxgVYgxBAGBXMgJBxg/Q1fLHxSsbL9s39tfT/gfeWcWofD/4QRx6x4yt5oxJb6lrcyEWlm6nKuscZZ2ByDmRGHSvLzipWWCdKjLlqVPdi1um+vpFJtvt52PFz6rXWXSoYeTjVqtQg1upPd+kYqUm+iWmrRw//BDj4u+LfHfwQ8U+BNf8Polr4d1xZ7XXFRg2oS3hmlmWRjw8iFFJbrtlQEcAn7frL8H+CPBfw80OPwx4A8IaXoemxMzRado+nx20CEnJIjjUKCT14rUrTKsHVy/LqeGqT53FWvt1f5ba69zXJMBWyvKqWEq1OeUFbmta+r/K9tde+oUUUV6B6oUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRXy1+3D+3z8e/2PPip4I0jTf2LH8T/D3xV428N+GdQ+I8/xEtLBbC81fUksVWKwEM1xcNEZEkbcIkYNgSZBIAPqWivJf2hviF+2l4O8QWFn+zF+y94F8eaZNZl9SvvFfxbuPDsttPvIEaRRaPfCVduDvLocnG3jJ5n/AIJpftoeNf2+f2aD+0X4v+Clh4IguvFWraXodtpXi5tattVs7G5a0/tCG4eztG8qWaKcIDECURXz8+1QDa8D/wDKQv4of9kZ8B/+nbxfXqviG+vbZbSx02RY5r67ECTMm4RgI8jNjudqHHuRXlXgf/lIX8UP+yM+A/8A07eL69S8Qf8AIW0P/sKv/wCklxQAg8P6vjnxzqmfaG0/+MUv/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqVz3xa+Kfgf4G/C7xF8Z/ibqs1h4c8KaLc6tr1/b6fPdvbWdvE0s0oht0eWTaisxVEZsA4BoAu/8I/q3/Q86r/35tP8A4xR/wj+rf9Dzqv8A35tP/jFcve/tO/AbTv2aH/bEvPiRZp8NU8Gf8JYfFYilMJ0c2v2oXQQJ5hBhwwQJvOQoXccV8of8FLP26/8AgoD8HP2Xrv8Abg/YE8H/AAa1j4S6X8LIfGV3rnxRGuRarfCQPKsFtpsKQMgNubd83EsTBpGVkBTBAPtf/hH9W/6HnVf+/Np/8Yo/4R/Vv+h51X/vzaf/ABisr4G+N9W+JvwT8HfEjXre3hvvEPhbT9SvYrRGWJJZ7aOV1QMzEKGcgAknGMk9ap/tE6n+0DpHwb1m/wD2WfCvhfWvHqrAvh/TvGmqT2elyM08aytcTQRySKqQmVwEUlmRV43ZAB0P/CP6t/0POq/9+bT/AOMUh0DWQMx+ONSLDoJILUr+IEIP6ivlH/glh+2X+2H+0n8R/j58FP20dA+Gln4m+Dfjqy0GOb4X22oJY3Cz2K3TEvfSvJKRvChtkWcH5K+w6AKPhzUbnVNJS5vFUTJLLDNsGFLxyNGxA7AlSfxq9WX4P/5BM3/YVvv/AErlrUoAKKKKACuA/ab/AGePBf7UfwZ1b4PeNg0Ud9GJNO1KFf32nXicw3UR4IdG54I3KWU8Ma7+itaNarh60atN2lFpp9mjKvQpYmjKlVV4yTTT6pngH7Cn7Q/jPx9o2s/s9/H7bbfFP4bTrp/ieNj/AMhW3x/o+pxZxvSZNpJH8RyQodRXv9fnh/wXP0P4pfDW98C/tM/Aka3oOpQWt/o3ijxf4ZvZrW4itnMD2sEskLAiMt9oIJ4BwM8rWn/wTz/4KWzeDvgro/g79vfWfE+ialfXjnwp428U6FcJZavYFU8vdeFSHlVxMDI+FKBCXJzX1WL4eq4/LY5tgkmpvWnH4oyV+blV9Y3XMklzRjLZpJnyOE4jpZfmksnxzadNaVZaRlF25eZtaSs+Vyb5ZSjum2j78oqh4a8U+GfGmiQeJfB3iKx1bTbpN9rqGm3aTwTL6q6Eqw+hq/XyLjKLs1Zn2UZRkk07phRRRSGFFFFABRRRQAUUUUAFePftJfDTxVpmsWP7SXwas9/izw1CVv8ATo+Brmm5zLauB95gMsh5ORgAnbj2GivNzfK6GcYGWHqNxejjJfFCcXeM4vpKL1XRq8XeMmn6OVZnXynGxxFNKS1Uov4ZwkrShJdYyWj6p2krOKa5/wCFvxL8LfF/wJp/xC8HXnm2OoQ7lVsb4XHDxOOzq2QR7cZGDXQV4B4shl/Y++Lb/EnTImX4ceMr9U8T2sYymiai5wt6oH3YpDgPjof+ALXvsM0NxClxbyrJG6hkdGyGB5BBHUVxZFmlfGQnhcYlHE0Wo1Etnf4akP7lRLmW/LLng9Ya9md5ZQwk4YnCNyw1a7pt7q3xU5f36bdn/MuWa0lo6iiivfPCCvEf2tP+Cf8A8Af2yr/S9b+KUer2Wp6REYLfVNBvI4Z5ICxbyH8yORWQMWYfLkFmwRk59uorDE4XDYyi6VeClF9Hsc2MwWEzDDuhiYKcHumrrTY+Urj9lT42fsVSnxl+wvqs+u+GEAfXPhH4j1FnjucAb5rC4fJgnbGSp+ViT97Cx16/+zh+1p8KP2mNMuYvCV1c6Z4g0tvL8QeENbh+z6lpcoOGWWFuSoPG9cr2JByo9Orx39o/9jPwF8eNTtviLoGsXng34g6UM6J478Pny7uEgYEcwBAuYuxR/wCEkAqCc+f9Tr5f72C1h1pt6f8Abjfwv+6/cf8Ad3PK+oYnK/ey7WHWk3Zf9w278j/uu8H/AHHqexUV8z+A/wBsf4g/A7xZZ/BT9vjQ7XQb+6l8jQPiTpykaFrpHTzHwBaTkclWwvU/INufpaKWKeJZoZFdHUMjqchgehB7iu3C4yhi4vk0a3i9JRfZrp5PVPdNo9HBZhhsfFum2pR0lFq0ovtKL1Xk9U902h1FFeJfte/tdL8BINM+GXww8N/8JZ8UvFxMHg3whbtksxyDd3JBHlW0eCzMSN21gCAHdPSwuFr4yuqNJXk/kkurb2SS1beiRpi8XQwVB1qztFfNtvRJJatt6JLVv8PFv2x/2pvh3+1b8TNB/wCCc/wM+LFp9p8Va89p8R9ZtZSi2OnW6+bPZQysAs0820x4jLgbWRvvHH2N4U8LeH/A/hjTvBnhPSorHS9JsorPTrKBcJBBGgREUegUAfhX5vfsrf8ABDj4yfCb9pHwp8Xfib8XvDs+j+GtUtNYMOjPcNeXF5CySiEiSJUWPzVwX3kso+6pbj9Ma9/iJZVhoUMJl1b2lOKbk7bzb1b0V9Eklb3Vpd3bPnuGnm+JnXxmZ0PZVJNRir7QS0S1dlzNtu/vN3srJBRRRXzB9UFFFFABXmv7T3xd1f4aeCYNB8Cwi58X+KboaZ4WsxjPnvw059EiU7iTwDtB4NeiajqNhpGnz6tql3Hb21rC01xPK21I41BLMxPQAAkn2rxH9njTr/46fEvUf2sfFVpIlgVk0z4e2NwuDBYqxWS72no8zZ56hdw5BWvmuIcZiZKnleDly18Rdcy3p01b2lX1SfLDvUnH+Vn0eQYTDxdTM8ZHmo0LPle1So7+zp+ja5p9qcJfzI9F+BXwi0n4I/DSw8B6bMbiaIGbU79877y7fmWZieSS3TOSFCjtXX0UV7mDweGy/CU8Nh48sIJRil0SVl/wXu223q2eJjMXiMfip4nES5pzblJvq27v/htkkktEgooorpOcKKKKACiiigAooooA89/am+POk/s1/ArX/i3qMIuLiwtfL0iw5Jvb6Q7LeAAcndIVzjkKGPasH9iD4C6t8BvgZa2njeZrnxh4lu5de8bX8uDJPqdyd8isR12DbHxwShI+9Xn3jD/jLr9uzT/h7H+/8DfBBo9W17vFfeI5VP2WA9m8hMucdG3qw5FfUNeThv8AbMfPEP4YXhD1+3L77QXlGR4mE/4UMzni38FO9OHm/wDl5L70oJ9oy7hRRRXrHthRRRQAUUUUAFFFFABXjP7B/wDyRDXP+yzfEf8A9TXW69mrxn9g/wD5Ihrn/ZZviP8A+prrdAHs1FFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfnp/wAF7v2xf2Wvg/4O+FvwZ+KHx58NaF4ri+OXw98VyaBqWpLHdLolv4khafUCh58hBbXBZ+g8l/Sv0LooA+P/APgox+25oF//AME0dQ+Jn7GvxD0zxPrfxkntvAnwd1jRLwSQ32s6vcnTopoZF4JgzcXBPQC0b0r6I/Zo+Angv9lr9nrwT+zh8O4NmieB/C9lounEoFaVLeFY/NfHV3Kl2PUsxJ613FFAHzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPc/EH/IW0P8A7Cr/APpJcV5b4H/5SF/FD/sjPgP/ANO3i+vUvEH/ACFtD/7Cr/8ApJcUAcN+0b+zP/w0V/Y3/GQPxO8C/wBj/aP+Sc+K/wCy/t3m+V/x8fu383Z5XydNvmSdd3HmP/Ds/wD6yBftN/8Ah1v/ALmr6bor0aGbZjhqSp0qlorpywf5wb/E83EZPluKrOrVp3k93zTXlsqkV+CPmT/h2f8A9ZAv2m//AA63/wBzUf8ADs//AKyBftN/+HW/+5q+m6K2/t3Nv+fv/ktP/wCVGH+r+T/8+v8Ayap/8tPmT/h2f/1kC/ab/wDDrf8A3NXT/Bz9hv8A4U98SNO+I3/DYPx08U/2d53/ABIfGXxB+3abdeZC8X76DyV37d+9eRh0Vu2K90oqKmdZnVpuE6l01Z+7DZ+lNP7mvU0p5HlVGopwp2ad171TdetRr70/QKra1o2k+I9Hu/D2vadDeWN/bSW97aXEYaOeJ1KujKeCpUkEdwas0V5Z6p+GGn634s1b4aaZ/wAGwt/qd9Jr1l+0g/h7Up3kb7RJ8I7cr4jS8aX+F3tmis1GcEDZk5wfvr/gvL8TPg78P/8Agk/8cPhZrPxB8NaJq2pfCq+i8P8Ahy61a3trm6QKEVbe3Zg0gGNoCKemO1fVEfwD+BUPxhk/aHi+C3hJfiBLpn9my+OV8OWo1h7Pj/Rje+X55i4H7vft4HHFYXxu/Yy/Y+/aZ1qz8SftIfso/DX4g6jp1qbbT7/xv4F0/Vp7WAsXMUb3ULsibiW2qQMknFAGF+w58Zvg/wCPf2TfBE/gT4q+G9bTQPAGjJrraPrlvdf2cwsI8rP5bt5R+R+Gwflb0Ndt4W/aF+A/jf4P2/7QnhL4zeF9Q8B3Vu1xb+MrbXYG0uSJZDE0gud/lbRIpTO7G4EdaofBn9k79lj9nHStW0L9nn9mn4f+A7HXtn9u2fgzwbY6XFqOxWVPPS2iQTbVdwN4OA7AdTVqL9mn9nKD4KH9mqH4AeCU+HJtTbHwAvhWzGieSZTKYvsPl+RsMhLldmNx3YzzQB8J/wDBJv8AaH+AFz/wUL/bUs7f45eDpJvFXxs0c+GIk8TWhbWB/Y8CZtQJM3Hz/L+73fNx1r9Iq8T8E/8ABNT/AIJzfDXxdpvxA+HP7AXwT0DXtGvI7vSNb0T4VaRaXdjcIdyTQzRW6vE6kAhlIIIyDXtlAGX4P/5BM3/YVvv/AErlrUrL8H/8gmb/ALCt9/6Vy1qUAFFFFABRRRQAVR8R+GfDfjHRbjw34u8P2WqaddJsurDUbRJ4Zl9GRwVYexFXqKabi7p2YnGMlZq6PmXxN/wTM8C+FdbuPHX7H3xW8SfBvX5n8yWPw3cm40i6ft5+nzExuOmFUqo/u1R/4aJ/b2/ZoP2f9pj9nSD4keHYPv8Ajb4TZe7RB/HPpsuHLY5YxlUXHevqiivWWcVqq5cZBVl/e+NelRWl9/MvI8eWS0KTc8FN0X/d+B+tN3h9yg/M8t+Af7aP7M/7S6fZ/hJ8VtPvNSUH7RoN4xtdRgZfvBraYLJ8pyCwBXI6mvUq8o+Pn7Ef7Mf7Sj/2j8UPhbZSawhDW/iPTM2epQuv3WFzCVdtp5AcsvtXlv8Awof/AIKC/szfvv2ePj/a/FTw5B93wd8VDt1FEH8MOpR4Lv0A83ai46Gn9VyvF/7vV9nL+Wpt8qkVb/wKMfUn63m2D/3mj7SP81Lf505O/wD4BKXofVNFfNHhP/gpr8M9E16DwF+1l8OfEfwa8RzNsjj8XWpfTLl+/kahGPKkQf32CLx1r6M0LX9C8UaRBr/hnWrTUbC6jD2t7YXKzQzKf4ldCVYe4NceLy/GYJr20Gk9nvF+kleL+TO7CZjgsen7Com1utpL1i7SXzXzLdFFFcZ2hRRRQAUUUUAUfE3hrQvGXh698K+JtNjvNP1C2aC7tpRlZEYYI9vqOQeRXjXwG8S658CvH5/ZR+JOpST2pief4d63cn/j+shybNm/56xDgDuo6AbM+51w/wAf/gtp/wAbvAraGt82n6xYTreeHdZiyJLC9TlJARztJ4YdwfUAj5zPcuxUpwzLAL/aaKdleyq03rOlJ/3rc1Nv4Kii9pTPockzDDRhPLsc/wDZ61rvd05rSNWK8r8s0vjpuS3jA7iivNv2b/jTqHxP0C88L+O7Ead408MTiy8UaYcDEo+7cIO8UgG4EcdQMjBPpNerluY4XNsDDF4d3hJddGmtHGS3UotOMovVSTXr5eY5ficrxs8LiFaUX01TT1UovZxkmpRa0aafoUUUV3HEFFFFAGP488AeCfih4UvPA3xD8L2Ws6Rfx7LvT7+ASRyDscHoQeQwwQQCCCM180y/Dj9pH9gKRtV+BcepfEv4SxMXuvAV3OZdY8PxdS2nytzcRL/zxbngAclpK+rq8b/a7/a40v8AZv0bTvCvhLw7J4p+IviuU2vgnwVZHM19OePOlx/q7dOrucDAIBHJXF5RLNcTGNC6q/ZkrJpbu99HBbyUvdtd6bnjZvh8EqX1upN05wWk4/Er7Rt9tN2XI07t6Weq4j4kf8FN/hDc/DPSLn9mc/8ACd+PvF87WPhPwRbgpdR3YHztexkhraKLO52bAYD5W25deo/ZB/ZFu/gtPqfxm+M/iNfFfxZ8XASeKvFEi5W3U4K2NoCB5VtHhQAAN+0EgAIq+S+C/wDgmd8V9AsG/aHtf2gbnSvj7qN9Nqmq69aQqdHkeYKW01rYLhrYbQu/G4nL7ThVHpnwU/bZuJPG8P7P37Wfg5fh98RG+WyWaXOleIBnAlsbgnadxx+6Y7gSFBZgQN55xLLaby6pZOTs60b8lXXSKbScF/cl8cveUpLlivHwVfEyxtOtnMeSWnsv+fabVrvV8tZ9pO0U+WnJvmb+gaKKKR9iFFFFABRRXKfGz4s6H8E/htqXxC1xfNFpHts7NT893ctxFCvfLNjpnAyegrnxeLw+Aws8TiJKMIJyk3skldv+t9EtWjowmFxGOxUMPQi5Tm1GKW7bdkv6829Ezzn9pHVtT+M3j7TP2SvB17JFFfRrqHjy/t2wbPTFYEQZHR5mwMehGQVY17TpGkaZoGk22haLZR21nZW6QWtvEuFijRQqqB2AAArzj9l34T654C8JXfjT4hsJvGXi+6/tLxLcMOY3Yfu7YeiRKdoHQEtjjFen14PD2ExFR1M1xkXGtiLWi96dJX9nT8nZ89TvUm19hHuZ/isPTVPK8JJSo0L3ktqlV29pU81dclP/AKdwT+2wooor6Y+bCiiigAooooAKKKKACvOP2sfj5Yfs1fAfXfipLbi5v7eAW2g6ftLNe6hKdlvCFHLZcgkDnarHtXo9fL2u5/a7/bxtfDC/v/AvwLZL7Uu8V/4mlU+TH6N9mQFuOVkDKRhq8/Ma9SlQUKX8Sb5Y+Te8vSKvJ+iXU8vNsTVoYZU6D/e1HyQ8m95ekI3k/RLqej/sU/AO/wD2fPgRY6B4ruDdeKtbuJda8aag7BnutUuTvmLMPvbfljB7iPPc161RRXVh6FPC0I0ae0VZf13erfm2dmFw1LB4aFCkvdikl8u/m9W31bbCiiitjoCiiigAooooAKKKKACvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9epeIP+Qtof/YVf/0kuK8t8D/8pC/ih/2RnwH/AOnbxfXqXiD/AJC2h/8AYVf/ANJLigDUorjPi7+0J8IPgP8A2f8A8LW8Xf2V/avm/YP+JfcT+b5Wzf8A6mN9uPMTrjOeM4NcX/w8I/ZB/wCiu/8AlA1D/wCR68LGcUcM5diZYfF42lTqRteMqkIyV1dXTaaunf0PbwfDPEeYYeOIwuDq1KctpRpylF2dnZpNOzVvU9norxj/AIeEfsg/9Fd/8oGof/I9H/Dwj9kH/orv/lA1D/5Hrl/124N/6GVD/wAG0/8A5I6v9TeL/wDoX1//AAVP/wCRPZ6K8Y/4eEfsg/8ARXf/ACgah/8AI9bXw9/bG/Zw+KvjCz8BeAviN9v1a/8AM+yWn9kXkW/ZG0jfNJCqjCIx5I6Y64Fa0OL+E8TWjRo4+jKcmkkqsG23okkndtvRIyrcJ8U4ajKrVwNaMIptt05pJLVttqySW7PTaKK5X46Xvxd034LeLdS+ANlo9z45tvDl7N4PtfEEEktjcaksDtbRXCxSxOYmlCK211IDEg8V9EfPnVUV8Oal/wAFgrRf+CI8H/BUTR/CtjN4svvBsUFj4QMMpifxlJcDTf7M8oOJmjXU8oUDCTykJyD8w8w/4Lm/sJ/Db46f8EwfHH7XX7XXhL+0vjF4J+BKqBoXiXVLXQtN1WJGmmmttPF20L4nmlCvP5z7FjBY7QaAP0yorz39kj/k1L4Y/wDZPdF/9IYaT9p39l/4V/te/DA/Bv40jW5fDc+ow3Wo6fofiO70tr9YskW801pJHK0LE5aMOA20A8cUAeh0V+Vmrfs1fAL9jj/gtL8AfgX/AMEr9CvPCmr3Wm6xqf7R3hDw5rV3NoqeF/soWzudTglleOK6a5YCBgBIzMpbKlCf1ToAy/B//IJm/wCwrff+lctalZfg/wD5BM3/AGFb7/0rlrUoAKKKKACiiigAooooAKKKKACiiigDN8WeDvCPj3QZ/C3jnwvp2s6ZdLtudO1WyS4glHoySAqfxFfOmu/8E0fD3gLV5/Gf7Fvxp8TfB/WJpDLLp+lXBvtEupPWawuCUPoNpCqOi19O0V24XMcbgk1Rm0nut4v1i7xfzXzOHF5bgcc060E5LaSupL0kmpL5O3kfK/8Aw1B+2/8As1/6L+1d+zMPGmgwcP48+EZa5ZUH8c+nSkSrxy7qQg5wDXr3wF/a/wD2bv2mLTzfg18WdL1W6VS0+kPIYL6DHXfbShZVAORu27eOCa9KryD49fsJfsv/ALRl5/b/AI++Glvba+jB7fxVoMhsNThkH3XE8OGcjsJN4HpXZ9ZyrGfx6TpS/mp6x+dOT/8ASJL0OP6rm+C/3eqqsf5amkvlUiv/AEuD9T1+ivlb/hT/APwUW/Zj/e/BD40af8ZPDUH3fC3xIYW2sJGP4IdRTCyuePmmwo7LWt4J/wCCm/wdg8Qw/D39prwf4g+DniiU7VsfHNmY7G4bu0F8o8mSMf322A9qmWTYipFzwklWj/c+JesHaa+SkvMcc7w1OShjIujJ/wA/wv0qK8H83F+R9J0VX0rVtK13TYdZ0PU7e8s7mMSW91aTLJHKh6MrKSGB9RVivJaadmewmmroKKKKQzxv9pD4c+KfDmv2f7TnwcsTJ4l8PQGPWdLj4GuaZ1kgYDrIoG5DyeMYJCgej/DT4jeFviz4H074geDb8XGn6lAJIicbo26NG47OrAqR6g1u18C/tEfG74ofsk/tJ+JfCfwSvX0bQ7+7ttTl0q4s45ra5mkhRpXiDoTGjMWUhCOUIyMAD834nzrC+HmIeb1FJ4XESUakIq7jVa92rFaL31Hlqq6u1CavLmUv0PhrJ8Vx9h1lVNpYmhFypzk7KVJP3qUnq/dcuam7OycoO0bNffVFeG6H+2s/9i2d54z/AGbfibp801rHJPNB4UaW13FQTscPkrnplQcYyKtD9vj9nS0OPEmq65ox7jVPDV2mPrtjavfhxtwnKClLGQhez9/mp766+0pw79/meHPgzimMnGOElO2nucs9u3JOf5fI9oory7Sv21P2WdYx9k+NOkpnp9q8yD/0ai4rnP2iv29fg98HPhwfEHw/1mx8c+I9QmFn4c8NeHdQjuJLq7fhPNaMnyIR1aR8ADgZJAPrYDOskzStGlhcXSnKTsrVaf61F9/RHk4/J85yyjKrisLVhGKu70qn6QfyXVmp+1z+1toX7NHh6w0bQ9Bl8T+PfE8xs/BHgqwObjUrk8b2xzHAhOXkPAHA5rE/ZE/ZJ134aazqP7Q/7Q+vQ+J/i74qiH9t6wBmDSLc8rp1kD/q4U4BIwXIyeMVR/Y1/ZmvfDmv3/7TX7QHjDT/ABb8W/E8AGo6haTrLa6DanldOsQCQkag4Zhy5zyRkt9E19VXxeGwuHeFwU1JS+Oovt/3Yv8A59p/ObV37vLE+Vw+DxOLxKxeOg48v8Om/sf3pLrUa+UE+Ve9zSCuR+NfwJ+FP7Q/gif4ffF3wfbavp0vzReaNsttJjAlhkHzROP7ykdwcgkHrqK8WpTp1qbhUScXunqmerVpUq9J06sVKL0aaumvNM+UF8T/ALS//BPpha/EB9W+KnwegOIfEcUfm6/4Zh7C6Qf8fcCj/loOVAJO0BUP0j8Nfif8P/jF4OtPiB8MfFtlrWj3ybre+sZdyk91YdUcdCjAMp4IBrdZVZSrAEEYIPevm74lfsYeMPhh4yu/jv8AsJ+JLXwl4iuX83XPBV4p/sHxFjkh4lwLaU84kTAyf4NzPXl+yxeW60b1KX8t7zj/AIW/iX92Tuvsyex4vscdlGtC9Wj/ACN3nBf3G376X8knzL7MnpE+kqK8W/Z1/bR8IfGPX5vhL8QvDl34E+JOnLjVPBOvMFlfAyZbWThbqIgEhl5wM424Y+016GHxNDF0vaUpXX5Pqmt011TSaPVwmMw2Oo+1oS5l+KfVNOzTXVNJrsFeC6Vj9qb9opvET/vvAvw0vTFpw6xaprYHzS+jJAMAH+9ggkMRXRftUfEvxHoujad8HfhjNnxj43nax0tkPNjb4/f3jY5UImcHrk5GdpFdt8KPhp4c+D/w90v4c+FYdtpplsIxIRhppDy8rf7TMSx9z6V8xjv+F/Oll61oYdxnW7SqfFSpeajpVqLypRe7R9pgf+EHJnj3pXrqUKXeNP4atXyctaVN+dWS2TOiooor64+UCiiigAooooAKKKKACiiqmv67o/hbQr3xN4h1GKz0/TrSS6vrudsJBDGpd3Y9gFBJ9hSbSV2JtRTb2R59+158foP2bPgNrPxJgt/tWrFFsfDWnBdzXupTnZbxKo5b5juIHO1GxVb9jH4A3H7OnwG0zwfr9z9q8SajLJq3jDUXfc93qlyd87s38W04jDd1jB6mvmnwB+1h8Hf+Cg37f3hHw/puq3Nt4V8Aaddar4b0vVrfy313W1OBOEBYbIYQZYwxDgox2gFgPuuvGwFejmmLnjKclKELwhb5Ocvm7RX91dmfPZXicPnOOqY+lJSpwvThbXs6kvm7RX92Lez1KKKK9o+iCiiigAooooAKKKKACiiigArxn9g//kiGuf8AZZviP/6mut17NXjP7B//ACRDXP8Ass3xH/8AU11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiivkL/got+1J+3h+yl8RPh74y+FGh/CO4+FXiD4leEfCevf8JDFqlx4hkl1bV47KdrdIZIbaFY45VZHdpSWzmPAGQD69or5U/b8/4KB6l+zl8UvCv7N/wy8YfDTwz4n8Q+Hr7xLr3jj4waybPw74T0K1nt7Y3VwFlha5mnurqGCGBZogSJGaRQgDexfsm+NfiX8Rfgrp/jX4ofE/4beNLrUJpZdO8U/CZZl0XUbPOI5YhNcXJDZDBts0i5HDdQADC8D/APKQv4of9kZ8B/8Ap28X16l4g/5C2h/9hV//AEkuK8t8D/8AKQv4of8AZGfAf/p28X16l4g/5C2h/wDYVf8A9JLigDUooooAKKKKACiiigAooooA/KrR/wDglj+2Ha/8FN4vhLc+ArQfsgab8fJ/jrYat/blp5jeIpNOXZpAsxL56QR6o0l0B5Xkle4bFe+/8FsrL9t74yfsr+N/2PP2Tf2FdT+JcPxI8B3enXPjC1+IWiaTBolzIxRY5LfULiKSf5QH3J8vzYzkV9sUUAfOP/BPr4g/td6j+zzH4I/aP/Ye1P4V6v4I8M6bpmh2upePtH1ceInhtDG7o2nzSLbAPEgxKQf3oIztNc78f/jp/wAFVLv/AIJuJ8SfgB+w7pth+0drkX2U/Di98eaXd23hlnmlQ3jXkk0Vre+XCscqxhwC8qg5COD9YUUAfnb/AMEuPCH7WP7Jj2vw78Vf8Eo/iJb614815L/4wfHfxj8XfCeoahrF++fM1C7jtb+Sdoo8sIrWEMIkO1QWLs36JUUUAZfg/wD5BM3/AGFb7/0rlrUrL8H/APIJm/7Ct9/6Vy1qUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABWT428BeB/iV4em8JfEPwfpmu6XcDE+n6vYx3EL+5SQEZ9+1a1FVGUoSUouzXVaEyhGcXGSun0eq+5ny/qv8AwTZh+GOpTeK/2H/jz4l+E+oSSGWTQopjqWg3L9T5llcEhSem4NhQflWq/wDw1t+2N+zd/on7YX7LsniDRYOJPiB8JC17AEH/AC0nsZMTQgDlnyF67VNfVFFess4qVly42CrLu9J/KcbS/wDAudHjvJadB82BqSovtHWHzpyvH/wHkZ578Cv2rv2d/wBpbTP7R+CfxZ0nXHWPfPYRT+XeQD1kt5AssY7ZZQD2Jr0KvGfjr+wH+y7+0Bqf/CVeKPh8ukeJUk8238XeFZzp2pwy9pPOhx5jDt5gcD0rzz/hXH/BST9mEeb8LPifpXxw8MQfd8PeOWGn67HGP4Ir9f3c7erzevC0/qeW4v8A3WtyS/lqWX3VF7r/AO3lD1F9dzTB6Yqjzx/npXf30376/wC3XP0PqmsnxB4B8C+LNQtdW8U+C9J1O6sW3WVzqGmxTSW5znKM6koc88YrwjwB/wAFNfgXfeI4vh1+0BomufCHxY/H9j/ECxNrBMehaG8/1MkeSMOxTd2FfRFhf2OqWUWpaZexXNvPGHguIJA6SKRkMrDgg+orzMfldailTxlHR6rmSlF21TTtKLtumm7b6M9PL81oYhupg62q0fK3GSvo01eMo32aaV9tSWggMNrDIPUGivK/2r/2rfBf7K/geDV9U0+41vxJrVx9i8H+ENMG691q9bAWKNQCQgLLvfBCgjgsyqxh8PWxdaNGlG8paJf106tvRK7bSQ8TiaGEoSrVpcsY6t/1u3skrttpJNsxP2yPjj8Ff2d/B1tceIPhpp/ivxZ4huPsXg3wbb6bFNea1eNgKiqVYrGCyl5MEKCAMsyqeN/ZY/4J/wCk6PpGp/E39qnQ9I1zxr4slFzf6LZW6xaT4fjP3bO0gjwgKjAaXlmI+8eWfa/ZN/ZS8aaR4yuv2sf2r9Qt9b+LGv2+yOKM7rPwrZHO3T7MZIUgEh5ASWJYAnLvJ9D1WZ5dkCoPCLD0qrfxzlTpyu19mDlBtQT3as5vXSNk88sx+fSrrGTr1aSX8Omqk48qf2pqM0nNraLuoLTWTk15DqP7Bv7KGov5zfCWG3kByslnqd3CVPsElA/Sqv8Awwx8KrP/AJFnxv450TH3f7K8Wzpt+m/dXtFFfIy4M4SlLmWBpJ94wUH98HB/ifXR4w4qjHl+u1Wu0puS+6amvwPF/wDhkzxlpn/IsftcfEuHH3RqerR3gH/faDNH/Cj/ANrHSjnQv2y3nQdINV8EWkmfq4bdXtFFL/U/I4/wlUh/gr14/wDuaRX+tudS/iunP/HQoS/9xI8X/wCEb/b10n/kH/Er4davjp/auj3Vvu+vknij/hKv28dJ/wCQh8Kvh/q+Ov8AZWuXFvn6ecOK9ooo/wBWHD+DjsTH/uNzL7p05fmH+sin/FwWGl/3C5X98KkfyPlD9orwb8Tv2h9Ah0z4w/sN3yahpzeZonirwt46tBqOlzA5ElvIF3rggHacqSASMgEcL4b/AG6f2rv2SvB97o37WvwP8S67pFpH5WgeP5NN8klzhYotR2bkBJIHmq25sDh2JYfdNUfEnhrw/wCMdAvPCvivRrbUdN1C3aC9sbyESRTRsMFWU8EVyS4ZzalVnXoZlU53Fr3oUXd2aXM4whez2bi2vNaHiZhLKsXWjicNgqdCunFuUJVXGaTXu1KcptTi1pdShON/cmtj5K/YE+PR/aL/AGhPFPj/AMcadDca9c+HYm0i8smJtLKxjkVHgiUliu55EfO45w3TJz9h18m6j+xv8SP2NfFd78Y/2BrO2vdNu0U+JPhZrdyWjvo1yc2V1IS8EvJIRmKknuAqV7D+zf8Atb/Cr9paxurPw1NdaT4l0k+X4h8G67D9n1LS5QcMJIm5ZQeN65HIBwcqM+C8Fjcgy7+zszq8+Ic6k+dq3tOeXNfm2lJL4tpaJcvKla8/4twnEGdpvDfVZckIRp83NTfJGz9jJ293qoO043fMpNuT9Rooor7Y4gooooAKKKKACiivOf2jf2o/hV+zH4Zh1nx9qM1xqWoSeToPhvS4vP1DVpyQFighHLZJALHCgkAnJAOVatSw9J1KslGK3b/r+uiZjiMRQwtGVWtJRit29v67LVt6JN6HbeK/FnhjwJ4cvPF/jPX7TS9L0+AzXuoX86xRQoOrMzHA/wAivlnXfHHxq/4KPx3ngb4Mi98E/Be6WS01zxxe2m3UPFEByksFhDIP3cDDKtKw5Bx2aM6XhT9mj4w/te+I7P4uftywrp3h61nFz4Y+DllcFrW2/uTak4x9pmx/yz+6OQQAzR19QWdnaadaRafp9rHBBBGscEEKBUjRRgKoHAAAAAHSvMcMTmq99OnRfTac159YRfb4mt3FOx4zhi86X7xOlh39nadRf3usIP8Al+OS+JwTsfJX7H//AAST+H37KHxx/wCF3H4p3/iO5sI508PWc2mLbCyEqNEzSMsjee/lOyghUHzE7emPrmiiuzA5fg8to+yw0OWN27a7v1ud+W5Xl+UYf2GDpqEbt2V9311bf/A0Ciiiuw9AKKKKACiiigAooooAKKKKACvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvgz/gt18XNXj8O/Dj4L+Df2dfjF4z1XTPi74G8a3954B+Ems65YQaXYa/HPdBrqyt5IluEitpH+zlvMKtGduJFz950UAfnL+034Q0Hxd+3t8Cv+CtWufshfEfxv4CtvhprfhPVPDsnwtvZ/EPhS/a8E1lqcuhyxfbSrL9thJSFnjE0b42uGHr//AASJ+Enjn4feFPjL8QtW+DuqfDfwl8SfjZqfif4dfD7W7BbO70nSpbSzgaWW0B/0Frm5gubn7MQCgmBYBnYD67ooA+ePgF8MfDfwu/b9+L+n+GtS8Q3Meo/CvwPfXDeIvF2o6w6Svqvi4FYnv55mgi+UYhjKxKclUBY59z8Qf8hbQ/8AsKv/AOklxXlvgf8A5SF/FD/sjPgP/wBO3i+vUvEH/IW0P/sKv/6SXFAGpRXnH7QX/DXf/Eo/4ZW/4Vv/AMvH9vf8LB+3/wDTPyPs/wBj/wC22/f/ALGO9eb/APG3b/q3D/yv1w1sd7Go4eyqSt1jC6+T5l+R5uIzL6vWdP2FWVusYXT9Hzr8tz6Por5w/wCNu3/VuH/lfo/427f9W4f+V+sv7T/6cVf/AAD/AO3MP7Y/6hq3/gv/AO6H0fRXzh/xt2/6tw/8r9dJ8I/+HjH/AAsLT/8AhfH/AApT/hFP3v8Aav8AwiP9r/2j/qn8ryvtH7v/AFvl7t38G7HOKqGY881H2NRX6uFkvV870NKea+0qKH1esru13Tsl5t87su7sz2uiiuV+Onwc8FftD/Bbxb8BviPYfadA8Z+HL3RdYhAGWtrmB4ZNuejBXJB7EA9q9E9U6qvlz/goH/wVe+En/BOqacfEr9nP41+M7aw8MjX9Z1b4bfD1tR07SrDzZYjJdX0ssNtAwMLko8gbaVOPmXPwXN+1h8ZvEv8AwRW03/gl/L4iZPj9f/Fb/hmLUZVyXiWGbyp9UK53tb/2EokM2cFpN249/sf/AIK8/DDwd8Ev+CFfxk+DXw70sWWgeE/gjLo+iWa/8sbS2tkhiT3wiKKAPrf4deN9J+Jvw+0L4kaDb3ENj4h0a11Kyiu0VZUiniWVFcKzAMFcAgEjOcE9axP2gvjTbfs+fCjUvitdfDPxn4xXT5IEXw78P/Dsmq6tdtLMkSiG2QgsAXDMxIVEVnYhVJqj+yR/yal8Mf8Asnui/wDpDDXoLBipCtg44OOlAHyv8Jf+CtXwh8cfHTwz+zr8Yv2c/jN8F/E3jh5ovAyfF3wTHYWniCeKMySW1tdWtzcw+eIxu8qR0Y5AALMAfqmvyx/ac+GH7VH7PH7df7LPxh/4KVftQ2Hxu8B3XxitfC/w+07wf4Og8J/8I/4x1K2njsdRurQPdPqUIEcicXUXkMwfZICyn9TqAMvwf/yCZv8AsK33/pXLWpWX4P8A+QTN/wBhW+/9K5a1KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDE+IHw1+HvxX8OS+EPib4I0rX9Lm/1lhq9hHcRE/3grggMOzDkdjXzvff8E4tV+EN7L4k/YV/aH8R/DGdpDK3ha7lOq6BcMTkg2twSYi3ILqzFQflUV9R0V3YXMsbg4uNKfuveLtKL9YyvF/cn5nBi8swOOkp1Ye8tpK8ZL0lFqS9LteR+f37Wf8AwUw/bp/Yk8L2HhT41/s6+CZfEerSyDQ/F+maxNPpGoRw7PO/0TKTxuPMj4aRAd+QMDFdN/wSjktv2um8Qft9fGmaTWfH7a9caFpyzW+yx8PWkcUUgh0+Ms2wMtxhpCd5ywzku0n1L8d/2cvgn+014QTwJ8c/h/a+INMiuBPBDPLJFJDIBjdHLEySRnBIO1hkcHIrT+FPwk+G/wADvAtl8NPhP4RtdD0PT1ItbC0BwCTlmZmJZ2J5LMSx7k17dbOsreSOjh8P7PETdpSjonG92ldtpPS8VZabtPlPCo5Hmqz1V8Rifa4aCvCEtZKdrJu0Um462k7vXZNcx0dFFFfLH1gUUUUAFFFFABRRRQAUUUUAFeQftIfsbfD74/X9r490rVLzwj4+0kZ0Lx34ebyr22YDhJcEC4i7GN+xYAruOfX6KxxGHoYqk6dWN0/6uuqa6NNNdGc+KwmGxtF0q8VKL/Po09010aaa6M+ZfA/7YXxH+Animz+DH7fWi2ujXN1KIPD/AMTtNQjRNbPYTHAFnORyVbCdThF27vpiGaG5hS4t5lkjkUNHIjAqykZBBHUVl+OPAng34l+FbzwR8QPDNlrGkahF5d5p9/AJI5F9wehB5BHIIBBBFfNE/wAL/wBo/wDYGnfWf2fI9R+JHwpRi958O725MmraDHnLNp0rZM8Y/wCeDZPGBks0g87nxeW/xL1KX8284/4kvjX95LmXVS3PJ9pjso0q3rUf5t6kF/eS+OK/miudfajLc+raK4f4C/tF/CL9pXwaPGvwl8VR38KMI7+ykHl3VhL3inhPzRuMHrwcZUkc13FenSq0q9NVKck4vZrVM9mjXo4mkqtKSlF6pp3T+YUVT8Q+ItA8I6Hd+J/FOtWunadYwNNe317OsUMEajJd3YgKB6mvl3U/jD8dv2+NRn8G/sv3194J+FyTNBrXxSuLdo73WFB2vDpcbYKKeQZzgjnG0rtfnxeNp4VqFnKcvhit3/kl1k7Jeb0fJjsxo4Jxgk51JfDCPxPz7KK6ylaK7t2T6747/tmapb+OJf2dP2TvCkXjj4kMNt6BIf7L8OLnBmv5l4BU/wDLIHcSMHBKq2j+zl+xnpfwv8TTfG34y+K5fHnxQ1KP/iYeLNTjGyyUg/6PYxfdt4gCVG0BiCfug7B3XwI/Z8+FH7N3gaLwB8JfDEen2gPmXdwx33F9NjmaeU/NI59TwOgAAAHa1hRwVSrVVfGNSktYxXww9P5pf33/ANuqK35sPl1atWWJx7UprWMV8EPS/wAUu85K/wDKorcooor0z2QooooAKKKKACiiigAooooAKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPGfA/wDykL+KH/ZGfAf/AKdvF9epeIP+Qtof/YVf/wBJLivLfA//ACkL+KH/AGRnwH/6dvF9eoeKWNrJpurOjGGy1DzLgqpJVGhlj3YHYGQE+gyaANaisoeOfBJGf+Ew0sfW/jH/ALNS/wDCc+Cf+hw0r/wYR/8AxVAGpRWX/wAJz4J/6HDSv/BhH/8AFUf8Jz4J/wChw0r/AMGEf/xVAGpRWX/wnPgn/ocNK/8ABhH/APFUf8Jz4J/6HDSv/BhH/wDFUAalFZf/AAnPgn/ocNK/8GEf/wAVR/wnPgn/AKHDSv8AwYR//FUAfOVn/wAEjv2VrH/gpRN/wVJhv/FJ8fS2bougtqcH9hRXj2Cae+pJbeR5gu2tEEJk83aQSduTmrf/AAUD/wCCZ3hv/golo7+D/iF+1v8AGrwR4YvNBk0nXPCPw48TWFnpuswu5ZmuormxuDI+DtyGUbQBjvX0F/wnPgn/AKHDSv8AwYR//FUf8Jz4J/6HDSv/AAYR/wDxVAHj37H/AOwyv7IPw61n4Y237Wvxk+Imn6nY29np0nxL8S2d7NoUEMLxLHYtbWduIQVYZ3B+Y0xjBzVX/gn54f8A+GPfD37H7/tT/G4p4ZuVuLD4lx/EN4vFssyzSyh59QjiUTD980ZRoyjRqqspxXtf/Cc+Cf8AocNK/wDBhH/8VR/wnPgn/ocNK/8ABhH/APFUAfMfwq/4JC/Bfwf8cvDX7RPxs/aI+M3xt8S+CJnuPA7fGHxvHqFn4funXYbq2tLW3toBPt4EsiO4wrAhlVh9YVl/8Jz4J/6HDSv/AAYR/wDxVIfHXgsD5fFumueyx3qMx+gByfwoAXwf/wAgmb/sK33/AKVy1qVmeEIpo9DEk8LRme6uLhUdcMFkneRcg9DhhxWnQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeD/Hr9iex8XeMj8ef2d/F8nw8+JkKk/27p0Q+yauOvk39vjbOjYAL4LDgnftArzTX/wDgq1a/s3xv8O/20Pgn4g0Tx1ZqhMHheGG6sdVgbcFvbaSWZNsTMjAqSSp4ySGC/YdfMn7eH/BNDwd+234m0bx2/wARrrwxrelWIsJbtNNF5Fc2gkeRYzGZI9rK8khDBv4yCDxjwMzweOw9KVfKtKresdOWV93Z2Sku6av1voz5fOcBmeEozxOSWVZvWDtySvvLldkpre6cebXmvoznPhN8NPHP/BSCz0r9oP8AaT1qC3+Gks5ufCHwu0S/LwXPlyMon1KZcec4ZSPKGApGCF+dW+t9M0zTdF06DR9H0+C0tLWFYra1tohHHDGowqKqgBVAAAA4ArlP2fvgl4T/AGcvg5oXwV8ES3Emm6FatHFNdMDJM7yPLLI2OAWkkdsDgbsDgV2Vd+XYN4agpVNaskueV7tu2qv2TvZKyS2XV+nlOAeDwynW1rTSdSTd25W1V/5U7qKSUUtl1ZRRRXoHqhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV4z+wf/yRDXP+yzfEf/1Ndbr2avGf2D/+SIa5/wBlm+I//qa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeM+B/+UhfxQ/7Iz4D/wDTt4vr2avMfib+yD8Fviz8SJfi54km8a6f4guNDtNIu77wj8UfEGgC5s7aa6mt45YtMvreOUxyXt0Vd1LDzmGcYAx/+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9cjrP7AWjSfHjw3qOj/Ev4wp4Hi8I63H4isz+0d4y3y6q91pR06QZ1XfhYE1QHawXMi7gx2FQD6Uorxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLej/hg/4I/wDQ8fGb/wASO8a//LegD2aivGf+GD/gj/0PHxm/8SO8a/8Ay3o/4YP+CP8A0PHxm/8AEjvGv/y3oA9morxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLeuR+Cf7AWjWHg29g+MvxL+MN3q7eLvEElnLD+0d4ywulPrF4+lx/u9VUZTT2tEORuyp3FmyxAPpSivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9morxn/hg/wCCP/Q8fGb/AMSO8a//AC3o/wCGD/gj/wBDx8Zv/EjvGv8A8t6APZqK8Z/4YP8Agj/0PHxm/wDEjvGv/wAt6P8Ahg/4I/8AQ8fGb/xI7xr/APLegD2aivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9mor5r+JH7AWjXXjL4fz/AA7+Jfxhg0i28XTSePIpP2jvGWbnSjo+pJHGu7VScjUH05/kKtiM87dyt13/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV4z/wwf8ABH/oePjN/wCJHeNf/lvR/wAMH/BH/oePjN/4kd41/wDlvQB7NRXjP/DB/wAEf+h4+M3/AIkd41/+W9H/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV81/Df9gLRrXxl8QJ/iJ8S/jDPpFz4uhk8BxR/tHeMs22lDR9NSSNtuqg5OoJqL/OWbEg527VXrv+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//Lej/hg/4I/9Dx8Zv/EjvGv/AMt6APZqK8Z/4YP+CP8A0PHxm/8AEjvGv/y3o/4YP+CP/Q8fGb/xI7xr/wDLegD2aivGf+GD/gj/ANDx8Zv/ABI7xr/8t6P+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//LeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9H/DB/wAEf+h4+M3/AIkd41/+W9AHs1FeM/8ADB/wR/6Hj4zf+JHeNf8A5b0f8MH/AAR/6Hj4zf8AiR3jX/5b0AezUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9cjo37AWjR/HjxJqOsfEv4wv4Hl8I6JH4dsx+0d4y3xaql1qp1GQ41XfhoH0sDcxXMbbQp3lgD6Uorxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t6P+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLej/hg/wCCP/Q8fGb/AMSO8a//AC3oA9morxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t65H9n/APYC0bTfgP4J0747/Ev4w3vji38I6bH4zvIP2jvGWyfVVtYxdyL5eqqmGnEhG1VXB4AGBQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezV4z+wf/AMkQ1z/ss3xH/wDU11uj/hg/4I/9Dx8Zv/EjvGv/AMt6774N/BvwB8A/AEHwy+GVhf2+k29/fXoGqa5ealcy3N5eTXt1NLdXsss8zyXFxNIWkdjl8DAAAAOoooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvy0i/Zk+Gv7cXwj/bD/bB+OAvbj4m+D/ih440D4XeM49VnhvPAVr4cjNvpx0xkcCzPn27XchQDzmnbzN6nFfqXXxx8YP+CWfxM8U638V/CfwO/bNv/h98Mvjrqk2o/FHwVB4Kgv71rq6to7XUpdK1F50OnG8hiUSb4bnbIzyR+WzcAHu37D/xb8T/AB//AGLPhB8d/GqqNZ8bfC7w/r2rhIwgF1eadBcS4UcKN8jcdq+I/wDgoF+x9+yp8EPHfw4+HX7Dfw2k0j9qfxv8SNL1fwt4p0bWLubWLTS7fU4Z9a1TVrmSV5JNLFp9pgeKctHI9xHFGhbAX7msPgr458G+Ovh5bfCT4sxeGvhn4J8L3ej6l8NYfDUFwmr/ALq3i0+Rb52860FokMgEaAiXzvnI2DPzF8FP+Can7fHwM+Onj39oLRP+Chfw71zxN8RddF1r2v8Air9nm5u9STTo2/0bSIJ08RRpBaQISscccSruZpGDOxNAHV/8FNf2cf2YfE1lF8c/il/wTG8Q/tGeJV0ptLtbXwxHZS3emW8QlmRlF5fW/kZeVwJLVZLjcw+U7Vx8tfDnUdd+Of7E37Bn7HXxA+PF5448L/Fzxtqdv8SNattUvlfVtO0fTdX1EeHrma4WK5dI57W3spxKsckn2F1dRudT92/Hr4Lftz+M/Htzrf7Pf7ceheBfD13YRwtoOtfCCHXJrOZQQ09tc/brbazZB2zRzqCOBg4rz64/4JO+BPDn7I/w5/Z1+D/xn8QeH/FPwn8ZN4x8FfE2+tIL++XxBNPdzXt1dwERx3MN0b+9Sa3BjUpPtUoUQgA5r9jLwJ4W/ZD/AOCn/wAW/wBiX4G6Z/ZHwx1H4ReGfH+ieELWVzYeHNSn1DVNNvI7OIki3juFs7eZolwgdWZQNzZ+168I/ZK/Y38VfAz4leO/2iPjn8bv+FjfE74iJp1prXiO38Npo9jZaZYJKLPT7KyE05giVri4lYtNI8kkzMzcKB7vQAUUUUAfMH/BZn4r/EP4Nf8ABNj4keLPhT4ru9B16/8A7H8P2eu6fJsuNNXVtYsdLluonHMckcV5I6uOVZQwIIzXkUv7NPwY/wCCcn/BSX9mjwp+x94R/wCEP0L4u2vivwx8RNCsb2Z7fXPsOjNqlnqVykjsJL2KW0kQ3R/eut26uzAgV9e/tT/s3/Dz9r39njxd+zT8VRdroXjDR5LG8uNPm8u5tWJDxXMLkELNFKscqMQQHjUkEcV5F8Ef2D/jRpv7Q/hj9pX9sH9rgfFjXPh94bvtH+HlvY+BIdAttN+2iJLzULlI7mc3d9LFBHF5gMUSI0gSFTISAD2X9oD9nP4O/tSeAR8Lfjr4UfXfDrX8V3caQdRuLeG6ePOxJhBIhmiycmJyY2wNykDFfH//AATO8DfDKz/bk+N+rfsM6AdC/Zr07w9pnhxbDS7iQaBqvja2ubr+0rvR4ixSOKG3a2tZ5IAscs8ZxvMTNXrX7SX7Gf7Yn7QX7Ivjb9m2D/goPNoeu+L/ABffXEXjm1+HMKS6d4anuWdNBSG1vLdjsgK2xvRKkzoGb5WbK7H7Iv7L37Uv7OXgYfCLxV+0X8OLvwdpPhb+yfBeh/D34KSeHToUqhVimDT6xfJOqKG/dtGNzHcznkMAfGXxw+Bn7Pn7Lv7ePwI8K/s3fsX+Iv2fXi+NOn2Wp/Hmd0j0jxlZvBKG0AyWd1czXcmoOyQodTS3AdCVcybFe/8AtjfsJ+JtE/bY+Pn7bnxd/wCCVHw1/aM8C61pfh650t/EHimzj1zTbTTNJ8u++w2VxZTJO7tkiN57cuYABu3LX0dqv/BPr9qD44eL/A7/ALaP7dNn468I+AfGen+K9N8LeFfhXB4efVdUsJRNYyahc/bbozRxTBZTFBHbq7Iu75RtO9+0d+yj+3b8bdV8WeFPBn/BRKx8H/D/AMWwtayaLa/CC2uda0qzkgWKeGz1Nr1I0Zv3jLLLayvGZOD8q4APY/2cfij8L/jf+z94I+MXwSwPB/ifwpp+p+F0FuIfLsJrdJIEMY/1ZWNlUp/CQR2rtK5T4FfBjwH+zl8FfCfwB+F2nyWvhvwV4cs9E0O3ml8yRLW2hWGPe/8AG+1AWY8sST3rq6ACiiigD4d/aQ+FXgH9tb/grnpv7Jv7Svh2PxR8NPAv7PS+M7TwRqUjHTdR1vUNbnsBd3MAIW5a3t7FliEgZY2u3YAMQa6j/gj9qut6P8PfjP8As73Gv6hqOhfBv9oXxD4N8Ey6pfSXU9voiQWV/a2hmlLSSrbjUGtkLsWEcCLn5a7n9p39i/x/8Tvjv4a/aw/Zq/aAi+GnxL8P+Grzw1d6rqPhJdd03WdEuJo7g2l1Zm4tmLRXESywyxzIyM0gYOrlap/C39hn4jfAD9lq++DXwF/amv8ARfH/AIh8ct4t8ZfFfVfCVnqNxrWpXWpR3eps1i5WCJbiFXtIwp/0eIxldzRgkA47/gpZ+zf/AMEyfDvgfxV+2J+2/wDBuDxLqA06HTdMknvbu41Ke7K+TZ2GiwrL+4vppCFj+yqkjSNuZsKWHLeD/i3+19+zB/wTP+Bf7OHxA8R/2l+1D8RvD9p4Y0OTXLgXkmnXxgMt1ql+5P79NMs8yzuSRNNEke4tcKT0v7U3/BO39qn47ftt+H/2vvA37Z3hHS7DwVo/2bwD4D8bfBybX7Lw/fyLtudViaLWbISXki5jWWSNjFGSqEZZm9T8b/sLfBz9qD4beFfD3/BQz4Z/Dv4z+I/DK3Ri1u/8Ara2aSTuu97aznuLprbckcCsPOfcYg2RkKAD8+P2edf1X/gnZ/wSX/b8u/2f/FOoy6v8OfjJ4yh8Pa/qF6bm/N3/AGPpES6lLI2TJP5rm4ZjwXycY4r2Dxp+yT8Hv+CZPx9/ZN+IP7LWm3Glan44+JS/D34oXMepTyv44tb3QdRujf6kXdvtV1Fd2EVwtw2XBd13bGK16f8Asz/8ER/2Nv2dfAfx5+Gtp8PfDk+k/HXV9Xiv10TwzHpk2k+Hb61hhXQ4pEkctFC0csqSDYA82RGpXJ1fgr/wTj+MWh/Fr4a/ED9qb9sy6+KemfBa0uU+GGif8IPBpDxXcto1iNR1OdLiX+0btLR5YkdEt0BmeTyy5BAB9ZUUUUAFeX/tu/FvxN8Af2L/AIvfHfwWqtrPgr4X6/r2kq8YcG5s9OnuIsqeGG+NeD1r1Csvxt4M8M/EbwZq/wAPfGukx3+ja9pdxp2rWE2dlzbTxtFLG2OcMjMp+tAH5jv+zL8Nv2IPg/8AseftifBH7bb/ABP8YfFDwNoPxR8aSarPNeePLbxGgt9S/tNnci8/fXC3cZcHyWgXy9ijFfpT8XPhR4I+Ofw31b4S/EmwurvQdcthb6pa2ep3FnJNFuDFPOt3SVA23B2sCQSOhNfLfwg/4JY/EvwrrXwo8IfG/wDbNv8A4gfDD4FapDqPwv8ABM/gqCxvRc2ttJa6bJquopO/9omzhlby9kNtukVJJPMZefXfiZ8CP2s/GXhH4x+HPCP7bDeH7nx0kEXww1GP4f2sr/DyMWkUM+zbNG2pPJKs06yTMhiaUKMqgyAfMH7O3wW+Bfw4/wCCutv4H/4JueBYfCngb4feANVsP2jV8MzSR6Be6zcvaPo+nmLcYpNWgC3U8sqjzI4p1SR8yBK8f/bt8ZXv7Z/x6+B/7YsfiGRfhn4H/a/8FeEfg/ZR3W2HW511jZrHiJ1BxJE00AsrRjkCK3uJl+W6Uj67/wCCfX7Cn7Uv7Dvh3w/8I739qP4ca/8AD3R4bhr/AEXRPgpd6VqurXsqsz31xqU2vXZkuJJ286WR4XaUkjK5BHG/tHf8G/X/AATb+NMPhH/hAP2XPhn4Hn0D4i6T4i1240/4fW0za9p9rOZLnSZdrx7YrlTsdzvAHJjfpQByv/BRX9gT4l/Hb/goFpf7UQ/4J+/DH9oXwbpfwSXw7H4a+InjC30zyNT/ALWluzNaiayuleQQkIN4iQ+cf3owa+nP+CdHxi+BPxy/Y58HeNf2cPhY3gTwtbw3Wkw+BJLCK1fw5d2V1LaXenNFESiGG4hlT5flYAMOGFUfjN+zx+2bf65bWP7Jn7aHhv4Y+ELbw/baZa+FdR+DkGt/2eYQyia0n+3W3lnYY1EcqTRr5QwuCQer/Y0/ZS8EfsVfs7aH+zz4E17VNYg0uW7u9R17XJVe91fULy6lu7y9nZFVd8txPK+AAFDBRwooA9RooooAK+Mf+Cj+gad+0B+2t+zF+xD8SxNefDbxxN4w8R+OPDguXit/EB0WwtPsdjdbCDNbefqHntASUkNqm4MBivs6vEv2xf2P9S/aT1LwH8T/AIZ/FubwB8Sfhfr0+qeB/GC6KmpwQi5tntbyzurN5Ixc2s8D4dFkicNHG6yKU5APHv8AgnD4f039n79tj9pz9iL4ZLNZ/DbwRJ4P8SeB/DZuXlt/D51qxu/tlja7yTDbedp/nrApCRtdPtCg4r079uT9mT/gn54+8OXf7SX7fPgfw/qvh/wJ4eme4vvGV7M+maZahjI832Uv5JmJwFk8szE7UQ5IBzvg5+wz8VfhB8O/jB4isv2qZbv44/GNmudW+L7eCrcQaVdw2Is9N+y6Q8rxfZbNFVkt5ZZDIzSmSRvMOOS/bf8A+Cdf7TP7X3ij4TavaftneHbHSPhqsWoap4R8W/CRtY0rxP4giUCLVrqC31WyB8pgZIrZi8SSHfhiq7QD598P/sfftR/tRf8ABBnxh+zvo/gfUZp/G/js6r8JfBHxK1p0vNM8FjxTa3+nadqE9x5joU06EnY5kdI2SIgsuwd7+yF4y+Cn7HHxY+JvwJg/4Jg+BP2fPijb/Ce58b6enw91G21PSvGGjWUjRNsvIbS0l8yC5ljV4JYUYC4V1LKc19NH4S/tx33wDuPBuqftmeFbb4inWlubLx1onwfEOnpZqUP2SXS7jU7gybsOGlW5jbDjbtK5blv2ff2EfiD4X/aO1f8Aa7/a1/aNi+Knjy98Et4P0ZdO8Fx6Doui6LJcpc3EEFl9ouXeSeaOJpJpZ3JWJEUKowQD4XsPgd4R+Av/AAS2+Av/AAVw8KXd7N8fdV1z4feLPG3xCbUpm1DxYviPVtPg1LSrxt+JrQw6pJGlvjZCIIzGEKZr9eq+KPh9/wAEivGHhXTfAfwD8V/tg3+v/AL4X+MbXxD4J+F03g2GK/DWVwbnTbC+1b7QxvLK0m8tkiFvG7CCJZJHCnP2vQAUUUUAFflpF+zJ8Nf24vhH+2H+2D8cBe3HxN8H/FDxxoHwu8Zx6rPDeeArXw5GbfTjpjI4FmfPt2u5CgHnNO3mb1OK/Uuvjj4wf8Es/iZ4p1v4r+E/gd+2bf8Aw++GXx11SbUfij4Kg8FQX9611dW0drqUulai86HTjeQxKJN8NztkZ5I/LZuAD3b9h/4t+J/j/wDsWfCD47+NVUaz42+F3h/XtXCRhALq806C4lwo4Ub5G47V8R/8FAv2Pv2VPgh47+HHw6/Yb+G0mkftT+N/iRper+FvFOjaxdzaxaaXb6nDPrWqatcySvJJpYtPtMDxTlo5HuI4o0LYC/c1h8FfHPg3x18PLb4SfFmLw18M/BPhe70fUvhrD4aguE1f91bxafIt87edaC0SGQCNARL53zkbBn5i+Cn/AATU/b4+Bnx08e/tBaJ/wUL+HeueJviLroute1/xV+zzc3epJp0bf6NpEE6eIo0gtIEJWOOOJV3M0jBnYmgDlP8Agoh+wB8TPjX/AMFDov2qZf8Agnf8Mf2h/B1j8DrTw3B4d+IXjG20yS21OPV727kktFnsrpHk8mWNB5nkofNx5owaofHr4T+FP+Cov/BMn4AXn7Ev7Knhq98G+HfixpOq6j8HPG1zDo1haWOjvf2d/o1yFhnSMJcI1sQkUoP3grLX1V+0H8Ev27PHXjq61f8AZ1/br0L4f+H7zTY7dtE1f4PQa7PZzDcHuba5N9b7XYFTtmjnQFfu4JFYHgf9hf4pfs0/sn+CP2Zv2I/2oj4MuPCd9c3WqeI/GfguHxI3iOW6luLm7ku4hPasskt3cPcFoZY9p+UDbxQByP8AwS38RfAvwT4v+J/7JvhP9gzw3+zt4/8ABdzpmp+MvB3hG4tbrTNWtb6KUWWp2t5bwwfao2FvNG2+GOSNoirKMivsGvAv2Qf2KvEf7P8A8S/H37RXxs+O1z8Svif8SV0628Q+Jf8AhH4tIsbTT9PSVbOwsbGOSX7PChuJ3YtLK8jyFmY4GPfaACiiigD5g/4LM/Ff4h/Br/gmx8SPFnwp8V3eg69f/wBj+H7PXdPk2XGmrq2sWOly3UTjmOSOK8kdXHKsoYEEZryKX9mn4Mf8E5P+Ckv7NHhT9j7wj/wh+hfF218V+GPiJoVjezPb659h0ZtUs9SuUkdhJexS2kiG6P711u3V2YECvr39qf8AZv8Ah5+17+zx4u/Zp+Kou10Lxho8ljeXGnzeXc2rEh4rmFyCFmilWOVGIIDxqSCOK8i+CP7B/wAaNN/aH8MftK/tg/tcD4sa58PvDd9o/wAPLex8CQ6Bbab9tESXmoXKR3M5u76WKCOLzAYokRpAkKmQkAHsv7QH7Ofwd/ak8Aj4W/HXwo+u+HWv4ru40g6jcW8N08ediTCCRDNFk5MTkxtgblIGK+I/2Gk+HPwn/ac/aP8Ai7+wf4RbTP2cPB3gK306HRtLuJBoOt+ONPe9l1G40eIkxxxR2/2a0nkhCxyzxnG8xM1e7ftJfsZ/tiftBfsi+Nv2bYP+Cg82h674v8X31xF45tfhzCkuneGp7lnTQUhtby3Y7ICtsb0SpM6Bm+Vmyu9+xp+y/wDtFfs4+Frf4R/E/wCNfwx8Q/D3SPDiaT4b8HeBvgvN4bTT1Uqo3SS6xfLLH5YdTH5almfcXPIYA/N79hP4j+Frb4JfBf8A4KZ/tqf8E7v+EgPjrxZpE2tftLa14/W58R6drOoagtvb3Y0wR/6HoqXkkVrDFDc8W4jZrbDEH6M8Ffsk/B7/AIKcftB/tY+PP2ptNuNV1HwP8ST8PfhhcS6lPE/ge1s9B066+36aUdfst1Ld38tw1wuHJjRd2xQtdj4T/wCCO3jLQ/BfhX9lbXf2yr/VP2c/BPjG017w/wDCt/BMEepPFZ341Cx0q61n7QxuLGC5SJggtkmZIURpiBmuy+NX/BOX4x638W/iV8Q/2WP2zLn4V6b8aLO2j+J+i/8ACDw6u8t1DaCx/tHTJnuIf7Ou3tEiid3S4QmGOTyw4JIB1f8AwSY+O3j79pr/AIJp/BH46fFPUJLzxJ4h+HenTa5fzD5726SMRSXLf7UrIZDjjLnHFfQ1cr8Dfgz4B/Z0+DHhT4B/CzS2svDfgzw9Z6Lodq8m90tbaFYo97fxuVQFmPLMSTya6qgAooooA+A4/wBmr4Mf8FG/+Ck/7S3hP9sHwh/wmGg/CKz8KeGPh5oN/ezJb6J9v0ddUvNStkjdRHeyS3UcYuh+9RbRFRlANeuf8EZvit8Q/jJ/wTa+HPir4q+LLvX9d09tZ8P3mu6hJvuNSXSdZvtLiupXPMkkkVnG7OeWZixyTUvxv/YQ+NGpftD+Jv2lv2Pf2tx8J9e+IHhux0b4h2994Eh1+21L7EJUs9Qt0kuYDa30UU8kQkJlidBGHhYxgnqPhh+xxrv7OHwT+D37PH7LHxvu/CPhX4aapbt4kg1HQLfVbnxhpqw3H2i1mmlKm1mnuplunuYhu3oyhQrnAB8w/wDBX/8AZP8A2H/h58HfFvxM0P4O3WoftI/FK8m074L6romt3Z8UT+LZkP2OTTpzNvs7e2cJcTeWY7eKCFy4wcNzv/BRvxt8efG37WH7NX/BPDxh8Ipvi2mufDXVvEfjjwhD4qOg6N4r1myS0gRtUu1jZl02EteXBhWKUSzPaq0LAceveJ/+Cb/7a0n7cfi39t/wT+3j4EOq6xYrpPg3T/G3wIuNYbwbow5awsZItftUXzXAeabylkmYKGO1VUemftK/sR/EL44eIvhd8evAn7Qlt4L+M/wus7u1sPHEHg1b3TNTgvreKLUbW50uS5VmtpnhilRFuRJC0a7ZW+bcAfKWvfBrQv2wf+CWX7Qn/BPP9lT9jbRPhH8RfDvjax0jxd8JG8QxSaRb3zT6XqAube7VFjazuLARyqywxkkODCG+96d/wTzj+BP7OX7XGufspah/wTG8B/s6fEjX/A58RaVf/DrU7XU9L8VaNbXccEyreRWdpIs0E08Ja3lhHyyh1Zhk16X8KP2C/jR8FPhd8QL/AMBftfyf8Ln+J/jODxL4x+K2p+A7a4triaGK3torOPSvOVYrNLS2jt0jE5lUFn84seLv7PX7DXxQ8J/tO3P7ZP7V37TSfE7x9B4Ok8LeGF0fwZH4f0fQNLmuY7m5EFoLm6keeaWGEvPJOx2xKihVyKAPpCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDzP9sX9rT4O/sMfs0+Lf2qvjzq81p4Y8Iab9pvRaxh57qRnWOG2hUkBpZZXjiQEgbnG4qMkfLnw9+Mv/BwB+0L4Ls/jf4C+An7NXwu0PW7Vb3QvAHxP1PX9Q19LZxujF7cWPlwWsrIVJQRSNHnDqGBUc1/wdBaBrd5/wAExIvHEGk3F/oPgv4reGNf8aWdvEZDLpEN55c25B95Q8sTHsAuTwM1+gnhPxX4a8eeFtN8b+DNdtdU0fWLCG+0rUrGYSQ3dtKgkjljYcMjIysCOCCKAPiD9tv/AIKRftsfsif8E5/Df7TPjz9m7wl4P+J938T9L8LeIPCOrapLrWmJb3Govatd209tJbs6ywqk8W45TzArqxU1931+dn/BzPdWt3/wTp0Q2tzHJ5fxz8IJJ5bhtrDUBlTjoR6V+idAHyr+xZ+3H8Wf2jf2+P2q/wBlnxv4e8O2vh/4Ga94ZsvCV5pVpOl5dx6jp81zObt5JnSRleNQnlpEApOQx5Hy3+wx+3d/wXy/b2/ZBg/bN+DHhb9lC40661DVYLHwVqWi+I7LUb02N1LbtEtz/aEsEckhiOxmGzLDcVGSO/8A+CVv/KYz/gol/wBjh4C/9Mt1Xy3/AMEH/AP/AAWC+IP/AASt0Twv+yT8e/gT4F8B6j4h8SQadrmv+DNW1HxPprtqlys0yFbtbN2Ehdow0WANobJyaAP0y/4Jf/t8eGv+Clf7GXhf9q/QfBVx4ZudVkurHXvDV1cec+l6jazNBPCJNq+Ym5d6NtUlHXKq2VHG/wDBRr9v74xfs5fF34Q/scfsk/CXQfF3xk+ON/qkfhRfGOqy2eiaPZabbC5vL69eFWlkVYz8sUeGfa+DlVR+/wD+Cbv7B/w+/wCCbX7IHhf9kv4d+Jb3XYdC+0XGqeIdSiEc+q39xM01xcsgJEYZ3IVMttRUUsxBY8//AMFE/wDgmL8I/wDgohZeD/EOv/Ejxl8PvH3w41G4vvh78Svh9q/2PVdEmnVFmRWIIeKQRx70OCQgAZctkAzfgHq3/BZ/RfjT4e0j9q7wr+zjr3gDUWuE8Qa18MbrW7DU9HZbaV4XW31BpY7lGmWKI7ZFYCQttwpr3f4x/tB/AT9nbQYfFX7QPxv8IeBdLuJTFBqXjHxLa6ZbyOBkqslzIiscHoDmvze1j4q/8FTP+CRf7X/wH+Fv7SH7aen/ALR3wf8Ajj8RbbwNBJr3g630nxF4ev7oqsE6y2zN9pjVmDO8jP8AKrDbGWVq2f2SPgr8H/22P+C0n7X3jr9sjwHo3jjX/hFqHhvw18NPDHjCwjvrTw5olxYPcG5trWcMivcyDzDNtLAlgpAcggH6LfDL4ufCj41+E4/Hvwa+J3h7xboUsjRxa14Y1qC/tHdQCyiaB2QkZGRnjIrl/A37ZX7IHxP+Is3wg+Gn7Vnw28ReLbdnW48L6F450+71GIpneGtopmlXbg5yvGDmvi3/AILzeDPCH7EP/BGX4wWX7HngLRvhfYeLvEWkxeL7rwNo8WnRww399Y2F9dmO3VVDy2yR27sBllbnnmuR/wCC0v8AwT4/YK/Zf/4I3+Ivid+z38IPCXw/8QfB/TNI1j4XfEHwvp9vaataajDeWyW8i30SiWd7gsFdmZvMaQOcuFYAH6ReMvjb8GPhz4r0nwJ8Qvi74Y0HXNetL260LRtZ1+2tbvUYLOLzruWCGV1eZIIj5krICI1+ZiBzWb4E/af/AGafij8PdV+Lfwy/aH8DeIvCmhXUttrnifQvFtneafp08SJJLFPcxStHC6JJGzK7AqsikgBhn81/+CgHwj8Pftq/8FOv+Cb/AIP/AGmvCkd7ZeI/BXjPWPGPhy4jKwXk8WiafetaTx9HhNxGqyQsCroGRgQxFVP+C13w2/4RX9rP9kb9ib4AfsZeD/E/w68b+K/E/iXxF8HbTV7XwlovjTWNM061NnFe3CW7xMIU/e+VJG4n8qOIjhSoB+mPwY/al/Zk/aQN8P2eP2jPAnj3+zCBqX/CF+L7LVPshJwBL9mlfy8kH72Old3X5P2/7IH7evib9uj4CftJfCT/AIJDfDL9m9/AnjFLfx74m8B/F7TLoa14VuU8m9sLiytNPtBcBVKyxli5Ro8KoJBH6wUAfNPgz9sz4kfGj/gpd41/Y++Duj6CfA/wh8D2lz8T/Et/aTTXZ8Ral+807TbQpMkaLHapJPOzLIxLxxgRnLHE/wCCSn7ePxZ/bS+G/wARPB/7Tnhjw7oPxc+D/wAUNV8HeP8AR/C1tPBYs0Eha1vLeO4mmkWGaE8M0jbmikZcKQB5X/wQfaXU/H37bfiPxPk+JJv21/F9pemT/WCwt4rNbFOeTGqNIEPp0rnPjH4h0H/gmj/wXq0r48eJdVh0T4XftZ/DmfSvF2oXD+Xa2XivQIfOtrqZhwvmWP7lRjLPJI2Tg0Ae6eNv28Pi/rP/AAV/8H/8E5fgX4c8N3nhzSPhpe+M/jZr2p2dxNd6bDI4g0y0tHjnjjhneYo7iVJd0MoKhdpJzfh78VP+Cq/7Qn7Jfgb4m/s+fGD9kPVvF95qesR+Mda0r+2dd8LXMEV48VoumzWd6r+aiIVuPMdwJQyqF2kV5v8A8EAfDGvfHHwz8ZP+CsfxH0qaDXv2mfiPcah4djvE/fWXhPTWex0m2OeQQqTZIwHURNjoav8A/BsH/wAoYvhr/wBjB4q/9SLUaAPPPgj+2h/wXn+OP7bHxv8A2ItE1b9kWy1r4GweHJdb1m68F+KDa6iNYsDewiALqhceWg2tvA56ZFfoj8Aofj/b/CPR4f2pNS8HXfjxUm/4SC48AWV3b6Q7edJ5X2eO7kkmUeT5Qbe7ZcORgEAfEP8AwT5/5WAf+ChH/YP+Fn/qNtXvVh+1h+31c/tHt8K73/glN4itvAY8WyaavxSb4u+HGtzpi3DRpqv2AXH2vY0QE3kbPNAbaV3AigDL/Zb/AG4/iz8bv+CoP7Uv7FHivw94dt/CvwQtfBcnhTUNPtJ01C7Or6Sby5+1u8zRyBZBiPy448Lw28819U1+eH/BPn/lYB/4KEf9g/4Wf+o21fQn/BWj9qDVf2Pv+CdvxT+N3hR5T4lh8NtpXg2K25ml1vUHWxsBGo5dhc3ET4HOEbpjIAPOP2e/26f22f2s/wBlz4xftE/s1fBTwL4muNP+L2peG/gTpV/qU+mW2u6JYX0NjPql7dvJIGzIt9IqxJHlbdUwWbNVP+CT/wC3R+3B+0z+0F+0V+zX+3T4L+F+j+JPgnrXh+yg/wCFXR6gbWX+0bS4umEkt7M7TFFSFdyxxDdv4YbTX0B+wL+zBpf7F37Fnwx/ZZ0tIs+CfBtlp+oTQ/duL4Rh7ucf9dLhppPq9fKf/BLH/lL5/wAFDf8AsdvAv/pknoA+2P2g/j18Lf2Xfgl4n/aF+NfiaPSPC3hDSJdR1m/k5KxIOEReryOxVEQcu7qoyWAr48/4I7f8FLv2wf27Pj3+0H8Jv2tvgb4Y+H8nwxk8K3nhjw/pEF0NRtbHXLO8v4YNSkmnkSS6jt0tFfy44QshmBXoF8+/4Kt/HH4ia7/wUI+G/wAGPi9+xP8AH/x38AfhzY2/jbUl+E3wmvvEFt4v8UiVhp9ndvEFiFpZBTctEXYyTGIOhVQa80/4JLft36b44/4La/tevH+yb8dtK/4WzrXgRIBrnwvubY+E/sWhXaE67ub/AIlYn6wGTPmryKAPu34V/tmfEJf+CkfxE/YA+O2iaHZyJ4QsvG3wf1nR7aaE6zoLv9lvYLkSyyKby2vFwTHtDwyo3lptJb6Tr8+v+CgrzaT/AMF3P2BdQ8J5GqalY/Eyy11Yv+W2mJolvKolx0RZcsueC9foLQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAGf4t8JeFvH3hbUvA3jjw7ZaxousWMtlq2lalarPb3ltKhSSGWNwVdGVipUgggkGvjDSP+CE/wAFfh5aTeEv2df23f2oPhR4Kkmd4Ph38P8A4xyQaPZB2LOlstzBPPbKSScRTL14Ir7fooA+TvjP/wAEa/2S/i/+wnpv/BPaz17x34U8FaV4li8QW+reHvE/m60+pLdyXj3Ml5qEd0XkkuJZJHYrnLfLtAAHN+GP+CM+ueGfEuneJH/4K/8A7aupDT76G5Onap8YbGW2uvLcN5UyDTAXjbG1lBGVJGRX2rRQB4z8AP2HPhN+zl+0r8Z/2pvBHiHxFdeIPjnqWkXvi2z1W7geztJNOtZLaAWiRwo8askjF/MeUlgMFRwT9gf9hz4Tf8E6v2atL/ZZ+CfiHxFqnh/SdSv722vPFN3BPeNJd3UlzIGeCGFCoeRguEBCgZJPJ9mooAK8H/bF/wCCfPwx/bK8Q+GvHmufF74oeAPFXhGC6t9B8WfCrx5caJfQwXLRNNC+wNFOjGCP5ZI2HBx1OfeKKAPkf4Jf8Ebf2ffhl+0DoP7Ufxd+Ofxi+N3jfwisv/CF6t8afHf9rR+HXkG2SWztoYYII5CP4zGxBAYEMoYbv7Vn/BKf4A/tQ/G20/ae0b4lfEn4T/E+30kaVdfEL4O+Lv7G1HUtPB3La3YaKWC6jU4x5kTMNqjdhVA+m6KAPCvhj/wT4+DXg79mjxb+yr8VPGnjr4veHPHlzczeL7z4v+LJdav9RE8EMDR+cQnkxqkEflpCsYjYF02sS1eI+F/+CBf7Kthd+F9C+Jv7Qfx2+JPgHwVqMF74U+EXxF+Jbah4Y0+S3/49l+yiBJJ44RgRxzyyIFG0gqSp+46KAPH/AIs/sU/Cv4x/tdfCT9tDxPr/AIgg8U/Bmz1628L2FhdQLp90mr2qWtybpHhaRyqIDH5ckeGyW3jipf2yP2Iv2e/27fhna/DH9oDw3eTx6VqsWq+G9d0TU5bDVdB1GLPlXtldwkSW8y5PIOCDhgw4r1uigD5U+CP/AASl8PfCP4p6D8VfF/7d37TPxLl8NXf2rRtD+I/xbe70yOYIyLJLbW0Futyyhjjz/M555NfVdFFAHyZ8F/2WvjH+zL/wVQ+KHxc+Hng4ah8Ifj54ZsdZ8UXkOoW8Z8NeLtNUW2TbySLLJDfWrhi8SyFZrc7wisGPX/8ABSr/AIJpfs8f8FUf2fbf9nT9o6/8Rafplj4gt9a03V/Cd5Bb6hZXcSSRho5J4JkCtHNKjAoch+MEAj6EooA5j4J/CDwN+z78HfCvwK+GWmGz8O+DvD1nouiWzEFo7W2hWGMMQBubagJbAyST3rhv2Ef2KfhX/wAE9f2ZND/ZS+C+v+INT8O6Beahc2d74ouoJr13vL2a8lDvBDDGQJJ3C4QYUKDk5J9gooA8Z+Dv7Dnwm+CP7YHxj/bX8KeIfEVx4q+N8OgR+K9P1C7gfT7QaRZGztvsiJCskZaM5k8ySTLcrsHFezUUUAfFfxq/4Ik/DX4rftb/ABC/bO8D/tz/ALSHwr8VfE9dKXxbafCnx7Y6VY3I06xisrYbG0+WQ7Y4y3zyN88shG0NtHPan/wRa8anx98NIdZ/4KAfGP4neCPDPxV0rxx4r0X43eLI9anluNIgvDp1vYGC1gWGN7q6WW4Em8SC1gwAU5+9aKAON/aB+EE/x8+D2ufCK2+LXjLwK+tQRxL4s+H2rpYaxp22VJN9tO8cqxsdmwko2Udh3yPjP4S/8G/Xw8+Cvxf1j45eBv8Agpr+13D4h8T6tY6h4xun+KOnD/hI5LQbYFvimlq1wgjzHgtnYzAEZr7+ooAK8b+Bn7EPwo/Z/wD2pfjR+1x4N8QeIbnxJ8dLjQpvFtlqd3A9jaNpNnJaWws0SFJIw0cjGTzJJcsAV2Dg+yUUAfJnw/8A2WfjH8S/+CtPjD9uf46+Dho/hjwB4Cg8DfBGxl1C3uH1Bblxd6rrbJDI5ty7lLSNJNshjidmRMrn6zoooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/9k=" + } + } + ] + } + }, + "considerations": { + "users": [ + "Who are the intended users of the model?" + ], + "useCases": [ + "Who are the intended users of the model?" + ], + "technicalLimitations": [ + "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?" + ], + "performanceTradeoffs": [ + "What are the known tradeoffs in accuracy/performance of the model?" + ], + "ethicalConsiderations": [ + { + "name": "The name of the risk", + "mitigationStrategy": "Strategy used to address this risk" + } + ], + "fairnessAssessments": [ + { + "groupAtRisk": "The groups or individuals at risk of being systematically disadvantaged by the model", + "benefits": "Expected benefits to the identified groups", + "harms": "Expected harms to the identified groups", + "mitigationStrategy": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-machine-learning-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-1.6.textproto new file mode 100644 index 00000000..92c133a5 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-machine-learning-1.6.textproto @@ -0,0 +1,63 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_MACHINE_LEARNING_MODEL + bom_ref: "component-a" + group: "CompVis" + name: "stable-diffusion" + version: "1.4" + modelCard: { + modelParameters: { + approach: { + type: MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED + } + task: "task goes here" + architectureFamily: "the architecture family goes here" + modelArchitecture: "The architecture of the model." + datasets: { + dataset: { + type: COMPONENT_DATA_TYPE_DATASET + name: "Training Data" + contents: { + url: "https://example.com/path/to/dataset" + } + classification: "public" + } + } + inputs: { + format: "string" + } + outputs: { + format: "string" + } + } + quantitativeAnalysis: { + performanceMetrics: { + type: "The type of performance metric" + value: "The value of the performance metric" + slice: "The name of the slice this metric was computed on. By default, assume this metric is not sliced" + confidenceInterval: { + lowerBound: "The lower bound of the confidence interval" + upperBound: "The upper bound of the confidence interval" + } + } + } + considerations: { + users: "Who are the intended users of the model?" + useCases: "Who are the intended users of the model?" + technicalLimitations: "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?" + performanceTradeoffs: "What are the known tradeoffs in accuracy/performance of the model?" + ethicalConsiderations: { + name: "The name of the risk" + mitigationStrategy: "Strategy used to address this risk" + } + fairnessAssessments: { + groupAtRisk: "The groups or individuals at risk of being systematically disadvantaged by the model" + benefits: "Expected benefits to the identified groups" + harms: "Expected harms to the identified groups" + mitigationStrategy: "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + } + } +} diff --git a/tools/src/test/resources/1.6/valid-machine-learning-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-1.6.xml new file mode 100644 index 00000000..aff62682 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-machine-learning-1.6.xml @@ -0,0 +1,92 @@ + + + + + Acme Inc + CompVis + stable-diffusion + 1.4 + Stable Diffusion is a latent text-to-image diffusion model capable of generating photo-realistic images given any text input. For more information about how Stable Diffusion functions, please have a look at 🤗's Stable Diffusion with 🧨Diffusers blog. + + + + supervised + + task goes here + the architecture family goes here + The architecture of the model. + + + dataset + Training Data + + https://example.com/path/to/dataset + + public + + + + + string + + + + + string + + + + + + + The type of performance metric + The value of the performance metric + The name of the slice this metric was computed on. By default, assume this metric is not sliced + + The lower bound of the confidence interval + The upper bound of the confidence interval + + + + + Performance images + + + FID vs CLIP Scores on 512x512 samples for different v1-versions + /9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAIBAQEBAQIBAQECAgICAgQDAgICAgUEBAMEBgUGBgYFBgYGBwkIBgcJBwYGCAsICQoKCgoKBggLDAsKDAkKCgr/2wBDAQICAgICAgUDAwUKBwYHCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgr/wAARCAH4AxgDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPDv2yv+CkH7G3/AAT/ALrwpYftYfFe68N3PjiW8i8K2tl4S1XV5dQe1WJrgKmnWs7LsWeI/OFyG4ztbGN+y9/wVb/YY/bK+Jp+D/7PHxO8Qav4gXTZb82mpfDPxDpMfkRlA7efqFhBDkF1+XfuOeAcHHyZ/wAFx/ird/BH/gpn+wN8U7D4UeLfHE2j+KfHUieFPAmnRXerahu0qyj2W8U0sSOw37yGkX5UY5JGD9i/smftw69+1R4r1Twvq37DPx4+FKaZp4uk1T4teE7HT7S9JkCeTA9tfXDNKM7iCqjaCc9qANj4f/t7fsnfFH4O/Ef4/eBPit9u8JfCTWNa0v4hat/YV/F/ZV3pMIm1CPypIFln8qMht0KSK/RC54rwnSf+DiL/AII+6xY22sJ+1feWenXao1vq+r/DHxLY2LK33W+03GnJCFOR8xcDnrXyt+wD/wAodv8Ago7/ANlg+NH/AKaEr7a/4IwWNlqf/BIL9njTdSs4ri2uPg3osdxbzxh0lRrNAysp4YEEgg8EGgD6G+F3xW+GPxu8B6d8Ufg58QtF8VeG9Xh83S9e8P6lFeWl0mSCUliZlbBBBweCCDgit+vzQ/4Je+GNH/ZN/wCC1X7Xn7C/wZtE0z4YXGjeHfH2h+FLQbLPQNSvLeNb1LeMfLCkzyBtigKqQxKoAQV9Zf8ABUXVP2qfDP7A/wATPHX7FPjt/D/xL8MeHX1zw5crpFrf/avsbLcT2fkXUUiOZ4I5oVwAweRSGBFAHvtFfB37Zv8AwVc1Sw/4I0eH/wBt39lSaMeP/jNpOiaJ8JdOjiiuHj8TauywJbqkqtHLLav9pYo6sjNaFWDAkHgv2/v2yv2sP2eP2i/gZ+w744/4KA+GvgRo+v8Awqk1Txd+0j4s8Eafdp4j8RWskVvLptulysenWLuC10xdAoWRFUL8quAfpdRXhH7BugftAaX4C1PWPjJ+3l4f/aD0nVLmKbwl4x0Pwhp+lGKEKwlikOnSvb3PzbSsiBMcgg9a8O/4ORPj78R/2dv+CPvxT8U/CjXZ9J1nWxpvh5dXtpSj2Vvf30NvcuGHKloHljDAgqZAQcgUAdj8TP8Aguz/AMEnfhN451P4d+KP2w9KvNT0SYxayfC/h/VNbtrBwSGWe6061ngiKkEMGcbSCDgg16F4w/4KZ/sI+CP2Qbn9vbVP2ktEvPhFZywRXXjTQIbjVIIpZbiO2SIxWUcswk86WNGTZuQt84UAkdh+yh+y58G/2Mv2fvDP7N/wI8IWWj+HfDOlxWsEdpbrG11IqASXUxUZkmlYF3kbLMzEkmvhf/g5o+Fvw2+FP/BC3426b8MvAek+H7bVfEug6nqNro1hHbRXF5Lr2nebcMkYCmR9oLNjLHJOSSSAfpbXnfgb9q74BfEn9ofx1+yn4K8e/bfH3w1s9NuvGug/2XdR/wBnQ38PnWjefJEsM3mR/NiJ3K9GCnivRK/PD9hr/lYa/bm/7E/4b/8ApnoA7zUf+Dhr/gkNpGo6pp2o/tS6jENF1SfTtWvT8LfE5s7S5hkMcqPdDTfJXawILb9vfOOa+svhR8Wvhj8dvh1pHxd+DXjzSvE/hjXrQXOj67ol6lxbXcRJG5HQkHDAqR1VlKkAgivx4/4Iz/8ABVf9ib9kL9lL4q/BL44ah4u1TxRJ8dfGV0nhDw18Lta1l9ShmugqQpLb2j2jPJtZdjzLjPzbQc19af8ABuV+zf8AG39mz/gnjcaX8b/hlf8AgWXxb8Sdd8UeGfAWqxmO58N6PdyR/ZrKSI8wsPLeTyyAyiYbgrblAB9c/tH/ALT37Pv7IXwtu/jV+0z8XNF8F+F7KVYpdX1u7EaPK2dsMajLzSsFYiOMM5CnAODXi3wH/wCC0/8AwTL/AGlfilo3wU+Ef7TsNz4q8RSFNA0bWfCmr6RLqTBSxFub+0hWY4BPyE5A4ry//gtj+yx+1P8AFXxd+z5+1l+y78F9M+K118BPiFc+INa+Eep6vFZf8JDBNBGizQSTgxC5tzGWj3AkNJuUOV2NF8Dv+C437PPxa/aC8Ifsr/tmfsffFL4CfEXxDqiJ4Hs/jB4NWPTtT1HIVI7C/BKvMWbYrlIwWdUVizhSAffNFfBPxj/aW/bl/bK/4KM+Pv8Agn3+wx8bdF+D/hv4J+HtHvvir8T7vwhBr2qXGparC1xZabY2t0fsyJ9nVneaQOQykADbhus+N3x4/ac/4JOf8E8/i9+1B+2D+0XY/HS88G2iXfhK+XwTb+HZ5ZJ3htLazu0tHaJgbuaPM0aoQjn5MqMgH2VRX5gfGnX/APgul+yR+xhP/wAFI/Hn7aXg7xrqPhnQIfFXjz9n5/hXY2OkQ6ZtWW8s7TVInN6JreEuRLIzhzEflPAboP8Agob/AMFC/wBsC68d/sQyf8E7/GOlaZaftJ3F7Nc2PirRYLq0msrjSbS6tbi5+UzKtqty9yY7eWJpTF5ZfDZAB+j9Ffmz+3B+19+2B/wS4+GXgv4M/Ev9vbwb43+JPx1+IZ0vwp8Sfin4S0zwx4f8BaVBbI+oXk6WsiJcLFuQxJNJuZ51VncKEfz3SP8AgqB8Sf2Rf2j/AIQaXr//AAWa+C/7XHgz4o/EKw8F+KPDnhqz8PWGu+F7i/LJbarapo9w5ls0mCpMJlYqrqAxZwVAP1oor8uvjt+3V+0d8Sv+ClvxW/ZD13/gqT4N/ZE0f4frpEfgLStf8D6TeXvjuK7tBNJqC3WtMIGjWUtEsVv8/wApDYZCW/Qb9mDw98Z/C3wQ0XRPj/8AHPS/iV4njE73PjjRvDselQatA8zvbSi1ikkjjbyGiVtjFWZSwwGwADv6K+P/APgrB+2p8f8A9n2/+Dv7LH7H9tokXxZ+P/jl/D/hrXvEtqbix8PWNvEJtQ1N4Aw+0PDEyFIidpLEndt2N5R46+Of/BRr/gl7+058ENI/az/a4034+fCf43fEG18AX2qXnw5sPDuq+FtfvEY2EkP2AiO4tpXSQOsilkVCdxOMgH6L0V+b/jP49/8ABTb49/8ABZH4y/sE/s7ftMaN4B+H/hf4deHdc/4SPUPA9lq11oEk8f7yOyidU8+e5kbJe6klihjgk2xFnXHoH/BN/wDaX/bB0r9tn42/8E2/21fi3pfxK1r4b6RoviTwf8SrDwxBo1xq+lagjh4ru0tv3EcsMqqoaMAMCxPYUAfbGrarYaHpVzreqz+Va2du89zLtLbI0UsxwAScAHgDNfFuif8ABxP/AMEifE2lw654c/aO8S6hZXAJt7yx+Cvi+WKUAkEq66SQ3II4PUV9h/EDSb7X/Aet6FpkQe5vdIuYLdCwUM7xMqjJ4HJHNflZ+zFr/wDwWR/4Inf8E4vCmifF39jb4U/ED4ZfCbQLm48XW/gf4jXf/CUWenG4mu7q88ue0W0l8hJXYxxyMSsR+YDLAA/TL43ftJ/Ar9m34OXn7QXx5+Jum+FPBthFBJea/rLtFDEJnVIgQRu3O7ooXG4lgMZrhf2KP+Ckv7FP/BRSx8S6p+xp8bY/Glt4QvILXxDPDoOoWSW0syyNEAby3i80MI3O6PcvHJGRntvh34x+CP7Y/wAAPC/xX0bSNO8UeCvGuiafr+ixa1psc0csEqJcW7vDKGCyLlTgjKOvYivi7/gkVaWtj/wU4/4KA2VjbRwwxfFPwykUMSBVRRpEgAAHAA9KAPpf9rP/AIKZ/sLfsN+JdM8EftQftC6b4b1/WbL7ZpXhyDT7vUdSurfe6CZLSyhmnMZaORQ+zBMbAHINbX7JH7eP7In7dvhnUfFn7J/xz0nxhb6NdLb61a2yTW17psrZ2rc2lykdxb7trbfMjXdsbGdpx6Nc+FfAmneJrj4oXfhzSYNZGlLZ3XiKSziW5FjG7yrC9wRv8lXkkcIW2guzYBJNfnP/AME8b/Sf20v+C1/xq/4KWfs3aCLP4L6b8MIPhpF4rt4fKtviF4gg1CO4uNTgwMXEVtHF9lFxyGCx7GILAAH6XVy/xr+M3w1/Z1+EfiP47fGPxJ/Y/hXwlo8+qeIdV+xzXH2S0hQvJJ5UCPJJhQTtRWY9ga/P79pz/gqN+0d/wSK/aK8eeB/217bXvix4E+IdrNq/7M2uaF4bt4r2XV8pGfBl0tjAil/MkjaC5dGdoixZpX+SP0jX/wBmb/gor+0B/wAEa/ij8GP2qPiHp/in44fFfwPrHk6FBZ2OnaZ4ZlvoSLbRYZII08yO3DKjTzPLIz7z5jrtoA6H4df8F4/+CXXxY8U6F4N8AfHXxNf33iXULWy0Qf8ACnPFkUNzNcOqQ/vpNLWJEZnX947KgByWAya9y/at/bO/Zc/Yd+HcHxX/AGsfjRpHgjQLq/FlaX+rM5+03JjeQQxJGrPI+yN22qpOFJr4XH7av/BSv/gkF+zv8Pb/APb6/ZL+Gur/AAQ8I6TofhbxL44+Efji9vNT8MQKkFjDf3lpeWkQuEaTywywHgyDBJwG/RzXvB3w7+JVppuoeJ/Cmja/BaTrfaRNqFhFdLBIUIWeEurbG2OQHXBwx5waAOD/AGOv23P2YP2/fhG/x2/ZI+Jw8W+FI9Xn0t9VGjXtji7hVGkj8u8hikOBIh3bdp3cE4OOE/aY/wCCvH/BOf8AZA+J1z8Ffj5+0zYab4vsreOfUPDGk6HqOsX9nE8ayI88GnW87who3RwXC5Vw3Qg14N/wbfgL+yx8Z1UYA/ap8c4A/wCvmGvuDxTd/Bj4GaP4q+Oni1fDvhazFp/afjTxVcww2okitoAgnu58AuI4Y1QM5O1EVRwAKAMj9mb9q39nP9sn4XwfGf8AZf8AjBovjTw1PO0H9p6NcFvJnUAtDNGwEkEoDKTHIquAykjBBPoNfnJ/wQp8Nav8Vfjx+1N/wUh8GfD+68H/AAm+P3jrSrj4V6Dd2RtW1G1022nt7jXvIIHlLfyy+cCQGYhycjYx+zf21PjF8Rf2ev2RPiX8dPhF8Pz4q8UeEfBGpatoHh4RO4vrqC3eSOMpH87ruUEonzMAQvJFAHp1FfmT/wAE6fjP+1h+2Na+AvjD4L/4L9/Dfx3qGof2fq/jX4M6Z8KtBj+y2zGOW80xRHMmpWrpGZIlnl3HcocpjIr1X/gq3+0ZrvwF8b6FJrH/AAWT8C/sweHbvQw0Oj3vw+0/Xdd1i7E0okuI1vHfZbKnlJ8lu3zh8uMgUAfcNFfnp/wRN/4KheKv2yvip8Yv2W/HH7R3hX40N8MG0q/8L/GLwl4cbR4/EumX0cm5bmy+5Bc280Rjby8I4cYHylm8p/4J3/ET/gtr/wAFK/2U/E3xi0L/AIKDeH/hxN4e8eeIdG8Jzn4T6Vqdx4ka1u3Ef21nRIbW1T5LZRBCZj5csryMSqUAfrDRX5YfsiftE/8ABYr/AIKufsEWf7a/wl/af8JfAm6stKu7XRvCumfDq11tPFep6fuiurm8nvmY2NvNdRSwpDApeJULmWQkIHftP/8ABXr9pnX/APg3P8K/8FQ/gTeW/hX4ja2+hx3iafptvcwm5/ttNOv4oYryOZFjlaOYJuVmRZBhiy7qAP1Nrz/x3+1J8Cfhn8fPAX7MHjfx19i8c/E631SfwPof9mXUn9pR6dAs94fOjiaGHy4mVsSuhbOE3Hivg39s34nf8Fkv+CdXwCH/AAUh+KH7WfhH4g6D4au7C9+KXwDsPhtZ2FhY6bc3EUNxHpeqLI15JLbGYBZJ3ZZApkKjHlN0n7YniXR/Gf8AwXJ/4J9eMPD1z51hq3hH4l3ljNtx5kMugWzo2O2VYGgD9DqK/LX48/8ABUjxv8ff25fip+zH4B/4KmfB79kvwR8GdRt9Fu/EPjQaJeeIPF+stHvuhbW+sTpDBZ25/dGQI7M4ODhsR7P7H3/BW347eJPhf+1V8JZfiL4A/aK+IX7Ovg//AISLwL4++GBhbTfiDZ3Gnz3FskkFjLLHHdRTwGGeKBsEuFQbhuYA/TGivy//AOCdPxy/a3/bV0fwJ8Y/Bv8AwX5+G3izW9USw1fxj8EtO+FOgoLGFtkt3pYVZk1OBo0MkQnkydyBymOK/UCgD59/au/4KnfsG/sSeP7D4UftIfHhdI8Ualpn9o2vhzSfDWp6zf8A2PeUFw8Gm21xJFGWVlDuFBKnBODXvtjeW+o2UOoWjlop4lkiZkKkqwyDggEcHoea/H/4C/sxftveIP8Agvj+0To2gf8ABTLXtI1jRvAvhS91TxAnws8P3Emq6XO8ksOlGKWAx28cKjYJogJZM7nJYZr3Hwt8dv8Agon/AMFNv2tfjh4I/ZI/ay034C/Cr4FeNpPAya1afDyw8Rat4o8Q26A35kF+TFbW0LsiqqLvcMDuBJ2gH6KUV+ef7N3/AAUO/ay139m79r/4G/tE6lokXx1/ZY0fUkm8ZeG9LSKy1qCbSLm+0fVhaS+YkUrrAXeAhowVHGGKCf8A4JK6l/wVU/bC/Z++DH7bX7Sn7b+maToes6Db3mo/DLQvhlprf8JFaeS8a3d7qDAPBPcPi52WkcMcSlI9rfMSAfoLWX448Z+Gvhx4L1j4h+M9S+xaPoOl3Go6teeS8nkW0EbSyybIwzttRWO1QWOMAE8VyP7Wn7Q/hv8AZJ/Zh+IH7Tvi3Tpb3T/AXhC/1y4sIHCvd/ZoHkWBWIIVpGVUBPALAmvzm8Rr/wAFqfij/wAEvPFP7ffj79rzwdfL4x+EWoeJrj9nmL4ZWsGmWug3enSTfZINWWT7aL1bOTzFeQyJ5wEbIy5egD7v1z/gop+xx4b/AGZPCP7Y+tfGHyfhv47vNNtfCniP/hH9Rb7dNfyeVaL9nW3M8XmOcZkjUL1YqOa1P2t/25P2U/2FPB+m+Ov2qvjBZ+FLHWtRFhosbWNze3Wo3O3cYre1tIpZ5iBydiNtyM4yM/nHpP7S3xp/ZV/4NyP2UfiL8CPF0Wi6xfan4E0a6u5tItL0PZXd4Ip4vLuopEBZCRvCh16qynmtD/grN8B/2p/G/wDwXM/Y2svh/wDtz6v4STxcfiA/gFYPAGj3y+BpLLw1atePCLmJhqBvOQftW/yN2YdpoA+1viD/AMFa/wDgn18KfgL4O/aV+I3x+Oj+FPiDc3EHgtr3wpqy6lq8kEjRzLDpn2X7cdjL8xMAADIejoT7L8FfjN8O/wBob4V6L8afhNq9zf8AhzxDafatJvLzSbqwlli3Fctb3ccc0Ryp+WRFPfGCK/J39s39lr9uiX/gtb+yh4Guf+CoOvy+I9Q8A+LX8M+MX+FHh7zPD0ltpNrHfyR2v2fyJzfMrO/mqfJ37YtqgCvV/wBsv/go18Xvh9+1n4W/4Jg6H/wUZ+GPwX1Hwp8LLDXviz+0R8VbPSIbrV759sMVrpunXUsNkLmfa11KMNHGkoCKNm1wD9NKK/OP/gnX/wAFJvHepf8ABQK+/wCCeXxK/bw+GP7Tek638P5fFfgb4t/DwaZDdW01vcLFdaRqdvpcslssgRhNHIgTKKcglgE47/gm/wDFD/gsD/wUh0D4l+Lb39vXTPht4X8BfHHxD4b0O/sfhVpOqapr0NrdAiCXzUSC3tYYmjhUrE1xI5mZ5RtQUAfqbRX5KTf8FU/H37afxz+KH/CJ/wDBZX4Jfsj+A/h746vvCfhTRfEUHh7UPEXimSyISfVbmPWblBb2bykiFYkDMqsGYFdzdR8Kv+CuXx5+LP8AwSn/AGsPHdl8XfBWrfFv9nK01rTrL4ofDhbW+0PxCIrM3Gna1bRv50H7xd2+E+ZGHibgBtigH6h1z/jv4s/Cv4Wz6Ha/E34l+H/DkvibXIdF8Nx69rMFm2ralMGMNlbCV1M9w4VtsSbnbacA4NfmP42+J/8AwW80D/gmLpv/AAVVb9uHwhY6honwtsfG+o/BU/Cmxl03VNNSzjuZlu9RyLpbuW33Tv8AZxDEkjGKNFUCSsP/AILTXvxi/ay8NfsB/tF/CT9ovUvAekfEX45eBZ9B0KHwxp9//YurajaT3dtrIluIy00tvG5jFs/+jvncyE4oA/XSivNP2VvhP8ffg58OLjwr+0b+1ZqPxh16XV5bmDxTqfhDTdFkhtWjiVLQQadHHEyqySP5hG8+aQThVx4F+3h+1V8fP2PP2/P2a/EF948x8Cfiprt38PvGuiTaXa7NP8R3UZl0a+W5MXnqZZFkgZDKIgqbthY5oA+yK+W/2kv+C1X/AAS9/ZH+Mb/s+fH79rbR9G8axXsFpc+G7TR9Q1G5tpplR4kmWyt5fJLLIjDeVGHB71znx0/aq+PfjP8A4LCfCP8AYK/Z28ef2R4c8O+BtT8ffHiSHS7W5N1pzMLTS9OEk8Tm3eS63SP5ZSUxEEMAMnyb/g5b8A+BNB/4Jwap4w0PwVpNlq+rfFjwe2q6paabFHc3rLqluoMsqqGkIVVUbicBQOwoA/SCiqHijxV4Y8EeH7rxZ408R2GkaVYxebfanql4lvb26dNzySEKg5HJIFfLn/BRP9pjx94p/YH+KfxH/wCCZX7Tvha9+JXgDQV8RWv/AAjl1pmuCW3tXE9xaSwMJgPPtoriNCAr79u1gQaAPrKivhH9u3/gqZrmmf8ABIrwr+1x+xzexr8QvjrD4f0H4M2jQw3Lx+INZZESIpKrRvLbL9pYo6Mpe22spBIrk/8Agob/AMFFfi7+zh8bfg7/AME1tC/bT+G3wv8AGfiH4eDxF8TP2hPizHp0FtZWUB+yCSzspnt7Sa+vLuKdhEdscaI5WMjlAD9GqK/Mn9j3/gpf4+8Cf8FFfAX7DXjn/gpb8Kv2sPC/xf0LV5vDXjbwNHo1tq/hfVtNt/tT2moQaPM9ubae3EhikKo7SRsvIQ5pfsv/ABa/4K3/ALfP7Tv7Unwf8Eftv6Z8L/A/wl+OGpaF4a8UQ/DHS9Y1V4gAIdMijnRIFggRfMeaZZp5WuUUOoQkgH6h15/+1H+1H8Cf2LvgTrv7S/7S/jn/AIRrwT4a+y/23rf9mXV59m+0XUVrD+5tYpZn3TTxJ8qHG7JwoJH54fFv9t/9qDx5/wAFFPiX+xt42/4KveDf2UrL4cWmiW/g2DxB4A0e4vviH9psVmn1RZ9YYW4j8/fGsFr8wwVJBQlvTP8Agqx8dP20P2Fv+CEvj744W/7UGjeLfiv4ZGkPY/E3TfA1hDa38F14ksoEl/s6YXNqGNlceW3DqWzIm07doB+gdFfFX/BSH9r39qWw/aw+Dn/BNf8AYd8SaJ4V8efFi01TWvEXxG1/RV1KPwnoNggLzwWbsqXNzLJujQSEoCmGHz74+R8E/tE/t5/sHf8ABRT4U/sZftpftF6Z8bPAfx80/V4fBHj5vBFnoGq6FrenW4uJLO5hscQTW8sTKEcIr73A4CMWAP0Dor8y/hL8ZP8Agqz+2n/wUC/ar/Zg+FX7Y2lfDPwB8J/Gul22ieKG+HOm6xqlqLiwEi6daxTIkJj3LJNLPc+fJzEkYQFmHXfsc/t8/tq6b8Fv2uPhD8erHTPin8Yv2WLi+XRtV0DQ/wCz18bwvpUl/pnmWcBIhuJTGUdIePnVVBYFmAP0Gor8tf8AgnT8fv2vf24vDfgf4yeEP+C+3w11zxNrENlq3i34Gaf8J9CA0xW2S3Wk7POTU4mjXzIhcOSSyb9pHB/UqgAooooAKKKKACiiigAooooAKKKKAPjP9v39lH4+/Gz/AIKU/sZfH/4Y+Av7T8I/CfxJ4uuvH+rf2paw/wBlQ3umW8Fs3lSyrLPvkRlxCjlcZYKCDX2ZRRQB+b/7IH7BP7WPwu/4JsftrfAHx38KfsPi34t/Ej4nap8PdJ/t2wl/tW01bTlh0+TzY52ig82QFdszxsnVwg5qp+xB8Vv+Cx/7LH7Fnw1/ZOsf+CMNxda14F8E2Gg/8JHr3x/8N2+nTSwQrH9oZLWS4nCZG7YqliOMjqP0rooA+Qf+CYf/AAT++Mv7N3jv4r/tiftj/EHQ/E/xz+OesWl54xm8LRSrpGh2FnEYbHSrEzASPHFGdpkcAvtjBBMe9/r10SRSjqGVhggjIIpaKAPyK/Y8/wCCSP7avw3/AOCiPhb4NfFbwFaQfsm/s/8AxM8WfEL4LamuvWco1G81QQNp2nNaJM1xF/Z8s97MkjxIpcS8kMm77W/bq8b/ALYWm+K4PAvw4/4JkeF/2iPhnqehRPqltqHj/S9Nu7XUhNOHje01WM29xAYvIKuJFYM0gIIxXb+P/j1+0X/w0XrPwF+BHwL8Fa+nh/wVouv6nq/i74k3ejEnUbvVbeOCKG30e+3hP7KdmdnTPnKAvykl3/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5w/4I2/sH/HX9lz4w/Hv9oH4ifArwx8EvC3xc1rR7nwj8A/B/iCPUrPwybO2khuLt5LdEtUmumZXKW42KFAJIVAPpv9uv8AY9+HH7fX7JPjj9kT4rXM9to3jXSPsrX9qgaWxuY5EntrpFPDNFPFFKFPDbMHgmqf/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfNPwb+NH/Bcb9ln4caZ+z/8AFH/gnT4f+PN/4ZsY9O034reDPjPpmiQa5bxKEhnvbPU0We3uCiqZWjEqs5YquMZwf+Co/wCzH/wU0/b2/wCCKfxH+B3jb4N+Dbj4y+LfEWmXeieA/A/iWP7JYadBq9jOtu99qDQRy3CQwyvJJlUZsiMY2ivrT/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegDwW1/b8/4LEy3McVz/AMECNbijaQCSU/tLeE22KTy2A+TjritT9lP9lH4+/Db/AILKftW/tWeNfAX2LwD8SvDfgm18Fa9/alrJ/aM1hpvk3a+RHK00PlyfLmVEDdVLDmvZv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDxn/gh3+yj8ff2Pv2W/Gvw5/aL8Bf8I7rOr/GzxPr+n2f9qWt35unXdwj282+1lkRd6gnYxDr/Eor7Mrxn/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegCt+2T8Sf27/ha3hjxL+xj+zR4S+KtiJbtPGnhnW/G39g6iVIh+zSWNzLG9ucHz/MSUDP7vaw+avj39pL4Cf8FLP+CtXxa+DHgz4/8A7EOjfs/fDT4V/FnTPHuu69rXxM0/xBrerzWAkEdjYxaaGS3WTzWDySOP4WAzHsk+y/8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APm74x/s1/tzfsZ/8ABRrx9/wUD/YZ+B+jfGHw18bfD2j2PxU+GN14wt9B1S21PSoWtrLUrG6ux9meP7OzI8MjIxZiQTuyvW/HD4DftN/8FY/+Cefxd/Zf/bA/Z1sfgXeeMrRLTwlYr42t/EU8UkDw3dteXb2iLEoF3DHmKNnJRD8+WGPZP+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD4n+NWg/8F0f2uP2MLj/gm747/Yq8H+CtR8TeH4fCvjz9oCT4q2N/o82m7VivL200uJBema4hDgRSKgQyn5hwV9V/aD/YA+KOk/tO/sFQ/ADwRLqnw+/Z1m1fTvE2rT6pawvpmnDQIdPsnaOWRJJy7RBSIUcg8kAc19B/8Jx/wUL/AOjX/gz/AOH41b/5l6P+E4/4KF/9Gv8AwZ/8Pxq3/wAy9AHkP/BXH/gn58Qf2wrH4WfHP4EaP4O1n4i/BHxfLrfh/wAK/EK283RPEtlcQiG+0u5Ox/KMsaRmOUqwR4xkDdvThfgjoX7UXiz4s+FtO1//AIN8/hF8LNPg1y1l1/xxqvj7w3fnTrdJVaSaxg060aeacAZiL+SAwBbGK+mP+E4/4KF/9Gv/AAZ/8Pxq3/zL0f8ACcf8FC/+jX/gz/4fjVv/AJl6APBP2zNa/bM+IXjPxF8KPHf/AAQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV1//BFf9iz41/sFfsMad8B/jxrGmnWH8T6rrFr4c0PUZryw8L2d3cGWHSbaeYBpY4QSS2Mb5HwWADt6Z/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AHkv/BV/9iz4/ftBah8Hf2qP2QLjRJfix8APHL+IPDWg+JLs29j4hsbiIQ6hpjzhT9neaJUCSkFVKkHbu3r5R47+Bv8AwUZ/4Kh/tN/BDVv2sv2RtN+Afwn+CPxBtfH99pd58RrDxFqvinX7NWFhFD/Z4MdvbRO8hdpGDOrkBQcY+sf+E4/4KF/9Gv8AwZ/8Pxq3/wAy9H/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6APJfgB+y38dvBP/BZn9oL9q/xP4F+y+APHHw38KaX4X1/+07V/tt3ZpILmPyElM8ewsPmkRVbPyk0fBn9lv47eFP+C1fxo/a31/wL9n+Hviz4P+HNE8P+IP7TtX+1X9rM7Tw+QspnTaCDueNVPYmvWv8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APSfijqHxB0n4Z+ItV+Evh6w1fxXbaFdy+GdJ1S8Nva3uoLC5toJpQCYo3lCKzgHarE9q+Cf2mfin/AMFuP2w/gF4n/ZN8Kf8ABLbw78KLvx/oV14f1r4k+KvjnpWr6Zo9ldxNBczw21jH9qnk8p32ZjXaxUkNjbX1b/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AGT4J+F3xA/4J6f8E8vC/wAFv2YPg/efF/xB8MvBmlaLofhgeILTRZvEDw+TBNMbm7byLYlTLcEMcfKUXkrXw7+wcP8AgsH+zz+2x8dfjr44/wCCOOpJov7QHj/RNTuZF+PPhdj4Xtre3NrK7hJ2a7wrmXCKjELtAJINffH/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AfJX/BcXwD/wAFSP2kvF/hH9lf9mP9lnXvFfwB1SwjvvjNqvg34j6LoeseIB50ynw/HJqF1E9tbskcTzTIj+alx5YICSK/u/7AfxK/aZtG039njxj/AMEmb/8AZ8+HfhjwwYvDt+PiX4e1a0iaJ4kisUttNneVSyNI/msNuY23Hc4z33/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6P+E4/4KF/9Gv/AAZ/8Pxq3/zL0AfHPxR/4JRfGP8A4K1fGz4mfGv/AIKU6NrHw/0PRbK58M/s0+CtK8SW8934WXdHKfFk0ljPJCb+aaOIpF5hEccZjcNhGr3b9nL4g/8ABVrwX+wXqOm/Gv8AZn0TxR8efAeox6RpwufG1laaX8RrKG6iT+1ormFpWsJJrQyuUuIkYTpkxqr7V9Q/4Tj/AIKF/wDRr/wZ/wDD8at/8y9H/Ccf8FC/+jX/AIM/+H41b/5l6APjP9tXwR/wV0/4K0/BWb9hXxl+wVo/7PPgLxfqNiPiN8QvEfxY0zxDdLptvdxXLwadaacCWmdoUAebYuMqQu7ev2p+0x4/+P37N/wS0ib9kT9kG7+Mmr2d7a6Yng+18c6foL21gsEgN0brUCI3CGOJPLHzt5u4cK1V/wDhOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA+JP+CLHh7/gqj+yHNrXwA+P3/BLG/0Pwz4++Mmv+LtV+IA+M3h26j0C31FhKsTWVtPJNclGjVCUwTvztABqn/wVh+EX/BUH9rj9tbS/hXqf/BPzW/iV+yd4Kaz1I+GfC/xV8P6MfiJqwihnX+0/tt3HMljbTM8YtfLAleDzCzB49n3P/wAJx/wUL/6Nf+DP/h+NW/8AmXo/4Tj/AIKF/wDRr/wZ/wDD8at/8y9AFP8AYw+NX7UHxRtNW8P/ALQP/BPbUfgPp+g2lnD4ahu/HuiazFqKESK8USaXK4tlhWOIYcKCJQF+6cekfG/WPi94f+E2va38A/Bmk+IvGNrYNL4f0LXNUaytL+4BBEMk6qxhDDI37SAcEgiuD/4Tj/goX/0a/wDBn/w/Grf/ADL0f8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXoA/Pz9qn9i79tn/AIKL+P8AwHLF/wAEhvA37N/jLQfiJpXiHVf2hB8TNF1DVLCC1nEs0dp/ZUS3V3JKMhRceXHkDcFJDp6x8e/2av22v2dP+CtXij/gof8AAb9jPQv2g9B8ffDrS/D0OnzeN9P0TWPBVxZsd5t31EeU1tPkO4jYOXJJA2DzPqv/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5f/AOCbn7Ln/BQfwr/wVI/aC/bU/bV+GehaDYfFLwX4ch8PReG/EUF/aacbUOn9mBtyzyyQRCPzZ3hijkleQx5TBr0b/gh/+y38dv2QP2IpvhB+0V4F/wCEd8RN8SPE2qLp39p2t3m0u9Slmt5PMtZZI/njZW27ty5wwB4r1r/hOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA8Z/4Iifso/H39kL/glV4V/Zt/aJ8Bf8I9410288SPe6L/alrd+Wt1q99cQHzraWSI7opo24c43YbBBA+DP2u/2VPjz+yl/waUeFf2Vv2gfDLeEfHeh+KNKttWsF1C2vTYSXHjJp4XEtrLJFJ+7mif5JDjOCQQQP1Z/4Tj/goX/0a/8ABn/w/Grf/MvXn/7TXwU/aV/bG+E1x8Df2jv2Jfgz4j8LXeoWd9caX/w0X4gs989rOlxA/mWvhuOQbZY0bAbBxgggkUAfOf7Z3wz/AOCyX/BRb4A/8O3vid+yV4S+HuheJruwsvij8fLH4lWd/YXum21xFNcS6XpaxreRy3JhBWOdFWMOYyxz5q+x/tE/sbfF/Wf+Cpv7G/xv+FHw88/4bfBvwx430zxVq39q2yf2St5o8Fpp6eTJKs0+94ymYkfbjL7RzXtP/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfG3xN/YB/aB/ZI/bW+K/7RnwK/4J9fDf9pzwB8a9ag8Qan4X8Q6rpemeIPCmtCIR3T29xqkTW9zaTkCTZvR1c4AAXMnuv7MNn+1x4d+GHxK+Iejf8EtPhN8FfFi6Vbr8P/CGm+MbGefX7hBM0iald6daJDbR7vJEewzYLSM3QA+qf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB+fH7YX7GP7cH/BSXX/CWmL/AMEgPAv7O3jnTPHel65fftFn4naLqGpaRHa3KzTfYzpcS3l1JIAQon8tM4LBTh0/W2vGf+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDyX4Afst/HbwT/wAFmf2gv2r/ABP4F+y+APHHw38KaX4X1/8AtO1f7bd2aSC5j8hJTPHsLD5pEVWz8pNeV+FvgV/wUT/4Jk/tafHDxt+yT+yZpvx7+FXx18bSeOY9GtPiJYeHdW8L+IbhAL8SnUAIrm2mdUZWjbegUDaSDu+rv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD5Z/Zu/4J4/tY6F+zf+1/8c/2iNL0ST46ftT6PqTy+DfDeqJLZaLBDpFzY6PpIu5fLSWVFnKPOSsZLDnClz9Kf8Evfgz8Sv2df+CdfwV+BPxj8N/2P4q8JfDfStL8Q6V9shuPsl3DbokkfmwO8cmGBG5GZT2JrS/4Tj/goX/0a/8ABn/w/Grf/MvR/wAJx/wUL/6Nf+DP/h+NW/8AmXoA6P8Aa1/Z48Oftb/swfED9mHxZqUllp/j3whf6HcX8MYd7T7TA8azqpIDNGzK4BOCVANfn3pXhD/gubbf8E8NR/4Jg3n7Fvg9dW0z4bXHgey+PUPxTsX0zUdLjsmtI7iDTCq3YvZLYLEqzeVEJmEryIuVH3D/AMJx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB8RfFT/gnX+2P4k/4IW/s6fscaL8HvO+JHgTxJ4KuvFfhz/hINOX7DDYXolu2+0NcCCXy0GcRyMW6KGPFfQn7Zf7Lnx2+K//AAVi/Yv/AGl/AHgb7f4J+E3/AAsX/hYGt/2naxf2V/amhQWtj+5klWafzZkZP3KSbMZfauDXrP8AwnH/AAUL/wCjX/gz/wCH41b/AOZej/hOP+Chf/Rr/wAGf/D8at/8y9AHkv7TP7Lfx2+IP/BYf9mP9qfwh4F+1+A/h54P8aWPjDXf7TtY/wCz57+zijtE8h5RNLvdWGY0cLjLFRzXnP7dH/BP742+G/2+h/wUg/Zs/ZX+Hnx4i8ReBYPC3xF+EXj27tLK4lNtN5lrqmmXl5FJBHOqHyZI5dqsijBJbKfUH/Ccf8FC/wDo1/4M/wDh+NW/+Zej/hOP+Chf/Rr/AMGf/D8at/8AMvQB5T+wtoHx11P403Pij4k/8Eg/hr+zvoNn4fnWz1yw8VaNqevXl88sIWFV0q3EcNv5Xnl2M7MWEYC4yaj/AOCLn7Lfx2/ZM/Z6+Ifgb9oHwL/YGqa78ePFniLSrX+07W78/Tb27WS2n3W0sirvUE7GIdf4lBr1r/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD4b8N/sBftIf8ABPj4wfErRPhV/wAEvPhj+1F8MvH/AI+1Dxd4Y1C91zRdJ8ReFpb5lkn0y4OrRGO6tUkBMLxybwrNuBJ2r618R/2dv2nPjr/wSp/aF+Elv/wT7+H/AMHfHXj7wlqul+EPh34G8SadcPfh7ERwG9vI4bW1WdpnlUDcURNuZOTX0V/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AeY/F79mX43+KP8Agh5rP7H2heCfP+It1+zGfCdv4d/tK2XdrH9gi0+zfaGkEA/f/J5hk8vvu28147+1P+wb+134o/4JvfsdaR8I/hlp2sfFD9mnxR8PfFmsfD7UfEdvZjVpNH0z7NeabHe5e3SXe5CyljHiNiC2Vz9Yf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQBufsr/Fj4+fGP4cXHir9o39lPUfg9r0WrS20PhbU/F2m61JNbLHGy3QuNOkeIKzPIgQkOPKJIAZc+df8Fav2NtU/bv8A2APiF+z94O/d+LptMXVvAF2s6wvba/YyLdWLJKxAh3TRLE0mRtSV+2a6n/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD5+/4Ix/sr/tf+B9W+Mf7bP/BRfwBZ+HPjb8Z/FVmuo6LZ6raX0el6HplnHbWFuktrLLENxM8jBG5zGWAYEDzP/gvD4O/4KcfthfDvV/2N/wBmT/gmje+KvDFr4q8Pa3pvxPHxc8P2MV/9klgu5oRYXc0c8REgeDcxwSm8AqRX2b/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AZv7PXir41ftjfB7xP4T/b//AOCd9n8NrK6uhYt4H8V+LtH8W2mvWRRXaSUWgeEJv+XypASSucYxXZfBT9jz9kj9muTVJv2c/wBlr4c+AH1yGOHWn8FeCLDSjqEabtiTm1hTzVXe+A2QN7Y6muf/AOE4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD88v2GP8Agkr+2z8Lv+CgnhL4TfG3wLaw/ss/s3+NvGHi/wCA+pjX7Oc6pcatJCbCzltUmaeM2PnXkqyyRoPMDYyGXP0J/wAFK/8Agn58X/Gv7YfgH/go9+zb8DPAPxa8ReFfBl14O8Z/CX4jSwQW/iHRJLk3UL2V1cRSw2t7BcPIwaVdrJIRuXBD/RP/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AeJfsd6F+0Hr3x80jW/G3/AARP+GHwC0HTba5lu/GB8YaDqWsiZoWSOOzi0m2IQMzEPI8y/u2YBcnFaf8AwSy/Zb+O37OPxY/ar8TfGfwL/Y1j8Sf2kNX8U+Cp/wC07W4/tHSZoLdIrnEErmHcyMPLlCSDHKjIr1r/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegDwT9szWv2zPiF4z8RfCjx3/wQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV83/EL/gkT+3D4b/4Nt/iL/wTw0Dw7pviX4neKPE9vrHhrwFofiWMWGgWb+JbDUP7JtrzUJIkaO3ghmkLOyguzqpclS/6F/8ACcf8FC/+jX/gz/4fjVv/AJl66T9l/wCMvif48fCT/hPPGngew8OavbeKPEGhanpGl64+pW0U+laze6W7xXMlvbNKkjWZkG6GMgSbSDjJAPmz/gpB+yF+1LfftYfBv/gpT+w94a0XxV48+E9pqmi+Ivhzr+tLpkfizQb9AHggvHVktrmKTdIhkAQl8sfk2Scj4J/Z2/by/bx/4KKfCn9s39tH9nPTfgl4E+Aen6vN4J8At43s9f1bXtb1GBbeS8uZrHMENvFEqlEDs+9AeQ7Bf0DooA+P/wDgnn+y38dvgZ+27+198X/in4F/svw78UfiRo+qeBdR/tO1n/tO0g03yZZPLhleSHbJ8u2VUY9QCOa5z9mf9m39sX9n39rf9uX9ojQPg/plxN8StY0DUvg9HrXiK3jtPEM1lozwOkzQPJLZp5+2MtLGpwdyqwGa+46KAPyP/bZ/Y0/bo/4KYroXhX/hz14E/Z98fweMdM1af9pBvihouoajoK210k8stk2mwre3UjqhVVmEaZYE4IDr+uFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRX5wf8Fev2Rv2N/ht8MdZ8TfCH4TXMv7U3xb8RSwfBbXND1y7Pid/EssomF1b3LTGS0sLQHz5wClrFBGUKgMikA/R+ivib/gpD+zT+z5P4NtvjT8aP8AgmL4i/aU8ey+GPsF5f8AgyK1+0ae1vDkSRm4vYZbQPI7lXsYpZwQTsJC59R/4JLatrOt/wDBNb4L6l4i+O8XxMv38CWi3vjaKWd/7RlUFWDNcok7PEQYWaZElLQsZFV9wAB0Xgf/AJSF/FD/ALIz4D/9O3i+vZq+ePgF8TvDfxR/b9+L+oeGtN8Q20enfCvwPY3C+IvCOo6O7ypqvi4lokv4IWni+YYmjDRMchXJU4+h6ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAor5w/bY/bY8Vfs2eKtJ8D+B/Cmn3l7eaeL66utVWRoliMjxqiLG6HdmNiSTgDHBzx6/8A/itH8b/AIQ6J8UY9JaxOq27tLaM27y5EkeJwD3XchIPoRXzeB4tyLMeIMRktCo3iKCvNcrS6XtLZtc0b22ut9bfRY3hXO8vyHD5zXppYeu7QfMm+trx3V+WVu9ntpfsKKKK+kPnQooooAKKKKACiiigAooooAK8Z/YP/wCSIa5/2Wb4j/8Aqa63Xs1eM/sH/wDJENc/7LN8R/8A1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr4lm/wCCbn7cWjfto+Pf20vBX7fXgGfXfFYOneHF8a/AO41abwloCuXi0eylj8QW0aRZw8siwo9xKN8mcKq/bVFAHz98WvgN/wAFBvFniSa8+E3/AAUD8PeEtIvdMt4LrTrr4KQalPZ3Kwqk1xZTtqEYi8yQNKEuI7kIW25ZQBXc/sh/sv8AgD9jD9m/wp+zJ8ML/UrzR/Cti8MV/rFwJbu9mlmkuLi5mZVVTJLPLLK21VUFyAAABXpFFAHjPgf/AJSF/FD/ALIz4D/9O3i+vZq8Z8D/APKQv4of9kZ8B/8Ap28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFc58Vvi38N/gd4FvfiX8WPF1roeh6eoN1f3ZOAScKqqoLOxPAVQWPYGrhTnVmoQTbeiS1bfkiKlSnSg5zaSWrb0SXds6OiuJ+BH7RvwT/aa8IP47+BnxAtfEGmRXBgnmgikikhkAztkilVJIzggjcoyORkV21OrSq0Kjp1YuMlumrNeqYqNajiKSqUpKUXqmmmn6NaBRRRWZofP37XHw+8G/FD48fCHwH4v0GK8t9SvtWN2hZkeSCG2SUpvQhgu7BwDXu2haFo3hjRrbw94e0yGzsbOFYrW1t4wqRIBgKAK8j+I3/Ez/AG3PhxY9f7L8M6xeY9PMVYc/pXs9fI8PYbDPO81xigueVZQ5rLmahRpaXte3NJu199dz6vP8TiFk2WYRzfJGi58t3ZOdarra9r8qSvbbTYKKKK+uPlAooooAKKKKACiiigAooooAK8Z/YP8A+SIa5/2Wb4j/APqa63Xs1eM/sH/8kQ1z/ss3xH/9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP8A8pC/ih/2RnwH/wCnbxfXs1eM+B/+UhfxQ/7Iz4D/APTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK+cf+Cp/j74+fDf9ky+8R/s+S39vqA1WCPWtR0tT9psdOKSmSaNl+ZCJBCpccqrscjGR5j/AMEVP2gvjb8avAHjXQ/i/wCO7vxBFoF/Zf2Re6tfG4vR56zGVJHcmRkHlxlS2eWcA4GB49TOaNPOYZc4S5pR5lL7Ozdu/Tfo9DwKvEGHo8QwymVOXPOPMpacuzdu70Tu1onZH25RRRXsHvhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8m/8Fq/h1ofjv8AYN1zWda16WxfwtrFjq1gsabhdXBc2iwMPRhdN06MFPQGvrKvl/8A4KR/8V/rvwV/Zph+f/hN/irZ3OqQdfN0zTlNzdLj8YzntivZ4flOnnVCpF25JczflFSlL8E18zxOI4wqZHXpSV+ePKl5ycYx/wDJmn8il/wSo/YF8WfsP/DvxBd/EPxXa3+v+MJbOa9stOLm3sY4Fl8tAzqrNITO+87QOFAzjJ+raKK48wx+JzTGTxWId5y30t5Ky8krHbluXYXKsDDCYdWhBWV3d922+7bbCiiiuI7jxc/8TT/goEB1TS/hTn6SSah/8TXtFeMfDz/iZ/tu/EW+6/2X4X0izz6eYGmx+lez18xwt79HF1f58TXf3TjD/wBsPpeJ/drYSl/LhqC++Mp/+3hRRRX0580FFFFABRRRQAUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzv4x/4Kt/sC/D74iah8MvGnx5Om3mka+dE1jV7rwrqq6Lp2oiXyTa3GrfZfsFvIJDsKyTrhuDzX0RXxV/wU68e3/wC1pa61/wAEhP2bLK11Txj8QtCWP4p6/JAJbD4d+GLlsTX112a/uE8xLO1yHdz57FI49zAHrvx3/wCCmH7Fn7Nfj7Ufhn8X/ivfWWr6JaRXWvx6Z4M1jU4NHgkj8xJb24srSaGyQoQ+6d0G05zjmvaPCfizwv488Lab448EeIrLV9G1iwivdJ1XTbpZ7e8tpUDxzRSISro6MGVgSCCCK+dP21v2nZP2b/BWgfsifs0+EofGnxq8faQ+mfDvwdeSeZFBbxxLBLrerPg+Tp1su1pZGGZmCwxhnf5fSP2IP2Y9O/Yv/ZD+HP7Kml+JZtZj8B+ErPSH1adNrXksUYEkoXJ2KzliqZO1SFycZoAzPA//ACkL+KH/AGRnwH/6dvF9ezV88fALUvivqf7fvxfk+LPgvw9olzH8K/A6aZF4d8Tz6olxZjVfF2yaV5rK0MMpO4GJVkVQARI2SB9D0AFFFeR/teftrfBH9ifwbY+MPjFdahK2q3LQaVpOjWyTXd4yAGQoruiBUDLuZmAG5RySBW+Gw2IxleNGhFynLZLdmGJxWHwVCVevNRhHVt6JHrlFcD+zV+0r8K/2sfhXa/F/4QapPPpk87288F5CI7izuEALwSoCQrgMp4JBDKQSCDXfVNajVw9WVKrFxlF2ae6fYqhXo4mjGrSkpRkrprVNPqgooorI1CiiigAooooAKKKKACiiigAooooAKKKKACiiigAr5i/bB8L+IP2cPinp37fnws0ma5i0+BNN+K2iWi86noxIAuwvea3ODn+4oyQqNn6dqK/sLHVbGfS9Ts4ri2uYWiuLeZAySowIZWB4IIJBB6g1yY3CrF0ORO0lrF/yyWz/AEa6ptdThzDBLHYZwT5ZJqUZdYyWqf6NdYuSe5V8K+KfD/jfwzp/jHwnq0N/pmqWcd1p97btlJoZFDI4PoQQav18sfs5399+xf8AtB3H7Fvi68lPgrxTJPqvwg1O5clYCW33OkMx/iRmLpnkhuSTIqj6npYHFPFUbzVpxdpLtJb/ACe8X1TXmTluNeNw95rlqRfLOP8ALJb/ACekovrFp9wooorsPQCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvl/Uv+Lrf8FaNNs/9ZYfCj4VzXW7r5Op6nP5W32zajOfavqCvl/8A4J8f8XE+LXx+/aTl+dfEnxNbQ9NnPPm2Okwi3hdf9lt7fitevln7rDYrEdocq9aklH/0lSPGzT99isLh/wCapzP0pxcv/SnA+oKKKK8g9kKKKy/G/im18DeC9X8a3trJPDo+l3F9NDD9+RYo2kKr7kLgVnVq06FKVWo7Rim2+ySbb+STfyNKVKpXqxpwV5SaSXdtpJfNtL5nln7Pf/Ex/aR+NPiHr5ms6VZhv+uFmVx/49Xs9fFv7CP7V2oeLP2gPEHgzWPCsMY8eavdarFcW8jFrSVIWfymzwyeXGQDgHd7Hj7Sr4jw5znLs84ceIwk+Ze1rc2jVpSqzqde8Zwfz7po+08Qcnx+S8Qqhi48r9lR5dU7qNKEOn96El8uzQUUUV92fDhRRRQAUUUUAFFFFABRRRQAV4z+wf8A8kQ1z/ss3xH/APU11uvZq8Z/YP8A+SIa5/2Wb4j/APqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzFq3/AAR5/YM1X4keLfi3b+C/H2k6/wCO9fm1vxbd+Gfjn4v0mPUr+U5ed4bLVYogcYUBUCqoCqAoAH07RQB83fEX/gkt+w58Uvi/d/H3xR4L8bQeMb/QrLRr/wAQaB8Z/FWkz3NjaRiO3hk+w6nCHChcksCWcs7FnZmPuPws+GXhT4N/D/S/hj4HOqHSdHgMNkda8QXmq3W0sW/eXd7LLcTHLH5pJGOMDOAAOgooA8Z8D/8AKQv4of8AZGfAf/p28X17NXjPgf8A5SF/FD/sjPgP/wBO3i+vZqACvn3/AIKB/wDBPzwb+3t4N0TRtZ8a3PhzWPDlzNJo+sQWQukRJhGJo3hLpvDeVGQQ6kFB2JB+gqK6sHjMTl+JjiMPLlnHZ/h102OXG4LC5jhZYbEx5oS3X49Ndz45/wCCVOkaV+zC3jT9gjxrYix8aeHNdm1xbsuRF4k064EccWoQBidoVY4o3QE7CFyS28D7Gr5//bs/Z68aeOdJ0b9or9n9Fg+Kfw1ma/8ADbKP+Qta4/0jTJcY3pKm4KD0Y4BUOxr0L9mb9obwV+1F8GdI+MXgdmjhv4il/p8zfvtOvE4mtZRwQ6NkdBuBVhwwr0s2bzGP9px1c3aov5alt/8ADNK8ezUo9EeXlCWWy/suWigr03/NTvt/ig3yy7pxl1Z31FFFeGe8FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB5j+1t+znYftL/AAiuPB9vqJ0zxBp1wmp+ENejJWTTNTh+aGZWHIGflbHO1iRyARn/ALGn7Rl9+0B8M5rXxzpw0zx14TvW0fx3ojAK1tfx5UyKv/POUAupHH3lBO0mvXq+X/2uPDuufswfF+w/b5+GmlTT6fHDHpfxc0WzTJv9KJCx36qOs1udvPUoACVUOT5ONTwVdY2Hw7VF3j0l6wvr3g2uiPDzFPL8Ssxgvdso1V3h0n60769XByX2UfUFFUvDfiLQ/F/h+x8V+GNUhvtN1K0jurC8t33RzwyKGR1PcFSD+NXa9VNSV1se3GSkk07phRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBynx1+I1v8H/AIK+LfircsoXw54bvdRAbozQwO6r7ksoAHcmvNf+CaPw5uPhj+w58PNH1BW+26lov9s30kn33lvpGuyX77gJlXn+7iue/wCCr2sahcfsqJ8INCuTFqfxL8Y6P4U09k+9uuLpXcAd8xwup9mr6N0XSNP8P6PaaDpNuIbWxto7e2iXokaKFVfwAAr15fuMiiutWo38qcVFf+TTf3HjQ/f5/J9KVNL51JOT/wDJYL7yzRRRXkHshXP/ABX8V2fgb4Y+IfGN/HG8WmaLc3LRSqCsmyJiEIPXcQBjvmugrxn9ua9ub74PWXwx02Zku/G/ifT9EhKfeVZJg7t9NsZBPo1eNxFjp5ZkOJxUNZRhLlXeTXLBfOc4I9jh/AwzLPMNhp6RlOPM+0U+ab+UIyZV/Yl/Z0+H/wAMfhR4f8fxeFIU8Uazokc+o6nIztIVm/ehAGJWPCsikIFzt5ya9wqKys7bTrOHT7KERwwRLHDGvRVUYAH0AqWryLJ8HkOU0cDhoKMYRSdkleSSUpO27k0229XfVkZ3m+LzzNauNxM3KU5N6tuybbjFX2UU0kloraIKKKK9Y8oKKKKACiiigAooooAKKKKACvGf2D/+SIa5/wBlm+I//qa63Xs1eM/sH/8AJENc/wCyzfEf/wBTXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/ykL+KH/ZGfAf8A6dvF9ezV4z4H/wCUhfxQ/wCyM+A//Tt4vr2agAooooAK+Q/ipFL/AME8v2oD+0RpEbRfCL4o6nFa/Ea0jH7rw/rLnbDqwA+5FKTtlPqSTkmNR9eVi/EX4e+EPix4E1b4bePtGi1DRtbsZLTUbOUcSRuMHB6qw6hhypAIwQK9DLsZHCVmqq5qc1yzXePdf3ov3ovo12bPOzLBSxlFOk+WrB80Jdpdn/dkrxkuqfdI2IZoriJZ4JVdHUMjo2QwPIII6inV8t/sSfELxf8AAr4h6l/wTy+Oesy3eqeGrQ3nw08Q3ZwfEHh/JCJnoZ7cAoyj+FDgERlj9SVnjsHLA4h02+aLs4yW0ovVSXqt10aaeqNMvxscfhlUS5ZK6lF7xktJRfo9n1TTWjCiiiuM7QooooAKKKKACiiigAooooAKKKKACiiigAooooAKg1TS9N1zTLnRdYsYrq0vIHguraeMMk0bqVZGU8EEEgg9QanopNJqzE0mrM+Wf2ZdU1L9jv49XX7D3ja/lfwnrpn1b4O6tdyE/udxe40lnPV4mJZM8lSSfvoo+pq8s/a9/Zyg/aS+E0nh3SdT/svxRo10mq+C9fjO2TTtTh+aJww5CsRtbrw2cZUVB+xz+0bP+0R8LWuPFmmf2V408N3j6R450Jxtey1GL5XIXtHJjep5HJXJKmvJwbeBxH1KXwu7pvy6w9YX07wa/lPDwDeW4r+z5/A7ypP+79qn6wvePem1/IetUUUV657oUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5Gf8ABWn4aftXfFX/AIKLr4Q+Glnr3iOS30HTtT8H6b4e8yVtGtztikmfy+LY/a45GMrFQA8eW+7j9UfhDp3jnSPhP4X0n4n6kl54ltfDtlD4ivI2BWe+WBFnkBGMhpA5z718/fsHf8Xh+P3xx/a3uP3ltrHi9fC3heU8r/Z2loI2kjP9yWRtx/2kNfUdfU8RZlOrh8PlrhFewjFNpauTinJP0ur95Xb1PkuGssp0sRiczjOT+sSk0m7pRUmotebs7do2S0Ciiivlj60K8V+Jv/Fd/tmfD/wOp32/hXRL7xFfRjoWkxbQE+6uCR9a9qrxX9n3/it/2ifiv8VW+eC11S28N6a/ZBaR5nUH3kZTXy/Ev+01cDgP+ftaLf8Agop1pfK8aa+Z9Nw5/s9LG47/AJ9UZJf46zVGPztKo/ke1UUUV9QfMhRRRQAUUUUAFFFFABRRRQAUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFYnxMl+I0Hw38QT/B+z0e48Wpod23ha38RTSx6fLqIhf7Mt08IMiwGXYHKAsELFQTgUAbdFfA2rf8Edfjx+1JcP4i/4KH/8FS/jB4k1KdRLJ4I+D+rr4P8AC9grZIiW2hWSe6CEMqzzS+YwBLDOQILf/gh9f/s6qvi39h//AIKkftA/C3WIpo0tbTxT4vj8UeHZ5XcIi3GmX6BZizMqLiRW+bA5IoA/QCvk79pr9vn9rL9lrRfGfxu8df8ABPiSf4Q+A7m5m1zxTZ/FGzbW5dJgciXVbfSRbmN4RGGm8uS7jm2D/Vhvlr3n9nCL9oq3+C+i2v7WF14SuPH8AuItfu/AyXCaXdbbiVYJ4Uuf3kZktxC7xksEkd1VmVQx/O/9uf8A4KRfsZ/tkftO+I/+CdnxZ/bA8DfDT4NfD7WUtvjhe+JPFUGnal431CCUMfDVlHI6yR2KOgF7dYBlwbeI4MklAH01+2x/wUT+M/7KWt+CfEvgr9jg+Nvhj4r1zw1pl58SZPiHaabHZTazqUdjEsViYZrm4aMTQynKxIVkAD5DY+rq/On/AILuftn/ALIPw6/Zz+H3ws8R/H/wjpWsaj8TPh74p0fRZdTjSSfQYPElnK9/Eg62yRW8zbxwFib0r7u+DPxq+E37RPwz0v4y/Az4g6X4q8K60kraTr+i3QmtbsRyvC5Rxw22SN0PupHagDgfA/8AykL+KH/ZGfAf/p28X17NXzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPoegAooooAKKKKAPEv24f2Z9b+PPgGw8YfCrUV0r4leBb3+1/AOtAhStyuC9rITwYZ1UIwPy52kggEHc/ZD/AGmNE/an+Ddr4/t9ObS9bs5307xb4emBE2kapD8s9u6nkAH5lzyVZc4OQPUa+Sf2mNJ1T9hz9oWP9ufwHp80ngbxRJBpvxp0WzjLCEFtlvrSIOrxs22THJDdMyMw9vBNZlhvqM/jV3Sfm9ZU/SW8e01b7Z4WOTyzFf2hD+HKyqryWkanrDaXeDv9g+tqKr6Rq2l6/pVrruiahDd2V7bpPZ3dvIHjmidQyOrDhlIIII6g1YrxWmnZnuJpq6CiiikMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvlz9q3QtY/ZR+NVl+3l8PNNmm0S5SHSvjBo1nGWNzYFgsOpKg6ywHAJ6lMD5RvNfUdVta0bSfEej3fh/XtOhvLG+tnt7y0uIw0c0TqVdGB4KlSQR6GuTG4X63Q5U7STvF9pLZ+nRrqm0cGY4L69h+WL5ZxalCX8sls/TpJdYtoboWuaP4n0Sz8SeHtShvLDULWO5sru3cNHPE6hkdSOoKkEH3q3Xy5+yzrOrfskfG+8/YS8fajNL4e1BZtV+DusXkhYzWe4vPpbOessBJZR1K5PAKLX1HSwWK+t0OaStJO0l2kt16dU+qaYZdjfr2H5pLlnFuM4/yyW69OsX1i0+4UUUV2HeFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFeZftmfGhf2ev2WvHPxejuRFdaToE39mOT/wAvsuIbYf8Af6SOvTa+XP8AgoH/AMXd+L3wT/ZCtv3kPinxt/b/AImhXkHStLTz3jk9FkcgA/3o8V6OUUKeIzGnGp8CfNL/AAwTlL71G3zPMzjEVMNltSVP42uWP+KbUI/c5X+R6b+w98F2/Z9/ZN8C/Cu5tjFe2OgxTasjDkXs+Z7gH1xLK457AV6tRRXJia9TFYidafxSbb9W2/1OzDYenhMNChT+GCUV6JJfoFFFFYm5neLvEdl4P8Kan4t1I4t9L0+a7n5x8kaF2/RTXm37EPhy90T9nLRdX1cZ1DxDJPrV/JjHmPcytIrfjH5dcF/wU2+LvjP4e/CnT/BvhizC2nit7i11XUDHnyokVD5I7AyBm567UbHqOv8A2Cfih4o+Kn7O+n6j4q0mO2k0m5bS7SWGHYlzBDHGEkC9BjcUOOMxnp0r87XEOXYzxOWVe97Shh5Ne6+XmqShKWvlTUUns22k7pn6A8gx+D8Nnmnu+zr14p+8ublhGcY6edRybW6STas0e0UUUV+iH5+FFFFABRRRQAUUUUAFFFfCX7d//BWv4hfsv/tIzfBH4efDLRr+00OK1fXbrWjN5l0ZoY59luY3URgRyKN7B/mz8uBz5+ZZng8pw6rYl2i2lom9X5I8vN85y/I8KsRjJNRbUdE27vyXo36H3bRWH8MvHNl8T/ht4e+JWmWU1tbeIdDtNTt7a4x5kSTwpKqNj+IBwD7ityu6EozgpR2eq9Hr+p6UJxqQU4u6aTXo0mvwaCvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11uqKPZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACmyyxQRNPPIqIilnd2wFA6knsKdWD8VPhn4F+NPww8SfBz4oaEuqeGfFug3mjeItMeeSIXdjdQPBcQl42V0Dxu67lZWGcgg4NAHyR/wUO0b48/s/8Axi0r/gp3+x/rs/i698L+GYtB+Lnwah1JGTxh4WguLi6WawQnCarZvdXUsXeZJHizyEk8y+A/jv4k/wDBbX9oDwn+1Hq+p6x4B/Za+G3iqz1r4XeFbqf7Fq3xN8QWU6y2+r30YbdFpttcRq0Fuf8AXSRiR8gBV+Rvij4F/wCDSPwT491T4cfC/wDYa8a/F3UNDu2tdZn+EFt4q1qztZlPzJ9qW/SGXH96J3Xnr1r2H/gm78Af+DYX49ftMaBp/wCzF+zXe+CvjR4N1S28R+HfCXj688SaVq8NxZyrcxXMMF5dmG6MbxeYY1MmFjYumwE0Afr1RRRQAUUUUAeM+B/+UhfxQ/7Iz4D/APTt4vr2avGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABVLxJ4c0Lxh4evvCfijSYL/TdTtJLXULK5TdHPDIpV0YHqCpIP1q7RTTcWmt0JpSTTV0z5O/ZK8R69+x78cLn/gn58UdVnuNAvUm1P4K6/fSEm6sMlptKdz1mtySVHUpn7oMa19Y15L+2X+zHbftP/CQ6Do+rf2P4t0K8TVvA3iSI7ZdL1OE7onDAZCMRtcc8HOMquK37FH7Tlz+0j8MJ4/GukjR/HnhO9bR/H/h5wFey1CPKs6rn/VS7S6EZH3lBOwmvaxyWY4b6/Be+rKqv7z2n6T69pp/zI8PASeW4n+zpv3Hd0n/AHVvT9YX93vTa/kZ7HRRRXiHuhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeUfth/s5N+0Z8Kv7N8N6n/ZXjDw/eJq3gjXkO17DUofmjO7sj42N1GCGwSop37H37Ry/tH/ChdZ17TP7K8WaFdvpPjbQJBtk0/UoflkXaeQjEb168HbklTXqtfLf7UOkap+yH8dLT9ujwJYTSeGtWEGk/GLSLSMtvtdwS31VUHWSEkK3cqQONztXkYxPA4j67H4dFUX93pP1hfXvBv8AlPCzBPLcUsxh8DtGqv7v2anrC/vd6bf8qPqSiq+kavpev6Ta67omoQ3dle26T2l1byBo5onUMrqw4KkEEEdQasV6yaauj3E01dBRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8ufAH/i+P/BRv4tfHGX97pnw70ez8B+HpTypuCftV+R2DpLhCeu1se1fQXxb+Iuj/CD4W+I/ip4gI+xeHNEutRuVLY3rDE0m0e524HqSK8e/4Jh/DrWPA37H+geJfFoLeIPHVzc+LfEE7LgzXF/IZlcjqD5Pkg57ivYwf+z5ZiMR1lamv+3ven/5LFL/ALePFxv+05rhsP0jzVZf9u+7D/yeTf8A26fQVFFFeOe0FFFFAHh/7R2m6d8Tf2gvhf8ABrVtPgvdOW6vdd1qzuYhJE8cEJSEOjAhlZ2dSCMc17RpWk6VoWnQ6PoemW9naW6BLe1tIVjjiUdFVVACj2FeO/Df/iuP20vH3jJvng8KeH7Dw/Zydi0pNzMB7qw2n617VXynDVOnicTjsyaXNVrTinZX5KPLSir2vbmjUdr2u726n1HEdSph8PgsuTfLTowk1d256vNVbte1+WVNXte2l+gUUUV9WfLhRRRQAUUUUAFFFFABXx5qnwC+D37X/wDwUk8eX/xT8C2utaR8NfCOjaYlvI8kccuozs92sknlsvnFIy0ZR9y4IBXgY+wmZUUu7AADJJPAFfNv/BNBW8Y/D/x1+0RcAs3xI+JWq6pYzEcmwjl+z26e4Xy5APrXkZlTp4rFYfDTScXJzaaurQjp/wCTSX3HhZtRpY3GYXCVIqUXKU5Jq6tTjpdP+/OP3H0hbW1vZ28dnZ26RRRIEiijQKqKBgKAOAAOMU+iivXPd2CvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACvPP2uvhx44+MX7KHxP+EXwx1gad4l8VfDzWtH8Pag0xjFrfXNhNDBLuHK7ZHRs9sZr0OoNU1TTND0y41rWtRgs7Ozgee7u7qZY4oIkUszuzEBVABJJOAASaAPzA/YO/wCC3P8AwTC/Yr/Zf8D/ALGv7ULap+zp4/8Ah34Xs9G8T/DzxZ4C1GDZewRLHcXUU1tbyQ3Ec8qvMJt++XzN7AliaqfGj9uH9mj/AILE/ta/s8eAv+Ccfh3WvH2pfCv41aX4w8Y/GSDwjeafpfhbRLNZGvdPN7dxRPJJeqyQi3QFJPvEnyxj9BfE3xp/Y48aW8dr4x+LPwz1aKJt0Uep69p86ofUB3IFeVftUf8ABRz4JfsrWvwj8N/CFvB/jCT4jfG3w18PxpGg+K7aI6TBqtw0LX6xwLJ5ghIB8vCBiwG9aAPqGiiigAooooA8Z8D/APKQv4of9kZ8B/8Ap28X17NXjPgf/lIX8UP+yM+A/wD07eL69moAKKKKACiiigAooooAK+VP2yfB3ib9l/4uWf8AwUP+DujTXUFnbx6f8YfD1kvOraMCAL5V7z23B3d0UZKqr5+q6ivbKz1Kzm07UbSOe3uImjngmQMkiMMMrKeCCCQQeua7cBjHgsRztc0WmpR6Si91+qfSSTWxw5hgljsPyJ8sk1KMusZLZ/o11i2nuUfBvjHwz8QvCem+OvBesw6jpOr2Ud3p19btlJ4ZFDKw+oPQ8joa06+RvgJe3v7A37SZ/Y+8VXcn/Cs/Ht3Pf/CDU7mQlNMvGbfcaK7HoCzb4snksBlmkO365qswwawdZcj5qclzQl3i+/mneMl0kn0aJy3GvG0H7RctSD5Zx7SXbvFq0ovrFrqnYooorgPQCiiigAooooAKKKKACiiigAorxn9vHwl8WfGn7P11ovwgju5rz7fE+p2dgx866swrh40A5Y7zGSo5IUjnofM/+CY9/wCNfCv/AAlfwh+JE2oadeWi2l7pfh3WIJIZ4Yn8wSyokgBCEmLOOAef4ufisXxhPB8aUMhqYWfJVjdVtoc1pNQWlm/da+JS5rWi1dn2WE4ShjODq2eQxUOelKzo7z5bxTm9bpe8n8Lja95J2R9ZUUUV9qfGhRRRQAVU8QaBovirQr3wx4j0yG90/UbWS2vrO4TdHPC6lXRgeoKkgj3q3RSaUlZiaUk09mfL37Juv61+yv8AGW+/YK+I+pzT6TJHLqvwg1q8fJvNNLFpdOZj1ltzkgdSmThV2A/UNeR/tk/s5XX7Qvwwj/4Q3UhpfjfwveLq/gXXEIV7PUIvmVC3/POTARgcjlWIO0Crf7Iv7Rtr+0p8JIfFGoaadL8S6VcvpfjLQZAVk03U4TtmjKnkKT8y5/hYA8g48rBN4Ku8FP4d6b/u9Y+sL6d4Nfys8TL28uxLy6fw2cqT7x6w9ad9O8HF/ZZ6jRRRXrHuBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfMf8AwVI1O/8AFfwl8Kfsu+Hrp49R+LnjrT9BkMJw8Ngsqz3c/wDuqsaBvZzX0rpemWGi6Zb6NpVqkFraQJDbQRjCxxqoVVHsAAK+VNE8U+GP2mv+CqCXfh3xHYarofwU8BSiGSyu0mRda1GTy5dpUkHbbrsbHKum04PFfWVezmUZYbB4fCtWai5y9aj0+6EY/eeJlco4rG4nFp3TkqcX/dpqz++cpfcFFFFeMe2FNmmit4XuJ5AiIpZ3Y4CgckmnV57+1f41Pw//AGcvGHiWOXZKNFktrZweRLPiBCPcNID+FcWZY2nluXVsZU+GnCU36Ri5fpb5nZl2CqZjmFHCU/iqTjBespKP63+RzP7DkMus/DDWfivdxsJvG/i/UdXBcfMIjMYo1+gEZx9a9orl/gn4LHw6+EPhrwOYtkmmaJbQTjGMyiMeYfxfcfxrqK4eGsFUy7h/C4er8ahFy/xyXPP/AMnnI7uI8bTzDPsTiKfwOcuX/BH3If8AkkIhRRRXtnihRRRQAUUUUAFFFFAHmP7aPxK/4VD+yj4/+IEdx5U9n4YuY7KTONtzMvkQn/v7IlWf2Rvhr/wqD9mLwJ8OZLfyp9N8MWi3qYxi5eMST/8AkV3NeY/8FI/+K30H4a/s5w/P/wALB+Jum2upQf3tOtmNxctjvt2RHFfSdeXS/fZvVn0hGMfnJub/AAUTxqH7/Pa0+lOEIL1k3Ul+Cggooor1D2Qrxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK4D9q74Nf8NF/st/Er9nz7QsX/Cd+ANZ8O+azFQn22xmttxI6Y83Oa7+sP4m+G/E/jL4b+IfCHgnx5c+Fda1XQ7uz0jxPZ2cVxNpF1LC6RXiRTAxyvE7LIEcFWKAMCCaAPz7/AGJP+Dc//gnj4f8A2Svh94e/bC/YR8DXnxO07wzb2njW/stVvJ47y+iXy3uA6TKrGQKJDhQNzkYFWfj/AP8ABvR+x7oXjf4K/FT9gv8AZr8D+BPFHw/+PvhXxZ4j1ebUb5Hn0HT7z7ReW0OTMHmfbEUVgoJXl177+r/tO/8ABdH9kqQ+Gfiz+wD4P/aS0i3Oy1+IPwf8axeH76eIcK93pGoByJ2xlhbyGJSeOOKZpn7cP/Bbf9o6QeGPgL/wSW0T4RpMdr+O/jt8S4Z7Wz9T/Zmmp9qmbHIwyrnAJAyaAPvuvhv/AIKN65+3T+xv8CPiX+3Pof8AwUFtvsvhCSXVPDPwr1H4aaWui6jAbhVtdGlnCtqEt1PuS3WeK4jzLIpEQHy19Wfs3+BPjF8Nfgvovg74/wDxr/4WJ4xtxcSa74vGgw6Yl7LLcSzBY7WElIYokkWBFyzbIVLMzFmPxD8ZtM/b2+Lv7fV38UP2g/8Agmn4+8c/C34Va7v+BvhTwt498IJpl/fx7l/4SjUUvtYgllusE/ZYHiVbVWL4MzFlAPQdZ+Kv7Zf7Z/7X3xC/Z9+AX7Q0/wADtG+EHgzw7Prc9r4Q07Wb/VfEWsWst6ttP9vjkjSztrdIA6RLHLI87YlQKK9i/wCCbX7UPi79sT9jLwh8c/iPodjpvim4fUdI8W2Wmbvs0eraZqFzpt40IYlliee0kkRSSQjqCSRk+QeIvBf7ZX7Ln7ZHxH/as+AX7I1z8T9F+OXhDw9JrXhi38baVpWoeF/EWl20tqone7mWGa0lt5IFeSB5ZEe2bbHIrAn17/gmz+y94v8A2O/2MfCHwM+I+t2Oo+KYH1HV/Ft7pm77M+ranqFzqV4sJYBmiSe7kjRiASiKSATgAF7wP/ykL+KH/ZGfAf8A6dvF9ezV88fAL4R/Cj4Qft+/F/TfhN8MfD3he21T4V+B9Q1O38O6LBZJeXkmq+Lg9xKsKKJJWCqDI2WIUZPAr6HoAKKKKACiiigAooooAKKKKAPN/wBq39m7wt+1T8GNR+FfiK5eyumZbvQNagyJtK1GLJguoyCCCrcHBBKsy5Gc1yP7DH7SPin4u+E9V+EnxttksPil8O7tdK8baecD7SQP3OoRdN0U6AOCABuzgBSufdq+Yv25vhb41+GXi7Sf2/P2f9Ha58VeCbUweMtDt/l/4STw8TunhYDrLEAZEPJG3oxRFr2cvnDGUXl9V2u702/sz7N9Iz0T6KXLLueJmVOeCrrMaKvZWqJfah3S6yp6yXVx5o9j6dornvhP8UvBPxs+G+jfFf4dawl9ouu2KXVjcL12nqjD+F1YFWU8qykHkV0NeROE6U3Cas07NPdNbo9inUhVgpwd01dNbNPVMKKKKksKKKKACiiigAooooAK8r/aV+D/AIi8Uw6f8XPhO62/jrwkxn0iToNQg582yl/vI4Jxnox6jcTXqlFefmmW4bN8DPC172lazWkoyTvGcX0lGSUovo11TafflmY4nKcbDE0bXV7p6xlFq0oyXWMotxkuz6NJrkvgl8YPDvxv+H9p450BGgdyYdR0+b/W2N0nEkDjggqfUDIIPeutrwX4t6ZqP7MHxQk/aR8H2MsvhXXJUh+IukWyE+SxOE1KNR/EpOHA65J6sWX3PS9U07W9Mt9Z0i9iubS7gWa2uIXDJLGwBVlI6gggg152RZlia/tMBjrLE0bKVtFOL+CrFfyzS1X2KinB7Rv6Gd5dhqHJjsFd4atdxvq4SXx0pP8Amg3o/twcJreVp6KKK+hPACiiigAr5Z/aU03UP2Nvj9bftt+DLGVvB/iJoNK+MOlWsZIRCwS21dUHV42YI+OSDgDLsw+pqo+JvDWg+M/Dl/4R8U6VDfabqdpJa39ncLuSeGRSrow9CCRXHjsK8VRtF2nF3i+0lt8ns11i2uxwZjgnjcPaD5akXzQl/LJbP0esZLrFtdixpupafrGnW+r6TexXNrdQpNbXMEgZJY2AZXVhwQQQQR1BqavmD9kPxLr37M/xa1D9gT4n6rNcWltBJqfwl1u7bJ1HSCSXsmY9Zrc5GOpQEgBVXP0/TwWKWLoczVpLSS/lkt1+qfVNPqPLsasdhudrlmm4yj/LJbr9U+sXF9QooorrO4KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK5X466LN4k+CHjLw7beKv7Ckv/AArqNtHrmSP7OZ7aRRcZXkeXnfxz8tdVXzz/AMFQfiBrXhP9krVPAvg98+IfiLqVp4P8PwhsGWe/k8t145/1Am6d8V25bQnicwpUoOzco69tU2/RJNvyWpw5nXp4XLq1WaulGWnfRpJebbSVtbvTU+Kf+CLP7D/7ROm/Gnw/+15rkA0XwSdJvGs3e/RpNcWWOW3VPKRi6IsmJcyhcmJCoOQR+rlYXwv+H+i/Cj4baB8MPDibbDw9o1tp1p8uCY4YljBPuQuT7k1u13cQ51Wz3MpYmaSS92Nlb3U3a/d66/5Hn8OZHR4fyuOFpttv3pNu/vNK9uyutPvd2wooorxD3grxX9sT/iqrz4d/BuP5v+Em8cW0l7F132VqDNMMf98H8K9qrxW//wCK6/bvsLbG+18C+B5bjd/zzvLyTy8e2YRn8K+X4u/fZXDBLfEVaVL/ALdlNSn/AOU6cr+T8z6bhT9zmc8Y/wDmHp1an/byg4w/8nqRt6eR7VRRRX1B8yFFFFABRRRQAUUUUAFFFVNf13R/C2hXvibxDqMVnp+nWkl1fXc7YSCGNS7ux7AKCT7Ck2krsTaim3sj538Xf8XR/wCConhPQB+8s/hh8OL3WHbqsd9qEotQh/2vJAcewr6Tr4f/AOCff7XHwV+Nn7afxf1i21q5TXPG17aDwpFeWxRbnS9Pt2jAQ5+WQrmVkIBwM8kMB9wV4+SV6OLoVMRTkpc9Sb08mopf+AxT9GeBw7icPjsNWxVKal7SrN6O+zUYr/wGKfpJBRRRXsn0AV4z+wf/AMkQ1z/ss3xH/wDU11uvZq8Z/YP/AOSIa5/2Wb4j/wDqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFfA37cvhn4jftw/wDBTnw1/wAE2dT/AGjPG3w3+GWl/A+X4ieJovhzrZ0vVPFl2+rnTYrF7xQXjtYFTzZET75nQN/CyfPn7Mnxy+LvhH/glD/wTm+KGjfGLxOniDxB8evD3h/XIR4guT/wkem6jc6nbXkF5HvxdokWJx5gbyzbBhgigD9fKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9ezV4z4H/5SF/FD/sjPgP/ANO3i+vZqACiiigAooooAKKKKACiiigApGVWUqwBBGCD3paKAPkLwgx/4J0ftTj4Z3beR8GPi7q7S+F5mOIfC/iF+Xss9I4LjGUHADAAABZGP17XFftDfAfwL+0t8H9a+DPxEtC+n6xbFFnjA820nX5oriMno6OAw7HGDkEg+V/sJfHjx1qg1v8AZM/aIux/ws34bFLe9unJxr+lnAttTiJ5cMpUOeSGILYL7R7mJ/4VMH9bX8Wmkqn96O0anrtGfnyye7Z4OF/4Scb9Tf8ACqNun/dlq5U/TeVPy5or4Uj6Jooorwz3gooooAKKKKACiiigAooooAh1LTrDWNPn0nVbOK4tbqForm3mQMkqMCGVgeCCCQRXhXwq1G//AGWvinH+zt4rvJJPB/iCeSb4earcOT9mkJy+myMe4JyhPXIHJbC+91ynxq+EXhv43fD+88B+I90Xm4lsb6IfvbK5XmOeM9Qyn3GQSOhNfPZ7lmJxHs8dgbLE0buF9FOL+OlJ/wAs0tHryTUJraV/fyTMsPQ58FjbvDVrKVtXCS+CrFfzQb1X24OcHvG3V0V5T+zV8XvEniIaj8Gvi3th8c+EyItS7LqVtwIr6P8AvK4I3Y6MRkDcAPVq9HK8zw2b4GGKoXSd009JRknaUJLpKMk4yXddU035+Z5biMpxssNWtdWaa1jKLV4yi+sZRacX2fRppFFFFegcAUUUUAeP/tnfs56l8fPhtb6l4A1EaZ498IXo1jwJrSkK0F9Hg+SzH/llKFCMD8v3WIO3B0/2S/2i9N/aY+EFt42bTjpuu2M76d4s0KQFZNL1OH5ZoWU8gZ+Zc87WGecgem18r/tDWV5+xX+0PB+2V4VtJP8AhBvFssGl/F3TbZCVtXLbLbV1Ud1ZgkmByG6FpCR5GLX1DEfXI/A7KovLaM/+3b2l/cf908LHp5Zi/wC0I/A7Rqry2jU9YXtLvB3+wfVFFRWV7Z6lZQ6jp13HPb3ESyQTwuGSRGGVZSOCCCCCOualr19z3U01dBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXy38Yv+L7f8FMfhv8ACWM+dpHwq8NXfjHW0HKNf3BFtZRt6On+uX2Y19RsyqpZmAAGSSelfLv/AATdB+LGu/Fn9su7HmD4jeOpbXw9Oed+i6aDa2rA9skSggcZQda9jK/3FDEYv+WPLH/FU938I87PFzX/AGjEYfBr7c+aX+Gn734y5EfUdFFFeOe0FFFFABXiv7KP/FXePvip8YnG4ax4yOmWch/jtrCMRIw9juP5V1P7TXx60f8AZ0+Fdz4+1OykuZ5ZxZ6Xax8ebdOjsgYn7qgIzE88L0JNecf8E1/if4X8Y/Ar/hB9Ktp4tT8OXLHWGnO7z3uZZZVmDd84ZcHkbO/Br4XM84yytx3gMplVXtYQq1eXq5OChBbWvyurNK+ybPt8tynMqPBGOzSNJ+znKlS5uiipuc3ve3MqUHpu0j6Iooor7o+ICiiigAooooAKKKKACvLv22fGnhvwB+yP8RvEfi2FZbE+Eb20e3Zyone4iNvHFkcjfJKi5HPzV6jXzR+3b/xd74r/AAh/ZFtv3kHiXxX/AG94oiHI/srTV85o5PRZZCFB/vR15+aVZUsBU5fikuVesvdX/pV/RM8vOq8qGWVeTWUlyR85T9xfjK78kzgP+Cd//BK7Sf2dvE/h/wDaR8d+O7nUvEZ0FJrTRF04W8ek3FzbbJld/MYzsqyPGDhByTgnGPtaiiqy7LcJleGVDDxtHd+b0u362/yKynKcDkuDWGwkOWO73u3ZXbv1dv0WgUUUV3HpBXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfDP7dXwS+E37b37f8A4b/Zcj13x78Lvit4E+EsvjrwL8dPh74iSyvra2uNSOnXWk+UyMLqAlIpJUf5QJYwCvmMWqf8E+/+CD/ww/Yq8VeCfGnxI/ah+IXxfuPhbZXNr8KdE8W3EUGi+ERcBhNcWljECv2lld1852YgNwAVVgn/AAVr/wCCfvhf44/FTwp+2n8Q/wDgqd4l/Zw074daL/Z2k6ppmpWGmW9pcTSzNPN9uuHjdTcI0MTwb/LkW1iyrEVxH7En7Pmq/Gr4o6N47+Bv/ByJ40+NOn+ENdsdS8ReENI1fRL6K9tYrhHe1u1tyZYoZgpiLYBIc4OaAP0pooooAKKKKAPGfA//ACkL+KH/AGRnwH/6dvF9ezV4z4H/AOUhfxQ/7Iz4D/8ATt4vr2agAooooAKKKKACiiigAooooAKKKKACvnX9u74E+Or46J+1x+ztZ5+Jnw23z2tpGDjxBpRybnTJQvL7lLNGOSGLBcM4YfRVFdWCxdTA4mNaGtt09mno4vyaun9+6RyY7B0sfhpUZ6X1TW8WtYyXnF2a+7Zs4v8AZ7+O3gX9pT4QaL8Zvh3eGTTtYtQ5hkI820mHyy28gHR0cFT24yMggntK+QfFIP8AwTn/AGqD8QrUGD4L/F7WFj8RxLxB4X8RPwl5jpHb3GMOeApBJICIp+vgQwDKcg9CK6MxwlOhONWhrSqK8X1XeL/vQej7q0tpHPlmMq4iEqVfStTdppbPtJf3ZrVdnzR3iFFFFeaemFFFFABRRRQAUUUUAFFFFAHk/wC0t8JPE2tnTvjX8IVWLxx4TzJYLj5dUteTLYyY+8GGdvoxOCN24dd8GPi54a+Nvw/svHvhksiTgx3llKf3tncLxJBIOzKfzBBHBFdVXgfxRsL79lb4qyftBeF7OR/BniO4SH4g6XboSLOYnampRqPc4kA65zyWyvx+ZRlw5mEs2pr/AGepb6xFfZeijiEv7qtGtbeHLU3pu/1uXNcQ4COV1H+/p39hJ/aWrlQb/vO8qN9p80Nqit75RUOn6hY6rYQappl3HcW1zEstvPC4ZJEYZVlI4IIIINTV9fGSkk07pnybTi2mrNBRRRTEFZ3i7wn4d8d+F9Q8F+LtJhv9L1WzktdQsp1yk0LqVZT9QT71o0UpRUotNXTFKMZxcZK6Z8x/sdeLPEX7O/xO1H9gL4r6tNc/2VbtqHws1u7bnVdEJJ+zFu81vypUfwqcAKgJ+nK8b/bS/Z11n44/D6z8TfDS+GnfELwVe/2v4F1YEApdJgtbOTwYplUIwPy52k5CkHc/ZT/aJ0X9pv4PWXxCtLE6fqsEr2PibRJQRLpepRYWe3dTyMN8y55KspODkDysDJ4Os8DN6JXpvvHrH1ht5xcX0Z4mXSlgMQ8uqPRK9JvrDrG/endLu4OL6M9Iooor1j3AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPFf+Ch/wAYLz4J/seeNfFGiO/9r3+m/wBj6FHD/rXvbxhbRlB3ZfMMgH/TM12P7M3wfs/gD+z94P8Ag3aIgPh7QLe1uXj6SXAQGeT/AIFKXb/gVeK/tcf8Xu/bY+CP7MEP72w0O8n+IHiqHqFiswYrHcO6tcM6kHjkda+o69jFf7NlNCh1m3Ufp8EPwUn8zxcJ/tOcV6/Smo0l6/HP8XBfIKKKK8c9oKKKKAPCv25NMsviPpXgv4ALAr3vi/xZDiQKDJa2tupe5nTIOGVGx9Gau4+AX7OPw2/Zw8PXPh/4ewXbm+mEt9fahMsk9wVBChiqquFBOAFA5PcmuP8AA/8Axdb9svxP44b95pvgDR4tC0w/wm9n/e3Lr/tKP3R9iK9tr4nI8twGZ55is/qUoupzulSm1qqdJezk0/79T2mu9opJpaP7PO8xx2W5Lhsip1ZKnyKrVino6lV+0imv7kPZ6bXk203qiiiivtj4wKKKKACiiigAooooAK+aP2bv+L2/tx/Fv9oaX97pvhFIPAXhmXqA0JE9/jtkTlcEdmr2X9ob4sWPwL+Bvir4u35TGgaJPdQxydJZwpEMf/A5Ci/8CrjP2APhNffB/wDZO8J6Jr4dta1WzbWtflmH7yS8vGNw+/1ZQ6xn/rnXl4n/AGjMqNHpC9R/L3Yfi5P5Hi4z/as3w+H6QTqy9V7kP/JpSl/26ey0UUV6h7QUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5qf8FB/D37J3xH/AOC1/wAJvh5/wUpm0Gb4VRfBC9vvhVo/j+5SPw5qPjP+1xHeJMsxEE9wtj9l2RTZU+YcAsUB5f8AbR+GP/BOT4L/ALdX7Kus/wDBO3w98OPDPx21D436XY6jo3wfjs7WW+8GSRT/ANtvqNrYYjNutsCwllXduQBCQr4+sv2nbr9lf9sD9rG1/wCCX37Rv7L2j/EGzPwwf4hahqHiGKKS30mL+0P7Ot1hBXzVuJX+0YkjZCqROMndg8UP2e/+Cdn/AARn8W/DjxF+zr+xB4f0KX4tfE7Tfh9deKtIYvf6XLqIl+zM01yZJmt3nhjjaNJFG6SNiG28AH2tX59f8FtP2UvgJqeq/B39rrUvAz3HxC079ob4a6Rp+uz6vdutrZnxLbbkitjL9njZhI4aRYw7A4LEAY/QWvlX/go3+wp+1L+25feGNF+F/wC2P4a+HnhTw14h0LxJHoupfCRtcup9b0vUTewXBuhqtqFgYpbo0HlE/u3PmfPhQDxr/gpRP+zLd/8ABSX4e6B/wU71vSLT9nqf4QanJ4Si8c6gbbwvceNF1GLzheszLA1yun7TbLcHHM5j/eV0P/BAX45p8Xf2fPi74L8MaxrWoeBvhv8AtCeIvDXwqu9fe4e4HhcR2l7p0W+5/fPGkV7tiMhLCDyR2AHuPjz4Fft7+J/hr4W8O+Hv23fBOneI7C2uY/GOs3nwOF5Za1I8qtBNb2baqrWTxINozNOrE7ivAA6z9kT9lnwt+yN8KJvh7ovinU/Eeraxr994h8ZeLtbEYvfEGtXsplu76ZYlWNCzYVY0UJHHHHGowgoA4n4BfE7w38Uf2/fi/qHhrTfENtHp3wr8D2NwviLwjqOju8qar4uJaJL+CFp4vmGJow0THIVyVOPoevGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBzvxb+FXgn43/DbWfhP8RtIW+0XXbF7W+t24O08h1P8LqwDKw5VlBHSvBv2Gfip42+HHivVv2Bv2gtXa48WeB7VZvCOuXHH/CS+HidsFwpP3pYgBHIMkjaOWKu1fTdeEftz/s3+Kvi14W0n4wfBC4Sw+KXw6u21TwXf4x9rwP32ny8jdFOgK4JA3YyQpbPr5bXpVISwWIdoTd039ieyl6P4Z/3WnvE8fM6FalUjj8Or1IKzivtw3cf8S+KH95NbSPd6K85/ZU/aQ8K/tUfBfTfit4bt3s7iQta67o0+RNpWoRYE9rICAQVbkZAJVlbAzXo1ebXoVcNWlSqq0otprs1/X69T0sPXo4qhGtSd4ySafdP+vzW6CiiisjYKKKKACiiigAooooAKr6tpOm69pdzoms2MV1Z3kDw3VtOgZJY2BDKwPUEEirFFTKMZxcZK6ejXdMcZShJSi7Napng3wf1bUv2Zfien7NPjO+ll8MazJJP8OdYuXJ2c5fTZGP8AEpOUz1BA/iVR7zXI/G/4PeH/AI4fD+68E65I9vKWE+l6lDxLYXacxzoRggg9cEZBIzzXNfs1fGHxB4uttQ+FPxVjW28deE3FvrUPQX0X/LO9i6bkkGCcdCegDKK+SyuUuHcwjlFV/uJ3eHk+ltZUG+8FeVK796neGrpa/WZnGPEGAlm1Jfv4WWIiut9I10u03aNW3w1LS0VTT1Oiiivrz5IKKKKACvlb4721z+xD+0fF+1v4dt3X4e+ObiDTPixYwISmn3RbZbauFHTltkhHXcThmkBH1TWX418GeGfiJ4R1LwJ4z0iK/wBK1eyktNQs5h8ssTqVYe3B4I5BwRyK4sdhXiqK5HacXzRfaS/R6qS6pvsjz8ywUsZQXs3y1IPmhLtJd/7rV4yXWLfVI0bW6tr22jvLO4SaGZA8UsThldSMhgRwQRzmn18zfsZeMvE3wI+Iep/sB/F7V5bm68P2xvvhrrd0cHWdBJO2LPQzW+ChUfwqcDbHk/TNXgsUsXQU7Wa0kusZLdfJ7Pqmn1Ly/Gxx+GVS3LJNqUesZLSUX6PZ9U01owooorqO0KKKKACiiigAooooAKKKKACiiigAooooAKKK8B/4KUfteap+xf8Asz3HxL8N6Et/rOq6pHo2ieaxEVtczQzSCeTHJVFhc7RjLbRkAk104PCV8fi4Yairzm0l6v8Ap/ccuNxlDL8HUxNd2hBNv0X9JfM5n9iX/i9P7Unxx/axuP3tm3iGPwV4UlPRbLTlH2h4z3SWdlfPqpr6kr4f/wCCFP7Qtj8Tv2atS+DCeEvsF34AvUNzqCSFl1IX0tzMJWLc+aGSQNyRjZjHQfcFenxJRq4bOatCatycsUv7sYpRfzXvesmeVwxWpYrJKWIg7+05pt/3pSk5L5P3fSKCiiivDPfCsb4ieNNN+HPgPWPHmrkfZ9I02a7kUnG/YhYKPckAD3IrZrxT9sqebxla+EP2d9OlYTeOvEkUeoKjYYabbET3LDHphPrzXjcQ5jUyvJa2IpK9RK0F3qTahTXznOPyTPXyDL6eZ5xRw9V2pt3m+0Ipzm/lCMvm0a/7GngvUvCnwI07WfEIJ1jxRcS6/rEjDBee6bzAT6ER+WCPUGvVKbBBDawJbW8SpHGgWNEGAqgYAA7CnV05Tl1PKcro4Km7qnGMb92lq35yk5SfnJmGa5hUzXM62MmrOpJyt2TeiXlGKjFeUUFFFFegeeFFFFABRRRQAUUUUAfNH/BQZj8VfEvws/Y/syZF8feMkvfEUK850bTgLm4VvTcwj2k8EoRzX0sqqqhVUAAYAA6V+XvwT/4KSz/F3/gpzovxD8QfDkf2ZrUCeDPDdqJW8/TIbi7UpcsD8rSM7fvMAYRiATt+b9Q6+fyPHYXNKuIxNGV/eUfSMV7v33lI+X4czLBZzXxeMoS5vfUNmrRhH3d/5m5y+avqFFFFfQH1AUUUUAFeM/sH/wDJENc/7LN8R/8A1Ndbr2avGf2D/wDkiGuf9lm+I/8A6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFeW/tyfE7xJ8Ev2KfjB8Z/BkjprHhH4W+INa0po1ywubXTbieIgdzvjWgDwT9vv8AZe/bY8PftVeE/wDgo3/wTph8J69470TwTP4L8b/DjxxfPaWfinQHu/tkK290vFtdwXJkdWfCsJSCcApJ574c+Cv/AAVb/wCCif7Q/wAL/F37f3wI8DfA74U/CLxva+NbbwVoHjJNf1nxNr9mr/YGluYAIYbSGRzKV+8zKAQ2Q8eX+2V+1/8AHL9j/wD4N4PCXxe+H3xZ1XxF8WfGfw88KaP4c8XajeG4vb/W9aS2827SR8kyKk1zNF12mOMdFrzm7/4J+ePf+CNHxT/Zv/aF+FH7aPxa8bar49+MmgfD7416J458WvqGl+JV1oSQPfxwOoMUsFyFkjJZ2CdXOH3gH600UUUAFFFFAHjPgf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB8i/Hazu/2A/2lh+134XtZB8MPiBeQ2Hxc023QlNKvmbZb60qjoCzbJcDksT8zSLt+trO8tNRtItQ0+6jngnjWSCeFwySIwyGUjgggggjrVDxr4M8MfETwjqXgPxro0Oo6RrFlJaajY3C5SaGRSrKfwPUcjqOa+Z/2MvGfif9mT4s3v8AwTu+MmszXUen2z6h8IPEN43Or6ICSbNm6Ge2wRtH8CnACopb3J/8KuB5/wDl9RWvedNaJ+cqeifeFn9lngw/4SMf7P8A5c1np2hUerj5RqatdFO6+2j6rooorwz3gooooAKKKKACiiigAooooAK8k/aV+FHie9udP+PPwdhC+NvCiloYAPl1ey6y2UgH3sjJT0YkDBII9borzs1yzD5vgZYatdXs1JaShJO8ZxfSUZJNP1TunJP0MrzLEZTjY4mlZ2unF6xlFq0oSXWMo3TXo1ZpNcx8H/iv4X+NXw/sfiB4UmPkXabZ7aQ/vLWdeJIZB2ZTx7jBHBBrp68C+Itnd/smfFeT45eHraRvAnim7SLx1p0CEjTbpjtTUUUdFJOJAOpPcldvvNneWmoWkV/YXMc0E8ayQzROGWRGGQwI4IIIINcGRZniMUqmDxtliaNlNLRST+CrBfyVEr215JqcHrFX7s7y3D4ZwxmCu8NWu4X1cWvipSf89Nu19OaDhNaSdpKKKK+gPBCiiigDxb9tf9nnxB8ZfAth46+FF0th8RvAl5/a/gjUhgFplAMlm5PWKdV2FScZ25+UEHpf2W/2hvD/AO038HdP+Jmj2rWV7ua01/R5ciXS9Riws9s4PIKtyMgEqynAzivRK+VPjRDN+wx+0vH+1FosTR/DX4h3kOn/ABQtIl/d6VqLHbb6uFH3VYnZKfViTuZ1x5GK/wCE/E/XF8ErKp5dIz/7d2l/daf2Twsb/wAJeM+vx/hytGqu3SNT/t2/LP8AuNN/AfVdFNhmhuYUuLeVZI5FDI6NkMDyCCOop1eue6FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfG/iLwh4f/wCCmP7WGq+H/F1i2pfBf4QyTadLbLcSRw+IfEkkZSYh42ViltG2AVIIcgglZDXpn7fnx98X/DP4faZ8Hfgq3m/Ev4m350PwbAjYa13AfaL9sfdSCNt27naxUkEBq9C/Zq+AfhD9mT4J6D8FvBa77bR7QLcXjriS9uWO6a4f/aeQs3sCAOAK9zCSlleCeMTtVqXjT7pbTmuz+xF93JrY8HGRjm2OWCavSp2lU7Se8Kb7r7c12UE9yT4Efs5fBP8AZl8IP4E+Bnw/tfD+mS3BnnhglklkmkIxukllZ5JDgADcxwOBgV21FFePVq1a9R1KsnKT3bd2/Vs9qjRo4ekqdKKjFaJJJJeiWgUUUVmaBXiXw9/4ur+2J4t+IL/vNN8C6XF4d0puqm7kPm3Tj0Zf9WfYivUfiX440/4a/D7WvH+qYMGkabNdMhON5RSVQe7HCj3NcV+xz4I1Dwb8BdKvdfy2r+IpJNc1mVhhpLi6bzMsPUIY1PutfLZt/wAKHEGCwC+GnzYif/bnuUk/WpOUv+4fkfT5X/sGQ4zHP4qlqEP+3/fqtelOEY/9v+Z6jRRRX1J8wFFFFABRRRQAUUUUAFcl8ePirpnwP+DHif4uavtMPh/RZ7xY3OBNIqHy4vq77UHuwrra+aP+Cgzv8V/EPww/Y5sXLj4geLkvPEkSnP8AxJdPxc3Ct/d3MI9pPBKEc1xZjiJ4bBTnD4to/wCKT5Y/i19zPOzbFTweX1KlP47Wj/ik1GP/AJNJP0TKP7AH7Cvwh+HPw48IfHzxt8PYLr4mappp1TU9cvJpWeGW7Zptqwl/KidEkWMsqBuDzya+paRESNBHGgVVGFUDAA9KWqwWCw+Aw0aNGKSVr2Vruyu33b3bLy7LsLleEjh6EUkkr2SV3ZJyfdvdt66hRRRXWdwUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFUvEvhvQfGXhzUPCHirSYL/S9VspbPUrG5TdHc28qFJI3B6qysQR3Bq7RQB+eHwo/4N5Phj4A+LfgHUvGv7aXxf8AHPwo+E3iaPxB8L/gn4r1lLjSNEvoSxtdz433EVuWIiQgFV+Usys6v9UftS/sc6X+1T8UPg5418WfEG+sdG+EfxAHjFPDVtZo0es6nDbSw2Tyyk7o1gaaWQBQdzEZxtBrw39qH/g4M/4Jm/sr/GDUvgBrnxP13xj4y0SZote0L4c+FbnWH0yRTh45pYlEIdTlXQOXRgVYKeK9I/YQ/wCCtH7CX/BR641TQf2X/jGL3xFoUXm634P1zTJ9N1ayj3BTI1vcKpkjDMqtJGXRWZVZgSBQB9I0UV4X8d/+ClX7E37M/wAc/Dv7Nfxp+NqaT438VXum2mi6FB4f1G9aSW/ufstmJZLW3kjt1lmyivMyLkckDmgD3SivLf2k/wBtH9mv9kh9Ds/jv8Q5NO1DxNLPH4d0LSdBvtX1PUzCoaZoLHT4J7mVI1ZS7rGVTeu4jcM7v7P/AO0Z8E/2pvhvB8W/gD8QrPxJoE91Nam8tUkje3uYXKTW88MqrLbzIww0UqK6nqozQBx3gf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV41+2x+zHd/tHfDK3uvAuqjR/H/hG9GsfD/xAhCtZ6hHgiNm/wCeUu0I4OR91iG2AV7LRW+FxNbB4iNak7Si7/8AAa6pq6a6ptHPisLRxuGlQqq8ZKz/AEafRp2ae6aTPJv2Nf2nLT9qD4Rr4j1XSTo/ivRLt9J8ceHJQVl0vVIflljKnkIxG5DzwcE7lYD1mvk79rHw7rn7HPxzt/8AgoD8MNKnn8O6gsOmfGvQLGMsbixyFh1ZEHWaAkBj1KY+6DI1fUnhzxFoXi7w/Y+KvDGqwX+m6laR3Vhe20gaOeGRQyOpHUFSCD7125lhqK5cVh1+6qXsv5ZL4oP0vePeDT6M4csxVaTlhMS71adrv+eL+Ga9bWkuk1JbNF2iiivLPWCiiigAooooAKKKKACiiigCrrei6T4k0e68P69p8V3ZXtu8F3bTLlJY2BDKR6EGvEvgtrerfs4fEpf2XvHeoSzaDqJef4b61dNnfFnL6fIx/wCWkefl9QQOMote71xvx1+DeifHDwDP4Q1O4e0u45FudG1WHiXT7xOY5kI5GDwQCMgkZHUfO57luKqunmGAS+s0b8qvZVIPWdKT7TteLfwVFGW3Pf6DJMxw1JTwGOf+zVrcz3dOa0hViu8b2kl8dNyjvy27KivMP2a/jJrnjrTr/wCHHxOt0svHPhSQWviC06C5X/lneR9N0cgwcjgE9ACufT69PLMywubYGGKw7fLLo1ZxadpRkukoyTjJPZrtZvzcyy7E5VjZ4Wuvej1WqkmrxlF9Yyi1KLW6fqkUUUV3nCFZHj3wL4W+JvgvVPh7430iO/0nWbKS01C0lHEkbjB56gjqCOQQCORWvRUyjGcXGSumTOEakHGSuno13T3Pmn9izx14q+DfjbVf2CPjLq0lzqvhS2+1+ANbuuDrnh8kiLB7ywY8tlHZcDIjLH6WrxL9tr9n3xN8VvB2m/E/4OzLZ/En4f3Z1XwZfAYM7AfvrF+m6OdBsKkgbtuTtLZ639mP9oLwx+018HdM+KnhyFrWWcNb6xpUp/e6bfR/LPbSA4IKt0yASpVsDdXl4GUsJVeBqPZXg31h29YbPvHlfc8bLZzwNd5dVd+VXpt/ah/LfrKnpF9XHkl3PQKKKK9Y9sKKKKACiiigAooooAKKKKACqmv69o3hbQr3xN4i1KGy0/TrSS5vry4fbHBDGpZ3YnooUEk+gq3Xyp+29r2s/tMfF3w//wAE7vh1qc0Nvq8aa18WdUtHIbT9CjcFbXcPuy3LhVA6hdpIKua7cvwf13EqDfLFXcpfyxWsn92iXVtLqcOY436jhXUiuabajGP80npFffq30ipPoH7EWg6z+0z8XvEH/BRD4iabNDbatHJonwl0u7TDafoUbkNd7T92W5cM2eoXcASjivquqmgaDo3hXQrLwx4c0yGy0/TrSO1sbO3TbHBDGoVEUdgFAAHoKt0ZhjPruJc0uWKtGMf5YrSK+7VvrJt9Qy7BfUcKqcnzTbcpS/mk9ZP79EukVFdAoooriO4KKKKAPE/2xZZPHD+DP2c7F2L+NvEcZ1RUPI021xPcHjp0THrg17VFFHBEsMMaoiKFRVGAAOgFeKfDP/i6n7XvjP4lSfvNO8FWEXhnR26qblj5t2w9GVv3ZPowr22vluHf9uxmNzR7VKns4f8AXuhemreUqntZeejPp+IP9iwmDyxb04e0n/18rWm7+cafso+WoUUUV9SfMBRRRQAUUUUAFFFFABXzP+z/AP8AF9P28vij8fJT52k+A7SHwJ4ZkPK+eh8/UGHYMspVMjkq+K9l/aJ+Len/AAH+Bnir4v6iUK6Bos91BHIeJZwuIY/+BylE/wCBVxv7Afwk1D4O/sp+FtG8Qh21zV7Ztb8QzTD95Je3jGd9/qyh1jP/AFzry8T/ALRmNGh0heo/l7sP/JnJ/I8XGf7Vm1DD9IXqy+XuU1/4E5S/7dPZaKKK9Q9oKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK8r/bo+K+v/Af9iT4x/HHwpceVqngz4V+Idd02UDOy4tNNuLiNvwaMGvVK4P9qX4ffC/4tfsx/Eb4VfG/xX/YPgvxN4D1fSfF+uf2jFZ/2dpdzZSw3Vz58wMcHlwvI/mSAom3cwIBoA8i/wCCQH7Lfwr/AGU/+CePwr8KfDjwxa2t9rngjS9c8XawsI+1a3q93ax3F1d3Mv35naWV9pcsVQKgO1QK8s/4Kx/DLwV8L/2mP2Vf25/BGg2umfEGx/aK8PeBtT16zhWOfVNA13ztPubK4ZQDOitJFJHv3eWVfbjeTXzRpX/BO/8A4I0aFpdtomif8HE3xZs7Kzt0gs7O1/bK0aOKCJFCpGiKgCqqgAADAAAFdH8I/wDgnb/wR5vPjv8ADnxFYf8ABcL4g/EnXfDPxD0XXfCPg7xL+1No+tW2o6zaXsU1lF9j8stOzTKqBI8SNvKqQWoA/WCvj3/gtP8A8kB+FP8A2dF8NP8A1JbOvsKvBf2sf+CZ37HX7b/i3TfG37S3gfxLrd7pFvaxadHpvxN8QaRawm2uJLiCYW2nX8EBnSWRnWcoZRhBvwiBQDwv9tS2+LnjL/grV8J/Cn7HPiPQPDPxZ0T4K+IdS13xJ49sZNQ0OXwtPqVhC1mLCF4p7i7N7FBIskVzbiKON95lEioN/wD4IvSX+leEPjx4B+IKxXHxK0T9ojXD8V9c025V9L1nW7i0sbgXVggjQ21v9kktI/sz7pInicPJKxMj+qeM/wDgmR+xZ8QvAfg74f8AjD4YatexeAI7mPwfrrePdbTXtMjuGLTomsJeDUGSQn5la4ZSFUEYRQPQ/wBnr9mz4G/sp/DpPhR+z78ObLw1oQvZr2a1tXkkkuruZt0tzcTSs8txO5A3Syu7tgZY4FAHmHwC1L4r6n+378X5Piz4L8PaJcx/CvwOmmReHfE8+qJcWY1XxdsmleaytDDKTuBiVZFUAESNkgfQ9eM+B/8AlIX8UP8AsjPgP/07eL69moAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigCtrGj6V4h0i60DXdOhvLG+tnt7y0uYw8c8TqVdGU8MpUkEHqDXyn+zHrGq/sQftBSfsKePtQmk8E+JHn1P4K63eSFhGm7fcaM7nq8bNujzyQ3XLoo+ta8t/a/8A2ZtG/an+Dlz4Ek1JtL12xuE1Lwh4hhJWbSNUh+aC4Rl5Az8rY5KscYOCPUy3E0Yc2GxD/dVLJv8AlkvhmvOLeq6xcl2PKzPC1p8uKwy/fU7tLbmi/ig/KSWj6TUX3PUqK8T/AGH/ANpnWfj58Pr7wr8UdNXSviT4Gvf7H8f6IwCmO7TIW6QDgwzqpdSPlzuAJCgn2yuPFYWtg8RKjVXvR+59mn1TVmn1TTOzCYqjjcNGvSfuyXzXRpro00010aaCiiiuc6QooooAKKKKACiiigAooooA8h/aU+F3ilNRsP2hvg3bD/hMvC8Z8yzXga1p+cy2bgfeOMlO4PTkqR3fwm+KPhb4y+ArD4heELkvaX0WWif/AFlvKOHicdmVsg/mMgg10deA+Oba4/ZF+LUnxe0WB/8AhX3i69RPGVjEpK6RfOdqX6KOiOTh8dz3JQD4/ME+GsxlmcP92qte3XSEtIxrpdto1v7vLV3hNn12Aa4jy+OWz/3mkn7B/wA8dXKg/PeVH+9zU9pxR79RTLa5t7y3ju7SdJYpUDxSxsGV1IyCCOCCO9Pr69NNXR8k007MKKKKYgr5U+K0cn7CX7TqftEaWjRfC/4mX8Vl8RbZB+60XVmOINUwOFSQkrKeBkljuZkA+q6xfiN8PvCXxX8Cat8N/HekpfaRrVi9rf2z/wASMMZB/hYHDKw5VgCORXFjsLLE0k6btUi+aL7Nd/KSvGS7PukedmWCnjKCdJ8tWD5oPtJdH/dkrxkuqfdI2Y5I5Y1licMrAFWU5BB7ilr5s/Ym+IXi34XeK9X/AGEPjXqr3HiDwZbC48Gazc8HXvD5O2CQeskPEbgdAAOdjNX0nV4PFRxlBVErPZp7xktGn6P71ZrRmmAxsMfhlVSs9VKL3jJaSi/NP71ZrRoKKKK6jtCiiigAooooAKKKKAOF/aU+PnhD9mT4Ka98afGrbrXR7Qtb2aNiS9uWO2G3T/aeQqvsCSeAa89/YD+Afi/4a/D/AFT4yfGpPN+JfxOvxrnjKZ0w1puH+j2C5+6kEZ27f4WZgCQFrhdS/wCM8f23U0Nf9J+FnwJ1MS33eDXPFePlj9HS0UnPo+QQVkFfW1e1if8AhOwCwq/iVLSn5R3hD/2+S7uCex4WF/4U8weLf8OleNPzltOf4ezi+ym1uFFFFeKe6FFFFABWB8U/Hdh8MPhxrfxB1LaYtI0yW52MceY6qdifVm2qPc1v18Z/8FRfjv4r0bU9P+A2jGGLTL7TYdS1Z9oZ7gidxHCc/dUNCHP97I7DB+T444lo8JcMYjMZ35kuWFlf95O6h8k9X5R8z6rgvhyrxVxJQy+FuVvmnd29yNnP5taLzfke/fsfeA7/AMCfATRzru5tW1zfrOsyuMO9xdHzTu/2gpRT/u16dXDfs1fETxB8V/gX4c+IHinR0sb/AFGyZri3jjKIdkjxh1U9FdVDgejiu5r0uHIYOnw/hI4Rt0vZQ5W1ZtOKd2nqm7uTv1k/V+bxDPF1M+xcsUkqntJ8yTuk1Jqya0aVklbol6Iooor2jxwooooAKKKKACiiigD5n/b5J+L3j74VfsdWhMkPjLxWNW8UxLyP7H04CeVH9BI+0KT/ABR4r6YAAGAMAdAK+Z/2bP8Ai+X7b3xY/aMm/faX4RWHwF4WlPK7oCJr9h2z55UBh1ViK+mK8vLf3062Kf25WX+GF4r73zs8XKf9oqV8a/8Al5K0f8FO8F98ueXzCiiivUPaCiiigAooooAK8Z/YP/5Ihrn/AGWb4j/+prrdezV4z+wf/wAkQ1z/ALLN8R//AFNdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK83/bJ8cfDT4ZfshfFX4k/GfwKPFHg7w98N9c1PxZ4ZMMcg1fTINPnlurPZIQj+bCjx7WIU78HjNekV5F/wUD+Ffjn46/sF/G74I/DDSF1DxL4y+EXiXQ/D1g9zHCLm+u9LubeCIySMqRhpJEXc7BRnJIAJoA+Wfif+xr/AMEMfgv+xzpn7bnxJ/4Js/Da08J6lp3h+6+zWnw8sp7uH+17mztbVCgABIlvYQ5DYADEZxz7x4I/4JFf8Ev/AIa+NNI+I3w//YJ+Feja9oGqW+paJq+neDrWK4sbuCRZYZ4nVMo6SKrKw5BUGvz3/aM0X/gv9+0L/wAE/NP/AGCrz/gkD4a0u00+w8LWw8SxfHvRZZHGi3+n3it5BkUDzTYBCN/yiUn5tuD9UfCL9sf/AILpeKPix4X8NfF3/gjb4X8L+E9R8RWVr4n8TW/x90q8k0jTpJ0S5u1t0+adooi8gjX5nKbRyaAPuuiiigAooooA8Z8D/wDKQv4of9kZ8B/+nbxfXs1eM+B/+UhfxQ/7Iz4D/wDTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD5a/bZ8AeLvgJ8RtO/wCCh3wO0WW71Dw7aCy+J3h60GDr/h/ILyY6Ge3ADqx/hQZO2Pafoz4efEDwj8VfA2lfEjwFrMWoaNrdjHd6deQniSJxkZHVSOhU8ggg4INa80MNxC9vcRLJHIpV0dchgeCCD1FfIvwmmm/4J6ftPj9m/WpWj+EfxP1KW7+Gt5I37rQNYc7ptJJP3Y5Sd0Q9SANzGRh7lP8A4VcD7J/xqS93vOmtXHzlDWUe8OaP2UeDU/4SMf7VfwazXN2hUeil5RnpGXafLL7TPryiiivDPeCiiigAooooAKKKKACiiigAqn4g8P6N4r0O78NeItOivLC/t3gu7WZcrLGwwyn8DVyipnCFSDhNXTVmnqmno011TTsyoTnTmpwdmndNaNNapp90zwr4G+INZ/Z9+Ig/ZW+IWoyz6Xcq8/w41u5b/j4tgctYu3TzYs/L6r6AoK91rivj18F9J+OHgOTwzc3bWOpWsq3eg6vDkS6feJzHKpHOM8EDqCehwRkfs2/GfV/iLo994H+Itoth438LTC08S6fwBIcfJdR+scg+YEcAnjgqT8llM55Bj1k1d3pSu8PJ9lrKg2/tU1rTu7ypaaypO/1WaQhnuBeb0VarGyxEV3eirJL7NR6VLaRq66RqK3plFFFfXnyYUUUUAeG/tu/ALxZ8R/DGlfGT4KsLb4l/Du6bU/Cdwo/4/VA/f6fJ03RzICu0kfNgZAZs9v8As1/H3wn+0v8AB7Sfiz4TVoReRmPUdOlP73T7xPlmtpBwQyNnqBlSrYwwru6+A/2qf2mNJ/4Jjfti6hrfgDw//bmkfEvQ11nxN4L+2G0S0vxM8S38MvluoMuyXem35mUkkfJjw8wr0snr/XZu1OVoz9dozS6v7MratWf2T5vNMTQyDEf2jUdqM2o1PJ7Qml1enJJLVx5Xryn35RXG/s/fG7wn+0d8HNC+NXgiK4j03XbVpIobpQJIXSR4pY2xwSskbrkcHbkcGuyr2aVSnWpxqQd4tJp909UfQUa1LEUY1abvGSTTXVNXT+4KKKKs0CiiigArwv8Ab1/aG8T/AAZ+F9l4D+EUX2r4kfEPUBoPgSyQ/MlxJgSXjddscCNvLEFQxTdwSa9t1XVNN0PS7nW9Zv4rWzs7d57u6nkCRwxIpZnZjwFABJJ6AV8sfsa6VqX7WPx313/goT43sJU0ZUm0D4OaddIVNtpUbss+obT92S4fcAeGC715Uqa9bK6NKLljK6vTpWdn9qb+CHo2ry/uxfc8jNa9WShgqDtUq3V19mC+Ofqk+WP9+S7M9s/Za/Z68MfsufA7Q/g54Zl+0HT4DJqmpOP3moXsh3T3Lk8ku5JGScKFXOFFehUUV51etVxNaVWo7yk22+7Z6VChSw1CNGkrRikkuyWiCiiisjUKKKKAML4mfEPw58KPAeqfEPxZc+XY6XatNLgjdIeixrnqzMQoHqwry39n34EWXjDQ7/4yftB+CtM1bxL4zukv5LLV7CO4TS7UDFtbIsqnYVQgngHJAPK5qp4p/wCMpP2ho/AEP73wP8OrtLnxAw5j1PV+fKtfRki5LD1ypHKmveq+Nw9KlxNm8sVWipYbDuUKaaTjOp8NWpZppqGtKndNX9rJdGfX16tXhvKY4WlJxxNdRnUabUoU/ip07pppz0qzs07eyi+qGwww20KW9vCsccahY40UBVUDAAA6CnUUV9kkkrI+Qbbd2FFFFABRRRQAUUUUAFfPP/BTf9pj4lfsq/syv8QPhRaw/wBsX+uW+lxX88AlXT1kjlc3GxgVYgxBAGBXMgJBxg/Q1fLHxSsbL9s39tfT/gfeWcWofD/4QRx6x4yt5oxJb6lrcyEWlm6nKuscZZ2ByDmRGHSvLzipWWCdKjLlqVPdi1um+vpFJtvt52PFz6rXWXSoYeTjVqtQg1upPd+kYqUm+iWmrRw//BDj4u+LfHfwQ8U+BNf8Polr4d1xZ7XXFRg2oS3hmlmWRjw8iFFJbrtlQEcAn7frL8H+CPBfw80OPwx4A8IaXoemxMzRado+nx20CEnJIjjUKCT14rUrTKsHVy/LqeGqT53FWvt1f5ba69zXJMBWyvKqWEq1OeUFbmta+r/K9tde+oUUUV6B6oUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRXy1+3D+3z8e/2PPip4I0jTf2LH8T/D3xV428N+GdQ+I8/xEtLBbC81fUksVWKwEM1xcNEZEkbcIkYNgSZBIAPqWivJf2hviF+2l4O8QWFn+zF+y94F8eaZNZl9SvvFfxbuPDsttPvIEaRRaPfCVduDvLocnG3jJ5n/AIJpftoeNf2+f2aD+0X4v+Clh4IguvFWraXodtpXi5tattVs7G5a0/tCG4eztG8qWaKcIDECURXz8+1QDa8D/wDKQv4of9kZ8B/+nbxfXqviG+vbZbSx02RY5r67ECTMm4RgI8jNjudqHHuRXlXgf/lIX8UP+yM+A/8A07eL69S8Qf8AIW0P/sKv/wCklxQAg8P6vjnxzqmfaG0/+MUv/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqVz3xa+Kfgf4G/C7xF8Z/ibqs1h4c8KaLc6tr1/b6fPdvbWdvE0s0oht0eWTaisxVEZsA4BoAu/8I/q3/Q86r/35tP8A4xR/wj+rf9Dzqv8A35tP/jFcve/tO/AbTv2aH/bEvPiRZp8NU8Gf8JYfFYilMJ0c2v2oXQQJ5hBhwwQJvOQoXccV8of8FLP26/8AgoD8HP2Xrv8Abg/YE8H/AAa1j4S6X8LIfGV3rnxRGuRarfCQPKsFtpsKQMgNubd83EsTBpGVkBTBAPtf/hH9W/6HnVf+/Np/8Yo/4R/Vv+h51X/vzaf/ABisr4G+N9W+JvwT8HfEjXre3hvvEPhbT9SvYrRGWJJZ7aOV1QMzEKGcgAknGMk9ap/tE6n+0DpHwb1m/wD2WfCvhfWvHqrAvh/TvGmqT2elyM08aytcTQRySKqQmVwEUlmRV43ZAB0P/CP6t/0POq/9+bT/AOMUh0DWQMx+ONSLDoJILUr+IEIP6ivlH/glh+2X+2H+0n8R/j58FP20dA+Gln4m+Dfjqy0GOb4X22oJY3Cz2K3TEvfSvJKRvChtkWcH5K+w6AKPhzUbnVNJS5vFUTJLLDNsGFLxyNGxA7AlSfxq9WX4P/5BM3/YVvv/AErlrUoAKKKKACuA/ab/AGePBf7UfwZ1b4PeNg0Ud9GJNO1KFf32nXicw3UR4IdG54I3KWU8Ma7+itaNarh60atN2lFpp9mjKvQpYmjKlVV4yTTT6pngH7Cn7Q/jPx9o2s/s9/H7bbfFP4bTrp/ieNj/AMhW3x/o+pxZxvSZNpJH8RyQodRXv9fnh/wXP0P4pfDW98C/tM/Aka3oOpQWt/o3ijxf4ZvZrW4itnMD2sEskLAiMt9oIJ4BwM8rWn/wTz/4KWzeDvgro/g79vfWfE+ialfXjnwp428U6FcJZavYFU8vdeFSHlVxMDI+FKBCXJzX1WL4eq4/LY5tgkmpvWnH4oyV+blV9Y3XMklzRjLZpJnyOE4jpZfmksnxzadNaVZaRlF25eZtaSs+Vyb5ZSjum2j78oqh4a8U+GfGmiQeJfB3iKx1bTbpN9rqGm3aTwTL6q6Eqw+hq/XyLjKLs1Zn2UZRkk07phRRRSGFFFFABRRRQAUUUUAFePftJfDTxVpmsWP7SXwas9/izw1CVv8ATo+Brmm5zLauB95gMsh5ORgAnbj2GivNzfK6GcYGWHqNxejjJfFCcXeM4vpKL1XRq8XeMmn6OVZnXynGxxFNKS1Uov4ZwkrShJdYyWj6p2krOKa5/wCFvxL8LfF/wJp/xC8HXnm2OoQ7lVsb4XHDxOOzq2QR7cZGDXQV4B4shl/Y++Lb/EnTImX4ceMr9U8T2sYymiai5wt6oH3YpDgPjof+ALXvsM0NxClxbyrJG6hkdGyGB5BBHUVxZFmlfGQnhcYlHE0Wo1Etnf4akP7lRLmW/LLng9Ya9md5ZQwk4YnCNyw1a7pt7q3xU5f36bdn/MuWa0lo6iiivfPCCvEf2tP+Cf8A8Af2yr/S9b+KUer2Wp6REYLfVNBvI4Z5ICxbyH8yORWQMWYfLkFmwRk59uorDE4XDYyi6VeClF9Hsc2MwWEzDDuhiYKcHumrrTY+Urj9lT42fsVSnxl+wvqs+u+GEAfXPhH4j1FnjucAb5rC4fJgnbGSp+ViT97Cx16/+zh+1p8KP2mNMuYvCV1c6Z4g0tvL8QeENbh+z6lpcoOGWWFuSoPG9cr2JByo9Orx39o/9jPwF8eNTtviLoGsXng34g6UM6J478Pny7uEgYEcwBAuYuxR/wCEkAqCc+f9Tr5f72C1h1pt6f8Abjfwv+6/cf8Ad3PK+oYnK/ey7WHWk3Zf9w278j/uu8H/AHHqexUV8z+A/wBsf4g/A7xZZ/BT9vjQ7XQb+6l8jQPiTpykaFrpHTzHwBaTkclWwvU/INufpaKWKeJZoZFdHUMjqchgehB7iu3C4yhi4vk0a3i9JRfZrp5PVPdNo9HBZhhsfFum2pR0lFq0ovtKL1Xk9U902h1FFeJfte/tdL8BINM+GXww8N/8JZ8UvFxMHg3whbtksxyDd3JBHlW0eCzMSN21gCAHdPSwuFr4yuqNJXk/kkurb2SS1beiRpi8XQwVB1qztFfNtvRJJatt6JLVv8PFv2x/2pvh3+1b8TNB/wCCc/wM+LFp9p8Va89p8R9ZtZSi2OnW6+bPZQysAs0820x4jLgbWRvvHH2N4U8LeH/A/hjTvBnhPSorHS9JsorPTrKBcJBBGgREUegUAfhX5vfsrf8ABDj4yfCb9pHwp8Xfib8XvDs+j+GtUtNYMOjPcNeXF5CySiEiSJUWPzVwX3kso+6pbj9Ma9/iJZVhoUMJl1b2lOKbk7bzb1b0V9Eklb3Vpd3bPnuGnm+JnXxmZ0PZVJNRir7QS0S1dlzNtu/vN3srJBRRRXzB9UFFFFABXmv7T3xd1f4aeCYNB8Cwi58X+KboaZ4WsxjPnvw059EiU7iTwDtB4NeiajqNhpGnz6tql3Hb21rC01xPK21I41BLMxPQAAkn2rxH9njTr/46fEvUf2sfFVpIlgVk0z4e2NwuDBYqxWS72no8zZ56hdw5BWvmuIcZiZKnleDly18Rdcy3p01b2lX1SfLDvUnH+Vn0eQYTDxdTM8ZHmo0LPle1So7+zp+ja5p9qcJfzI9F+BXwi0n4I/DSw8B6bMbiaIGbU79877y7fmWZieSS3TOSFCjtXX0UV7mDweGy/CU8Nh48sIJRil0SVl/wXu223q2eJjMXiMfip4nES5pzblJvq27v/htkkktEgooorpOcKKKKACiiigAooooA89/am+POk/s1/ArX/i3qMIuLiwtfL0iw5Jvb6Q7LeAAcndIVzjkKGPasH9iD4C6t8BvgZa2njeZrnxh4lu5de8bX8uDJPqdyd8isR12DbHxwShI+9Xn3jD/jLr9uzT/h7H+/8DfBBo9W17vFfeI5VP2WA9m8hMucdG3qw5FfUNeThv8AbMfPEP4YXhD1+3L77QXlGR4mE/4UMzni38FO9OHm/wDl5L70oJ9oy7hRRRXrHthRRRQAUUUUAFFFFABXjP7B/wDyRDXP+yzfEf8A9TXW69mrxn9g/wD5Ihrn/ZZviP8A+prrdAHs1FFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfnp/wAF7v2xf2Wvg/4O+FvwZ+KHx58NaF4ri+OXw98VyaBqWpLHdLolv4khafUCh58hBbXBZ+g8l/Sv0LooA+P/APgox+25oF//AME0dQ+Jn7GvxD0zxPrfxkntvAnwd1jRLwSQ32s6vcnTopoZF4JgzcXBPQC0b0r6I/Zo+Angv9lr9nrwT+zh8O4NmieB/C9lounEoFaVLeFY/NfHV3Kl2PUsxJ613FFAHzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPc/EH/IW0P8A7Cr/APpJcV5b4H/5SF/FD/sjPgP/ANO3i+vUvEH/ACFtD/7Cr/8ApJcUAcN+0b+zP/w0V/Y3/GQPxO8C/wBj/aP+Sc+K/wCy/t3m+V/x8fu383Z5XydNvmSdd3HmP/Ds/wD6yBftN/8Ah1v/ALmr6bor0aGbZjhqSp0qlorpywf5wb/E83EZPluKrOrVp3k93zTXlsqkV+CPmT/h2f8A9ZAv2m//AA63/wBzUf8ADs//AKyBftN/+HW/+5q+m6K2/t3Nv+fv/ktP/wCVGH+r+T/8+v8Ayap/8tPmT/h2f/1kC/ab/wDDrf8A3NXT/Bz9hv8A4U98SNO+I3/DYPx08U/2d53/ABIfGXxB+3abdeZC8X76DyV37d+9eRh0Vu2K90oqKmdZnVpuE6l01Z+7DZ+lNP7mvU0p5HlVGopwp2ad171TdetRr70/QKra1o2k+I9Hu/D2vadDeWN/bSW97aXEYaOeJ1KujKeCpUkEdwas0V5Z6p+GGn634s1b4aaZ/wAGwt/qd9Jr1l+0g/h7Up3kb7RJ8I7cr4jS8aX+F3tmis1GcEDZk5wfvr/gvL8TPg78P/8Agk/8cPhZrPxB8NaJq2pfCq+i8P8Ahy61a3trm6QKEVbe3Zg0gGNoCKemO1fVEfwD+BUPxhk/aHi+C3hJfiBLpn9my+OV8OWo1h7Pj/Rje+X55i4H7vft4HHFYXxu/Yy/Y+/aZ1qz8SftIfso/DX4g6jp1qbbT7/xv4F0/Vp7WAsXMUb3ULsibiW2qQMknFAGF+w58Zvg/wCPf2TfBE/gT4q+G9bTQPAGjJrraPrlvdf2cwsI8rP5bt5R+R+Gwflb0Ndt4W/aF+A/jf4P2/7QnhL4zeF9Q8B3Vu1xb+MrbXYG0uSJZDE0gud/lbRIpTO7G4EdaofBn9k79lj9nHStW0L9nn9mn4f+A7HXtn9u2fgzwbY6XFqOxWVPPS2iQTbVdwN4OA7AdTVqL9mn9nKD4KH9mqH4AeCU+HJtTbHwAvhWzGieSZTKYvsPl+RsMhLldmNx3YzzQB8J/wDBJv8AaH+AFz/wUL/bUs7f45eDpJvFXxs0c+GIk8TWhbWB/Y8CZtQJM3Hz/L+73fNx1r9Iq8T8E/8ABNT/AIJzfDXxdpvxA+HP7AXwT0DXtGvI7vSNb0T4VaRaXdjcIdyTQzRW6vE6kAhlIIIyDXtlAGX4P/5BM3/YVvv/AErlrUrL8H/8gmb/ALCt9/6Vy1qUAFFFFABRRRQAVR8R+GfDfjHRbjw34u8P2WqaddJsurDUbRJ4Zl9GRwVYexFXqKabi7p2YnGMlZq6PmXxN/wTM8C+FdbuPHX7H3xW8SfBvX5n8yWPw3cm40i6ft5+nzExuOmFUqo/u1R/4aJ/b2/ZoP2f9pj9nSD4keHYPv8Ajb4TZe7RB/HPpsuHLY5YxlUXHevqiivWWcVqq5cZBVl/e+NelRWl9/MvI8eWS0KTc8FN0X/d+B+tN3h9yg/M8t+Af7aP7M/7S6fZ/hJ8VtPvNSUH7RoN4xtdRgZfvBraYLJ8pyCwBXI6mvUq8o+Pn7Ef7Mf7Sj/2j8UPhbZSawhDW/iPTM2epQuv3WFzCVdtp5AcsvtXlv8Awof/AIKC/szfvv2ePj/a/FTw5B93wd8VDt1FEH8MOpR4Lv0A83ai46Gn9VyvF/7vV9nL+Wpt8qkVb/wKMfUn63m2D/3mj7SP81Lf505O/wD4BKXofVNFfNHhP/gpr8M9E16DwF+1l8OfEfwa8RzNsjj8XWpfTLl+/kahGPKkQf32CLx1r6M0LX9C8UaRBr/hnWrTUbC6jD2t7YXKzQzKf4ldCVYe4NceLy/GYJr20Gk9nvF+kleL+TO7CZjgsen7Com1utpL1i7SXzXzLdFFFcZ2hRRRQAUUUUAUfE3hrQvGXh698K+JtNjvNP1C2aC7tpRlZEYYI9vqOQeRXjXwG8S658CvH5/ZR+JOpST2pief4d63cn/j+shybNm/56xDgDuo6AbM+51w/wAf/gtp/wAbvAraGt82n6xYTreeHdZiyJLC9TlJARztJ4YdwfUAj5zPcuxUpwzLAL/aaKdleyq03rOlJ/3rc1Nv4Kii9pTPockzDDRhPLsc/wDZ61rvd05rSNWK8r8s0vjpuS3jA7iivNv2b/jTqHxP0C88L+O7Ead408MTiy8UaYcDEo+7cIO8UgG4EcdQMjBPpNerluY4XNsDDF4d3hJddGmtHGS3UotOMovVSTXr5eY5ficrxs8LiFaUX01TT1UovZxkmpRa0aafoUUUV3HEFFFFAGP488AeCfih4UvPA3xD8L2Ws6Rfx7LvT7+ASRyDscHoQeQwwQQCCCM180y/Dj9pH9gKRtV+BcepfEv4SxMXuvAV3OZdY8PxdS2nytzcRL/zxbngAclpK+rq8b/a7/a40v8AZv0bTvCvhLw7J4p+IviuU2vgnwVZHM19OePOlx/q7dOrucDAIBHJXF5RLNcTGNC6q/ZkrJpbu99HBbyUvdtd6bnjZvh8EqX1upN05wWk4/Er7Rt9tN2XI07t6Weq4j4kf8FN/hDc/DPSLn9mc/8ACd+PvF87WPhPwRbgpdR3YHztexkhraKLO52bAYD5W25deo/ZB/ZFu/gtPqfxm+M/iNfFfxZ8XASeKvFEi5W3U4K2NoCB5VtHhQAAN+0EgAIq+S+C/wDgmd8V9AsG/aHtf2gbnSvj7qN9Nqmq69aQqdHkeYKW01rYLhrYbQu/G4nL7ThVHpnwU/bZuJPG8P7P37Wfg5fh98RG+WyWaXOleIBnAlsbgnadxx+6Y7gSFBZgQN55xLLaby6pZOTs60b8lXXSKbScF/cl8cveUpLlivHwVfEyxtOtnMeSWnsv+fabVrvV8tZ9pO0U+WnJvmb+gaKKKR9iFFFFABRRXKfGz4s6H8E/htqXxC1xfNFpHts7NT893ctxFCvfLNjpnAyegrnxeLw+Aws8TiJKMIJyk3skldv+t9EtWjowmFxGOxUMPQi5Tm1GKW7bdkv6829Ezzn9pHVtT+M3j7TP2SvB17JFFfRrqHjy/t2wbPTFYEQZHR5mwMehGQVY17TpGkaZoGk22haLZR21nZW6QWtvEuFijRQqqB2AAArzj9l34T654C8JXfjT4hsJvGXi+6/tLxLcMOY3Yfu7YeiRKdoHQEtjjFen14PD2ExFR1M1xkXGtiLWi96dJX9nT8nZ89TvUm19hHuZ/isPTVPK8JJSo0L3ktqlV29pU81dclP/AKdwT+2wooor6Y+bCiiigAooooAKKKKACvOP2sfj5Yfs1fAfXfipLbi5v7eAW2g6ftLNe6hKdlvCFHLZcgkDnarHtXo9fL2u5/a7/bxtfDC/v/AvwLZL7Uu8V/4mlU+TH6N9mQFuOVkDKRhq8/Ma9SlQUKX8Sb5Y+Te8vSKvJ+iXU8vNsTVoYZU6D/e1HyQ8m95ekI3k/RLqej/sU/AO/wD2fPgRY6B4ruDdeKtbuJda8aag7BnutUuTvmLMPvbfljB7iPPc161RRXVh6FPC0I0ae0VZf13erfm2dmFw1LB4aFCkvdikl8u/m9W31bbCiiitjoCiiigAooooAKKKKACvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9epeIP+Qtof/YVf/0kuK8t8D/8pC/ih/2RnwH/AOnbxfXqXiD/AJC2h/8AYVf/ANJLigDUorjPi7+0J8IPgP8A2f8A8LW8Xf2V/avm/YP+JfcT+b5Wzf8A6mN9uPMTrjOeM4NcX/w8I/ZB/wCiu/8AlA1D/wCR68LGcUcM5diZYfF42lTqRteMqkIyV1dXTaaunf0PbwfDPEeYYeOIwuDq1KctpRpylF2dnZpNOzVvU9norxj/AIeEfsg/9Fd/8oGof/I9H/Dwj9kH/orv/lA1D/5Hrl/124N/6GVD/wAG0/8A5I6v9TeL/wDoX1//AAVP/wCRPZ6K8Y/4eEfsg/8ARXf/ACgah/8AI9bXw9/bG/Zw+KvjCz8BeAviN9v1a/8AM+yWn9kXkW/ZG0jfNJCqjCIx5I6Y64Fa0OL+E8TWjRo4+jKcmkkqsG23okkndtvRIyrcJ8U4ajKrVwNaMIptt05pJLVttqySW7PTaKK5X46Xvxd034LeLdS+ANlo9z45tvDl7N4PtfEEEktjcaksDtbRXCxSxOYmlCK211IDEg8V9EfPnVUV8Oal/wAFgrRf+CI8H/BUTR/CtjN4svvBsUFj4QMMpifxlJcDTf7M8oOJmjXU8oUDCTykJyD8w8w/4Lm/sJ/Db46f8EwfHH7XX7XXhL+0vjF4J+BKqBoXiXVLXQtN1WJGmmmttPF20L4nmlCvP5z7FjBY7QaAP0yorz39kj/k1L4Y/wDZPdF/9IYaT9p39l/4V/te/DA/Bv40jW5fDc+ow3Wo6fofiO70tr9YskW801pJHK0LE5aMOA20A8cUAeh0V+Vmrfs1fAL9jj/gtL8AfgX/AMEr9CvPCmr3Wm6xqf7R3hDw5rV3NoqeF/soWzudTglleOK6a5YCBgBIzMpbKlCf1ToAy/B//IJm/wCwrff+lctalZfg/wD5BM3/AGFb7/0rlrUoAKKKKACiiigAooooAKKKKACiiigDN8WeDvCPj3QZ/C3jnwvp2s6ZdLtudO1WyS4glHoySAqfxFfOmu/8E0fD3gLV5/Gf7Fvxp8TfB/WJpDLLp+lXBvtEupPWawuCUPoNpCqOi19O0V24XMcbgk1Rm0nut4v1i7xfzXzOHF5bgcc060E5LaSupL0kmpL5O3kfK/8Aw1B+2/8As1/6L+1d+zMPGmgwcP48+EZa5ZUH8c+nSkSrxy7qQg5wDXr3wF/a/wD2bv2mLTzfg18WdL1W6VS0+kPIYL6DHXfbShZVAORu27eOCa9KryD49fsJfsv/ALRl5/b/AI++Glvba+jB7fxVoMhsNThkH3XE8OGcjsJN4HpXZ9ZyrGfx6TpS/mp6x+dOT/8ASJL0OP6rm+C/3eqqsf5amkvlUiv/AEuD9T1+ivlb/hT/APwUW/Zj/e/BD40af8ZPDUH3fC3xIYW2sJGP4IdRTCyuePmmwo7LWt4J/wCCm/wdg8Qw/D39prwf4g+DniiU7VsfHNmY7G4bu0F8o8mSMf322A9qmWTYipFzwklWj/c+JesHaa+SkvMcc7w1OShjIujJ/wA/wv0qK8H83F+R9J0VX0rVtK13TYdZ0PU7e8s7mMSW91aTLJHKh6MrKSGB9RVivJaadmewmmroKKKKQzxv9pD4c+KfDmv2f7TnwcsTJ4l8PQGPWdLj4GuaZ1kgYDrIoG5DyeMYJCgej/DT4jeFviz4H074geDb8XGn6lAJIicbo26NG47OrAqR6g1u18C/tEfG74ofsk/tJ+JfCfwSvX0bQ7+7ttTl0q4s45ra5mkhRpXiDoTGjMWUhCOUIyMAD834nzrC+HmIeb1FJ4XESUakIq7jVa92rFaL31Hlqq6u1CavLmUv0PhrJ8Vx9h1lVNpYmhFypzk7KVJP3qUnq/dcuam7OycoO0bNffVFeG6H+2s/9i2d54z/AGbfibp801rHJPNB4UaW13FQTscPkrnplQcYyKtD9vj9nS0OPEmq65ox7jVPDV2mPrtjavfhxtwnKClLGQhez9/mp766+0pw79/meHPgzimMnGOElO2nucs9u3JOf5fI9oory7Sv21P2WdYx9k+NOkpnp9q8yD/0ai4rnP2iv29fg98HPhwfEHw/1mx8c+I9QmFn4c8NeHdQjuJLq7fhPNaMnyIR1aR8ADgZJAPrYDOskzStGlhcXSnKTsrVaf61F9/RHk4/J85yyjKrisLVhGKu70qn6QfyXVmp+1z+1toX7NHh6w0bQ9Bl8T+PfE8xs/BHgqwObjUrk8b2xzHAhOXkPAHA5rE/ZE/ZJ134aazqP7Q/7Q+vQ+J/i74qiH9t6wBmDSLc8rp1kD/q4U4BIwXIyeMVR/Y1/ZmvfDmv3/7TX7QHjDT/ABb8W/E8AGo6haTrLa6DanldOsQCQkag4Zhy5zyRkt9E19VXxeGwuHeFwU1JS+Oovt/3Yv8A59p/ObV37vLE+Vw+DxOLxKxeOg48v8Om/sf3pLrUa+UE+Ve9zSCuR+NfwJ+FP7Q/gif4ffF3wfbavp0vzReaNsttJjAlhkHzROP7ykdwcgkHrqK8WpTp1qbhUScXunqmerVpUq9J06sVKL0aaumvNM+UF8T/ALS//BPpha/EB9W+KnwegOIfEcUfm6/4Zh7C6Qf8fcCj/loOVAJO0BUP0j8Nfif8P/jF4OtPiB8MfFtlrWj3ybre+sZdyk91YdUcdCjAMp4IBrdZVZSrAEEYIPevm74lfsYeMPhh4yu/jv8AsJ+JLXwl4iuX83XPBV4p/sHxFjkh4lwLaU84kTAyf4NzPXl+yxeW60b1KX8t7zj/AIW/iX92Tuvsyex4vscdlGtC9Wj/ACN3nBf3G376X8knzL7MnpE+kqK8W/Z1/bR8IfGPX5vhL8QvDl34E+JOnLjVPBOvMFlfAyZbWThbqIgEhl5wM424Y+016GHxNDF0vaUpXX5Pqmt011TSaPVwmMw2Oo+1oS5l+KfVNOzTXVNJrsFeC6Vj9qb9opvET/vvAvw0vTFpw6xaprYHzS+jJAMAH+9ggkMRXRftUfEvxHoujad8HfhjNnxj43nax0tkPNjb4/f3jY5UImcHrk5GdpFdt8KPhp4c+D/w90v4c+FYdtpplsIxIRhppDy8rf7TMSx9z6V8xjv+F/Oll61oYdxnW7SqfFSpeajpVqLypRe7R9pgf+EHJnj3pXrqUKXeNP4atXyctaVN+dWS2TOiooor64+UCiiigAooooAKKKKACiiqmv67o/hbQr3xN4h1GKz0/TrSS6vrudsJBDGpd3Y9gFBJ9hSbSV2JtRTb2R59+158foP2bPgNrPxJgt/tWrFFsfDWnBdzXupTnZbxKo5b5juIHO1GxVb9jH4A3H7OnwG0zwfr9z9q8SajLJq3jDUXfc93qlyd87s38W04jDd1jB6mvmnwB+1h8Hf+Cg37f3hHw/puq3Nt4V8Aaddar4b0vVrfy313W1OBOEBYbIYQZYwxDgox2gFgPuuvGwFejmmLnjKclKELwhb5Ocvm7RX91dmfPZXicPnOOqY+lJSpwvThbXs6kvm7RX92Lez1KKKK9o+iCiiigAooooAKKKKACiiigArxn9g//kiGuf8AZZviP/6mut17NXjP7B//ACRDXP8Ass3xH/8AU11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiivkL/got+1J+3h+yl8RPh74y+FGh/CO4+FXiD4leEfCevf8JDFqlx4hkl1bV47KdrdIZIbaFY45VZHdpSWzmPAGQD69or5U/b8/4KB6l+zl8UvCv7N/wy8YfDTwz4n8Q+Hr7xLr3jj4waybPw74T0K1nt7Y3VwFlha5mnurqGCGBZogSJGaRQgDexfsm+NfiX8Rfgrp/jX4ofE/4beNLrUJpZdO8U/CZZl0XUbPOI5YhNcXJDZDBts0i5HDdQADC8D/APKQv4of9kZ8B/8Ap28X16l4g/5C2h/9hV//AEkuK8t8D/8AKQv4of8AZGfAf/p28X16l4g/5C2h/wDYVf8A9JLigDUooooAKKKKACiiigAooooA/KrR/wDglj+2Ha/8FN4vhLc+ArQfsgab8fJ/jrYat/blp5jeIpNOXZpAsxL56QR6o0l0B5Xkle4bFe+/8FsrL9t74yfsr+N/2PP2Tf2FdT+JcPxI8B3enXPjC1+IWiaTBolzIxRY5LfULiKSf5QH3J8vzYzkV9sUUAfOP/BPr4g/td6j+zzH4I/aP/Ye1P4V6v4I8M6bpmh2upePtH1ceInhtDG7o2nzSLbAPEgxKQf3oIztNc78f/jp/wAFVLv/AIJuJ8SfgB+w7pth+0drkX2U/Di98eaXd23hlnmlQ3jXkk0Vre+XCscqxhwC8qg5COD9YUUAfnb/AMEuPCH7WP7Jj2vw78Vf8Eo/iJb614815L/4wfHfxj8XfCeoahrF++fM1C7jtb+Sdoo8sIrWEMIkO1QWLs36JUUUAZfg/wD5BM3/AGFb7/0rlrUrL8H/APIJm/7Ct9/6Vy1qUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABWT428BeB/iV4em8JfEPwfpmu6XcDE+n6vYx3EL+5SQEZ9+1a1FVGUoSUouzXVaEyhGcXGSun0eq+5ny/qv8AwTZh+GOpTeK/2H/jz4l+E+oSSGWTQopjqWg3L9T5llcEhSem4NhQflWq/wDw1t+2N+zd/on7YX7LsniDRYOJPiB8JC17AEH/AC0nsZMTQgDlnyF67VNfVFFess4qVly42CrLu9J/KcbS/wDAudHjvJadB82BqSovtHWHzpyvH/wHkZ578Cv2rv2d/wBpbTP7R+CfxZ0nXHWPfPYRT+XeQD1kt5AssY7ZZQD2Jr0KvGfjr+wH+y7+0Bqf/CVeKPh8ukeJUk8238XeFZzp2pwy9pPOhx5jDt5gcD0rzz/hXH/BST9mEeb8LPifpXxw8MQfd8PeOWGn67HGP4Ir9f3c7erzevC0/qeW4v8A3WtyS/lqWX3VF7r/AO3lD1F9dzTB6Yqjzx/npXf30376/wC3XP0PqmsnxB4B8C+LNQtdW8U+C9J1O6sW3WVzqGmxTSW5znKM6koc88YrwjwB/wAFNfgXfeI4vh1+0BomufCHxY/H9j/ECxNrBMehaG8/1MkeSMOxTd2FfRFhf2OqWUWpaZexXNvPGHguIJA6SKRkMrDgg+orzMfldailTxlHR6rmSlF21TTtKLtumm7b6M9PL81oYhupg62q0fK3GSvo01eMo32aaV9tSWggMNrDIPUGivK/2r/2rfBf7K/geDV9U0+41vxJrVx9i8H+ENMG691q9bAWKNQCQgLLvfBCgjgsyqxh8PWxdaNGlG8paJf106tvRK7bSQ8TiaGEoSrVpcsY6t/1u3skrttpJNsxP2yPjj8Ff2d/B1tceIPhpp/ivxZ4huPsXg3wbb6bFNea1eNgKiqVYrGCyl5MEKCAMsyqeN/ZY/4J/wCk6PpGp/E39qnQ9I1zxr4slFzf6LZW6xaT4fjP3bO0gjwgKjAaXlmI+8eWfa/ZN/ZS8aaR4yuv2sf2r9Qt9b+LGv2+yOKM7rPwrZHO3T7MZIUgEh5ASWJYAnLvJ9D1WZ5dkCoPCLD0qrfxzlTpyu19mDlBtQT3as5vXSNk88sx+fSrrGTr1aSX8Omqk48qf2pqM0nNraLuoLTWTk15DqP7Bv7KGov5zfCWG3kByslnqd3CVPsElA/Sqv8Awwx8KrP/AJFnxv450TH3f7K8Wzpt+m/dXtFFfIy4M4SlLmWBpJ94wUH98HB/ifXR4w4qjHl+u1Wu0puS+6amvwPF/wDhkzxlpn/IsftcfEuHH3RqerR3gH/faDNH/Cj/ANrHSjnQv2y3nQdINV8EWkmfq4bdXtFFL/U/I4/wlUh/gr14/wDuaRX+tudS/iunP/HQoS/9xI8X/wCEb/b10n/kH/Er4davjp/auj3Vvu+vknij/hKv28dJ/wCQh8Kvh/q+Ov8AZWuXFvn6ecOK9ooo/wBWHD+DjsTH/uNzL7p05fmH+sin/FwWGl/3C5X98KkfyPlD9orwb8Tv2h9Ah0z4w/sN3yahpzeZonirwt46tBqOlzA5ElvIF3rggHacqSASMgEcL4b/AG6f2rv2SvB97o37WvwP8S67pFpH5WgeP5NN8klzhYotR2bkBJIHmq25sDh2JYfdNUfEnhrw/wCMdAvPCvivRrbUdN1C3aC9sbyESRTRsMFWU8EVyS4ZzalVnXoZlU53Fr3oUXd2aXM4whez2bi2vNaHiZhLKsXWjicNgqdCunFuUJVXGaTXu1KcptTi1pdShON/cmtj5K/YE+PR/aL/AGhPFPj/AMcadDca9c+HYm0i8smJtLKxjkVHgiUliu55EfO45w3TJz9h18m6j+xv8SP2NfFd78Y/2BrO2vdNu0U+JPhZrdyWjvo1yc2V1IS8EvJIRmKknuAqV7D+zf8Atb/Cr9paxurPw1NdaT4l0k+X4h8G67D9n1LS5QcMJIm5ZQeN65HIBwcqM+C8Fjcgy7+zszq8+Ic6k+dq3tOeXNfm2lJL4tpaJcvKla8/4twnEGdpvDfVZckIRp83NTfJGz9jJ293qoO043fMpNuT9Rooor7Y4gooooAKKKKACiivOf2jf2o/hV+zH4Zh1nx9qM1xqWoSeToPhvS4vP1DVpyQFighHLZJALHCgkAnJAOVatSw9J1KslGK3b/r+uiZjiMRQwtGVWtJRit29v67LVt6JN6HbeK/FnhjwJ4cvPF/jPX7TS9L0+AzXuoX86xRQoOrMzHA/wAivlnXfHHxq/4KPx3ngb4Mi98E/Be6WS01zxxe2m3UPFEByksFhDIP3cDDKtKw5Bx2aM6XhT9mj4w/te+I7P4uftywrp3h61nFz4Y+DllcFrW2/uTak4x9pmx/yz+6OQQAzR19QWdnaadaRafp9rHBBBGscEEKBUjRRgKoHAAAAAHSvMcMTmq99OnRfTac159YRfb4mt3FOx4zhi86X7xOlh39nadRf3usIP8Al+OS+JwTsfJX7H//AAST+H37KHxx/wCF3H4p3/iO5sI508PWc2mLbCyEqNEzSMsjee/lOyghUHzE7emPrmiiuzA5fg8to+yw0OWN27a7v1ud+W5Xl+UYf2GDpqEbt2V9311bf/A0Ciiiuw9AKKKKACiiigAooooAKKKKACvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvgz/gt18XNXj8O/Dj4L+Df2dfjF4z1XTPi74G8a3954B+Ems65YQaXYa/HPdBrqyt5IluEitpH+zlvMKtGduJFz950UAfnL+034Q0Hxd+3t8Cv+CtWufshfEfxv4CtvhprfhPVPDsnwtvZ/EPhS/a8E1lqcuhyxfbSrL9thJSFnjE0b42uGHr//AASJ+Enjn4feFPjL8QtW+DuqfDfwl8SfjZqfif4dfD7W7BbO70nSpbSzgaWW0B/0Frm5gubn7MQCgmBYBnYD67ooA+ePgF8MfDfwu/b9+L+n+GtS8Q3Meo/CvwPfXDeIvF2o6w6Svqvi4FYnv55mgi+UYhjKxKclUBY59z8Qf8hbQ/8AsKv/AOklxXlvgf8A5SF/FD/sjPgP/wBO3i+vUvEH/IW0P/sKv/6SXFAGpRXnH7QX/DXf/Eo/4ZW/4Vv/AMvH9vf8LB+3/wDTPyPs/wBj/wC22/f/ALGO9eb/APG3b/q3D/yv1w1sd7Go4eyqSt1jC6+T5l+R5uIzL6vWdP2FWVusYXT9Hzr8tz6Por5w/wCNu3/VuH/lfo/427f9W4f+V+sv7T/6cVf/AAD/AO3MP7Y/6hq3/gv/AO6H0fRXzh/xt2/6tw/8r9dJ8I/+HjH/AAsLT/8AhfH/AApT/hFP3v8Aav8AwiP9r/2j/qn8ryvtH7v/AFvl7t38G7HOKqGY881H2NRX6uFkvV870NKea+0qKH1esru13Tsl5t87su7sz2uiiuV+Onwc8FftD/Bbxb8BviPYfadA8Z+HL3RdYhAGWtrmB4ZNuejBXJB7EA9q9E9U6qvlz/goH/wVe+En/BOqacfEr9nP41+M7aw8MjX9Z1b4bfD1tR07SrDzZYjJdX0ssNtAwMLko8gbaVOPmXPwXN+1h8ZvEv8AwRW03/gl/L4iZPj9f/Fb/hmLUZVyXiWGbyp9UK53tb/2EokM2cFpN249/sf/AIK8/DDwd8Ev+CFfxk+DXw70sWWgeE/gjLo+iWa/8sbS2tkhiT3wiKKAPrf4deN9J+Jvw+0L4kaDb3ENj4h0a11Kyiu0VZUiniWVFcKzAMFcAgEjOcE9axP2gvjTbfs+fCjUvitdfDPxn4xXT5IEXw78P/Dsmq6tdtLMkSiG2QgsAXDMxIVEVnYhVJqj+yR/yal8Mf8Asnui/wDpDDXoLBipCtg44OOlAHyv8Jf+CtXwh8cfHTwz+zr8Yv2c/jN8F/E3jh5ovAyfF3wTHYWniCeKMySW1tdWtzcw+eIxu8qR0Y5AALMAfqmvyx/ac+GH7VH7PH7df7LPxh/4KVftQ2Hxu8B3XxitfC/w+07wf4Og8J/8I/4x1K2njsdRurQPdPqUIEcicXUXkMwfZICyn9TqAMvwf/yCZv8AsK33/pXLWpWX4P8A+QTN/wBhW+/9K5a1KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDE+IHw1+HvxX8OS+EPib4I0rX9Lm/1lhq9hHcRE/3grggMOzDkdjXzvff8E4tV+EN7L4k/YV/aH8R/DGdpDK3ha7lOq6BcMTkg2twSYi3ILqzFQflUV9R0V3YXMsbg4uNKfuveLtKL9YyvF/cn5nBi8swOOkp1Ye8tpK8ZL0lFqS9LteR+f37Wf8AwUw/bp/Yk8L2HhT41/s6+CZfEerSyDQ/F+maxNPpGoRw7PO/0TKTxuPMj4aRAd+QMDFdN/wSjktv2um8Qft9fGmaTWfH7a9caFpyzW+yx8PWkcUUgh0+Ms2wMtxhpCd5ywzku0n1L8d/2cvgn+014QTwJ8c/h/a+INMiuBPBDPLJFJDIBjdHLEySRnBIO1hkcHIrT+FPwk+G/wADvAtl8NPhP4RtdD0PT1ItbC0BwCTlmZmJZ2J5LMSx7k17dbOsreSOjh8P7PETdpSjonG92ldtpPS8VZabtPlPCo5Hmqz1V8Rifa4aCvCEtZKdrJu0Um462k7vXZNcx0dFFFfLH1gUUUUAFFFFABRRRQAUUUUAFeQftIfsbfD74/X9r490rVLzwj4+0kZ0Lx34ebyr22YDhJcEC4i7GN+xYAruOfX6KxxGHoYqk6dWN0/6uuqa6NNNdGc+KwmGxtF0q8VKL/Po09010aaa6M+ZfA/7YXxH+Animz+DH7fWi2ujXN1KIPD/AMTtNQjRNbPYTHAFnORyVbCdThF27vpiGaG5hS4t5lkjkUNHIjAqykZBBHUVl+OPAng34l+FbzwR8QPDNlrGkahF5d5p9/AJI5F9wehB5BHIIBBBFfNE/wAL/wBo/wDYGnfWf2fI9R+JHwpRi958O725MmraDHnLNp0rZM8Y/wCeDZPGBks0g87nxeW/xL1KX8284/4kvjX95LmXVS3PJ9pjso0q3rUf5t6kF/eS+OK/miudfajLc+raK4f4C/tF/CL9pXwaPGvwl8VR38KMI7+ykHl3VhL3inhPzRuMHrwcZUkc13FenSq0q9NVKck4vZrVM9mjXo4mkqtKSlF6pp3T+YUVT8Q+ItA8I6Hd+J/FOtWunadYwNNe317OsUMEajJd3YgKB6mvl3U/jD8dv2+NRn8G/sv3194J+FyTNBrXxSuLdo73WFB2vDpcbYKKeQZzgjnG0rtfnxeNp4VqFnKcvhit3/kl1k7Jeb0fJjsxo4Jxgk51JfDCPxPz7KK6ylaK7t2T6747/tmapb+OJf2dP2TvCkXjj4kMNt6BIf7L8OLnBmv5l4BU/wDLIHcSMHBKq2j+zl+xnpfwv8TTfG34y+K5fHnxQ1KP/iYeLNTjGyyUg/6PYxfdt4gCVG0BiCfug7B3XwI/Z8+FH7N3gaLwB8JfDEen2gPmXdwx33F9NjmaeU/NI59TwOgAAAHa1hRwVSrVVfGNSktYxXww9P5pf33/ANuqK35sPl1atWWJx7UprWMV8EPS/wAUu85K/wDKorcooor0z2QooooAKKKKACiiigAooooAKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPGfA/wDykL+KH/ZGfAf/AKdvF9epeIP+Qtof/YVf/wBJLivLfA//ACkL+KH/AGRnwH/6dvF9eoeKWNrJpurOjGGy1DzLgqpJVGhlj3YHYGQE+gyaANaisoeOfBJGf+Ew0sfW/jH/ALNS/wDCc+Cf+hw0r/wYR/8AxVAGpRWX/wAJz4J/6HDSv/BhH/8AFUf8Jz4J/wChw0r/AMGEf/xVAGpRWX/wnPgn/ocNK/8ABhH/APFUf8Jz4J/6HDSv/BhH/wDFUAalFZf/AAnPgn/ocNK/8GEf/wAVR/wnPgn/AKHDSv8AwYR//FUAfOVn/wAEjv2VrH/gpRN/wVJhv/FJ8fS2bougtqcH9hRXj2Cae+pJbeR5gu2tEEJk83aQSduTmrf/AAUD/wCCZ3hv/golo7+D/iF+1v8AGrwR4YvNBk0nXPCPw48TWFnpuswu5ZmuormxuDI+DtyGUbQBjvX0F/wnPgn/AKHDSv8AwYR//FUf8Jz4J/6HDSv/AAYR/wDxVAHj37H/AOwyv7IPw61n4Y237Wvxk+Imn6nY29np0nxL8S2d7NoUEMLxLHYtbWduIQVYZ3B+Y0xjBzVX/gn54f8A+GPfD37H7/tT/G4p4ZuVuLD4lx/EN4vFssyzSyh59QjiUTD980ZRoyjRqqspxXtf/Cc+Cf8AocNK/wDBhH/8VR/wnPgn/ocNK/8ABhH/APFUAfMfwq/4JC/Bfwf8cvDX7RPxs/aI+M3xt8S+CJnuPA7fGHxvHqFn4funXYbq2tLW3toBPt4EsiO4wrAhlVh9YVl/8Jz4J/6HDSv/AAYR/wDxVIfHXgsD5fFumueyx3qMx+gByfwoAXwf/wAgmb/sK33/AKVy1qVmeEIpo9DEk8LRme6uLhUdcMFkneRcg9DhhxWnQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeD/Hr9iex8XeMj8ef2d/F8nw8+JkKk/27p0Q+yauOvk39vjbOjYAL4LDgnftArzTX/wDgq1a/s3xv8O/20Pgn4g0Tx1ZqhMHheGG6sdVgbcFvbaSWZNsTMjAqSSp4ySGC/YdfMn7eH/BNDwd+234m0bx2/wARrrwxrelWIsJbtNNF5Fc2gkeRYzGZI9rK8khDBv4yCDxjwMzweOw9KVfKtKresdOWV93Z2Sku6av1voz5fOcBmeEozxOSWVZvWDtySvvLldkpre6cebXmvoznPhN8NPHP/BSCz0r9oP8AaT1qC3+Gks5ufCHwu0S/LwXPlyMon1KZcec4ZSPKGApGCF+dW+t9M0zTdF06DR9H0+C0tLWFYra1tohHHDGowqKqgBVAAAA4ArlP2fvgl4T/AGcvg5oXwV8ES3Emm6FatHFNdMDJM7yPLLI2OAWkkdsDgbsDgV2Vd+XYN4agpVNaskueV7tu2qv2TvZKyS2XV+nlOAeDwynW1rTSdSTd25W1V/5U7qKSUUtl1ZRRRXoHqhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV4z+wf/yRDXP+yzfEf/1Ndbr2avGf2D/+SIa5/wBlm+I//qa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeM+B/+UhfxQ/7Iz4D/wDTt4vr2avMfib+yD8Fviz8SJfi54km8a6f4guNDtNIu77wj8UfEGgC5s7aa6mt45YtMvreOUxyXt0Vd1LDzmGcYAx/+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9cjrP7AWjSfHjw3qOj/Ev4wp4Hi8I63H4isz+0d4y3y6q91pR06QZ1XfhYE1QHawXMi7gx2FQD6Uorxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLej/hg/4I/wDQ8fGb/wASO8a//LegD2aivGf+GD/gj/0PHxm/8SO8a/8Ay3o/4YP+CP8A0PHxm/8AEjvGv/y3oA9morxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLeuR+Cf7AWjWHg29g+MvxL+MN3q7eLvEElnLD+0d4ywulPrF4+lx/u9VUZTT2tEORuyp3FmyxAPpSivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9morxn/hg/wCCP/Q8fGb/AMSO8a//AC3o/wCGD/gj/wBDx8Zv/EjvGv8A8t6APZqK8Z/4YP8Agj/0PHxm/wDEjvGv/wAt6P8Ahg/4I/8AQ8fGb/xI7xr/APLegD2aivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9mor5r+JH7AWjXXjL4fz/AA7+Jfxhg0i28XTSePIpP2jvGWbnSjo+pJHGu7VScjUH05/kKtiM87dyt13/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV4z/wwf8ABH/oePjN/wCJHeNf/lvR/wAMH/BH/oePjN/4kd41/wDlvQB7NRXjP/DB/wAEf+h4+M3/AIkd41/+W9H/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV81/Df9gLRrXxl8QJ/iJ8S/jDPpFz4uhk8BxR/tHeMs22lDR9NSSNtuqg5OoJqL/OWbEg527VXrv+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//Lej/hg/4I/9Dx8Zv/EjvGv/AMt6APZqK8Z/4YP+CP8A0PHxm/8AEjvGv/y3o/4YP+CP/Q8fGb/xI7xr/wDLegD2aivGf+GD/gj/ANDx8Zv/ABI7xr/8t6P+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//LeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9H/DB/wAEf+h4+M3/AIkd41/+W9AHs1FeM/8ADB/wR/6Hj4zf+JHeNf8A5b0f8MH/AAR/6Hj4zf8AiR3jX/5b0AezUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9cjo37AWjR/HjxJqOsfEv4wv4Hl8I6JH4dsx+0d4y3xaql1qp1GQ41XfhoH0sDcxXMbbQp3lgD6Uorxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t6P+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLej/hg/wCCP/Q8fGb/AMSO8a//AC3oA9morxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t65H9n/APYC0bTfgP4J0747/Ev4w3vji38I6bH4zvIP2jvGWyfVVtYxdyL5eqqmGnEhG1VXB4AGBQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezV4z+wf/AMkQ1z/ss3xH/wDU11uj/hg/4I/9Dx8Zv/EjvGv/AMt6774N/BvwB8A/AEHwy+GVhf2+k29/fXoGqa5ealcy3N5eTXt1NLdXsss8zyXFxNIWkdjl8DAAAAOoooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvy0i/Zk+Gv7cXwj/bD/bB+OAvbj4m+D/ih440D4XeM49VnhvPAVr4cjNvpx0xkcCzPn27XchQDzmnbzN6nFfqXXxx8YP+CWfxM8U638V/CfwO/bNv/h98Mvjrqk2o/FHwVB4Kgv71rq6to7XUpdK1F50OnG8hiUSb4bnbIzyR+WzcAHu37D/xb8T/AB//AGLPhB8d/GqqNZ8bfC7w/r2rhIwgF1eadBcS4UcKN8jcdq+I/wDgoF+x9+yp8EPHfw4+HX7Dfw2k0j9qfxv8SNL1fwt4p0bWLubWLTS7fU4Z9a1TVrmSV5JNLFp9pgeKctHI9xHFGhbAX7msPgr458G+Ovh5bfCT4sxeGvhn4J8L3ej6l8NYfDUFwmr/ALq3i0+Rb52860FokMgEaAiXzvnI2DPzF8FP+Can7fHwM+Onj39oLRP+Chfw71zxN8RddF1r2v8Air9nm5u9STTo2/0bSIJ08RRpBaQISscccSruZpGDOxNAHV/8FNf2cf2YfE1lF8c/il/wTG8Q/tGeJV0ptLtbXwxHZS3emW8QlmRlF5fW/kZeVwJLVZLjcw+U7Vx8tfDnUdd+Of7E37Bn7HXxA+PF5448L/Fzxtqdv8SNattUvlfVtO0fTdX1EeHrma4WK5dI57W3spxKsckn2F1dRudT92/Hr4Lftz+M/Htzrf7Pf7ceheBfD13YRwtoOtfCCHXJrOZQQ09tc/brbazZB2zRzqCOBg4rz64/4JO+BPDn7I/w5/Z1+D/xn8QeH/FPwn8ZN4x8FfE2+tIL++XxBNPdzXt1dwERx3MN0b+9Sa3BjUpPtUoUQgA5r9jLwJ4W/ZD/AOCn/wAW/wBiX4G6Z/ZHwx1H4ReGfH+ieELWVzYeHNSn1DVNNvI7OIki3juFs7eZolwgdWZQNzZ+168I/ZK/Y38VfAz4leO/2iPjn8bv+FjfE74iJp1prXiO38Npo9jZaZYJKLPT7KyE05giVri4lYtNI8kkzMzcKB7vQAUUUUAfMH/BZn4r/EP4Nf8ABNj4keLPhT4ru9B16/8A7H8P2eu6fJsuNNXVtYsdLluonHMckcV5I6uOVZQwIIzXkUv7NPwY/wCCcn/BSX9mjwp+x94R/wCEP0L4u2vivwx8RNCsb2Z7fXPsOjNqlnqVykjsJL2KW0kQ3R/eut26uzAgV9e/tT/s3/Dz9r39njxd+zT8VRdroXjDR5LG8uNPm8u5tWJDxXMLkELNFKscqMQQHjUkEcV5F8Ef2D/jRpv7Q/hj9pX9sH9rgfFjXPh94bvtH+HlvY+BIdAttN+2iJLzULlI7mc3d9LFBHF5gMUSI0gSFTISAD2X9oD9nP4O/tSeAR8Lfjr4UfXfDrX8V3caQdRuLeG6ePOxJhBIhmiycmJyY2wNykDFfH//AATO8DfDKz/bk+N+rfsM6AdC/Zr07w9pnhxbDS7iQaBqvja2ubr+0rvR4ixSOKG3a2tZ5IAscs8ZxvMTNXrX7SX7Gf7Yn7QX7Ivjb9m2D/goPNoeu+L/ABffXEXjm1+HMKS6d4anuWdNBSG1vLdjsgK2xvRKkzoGb5WbK7H7Iv7L37Uv7OXgYfCLxV+0X8OLvwdpPhb+yfBeh/D34KSeHToUqhVimDT6xfJOqKG/dtGNzHcznkMAfGXxw+Bn7Pn7Lv7ePwI8K/s3fsX+Iv2fXi+NOn2Wp/Hmd0j0jxlZvBKG0AyWd1czXcmoOyQodTS3AdCVcybFe/8AtjfsJ+JtE/bY+Pn7bnxd/wCCVHw1/aM8C61pfh650t/EHimzj1zTbTTNJ8u++w2VxZTJO7tkiN57cuYABu3LX0dqv/BPr9qD44eL/A7/ALaP7dNn468I+AfGen+K9N8LeFfhXB4efVdUsJRNYyahc/bbozRxTBZTFBHbq7Iu75RtO9+0d+yj+3b8bdV8WeFPBn/BRKx8H/D/AMWwtayaLa/CC2uda0qzkgWKeGz1Nr1I0Zv3jLLLayvGZOD8q4APY/2cfij8L/jf+z94I+MXwSwPB/ifwpp+p+F0FuIfLsJrdJIEMY/1ZWNlUp/CQR2rtK5T4FfBjwH+zl8FfCfwB+F2nyWvhvwV4cs9E0O3ml8yRLW2hWGPe/8AG+1AWY8sST3rq6ACiiigD4d/aQ+FXgH9tb/grnpv7Jv7Svh2PxR8NPAv7PS+M7TwRqUjHTdR1vUNbnsBd3MAIW5a3t7FliEgZY2u3YAMQa6j/gj9qut6P8PfjP8As73Gv6hqOhfBv9oXxD4N8Ey6pfSXU9voiQWV/a2hmlLSSrbjUGtkLsWEcCLn5a7n9p39i/x/8Tvjv4a/aw/Zq/aAi+GnxL8P+Grzw1d6rqPhJdd03WdEuJo7g2l1Zm4tmLRXESywyxzIyM0gYOrlap/C39hn4jfAD9lq++DXwF/amv8ARfH/AIh8ct4t8ZfFfVfCVnqNxrWpXWpR3eps1i5WCJbiFXtIwp/0eIxldzRgkA47/gpZ+zf/AMEyfDvgfxV+2J+2/wDBuDxLqA06HTdMknvbu41Ke7K+TZ2GiwrL+4vppCFj+yqkjSNuZsKWHLeD/i3+19+zB/wTP+Bf7OHxA8R/2l+1D8RvD9p4Y0OTXLgXkmnXxgMt1ql+5P79NMs8yzuSRNNEke4tcKT0v7U3/BO39qn47ftt+H/2vvA37Z3hHS7DwVo/2bwD4D8bfBybX7Lw/fyLtudViaLWbISXki5jWWSNjFGSqEZZm9T8b/sLfBz9qD4beFfD3/BQz4Z/Dv4z+I/DK3Ri1u/8Ara2aSTuu97aznuLprbckcCsPOfcYg2RkKAD8+P2edf1X/gnZ/wSX/b8u/2f/FOoy6v8OfjJ4yh8Pa/qF6bm/N3/AGPpES6lLI2TJP5rm4ZjwXycY4r2Dxp+yT8Hv+CZPx9/ZN+IP7LWm3Glan44+JS/D34oXMepTyv44tb3QdRujf6kXdvtV1Fd2EVwtw2XBd13bGK16f8Asz/8ER/2Nv2dfAfx5+Gtp8PfDk+k/HXV9Xiv10TwzHpk2k+Hb61hhXQ4pEkctFC0csqSDYA82RGpXJ1fgr/wTj+MWh/Fr4a/ED9qb9sy6+KemfBa0uU+GGif8IPBpDxXcto1iNR1OdLiX+0btLR5YkdEt0BmeTyy5BAB9ZUUUUAFeX/tu/FvxN8Af2L/AIvfHfwWqtrPgr4X6/r2kq8YcG5s9OnuIsqeGG+NeD1r1Csvxt4M8M/EbwZq/wAPfGukx3+ja9pdxp2rWE2dlzbTxtFLG2OcMjMp+tAH5jv+zL8Nv2IPg/8AseftifBH7bb/ABP8YfFDwNoPxR8aSarPNeePLbxGgt9S/tNnci8/fXC3cZcHyWgXy9ijFfpT8XPhR4I+Ofw31b4S/EmwurvQdcthb6pa2ep3FnJNFuDFPOt3SVA23B2sCQSOhNfLfwg/4JY/EvwrrXwo8IfG/wDbNv8A4gfDD4FapDqPwv8ABM/gqCxvRc2ttJa6bJquopO/9omzhlby9kNtukVJJPMZefXfiZ8CP2s/GXhH4x+HPCP7bDeH7nx0kEXww1GP4f2sr/DyMWkUM+zbNG2pPJKs06yTMhiaUKMqgyAfMH7O3wW+Bfw4/wCCutv4H/4JueBYfCngb4feANVsP2jV8MzSR6Be6zcvaPo+nmLcYpNWgC3U8sqjzI4p1SR8yBK8f/bt8ZXv7Z/x6+B/7YsfiGRfhn4H/a/8FeEfg/ZR3W2HW511jZrHiJ1BxJE00AsrRjkCK3uJl+W6Uj67/wCCfX7Cn7Uv7Dvh3w/8I739qP4ca/8AD3R4bhr/AEXRPgpd6VqurXsqsz31xqU2vXZkuJJ286WR4XaUkjK5BHG/tHf8G/X/AATb+NMPhH/hAP2XPhn4Hn0D4i6T4i1240/4fW0za9p9rOZLnSZdrx7YrlTsdzvAHJjfpQByv/BRX9gT4l/Hb/goFpf7UQ/4J+/DH9oXwbpfwSXw7H4a+InjC30zyNT/ALWluzNaiayuleQQkIN4iQ+cf3owa+nP+CdHxi+BPxy/Y58HeNf2cPhY3gTwtbw3Wkw+BJLCK1fw5d2V1LaXenNFESiGG4hlT5flYAMOGFUfjN+zx+2bf65bWP7Jn7aHhv4Y+ELbw/baZa+FdR+DkGt/2eYQyia0n+3W3lnYY1EcqTRr5QwuCQer/Y0/ZS8EfsVfs7aH+zz4E17VNYg0uW7u9R17XJVe91fULy6lu7y9nZFVd8txPK+AAFDBRwooA9RooooAK+Mf+Cj+gad+0B+2t+zF+xD8SxNefDbxxN4w8R+OPDguXit/EB0WwtPsdjdbCDNbefqHntASUkNqm4MBivs6vEv2xf2P9S/aT1LwH8T/AIZ/FubwB8Sfhfr0+qeB/GC6KmpwQi5tntbyzurN5Ixc2s8D4dFkicNHG6yKU5APHv8AgnD4f039n79tj9pz9iL4ZLNZ/DbwRJ4P8SeB/DZuXlt/D51qxu/tlja7yTDbedp/nrApCRtdPtCg4r079uT9mT/gn54+8OXf7SX7fPgfw/qvh/wJ4eme4vvGV7M+maZahjI832Uv5JmJwFk8szE7UQ5IBzvg5+wz8VfhB8O/jB4isv2qZbv44/GNmudW+L7eCrcQaVdw2Is9N+y6Q8rxfZbNFVkt5ZZDIzSmSRvMOOS/bf8A+Cdf7TP7X3ij4TavaftneHbHSPhqsWoap4R8W/CRtY0rxP4giUCLVrqC31WyB8pgZIrZi8SSHfhiq7QD598P/sfftR/tRf8ABBnxh+zvo/gfUZp/G/js6r8JfBHxK1p0vNM8FjxTa3+nadqE9x5joU06EnY5kdI2SIgsuwd7+yF4y+Cn7HHxY+JvwJg/4Jg+BP2fPijb/Ce58b6enw91G21PSvGGjWUjRNsvIbS0l8yC5ljV4JYUYC4V1LKc19NH4S/tx33wDuPBuqftmeFbb4inWlubLx1onwfEOnpZqUP2SXS7jU7gybsOGlW5jbDjbtK5blv2ff2EfiD4X/aO1f8Aa7/a1/aNi+Knjy98Et4P0ZdO8Fx6Doui6LJcpc3EEFl9ouXeSeaOJpJpZ3JWJEUKowQD4XsPgd4R+Av/AAS2+Av/AAVw8KXd7N8fdV1z4feLPG3xCbUpm1DxYviPVtPg1LSrxt+JrQw6pJGlvjZCIIzGEKZr9eq+KPh9/wAEivGHhXTfAfwD8V/tg3+v/AL4X+MbXxD4J+F03g2GK/DWVwbnTbC+1b7QxvLK0m8tkiFvG7CCJZJHCnP2vQAUUUUAFflpF+zJ8Nf24vhH+2H+2D8cBe3HxN8H/FDxxoHwu8Zx6rPDeeArXw5GbfTjpjI4FmfPt2u5CgHnNO3mb1OK/Uuvjj4wf8Es/iZ4p1v4r+E/gd+2bf8Aw++GXx11SbUfij4Kg8FQX9611dW0drqUulai86HTjeQxKJN8NztkZ5I/LZuAD3b9h/4t+J/j/wDsWfCD47+NVUaz42+F3h/XtXCRhALq806C4lwo4Ub5G47V8R/8FAv2Pv2VPgh47+HHw6/Yb+G0mkftT+N/iRper+FvFOjaxdzaxaaXb6nDPrWqatcySvJJpYtPtMDxTlo5HuI4o0LYC/c1h8FfHPg3x18PLb4SfFmLw18M/BPhe70fUvhrD4aguE1f91bxafIt87edaC0SGQCNARL53zkbBn5i+Cn/AATU/b4+Bnx08e/tBaJ/wUL+HeueJviLroute1/xV+zzc3epJp0bf6NpEE6eIo0gtIEJWOOOJV3M0jBnYmgDlP8Agoh+wB8TPjX/AMFDov2qZf8Agnf8Mf2h/B1j8DrTw3B4d+IXjG20yS21OPV727kktFnsrpHk8mWNB5nkofNx5owaofHr4T+FP+Cov/BMn4AXn7Ev7Knhq98G+HfixpOq6j8HPG1zDo1haWOjvf2d/o1yFhnSMJcI1sQkUoP3grLX1V+0H8Ev27PHXjq61f8AZ1/br0L4f+H7zTY7dtE1f4PQa7PZzDcHuba5N9b7XYFTtmjnQFfu4JFYHgf9hf4pfs0/sn+CP2Zv2I/2oj4MuPCd9c3WqeI/GfguHxI3iOW6luLm7ku4hPasskt3cPcFoZY9p+UDbxQByP8AwS38RfAvwT4v+J/7JvhP9gzw3+zt4/8ABdzpmp+MvB3hG4tbrTNWtb6KUWWp2t5bwwfao2FvNG2+GOSNoirKMivsGvAv2Qf2KvEf7P8A8S/H37RXxs+O1z8Svif8SV0628Q+Jf8AhH4tIsbTT9PSVbOwsbGOSX7PChuJ3YtLK8jyFmY4GPfaACiiigD5g/4LM/Ff4h/Br/gmx8SPFnwp8V3eg69f/wBj+H7PXdPk2XGmrq2sWOly3UTjmOSOK8kdXHKsoYEEZryKX9mn4Mf8E5P+Ckv7NHhT9j7wj/wh+hfF218V+GPiJoVjezPb659h0ZtUs9SuUkdhJexS2kiG6P711u3V2YECvr39qf8AZv8Ah5+17+zx4u/Zp+Kou10Lxho8ljeXGnzeXc2rEh4rmFyCFmilWOVGIIDxqSCOK8i+CP7B/wAaNN/aH8MftK/tg/tcD4sa58PvDd9o/wAPLex8CQ6Bbab9tESXmoXKR3M5u76WKCOLzAYokRpAkKmQkAHsv7QH7Ofwd/ak8Aj4W/HXwo+u+HWv4ru40g6jcW8N08ediTCCRDNFk5MTkxtgblIGK+I/2Gk+HPwn/ac/aP8Ai7+wf4RbTP2cPB3gK306HRtLuJBoOt+ONPe9l1G40eIkxxxR2/2a0nkhCxyzxnG8xM1e7ftJfsZ/tiftBfsi+Nv2bYP+Cg82h674v8X31xF45tfhzCkuneGp7lnTQUhtby3Y7ICtsb0SpM6Bm+Vmyu9+xp+y/wDtFfs4+Frf4R/E/wCNfwx8Q/D3SPDiaT4b8HeBvgvN4bTT1Uqo3SS6xfLLH5YdTH5almfcXPIYA/N79hP4j+Frb4JfBf8A4KZ/tqf8E7v+EgPjrxZpE2tftLa14/W58R6drOoagtvb3Y0wR/6HoqXkkVrDFDc8W4jZrbDEH6M8Ffsk/B7/AIKcftB/tY+PP2ptNuNV1HwP8ST8PfhhcS6lPE/ge1s9B066+36aUdfst1Ld38tw1wuHJjRd2xQtdj4T/wCCO3jLQ/BfhX9lbXf2yr/VP2c/BPjG017w/wDCt/BMEepPFZ341Cx0q61n7QxuLGC5SJggtkmZIURpiBmuy+NX/BOX4x638W/iV8Q/2WP2zLn4V6b8aLO2j+J+i/8ACDw6u8t1DaCx/tHTJnuIf7Ou3tEiid3S4QmGOTyw4JIB1f8AwSY+O3j79pr/AIJp/BH46fFPUJLzxJ4h+HenTa5fzD5726SMRSXLf7UrIZDjjLnHFfQ1cr8Dfgz4B/Z0+DHhT4B/CzS2svDfgzw9Z6Lodq8m90tbaFYo97fxuVQFmPLMSTya6qgAooooA+A4/wBmr4Mf8FG/+Ck/7S3hP9sHwh/wmGg/CKz8KeGPh5oN/ezJb6J9v0ddUvNStkjdRHeyS3UcYuh+9RbRFRlANeuf8EZvit8Q/jJ/wTa+HPir4q+LLvX9d09tZ8P3mu6hJvuNSXSdZvtLiupXPMkkkVnG7OeWZixyTUvxv/YQ+NGpftD+Jv2lv2Pf2tx8J9e+IHhux0b4h2994Eh1+21L7EJUs9Qt0kuYDa30UU8kQkJlidBGHhYxgnqPhh+xxrv7OHwT+D37PH7LHxvu/CPhX4aapbt4kg1HQLfVbnxhpqw3H2i1mmlKm1mnuplunuYhu3oyhQrnAB8w/wDBX/8AZP8A2H/h58HfFvxM0P4O3WoftI/FK8m074L6romt3Z8UT+LZkP2OTTpzNvs7e2cJcTeWY7eKCFy4wcNzv/BRvxt8efG37WH7NX/BPDxh8Ipvi2mufDXVvEfjjwhD4qOg6N4r1myS0gRtUu1jZl02EteXBhWKUSzPaq0LAceveJ/+Cb/7a0n7cfi39t/wT+3j4EOq6xYrpPg3T/G3wIuNYbwbow5awsZItftUXzXAeabylkmYKGO1VUemftK/sR/EL44eIvhd8evAn7Qlt4L+M/wus7u1sPHEHg1b3TNTgvreKLUbW50uS5VmtpnhilRFuRJC0a7ZW+bcAfKWvfBrQv2wf+CWX7Qn/BPP9lT9jbRPhH8RfDvjax0jxd8JG8QxSaRb3zT6XqAube7VFjazuLARyqywxkkODCG+96d/wTzj+BP7OX7XGufspah/wTG8B/s6fEjX/A58RaVf/DrU7XU9L8VaNbXccEyreRWdpIs0E08Ja3lhHyyh1Zhk16X8KP2C/jR8FPhd8QL/AMBftfyf8Ln+J/jODxL4x+K2p+A7a4triaGK3torOPSvOVYrNLS2jt0jE5lUFn84seLv7PX7DXxQ8J/tO3P7ZP7V37TSfE7x9B4Ok8LeGF0fwZH4f0fQNLmuY7m5EFoLm6keeaWGEvPJOx2xKihVyKAPpCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDzP9sX9rT4O/sMfs0+Lf2qvjzq81p4Y8Iab9pvRaxh57qRnWOG2hUkBpZZXjiQEgbnG4qMkfLnw9+Mv/BwB+0L4Ls/jf4C+An7NXwu0PW7Vb3QvAHxP1PX9Q19LZxujF7cWPlwWsrIVJQRSNHnDqGBUc1/wdBaBrd5/wAExIvHEGk3F/oPgv4reGNf8aWdvEZDLpEN55c25B95Q8sTHsAuTwM1+gnhPxX4a8eeFtN8b+DNdtdU0fWLCG+0rUrGYSQ3dtKgkjljYcMjIysCOCCKAPiD9tv/AIKRftsfsif8E5/Df7TPjz9m7wl4P+J938T9L8LeIPCOrapLrWmJb3Govatd209tJbs6ywqk8W45TzArqxU1931+dn/BzPdWt3/wTp0Q2tzHJ5fxz8IJJ5bhtrDUBlTjoR6V+idAHyr+xZ+3H8Wf2jf2+P2q/wBlnxv4e8O2vh/4Ga94ZsvCV5pVpOl5dx6jp81zObt5JnSRleNQnlpEApOQx5Hy3+wx+3d/wXy/b2/ZBg/bN+DHhb9lC40661DVYLHwVqWi+I7LUb02N1LbtEtz/aEsEckhiOxmGzLDcVGSO/8A+CVv/KYz/gol/wBjh4C/9Mt1Xy3/AMEH/AP/AAWC+IP/AASt0Twv+yT8e/gT4F8B6j4h8SQadrmv+DNW1HxPprtqlys0yFbtbN2Ehdow0WANobJyaAP0y/4Jf/t8eGv+Clf7GXhf9q/QfBVx4ZudVkurHXvDV1cec+l6jazNBPCJNq+Ym5d6NtUlHXKq2VHG/wDBRr9v74xfs5fF34Q/scfsk/CXQfF3xk+ON/qkfhRfGOqy2eiaPZabbC5vL69eFWlkVYz8sUeGfa+DlVR+/wD+Cbv7B/w+/wCCbX7IHhf9kv4d+Jb3XYdC+0XGqeIdSiEc+q39xM01xcsgJEYZ3IVMttRUUsxBY8//AMFE/wDgmL8I/wDgohZeD/EOv/Ejxl8PvH3w41G4vvh78Svh9q/2PVdEmnVFmRWIIeKQRx70OCQgAZctkAzfgHq3/BZ/RfjT4e0j9q7wr+zjr3gDUWuE8Qa18MbrW7DU9HZbaV4XW31BpY7lGmWKI7ZFYCQttwpr3f4x/tB/AT9nbQYfFX7QPxv8IeBdLuJTFBqXjHxLa6ZbyOBkqslzIiscHoDmvze1j4q/8FTP+CRf7X/wH+Fv7SH7aen/ALR3wf8Ajj8RbbwNBJr3g630nxF4ev7oqsE6y2zN9pjVmDO8jP8AKrDbGWVq2f2SPgr8H/22P+C0n7X3jr9sjwHo3jjX/hFqHhvw18NPDHjCwjvrTw5olxYPcG5trWcMivcyDzDNtLAlgpAcggH6LfDL4ufCj41+E4/Hvwa+J3h7xboUsjRxa14Y1qC/tHdQCyiaB2QkZGRnjIrl/A37ZX7IHxP+Is3wg+Gn7Vnw28ReLbdnW48L6F450+71GIpneGtopmlXbg5yvGDmvi3/AILzeDPCH7EP/BGX4wWX7HngLRvhfYeLvEWkxeL7rwNo8WnRww399Y2F9dmO3VVDy2yR27sBllbnnmuR/wCC0v8AwT4/YK/Zf/4I3+Ivid+z38IPCXw/8QfB/TNI1j4XfEHwvp9vaataajDeWyW8i30SiWd7gsFdmZvMaQOcuFYAH6ReMvjb8GPhz4r0nwJ8Qvi74Y0HXNetL260LRtZ1+2tbvUYLOLzruWCGV1eZIIj5krICI1+ZiBzWb4E/af/AGafij8PdV+Lfwy/aH8DeIvCmhXUttrnifQvFtneafp08SJJLFPcxStHC6JJGzK7AqsikgBhn81/+CgHwj8Pftq/8FOv+Cb/AIP/AGmvCkd7ZeI/BXjPWPGPhy4jKwXk8WiafetaTx9HhNxGqyQsCroGRgQxFVP+C13w2/4RX9rP9kb9ib4AfsZeD/E/w68b+K/E/iXxF8HbTV7XwlovjTWNM061NnFe3CW7xMIU/e+VJG4n8qOIjhSoB+mPwY/al/Zk/aQN8P2eP2jPAnj3+zCBqX/CF+L7LVPshJwBL9mlfy8kH72Old3X5P2/7IH7evib9uj4CftJfCT/AIJDfDL9m9/AnjFLfx74m8B/F7TLoa14VuU8m9sLiytNPtBcBVKyxli5Ro8KoJBH6wUAfNPgz9sz4kfGj/gpd41/Y++Duj6CfA/wh8D2lz8T/Et/aTTXZ8Ral+807TbQpMkaLHapJPOzLIxLxxgRnLHE/wCCSn7ePxZ/bS+G/wARPB/7Tnhjw7oPxc+D/wAUNV8HeP8AR/C1tPBYs0Eha1vLeO4mmkWGaE8M0jbmikZcKQB5X/wQfaXU/H37bfiPxPk+JJv21/F9pemT/WCwt4rNbFOeTGqNIEPp0rnPjH4h0H/gmj/wXq0r48eJdVh0T4XftZ/DmfSvF2oXD+Xa2XivQIfOtrqZhwvmWP7lRjLPJI2Tg0Ae6eNv28Pi/rP/AAV/8H/8E5fgX4c8N3nhzSPhpe+M/jZr2p2dxNd6bDI4g0y0tHjnjjhneYo7iVJd0MoKhdpJzfh78VP+Cq/7Qn7Jfgb4m/s+fGD9kPVvF95qesR+Mda0r+2dd8LXMEV48VoumzWd6r+aiIVuPMdwJQyqF2kV5v8A8EAfDGvfHHwz8ZP+CsfxH0qaDXv2mfiPcah4djvE/fWXhPTWex0m2OeQQqTZIwHURNjoav8A/BsH/wAoYvhr/wBjB4q/9SLUaAPPPgj+2h/wXn+OP7bHxv8A2ItE1b9kWy1r4GweHJdb1m68F+KDa6iNYsDewiALqhceWg2tvA56ZFfoj8Aofj/b/CPR4f2pNS8HXfjxUm/4SC48AWV3b6Q7edJ5X2eO7kkmUeT5Qbe7ZcORgEAfEP8AwT5/5WAf+ChH/YP+Fn/qNtXvVh+1h+31c/tHt8K73/glN4itvAY8WyaavxSb4u+HGtzpi3DRpqv2AXH2vY0QE3kbPNAbaV3AigDL/Zb/AG4/iz8bv+CoP7Uv7FHivw94dt/CvwQtfBcnhTUNPtJ01C7Or6Sby5+1u8zRyBZBiPy448Lw28819U1+eH/BPn/lYB/4KEf9g/4Wf+o21fQn/BWj9qDVf2Pv+CdvxT+N3hR5T4lh8NtpXg2K25ml1vUHWxsBGo5dhc3ET4HOEbpjIAPOP2e/26f22f2s/wBlz4xftE/s1fBTwL4muNP+L2peG/gTpV/qU+mW2u6JYX0NjPql7dvJIGzIt9IqxJHlbdUwWbNVP+CT/wC3R+3B+0z+0F+0V+zX+3T4L+F+j+JPgnrXh+yg/wCFXR6gbWX+0bS4umEkt7M7TFFSFdyxxDdv4YbTX0B+wL+zBpf7F37Fnwx/ZZ0tIs+CfBtlp+oTQ/duL4Rh7ucf9dLhppPq9fKf/BLH/lL5/wAFDf8AsdvAv/pknoA+2P2g/j18Lf2Xfgl4n/aF+NfiaPSPC3hDSJdR1m/k5KxIOEReryOxVEQcu7qoyWAr48/4I7f8FLv2wf27Pj3+0H8Jv2tvgb4Y+H8nwxk8K3nhjw/pEF0NRtbHXLO8v4YNSkmnkSS6jt0tFfy44QshmBXoF8+/4Kt/HH4ia7/wUI+G/wAGPi9+xP8AH/x38AfhzY2/jbUl+E3wmvvEFt4v8UiVhp9ndvEFiFpZBTctEXYyTGIOhVQa80/4JLft36b44/4La/tevH+yb8dtK/4WzrXgRIBrnwvubY+E/sWhXaE67ub/AIlYn6wGTPmryKAPu34V/tmfEJf+CkfxE/YA+O2iaHZyJ4QsvG3wf1nR7aaE6zoLv9lvYLkSyyKby2vFwTHtDwyo3lptJb6Tr8+v+CgrzaT/AMF3P2BdQ8J5GqalY/Eyy11Yv+W2mJolvKolx0RZcsueC9foLQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAGf4t8JeFvH3hbUvA3jjw7ZaxousWMtlq2lalarPb3ltKhSSGWNwVdGVipUgggkGvjDSP+CE/wAFfh5aTeEv2df23f2oPhR4Kkmd4Ph38P8A4xyQaPZB2LOlstzBPPbKSScRTL14Ir7fooA+TvjP/wAEa/2S/i/+wnpv/BPaz17x34U8FaV4li8QW+reHvE/m60+pLdyXj3Ml5qEd0XkkuJZJHYrnLfLtAAHN+GP+CM+ueGfEuneJH/4K/8A7aupDT76G5Onap8YbGW2uvLcN5UyDTAXjbG1lBGVJGRX2rRQB4z8AP2HPhN+zl+0r8Z/2pvBHiHxFdeIPjnqWkXvi2z1W7geztJNOtZLaAWiRwo8askjF/MeUlgMFRwT9gf9hz4Tf8E6v2atL/ZZ+CfiHxFqnh/SdSv722vPFN3BPeNJd3UlzIGeCGFCoeRguEBCgZJPJ9mooAK8H/bF/wCCfPwx/bK8Q+GvHmufF74oeAPFXhGC6t9B8WfCrx5caJfQwXLRNNC+wNFOjGCP5ZI2HBx1OfeKKAPkf4Jf8Ebf2ffhl+0DoP7Ufxd+Ofxi+N3jfwisv/CF6t8afHf9rR+HXkG2SWztoYYII5CP4zGxBAYEMoYbv7Vn/BKf4A/tQ/G20/ae0b4lfEn4T/E+30kaVdfEL4O+Lv7G1HUtPB3La3YaKWC6jU4x5kTMNqjdhVA+m6KAPCvhj/wT4+DXg79mjxb+yr8VPGnjr4veHPHlzczeL7z4v+LJdav9RE8EMDR+cQnkxqkEflpCsYjYF02sS1eI+F/+CBf7Kthd+F9C+Jv7Qfx2+JPgHwVqMF74U+EXxF+Jbah4Y0+S3/49l+yiBJJ44RgRxzyyIFG0gqSp+46KAPH/AIs/sU/Cv4x/tdfCT9tDxPr/AIgg8U/Bmz1628L2FhdQLp90mr2qWtybpHhaRyqIDH5ckeGyW3jipf2yP2Iv2e/27fhna/DH9oDw3eTx6VqsWq+G9d0TU5bDVdB1GLPlXtldwkSW8y5PIOCDhgw4r1uigD5U+CP/AASl8PfCP4p6D8VfF/7d37TPxLl8NXf2rRtD+I/xbe70yOYIyLJLbW0Futyyhjjz/M555NfVdFFAHyZ8F/2WvjH+zL/wVQ+KHxc+Hng4ah8Ifj54ZsdZ8UXkOoW8Z8NeLtNUW2TbySLLJDfWrhi8SyFZrc7wisGPX/8ABSr/AIJpfs8f8FUf2fbf9nT9o6/8Rafplj4gt9a03V/Cd5Bb6hZXcSSRho5J4JkCtHNKjAoch+MEAj6EooA5j4J/CDwN+z78HfCvwK+GWmGz8O+DvD1nouiWzEFo7W2hWGMMQBubagJbAyST3rhv2Ef2KfhX/wAE9f2ZND/ZS+C+v+INT8O6Beahc2d74ouoJr13vL2a8lDvBDDGQJJ3C4QYUKDk5J9gooA8Z+Dv7Dnwm+CP7YHxj/bX8KeIfEVx4q+N8OgR+K9P1C7gfT7QaRZGztvsiJCskZaM5k8ySTLcrsHFezUUUAfFfxq/4Ik/DX4rftb/ABC/bO8D/tz/ALSHwr8VfE9dKXxbafCnx7Y6VY3I06xisrYbG0+WQ7Y4y3zyN88shG0NtHPan/wRa8anx98NIdZ/4KAfGP4neCPDPxV0rxx4r0X43eLI9anluNIgvDp1vYGC1gWGN7q6WW4Em8SC1gwAU5+9aKAON/aB+EE/x8+D2ufCK2+LXjLwK+tQRxL4s+H2rpYaxp22VJN9tO8cqxsdmwko2Udh3yPjP4S/8G/Xw8+Cvxf1j45eBv8Agpr+13D4h8T6tY6h4xun+KOnD/hI5LQbYFvimlq1wgjzHgtnYzAEZr7+ooAK8b+Bn7EPwo/Z/wD2pfjR+1x4N8QeIbnxJ8dLjQpvFtlqd3A9jaNpNnJaWws0SFJIw0cjGTzJJcsAV2Dg+yUUAfJnw/8A2WfjH8S/+CtPjD9uf46+Dho/hjwB4Cg8DfBGxl1C3uH1Bblxd6rrbJDI5ty7lLSNJNshjidmRMrn6zoooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/9k= + + + + + + + Who are the intended users of the model? + + + Who are the intended users of the model? + + + What are the known technical limitations of the model? + + + What are the known tradeoffs in accuracy/performance of the model? + + + + The name of the risk + Strategy used to address this risk + + + + + The groups or individuals at risk of being systematically disadvantaged by the model + Expected benefits to the identified groups + Expected harms to the identified groups + With respect to the benefits and harms outlined, please describe any mitigation strategy implemented. + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-metadata-author-1.6.json b/tools/src/test/resources/1.6/valid-metadata-author-1.6.json new file mode 100644 index 00000000..c63b7065 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-author-1.6.json @@ -0,0 +1,16 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "authors": [ + { + "name": "Samantha Wright", + "email": "samantha.wright@example.com", + "phone": "800-555-1212" + } + ] + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-author-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-author-1.6.textproto new file mode 100644 index 00000000..4769ff6e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-author-1.6.textproto @@ -0,0 +1,10 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + authors { + name: "Samantha Wright" + email: "samantha.wright@example.com" + phone: "800-555-1212" + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-author-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-author-1.6.xml new file mode 100644 index 00000000..a8217789 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-author-1.6.xml @@ -0,0 +1,13 @@ + + + + + + Samantha Wright + samantha.wright@example.com + 800-555-1212 + + + + + diff --git a/tools/src/test/resources/1.6/valid-metadata-license-1.6.json b/tools/src/test/resources/1.6/valid-metadata-license-1.6.json new file mode 100644 index 00000000..84b43e79 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-license-1.6.json @@ -0,0 +1,16 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ] + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-license-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-license-1.6.textproto new file mode 100644 index 00000000..18e43bb3 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-license-1.6.textproto @@ -0,0 +1,10 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + licenses { + license { + id: "Apache-2.0" + } + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-license-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-license-1.6.xml new file mode 100644 index 00000000..a319587a --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-license-1.6.xml @@ -0,0 +1,11 @@ + + + + + + Apache-2.0 + + + + + \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.json b/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.json new file mode 100644 index 00000000..fb39301a --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.json @@ -0,0 +1,21 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "lifecycles": [ + { + "phase": "build" + }, + { + "phase": "post-build" + }, + { + "name": "platform-integration-testing", + "description": "Integration testing specific to the runtime platform" + } + ] + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.textproto new file mode 100644 index 00000000..b61c3b5d --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.textproto @@ -0,0 +1,17 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + lifecycles [ + { + phase: LIFECYCLE_PHASE_BUILD + }, + { + phase: LIFECYCLE_PHASE_POST_BUILD + }, + { + name: "platform-integration-testing" + description: "Integration testing specific to the runtime platform" + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.xml new file mode 100644 index 00000000..8b4a8458 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-lifecycle-1.6.xml @@ -0,0 +1,18 @@ + + + + + + build + + + post-build + + + platform-integration-testing + Integration testing specific to the runtime platform + + + + + \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json new file mode 100644 index 00000000..26b1c8b4 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "manufacture": { + "bom-ref": "manufacturer-1", + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto new file mode 100644 index 00000000..0ad3c0b8 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + manufacture { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Professional Services" + email: "professional.services@example.com" + bom_ref: "contact-1" + } + bom_ref: "manufacturer-1" + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml new file mode 100644 index 00000000..d7559699 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml @@ -0,0 +1,14 @@ + + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + + diff --git a/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.json b/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.json new file mode 100644 index 00000000..42f98110 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "supplier": { + "bom-ref": "supplier-1", + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Distribution", + "email": "distribution@example.com" + } + ] + } + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.textproto new file mode 100644 index 00000000..fb675dbc --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + supplier { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Distribution" + email: "distribution@example.com" + bom_ref: "contact-1" + } + bom_ref: "supplier-1" + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.xml new file mode 100644 index 00000000..213a2b37 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-supplier-1.6.xml @@ -0,0 +1,14 @@ + + + + + Acme, Inc. + https://example.com + + Acme Distribution + distribution@example.com + + + + + diff --git a/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.json b/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.json new file mode 100644 index 00000000..90200211 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.json @@ -0,0 +1,10 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2020-04-13T20:20:39+00:00" + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.textproto new file mode 100644 index 00000000..4227eaf3 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.textproto @@ -0,0 +1,9 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + timestamp { + seconds: 3173618478 + nanos: 3 + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.xml new file mode 100644 index 00000000..1136bc46 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-timestamp-1.6.xml @@ -0,0 +1,7 @@ + + + + 2020-04-07T07:01:00Z + + + diff --git a/tools/src/test/resources/1.6/valid-metadata-tool-1.6.json b/tools/src/test/resources/1.6/valid-metadata-tool-1.6.json new file mode 100644 index 00000000..42f18480 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-tool-1.6.json @@ -0,0 +1,47 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "tools": { + "components": [ + { + "type": "application", + "group": "Awesome Vendor", + "name": "Awesome Tool", + "version": "9.1.2", + "hashes": [ + { + "alg": "SHA-1", + "content": "25ed8e31b995bb927966616df2a42b979a2717f0" + }, + { + "alg": "SHA-256", + "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + ] + } + ], + "services": [ + { + "provider": { + "name": "Acme Org", + "url": [ + "https://example.com" + ] + }, + "group": "com.example", + "name": "Acme Signing Server", + "description": "Signs artifacts", + "endpoints": [ + "https://example.com/sign", + "https://example.com/verify", + "https://example.com/tsa" + ] + } + ] + } + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-tool-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-tool-1.6.textproto new file mode 100644 index 00000000..0e7eadcf --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-tool-1.6.textproto @@ -0,0 +1,37 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + tools { + components { + type: CLASSIFICATION_APPLICATION + group: "Awesome Vendor" + name: "Awesome Tool" + version: "9.1.2" + hashes { + alg: HASH_ALG_SHA_1 + value: "25ed8e31b995bb927966616df2a42b979a2717f0" + } + hashes { + alg: HASH_ALG_SHA_256 + value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + } + services { + provider: { + name: "Acme Org", + url: [ + "https://example.com" + ] + }, + group: "com.example", + name: "Acme Signing Server", + description: "Signs artifacts", + endpoints: [ + "https://example.com/sign", + "https://example.com/verify", + "https://example.com/tsa" + ] + } + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-tool-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-tool-1.6.xml new file mode 100644 index 00000000..8293686e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-tool-1.6.xml @@ -0,0 +1,35 @@ + + + + + + + Awesome Vendor + Awesome Tool + 9.1.2 + + 25ed8e31b995bb927966616df2a42b979a2717f0 + a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df + + + + + + + Acme Org + https://example.com + + com.example + Acme Signing Server + Signs artifacts + + https://example.com/sign + https://example.com/verify + https://example.com/tsa + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.json b/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.json new file mode 100644 index 00000000..47c16bd9 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.json @@ -0,0 +1,26 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "tools": [ + { + "vendor": "Awesome Vendor", + "name": "Awesome Tool", + "version": "9.1.2", + "hashes": [ + { + "alg": "SHA-1", + "content": "25ed8e31b995bb927966616df2a42b979a2717f0" + }, + { + "alg": "SHA-256", + "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + ] + } + ] + }, + "components": [] +} diff --git a/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.textproto new file mode 100644 index 00000000..6de6bcae --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.textproto @@ -0,0 +1,18 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + tools { + vendor: "Awesome Vendor" + name: "Awesome Tool" + version: "9.1.2" + hashes { + alg: HASH_ALG_SHA_1 + value: "25ed8e31b995bb927966616df2a42b979a2717f0" + } + hashes { + alg: HASH_ALG_SHA_256 + value: "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + } +} diff --git a/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.xml new file mode 100644 index 00000000..0f1dc4fa --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-tool-deprecated-1.6.xml @@ -0,0 +1,17 @@ + + + + + + Awesome Vendor + Awesome Tool + 9.1.2 + + 25ed8e31b995bb927966616df2a42b979a2717f0 + a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df + + + + + + diff --git a/tools/src/test/resources/1.6/valid-minimal-viable-1.6.json b/tools/src/test/resources/1.6/valid-minimal-viable-1.6.json new file mode 100644 index 00000000..14bdabab --- /dev/null +++ b/tools/src/test/resources/1.6/valid-minimal-viable-1.6.json @@ -0,0 +1,12 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library" + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-minimal-viable-1.6.textproto b/tools/src/test/resources/1.6/valid-minimal-viable-1.6.textproto new file mode 100644 index 00000000..5ad41134 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-minimal-viable-1.6.textproto @@ -0,0 +1,7 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + name: "acme-library" +} diff --git a/tools/src/test/resources/1.6/valid-minimal-viable-1.6.xml b/tools/src/test/resources/1.6/valid-minimal-viable-1.6.xml new file mode 100644 index 00000000..56e9c31d --- /dev/null +++ b/tools/src/test/resources/1.6/valid-minimal-viable-1.6.xml @@ -0,0 +1,8 @@ + + + + + acme-library + + + diff --git a/tools/src/test/resources/1.6/valid-patch-1.6.json b/tools/src/test/resources/1.6/valid-patch-1.6.json new file mode 100644 index 00000000..56f3dec4 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-patch-1.6.json @@ -0,0 +1,88 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.acme", + "name": "sample-library", + "version": "1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "group": "org.example", + "name": "sample-library", + "version": "1.0.0" + } + ], + "patches": [ + { + "type": "unofficial", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.acme.org/17240" + } + } + ] + }, + { + "type": "backport", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "security", + "id": "CVE-2019-9997", + "name": "CVE-2019-9997", + "description": "blah blah", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + }, + { + "type": "defect", + "id": "JIRA-874319", + "description": "Enable to do something", + "source": { + "name": "Example Org", + "url": "https://issues.example.org/874319" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + } + ] + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-patch-1.6.textproto b/tools/src/test/resources/1.6/valid-patch-1.6.textproto new file mode 100644 index 00000000..b444ab77 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-patch-1.6.textproto @@ -0,0 +1,71 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + group: "com.acme" + name: "sample-library" + version: "1.0.0" + pedigree { + ancestors { + type: CLASSIFICATION_LIBRARY + group: "org.example" + name: "sample-library" + version: "1.0.0" + } + patches { + type: PATCH_CLASSIFICATION_UNOFFICIAL + diff { + text { + content_type: "text/plain" + encoding: "base64" + value: "blah" + } + url: "uri/to/changes.diff" + } + resolves { + type: ISSUE_CLASSIFICATION_ENHANCEMENT + id: "JIRA-17240" + description: "Great new feature that does something" + source { + name: "Acme Org" + url: "https://issues.acme.org/17240" + } + } + } + patches { + type: PATCH_CLASSIFICATION_BACKPORT + diff { + text { + content_type: "text/plain" + encoding: "base64" + value: "blah" + } + url: "uri/to/changes.diff" + } + resolves { + type: ISSUE_CLASSIFICATION_SECURITY + id: "CVE-2019-9997" + name: "CVE-2019-9997" + description: "blah blah" + source { + name: "NVD" + url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + references: "http://some/other/site-1" + references: "http://some/other/site-2" + } + resolves { + type: ISSUE_CLASSIFICATION_DEFECT + id: "JIRA-874319" + description: "Enable to do something" + source { + name: "Example Org" + url: "https://issues.example.org/874319" + } + references: "http://some/other/site-1" + references: "http://some/other/site-2" + } + } + } +} diff --git a/tools/src/test/resources/1.6/valid-patch-1.6.xml b/tools/src/test/resources/1.6/valid-patch-1.6.xml new file mode 100644 index 00000000..b543548e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-patch-1.6.xml @@ -0,0 +1,70 @@ + + + + + com.acme + sample-library + 1.0.0 + + + + org.example + sample-library + 1.0.0 + + + + + + blah + uri/to/changes.diff + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.acme.org/17240 + + + + + + + blah + uri/to/changes.diff + + + + CVE-2019-9997 + CVE-2019-9997 + blah blah + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + http://some/other/site-1 + http://some/other/site-2 + + + + JIRA-874319 + Enable to do something + + Example Org + https://issues.example.org/874319 + + + http://some/other/site-1 + http://some/other/site-2 + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-properties-1.6.json b/tools/src/test/resources/1.6/valid-properties-1.6.json new file mode 100644 index 00000000..237f7fe2 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-properties-1.6.json @@ -0,0 +1,80 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "You" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + } + ] + }, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "You" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + } + ] + } + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "group": "org.partner", + "name": "Stock ticker service", + "endpoints": [ + "https://partner.org/api/v1/stock" + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-properties-1.6.textproto b/tools/src/test/resources/1.6/valid-properties-1.6.textproto new file mode 100644 index 00000000..43779985 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-properties-1.6.textproto @@ -0,0 +1,61 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + properties { + name: "Foo" + value: "Bar" + } + properties { + name: "Foo" + value: "You" + } + properties { + name: "Foo" + value: "Two" + } + properties { + name: "Bar" + value: "Foo" + } +} +components { + type: CLASSIFICATION_LIBRARY + name: "acme-library" + version: "1.0.0" + licenses { + license { + id: "Apache-2.0" + properties { + name: "Foo" + value: "Bar" + } + properties { + name: "Foo" + value: "You" + } + properties { + name: "Foo" + value: "Two" + } + properties { + name: "Bar" + value: "Foo" + } + } + } + properties { + name: "Foo" + value: "Bar" + } +} +services { + bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + group: "org.partner" + name: "Stock ticker service" + endpoints: "https://partner.org/api/v1/stock" + properties { + name: "Foo" + value: "Bar" + } +} diff --git a/tools/src/test/resources/1.6/valid-properties-1.6.xml b/tools/src/test/resources/1.6/valid-properties-1.6.xml new file mode 100644 index 00000000..32cd224c --- /dev/null +++ b/tools/src/test/resources/1.6/valid-properties-1.6.xml @@ -0,0 +1,45 @@ + + + + + Bar + You + Two + Foo + + + + + acme-library + 1.0.0 + + + Apache-2.0 + + Bar + You + Two + Foo + + + + + Bar + Foo + + + + + + org.partner + Stock ticker service + + https://partner.org/api/v1/stock + + + Bar + Foo + + + + diff --git a/tools/src/test/resources/1.6/valid-random-attributes-1.6.xml b/tools/src/test/resources/1.6/valid-random-attributes-1.6.xml new file mode 100644 index 00000000..ce0be1cb --- /dev/null +++ b/tools/src/test/resources/1.6/valid-random-attributes-1.6.xml @@ -0,0 +1,118 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.json b/tools/src/test/resources/1.6/valid-release-notes-1.6.json new file mode 100644 index 00000000..759a710e --- /dev/null +++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.json @@ -0,0 +1,194 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-example", + "version": "1.0.0", + "releaseNotes": { + "type": "major", + "title": "My new release", + "featuredImage": "https://example.com/featured_image.png", + "socialImage": "https://example.com/social_image.png", + "description": "The main description of your release", + "timestamp": "2021-09-17T00:51:18+00:00", + "aliases": [ + "Project Orion" + ], + "tags": [ + "CMS", + "SEO", + "wysiwyg" + ], + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.example.com/17240" + } + }, + { + "type": "security", + "id": "CVE-2019-9997", + "name": "CVE-2019-9997", + "description": "Great new feature that does something", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + } + ], + "notes": [ + { + "locale": "en-US", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+" + } + }, + { + "locale": "es", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4=" + } + } + ] + } + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "name": "Partner Org", + "url": [ + "https://partner.org" + ], + "contact": [ + { + "name": "Support", + "email": "support@partner.org", + "phone": "800-555-1212" + } + ] + }, + "group": "org.partner", + "name": "Stock ticker service", + "version": "2020-Q2", + "description": "Provides real-time stock information", + "endpoints": [ + "https://partner.org/api/v1/lookup", + "https://partner.org/api/v1/stock" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "PII", + "flow": "inbound" + }, + { + "classification": "PIFI", + "flow": "outbound" + }, + { + "classification": "pubic", + "flow": "bi-directional" + }, + { + "classification": "partner-data", + "flow": "unknown" + } + ], + "licenses": [ + { + "license": { + "name": "Partner license" + } + } + ], + "externalReferences": [ + { + "type": "website", + "url": "http://partner.org" + }, + { + "type": "documentation", + "url": "http://api.partner.org/swagger" + } + ], + "releaseNotes": { + "type": "major", + "title": "My new release", + "featuredImage": "https://example.com/featured_image.png", + "socialImage": "https://example.com/social_image.png", + "description": "The main description of your release", + "timestamp": "2021-09-17T00:51:18+00:00", + "aliases": [ + "Project Orion" + ], + "tags": [ + "CMS", + "SEO", + "wysiwyg" + ], + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.example.com/17240" + } + }, + { + "type": "security", + "id": "CVE-2019-9997", + "name": "CVE-2019-9997", + "description": "Great new feature that does something", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + } + ], + "notes": [ + { + "locale": "en-US", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+" + } + }, + { + "locale": "es", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4=" + } + } + ] + } + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto b/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto new file mode 100644 index 00000000..f2a79cd7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto @@ -0,0 +1,117 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + name: "acme-example" + version: "1.0.0" + releaseNotes: { + type: "major" + title: "My new release" + featuredImage: "https://example.com/featured_image.png" + socialImage: "https://example.com/social_image.png" + description: "The main description of your release" + aliases: "Project Orion" + tags: "CMS" + tags: "SEO" + tags: "wysiwyg" + resolves { + type: ISSUE_CLASSIFICATION_ENHANCEMENT + id: "JIRA-17240" + description: "Great new feature that does something" + source { + name: "Acme Org" + url: "https://issues.acme.org/17240" + } + } + resolves { + type: ISSUE_CLASSIFICATION_SECURITY + id: "CVE-2019-9997" + name: "CVE-2019-9997" + description: "Great new feature that does something" + source { + name: "NVD" + url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + } + } +} +services { + bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + provider { + name: "Partner Org" + url: "https://partner.org" + contact { + name: "Support" + email: "support@partner" + phone: "800-555-1212" + } + } + group: "org.partner" + name: "Stock ticker service" + version: "2020-Q2" + description: "Provides real-time stock information" + endpoints: "https://partner.org/api/v1/lookup" + endpoints: "https://partner.org/api/v1/stock" + authenticated: true + x_trust_boundary: true + data { + flow: DATA_FLOW_INBOUND + value: "PII" + } + data { + flow: DATA_FLOW_OUTBOUND + value: "PIFI" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "public" + } + data { + flow: DATA_FLOW_UNKNOWN + value: "partner-data" + } + licenses { + license { + name: "Partner license" + } + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_WEBSITE + url: "http://partner.org" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "http://api.partner.org/swagger" + } + releaseNotes: { + type: RELEASE_TYPE_MAJOR + title: "My new release" + featuredImage: "https://example.com/featured_image.png" + socialImage: "https://example.com/social_image.png" + description: "The main description of your release" + aliases: "Project Orion" + tags: "CMS" + tags: "SEO" + tags: "wysiwyg" + resolves { + type: ISSUE_CLASSIFICATION_ENHANCEMENT + id: "JIRA-17240" + description: "Great new feature that does something" + source { + name: "Acme Org" + url: "https://issues.acme.org/17240" + } + } + resolves { + type: ISSUE_CLASSIFICATION_SECURITY + id: "CVE-2019-9997" + name: "CVE-2019-9997" + description: "Great new feature that does something" + source { + name: "NVD" + url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + } + } +} diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.xml b/tools/src/test/resources/1.6/valid-release-notes-1.6.xml new file mode 100644 index 00000000..f7ce16b0 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.xml @@ -0,0 +1,149 @@ + + + + + acme-example + 1.0.0 + + major + My new release + https://example.com/featured_image.png + https://example.com/social_image.png + The main description of your release + 2021-09-17T00:51:18+00:00 + + Project Orion + + + CMS + SEO + wysiwyg + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.example.com/17240 + + + + CVE-2019-9997 + CVE-2019-9997 + A security issue was fixed that did something bad + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + http://some/other/site-1 + http://some/other/site-2 + + + + + + en-US + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+ + + + es + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4= + + + + + + + + + Partner Org + https://partner.org + + Support + support@partner + 800-555-1212 + + + org.partner + Stock ticker service + 2020-Q2 + Provides real-time stock information + + https://partner.org/api/v1/lookup + https://partner.org/api/v1/stock + + true + true + + PII + PIFI + pubic + partner-data + + + + Partner license + + + + + http://partner.org + + + http://api.partner.org/swagger + + + + major + My new release + https://example.com/featured_image.png + https://example.com/social_image.png + The main description of your release + 2021-09-17T00:51:18+00:00 + + Project Orion + + + CMS + SEO + wysiwyg + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.example.com/17240 + + + + CVE-2019-9997 + CVE-2019-9997 + A security issue was fixed that did something bad + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + http://some/other/site-1 + http://some/other/site-2 + + + + + + en-US + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+ + + + es + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4= + + + + + + diff --git a/tools/src/test/resources/1.6/valid-saasbom-1.6.json b/tools/src/test/resources/1.6/valid-saasbom-1.6.json new file mode 100644 index 00000000..20709de8 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-saasbom-1.6.json @@ -0,0 +1,303 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-01-10T12:00:00Z", + "component": { + "bom-ref": "acme-stock-application", + "type": "application", + "name": "Acme SaaSBOM Example", + "version": "2022-1" + } + }, + "services": [ + { + "bom-ref": "stock-ticker-service", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Stock Ticker Service", + "version": "2022-1", + "endpoints": [ + "https://example.com/", + "https://example.com/app" + ], + "authenticated": true, + "trustZone": "Acme Public Zone", + "data": [ + { + "name": "Consumer to Stock Service", + "description": "Traffic to/from consumer to service", + "classification": "Customer", + "flow": "bi-directional", + "source": [ + "https://0.0.0.0" + ], + "destination": [ + "https://0.0.0.0" + ] + }, + { + "name": "Stock Service to MS-1", + "description": "Traffic to/from stock service to microservice-1", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ] + }, + { + "name": "Stock Service to MS-2", + "description": "Traffic to/from stock service to microservice-2", + "classification": "PIFI", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + ] + }, + { + "name": "Stock Service to MS-3", + "description": "Traffic to/from stock service to microservice-3", + "classification": "Public", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://example.com/app/swagger" + } + ], + "services": [ + { + "bom-ref": "ms-1.example.com", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Microservice 1", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-1.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-1", + "description": "Traffic to/from stock service to microservice-1", + "classification": "PII", + "flow": "bi-directional", + "governance": { + "owners": [ + { + "organization": { + "name": "Customer Name" + } + } + ] + }, + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + }, + { + "name": "MS-1 to Database", + "description": "Traffic to/from microservice-1 to database", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-1.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-2.example.com", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Microservice 2", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-2.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-2", + "description": "Traffic to/from stock service to microservice-2", + "classification": "PIFI", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-2.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-3.example.com", + "provider": { + "name": "Acme Inc", + "url": [ "https://example.com" ] + }, + "group": "com.example", + "name": "Microservice 3", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-3.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-3", + "description": "Traffic to/from stock service to microservice-3", + "classification": "Public", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + }, + { + "name": "MS-3 to S3", + "description": "Data pushed from microservice-3 to S3 bucket", + "classification": "Public", + "flow": "outbound", + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-3.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-1-pgsql.example.com", + "group": "org.postgresql", + "name": "Postgres", + "version": "14.1", + "description": "Postgres database for Microservice #1", + "endpoints": [ + "https://ms-1-pgsql.example.com:5432" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "MS-1 to Database", + "description": "Traffic to/from microservice-1 to database", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ] + } + ] + }, + { + "bom-ref": "s3-example.amazon.com", + "group": "com.amazon", + "name": "S3", + "description": "S3 bucket", + "endpoints": [ + "https://s3-example.amazon.com" + ], + "authenticated": true, + "trustZone": "Public Internet", + "data": [ + { + "name": "MS-3 to S3", + "description": "Data pushed from microservice-3 to S3 bucket", + "classification": "Public", + "flow": "inbound", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ] + } + ] + } + ] + } + ], + "dependencies": [ + { + "ref": "acme-stock-application", + "dependsOn": [ "stock-ticker-service" ] + }, + { + "ref": "stock-ticker-service", + "dependsOn": [ + "ms-1.example.com", + "ms-2.example.com", + "ms-3.example.com" + ] + }, + { + "ref": "ms-1.example.com", + "dependsOn": [ "ms-1-pgsql.example.com" ] + }, + { + "ref": "ms-2.example.com", + "dependsOn": [ ] + }, + { + "ref": "ms-3.example.com", + "dependsOn": [ "s3-example.amazon.com" ] + } + ] +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-saasbom-1.6.textproto b/tools/src/test/resources/1.6/valid-saasbom-1.6.textproto new file mode 100644 index 00000000..31947dc8 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-saasbom-1.6.textproto @@ -0,0 +1,204 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + timestamp { + seconds: 3173618478 + nanos: 3 + } + component { + type: CLASSIFICATION_APPLICATION + bom_ref: "acme-stock-application" + name: "Acme SaaSBOM Example" + version: "2022-1" + } +} +services { + bom_ref: "stock-ticker-service" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Stock Ticker Service" + version:"2022-1" + endpoints: "https://example.com/" + endpoints: "https://example.com/app" + authenticated: true + trustZone: "Acme Public Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "Customer" + name: "Consumer to Stock Service", + description: "Traffic to/from consumer to service" + governance: { + owners: [ + { + organization: { + name: "Customer Name" + } + } + ] + }, + source: "https://0.0.0.0" + destination: "https://0.0.0.0" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "Stock Service to MS-1" + description: "Traffic to/from stock service to microservice-1" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PIFI" + name: "Stock Service to MS-2" + description: "Traffic to/from stock service to microservice-2" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "Public" + name: "Stock Service to MS-3" + description: "Traffic to/from stock service to microservice-3" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://example.com/app/swagger" + } + services { + bom_ref: "ms-1.example.com" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Microservice 1" + version:"2022-1" + endpoints: "https://ms-1.example.com" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "Stock Service to MS-1" + description: "Traffic to/from stock service to microservice-1" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "MS-1 to Database" + description: "Traffic to/from microservice-1 to database" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://ms-1.example.com/swagger" + } + } + services { + bom_ref: "ms-2.example.com" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Microservice 2" + version:"2022-1" + endpoints: "https://ms-2.example.com" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PIFI" + name: "Stock Service to MS-2" + description: "Traffic to/from stock service to microservice-2" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://ms-2.example.com/swagger" + } + } + services { + bom_ref: "ms-3.example.com" + provider { + name: "Acme Inc" + url: "https://example.com" + } + group: "com.example" + name: "Microservice 3" + version:"2022-1" + endpoints: "https://ms-3.example.com" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "Public" + name: "Stock Service to MS-3" + description: "Traffic to/from stock service to microservice-3" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + } + data { + flow: DATA_FLOW_OUTBOUND + value: "Public" + name: "MS-3 to S3" + description: "Data pushed from microservice-3 to S3 bucket" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "https://ms-3.example.com/swagger" + } + } + services { + bom_ref: "ms-1-pgsql.example.com" + group: "org.postgresql" + name: "Postgres" + version:"14.1" + description: "Postgres database for Microservice #1" + endpoints: "https://ms-1-pgsql.example.com:5432" + authenticated: true + trustZone: "Acme Private Zone" + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "PII" + name: "MS-1 to Database" + description: "Traffic to/from microservice-1 to database" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + destination: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + } + } + services { + bom_ref: "s3-example.amazon.com" + group: "com.amazon" + name: "S3" + description: "S3 bucket" + endpoints: "https://s3-example.amazon.com" + authenticated: true + trustZone: "Public Internet" + data { + flow: DATA_FLOW_INBOUND + value: "PII" + name: "MS-3 to S3" + description: "Data pushed from microservice-3 to S3 bucket" + source: "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + } + } +} +dependencies { + ref: "pkg:maven/com.acme/stock-java-client@1.0.12" + dependencies { + ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + } +} diff --git a/tools/src/test/resources/1.6/valid-saasbom-1.6.xml b/tools/src/test/resources/1.6/valid-saasbom-1.6.xml new file mode 100644 index 00000000..e18c7b37 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-saasbom-1.6.xml @@ -0,0 +1,239 @@ + + + + 2021-01-10T12:00:00Z + + Acme SaaSBOM Example + 2022-1 + + + + + + Acme Inc + https://example.com + + com.example + Stock ticker Service + + https://example.com/ + https://example.com/app + + true + Acme Public Zone + + + Customer + + + + + Customer Name + + + + + + https://0.0.0.0 + + + https://0.0.0.0 + + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + + PIFI + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com + + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + + + + https://example.com/app/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 1 + + https://ms-1.example.com + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com + + + + + + https://ms-1.example.com/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 2 + + https://ms-2.example.com + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + + + https://ms-2.example.com/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 3 + + https://ms-3.example.com + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com + + + + + + https://ms-3.example.com/swagger + + + + + org.postgresql + Postgres + 14.1 + Postgres database for Microservice #1 + + https://ms-1-pgsql.example.com:5432 + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + + + + com.amazon + S3 + S3 bucket + + https://s3-example.amazon.com + + true + Public Internet + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-service-1.6.json b/tools/src/test/resources/1.6/valid-service-1.6.json new file mode 100644 index 00000000..496ef885 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-service-1.6.json @@ -0,0 +1,101 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "pkg:npm/acme/component@1.0.0", + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "stock-java-client", + "version": "1.0.12", + "hashes": [ + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/com.acme/stock-java-client@1.0.12" + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "name": "Partner Org", + "url": [ + "https://partner.org" + ], + "contact": [ + { + "name": "Support", + "email": "support@partner.org", + "phone": "800-555-1212" + } + ] + }, + "group": "org.partner", + "name": "Stock ticker service", + "version": "2020-Q2", + "description": "Provides real-time stock information", + "endpoints": [ + "https://partner.org/api/v1/lookup", + "https://partner.org/api/v1/stock" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "PII", + "flow": "inbound" + }, + { + "classification": "PIFI", + "flow": "outbound" + }, + { + "classification": "pubic", + "flow": "bi-directional" + }, + { + "classification": "partner-data", + "flow": "unknown" + } + ], + "licenses": [ + { + "license": { + "name": "Partner license" + } + } + ], + "externalReferences": [ + { + "type": "website", + "url": "http://partner.org" + }, + { + "type": "documentation", + "url": "http://api.partner.org/swagger" + } + ] + } + ], + "dependencies": [ + { + "ref": "pkg:maven/com.acme/stock-java-client@1.0.12", + "dependsOn": [ + "b2a46a4b-8367-4bae-9820-95557cfe03a8" + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-service-1.6.textproto b/tools/src/test/resources/1.6/valid-service-1.6.textproto new file mode 100644 index 00000000..de744504 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-service-1.6.textproto @@ -0,0 +1,76 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:npm/acme/component@1.0.0" + publisher: "Acme Inc" + group: "com.acme" + name: "stock-java-client" + version: "1.0.12" + hashes { + alg: HASH_ALG_SHA_1 + value: "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + } + licenses { + license { + id: "Apache-2.0" + } + } + purl: "pkg:maven/com.acme/stock-java-client@1.0.12" +} +services { + bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + provider { + name: "Partner Org" + url: "https://partner.org" + contact { + name: "Support" + email: "support@partner" + phone: "800-555-1212" + } + } + group: "org.partner" + name: "Stock ticker service" + version: "2020-Q2" + description: "Provides real-time stock information" + endpoints: "https://partner.org/api/v1/lookup" + endpoints: "https://partner.org/api/v1/stock" + authenticated: true + x_trust_boundary: true + data { + flow: DATA_FLOW_INBOUND + value: "PII" + } + data { + flow: DATA_FLOW_OUTBOUND + value: "PIFI" + } + data { + flow: DATA_FLOW_BI_DIRECTIONAL + value: "public" + } + data { + flow: DATA_FLOW_UNKNOWN + value: "partner-data" + } + licenses { + license { + name: "Partner license" + } + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_WEBSITE + url: "http://partner.org" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION + url: "http://api.partner.org/swagger" + } +} +dependencies { + ref: "pkg:maven/com.acme/stock-java-client@1.0.12" + dependencies { + ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + } +} diff --git a/tools/src/test/resources/1.6/valid-service-1.6.xml b/tools/src/test/resources/1.6/valid-service-1.6.xml new file mode 100644 index 00000000..26ec8463 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-service-1.6.xml @@ -0,0 +1,66 @@ + + + + + com.acme + stock-java-client + 1.0.12 + + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + + + + Apache-2.0 + + + pkg:maven/com.acme/stock-java-client@1.0.12 + + + + + + Partner Org + https://partner.org + + Support + support@partner + 800-555-1212 + + + org.partner + Stock ticker service + 2020-Q2 + Provides real-time stock information + + https://partner.org/api/v1/lookup + https://partner.org/api/v1/stock + + true + true + + PII + PIFI + pubic + partner-data + + + + Partner license + + + + + http://partner.org + + + http://api.partner.org/swagger + + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.json b/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.json new file mode 100644 index 00000000..d77ba2dc --- /dev/null +++ b/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.json @@ -0,0 +1,22 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "contact": [ + ] + }, + "name": "Stock ticker service", + "endpoints": [ + ], + "data": [ + ], + "externalReferences": [ + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.textproto b/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.textproto new file mode 100644 index 00000000..0cbb8970 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.textproto @@ -0,0 +1,9 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +services { + bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + provider { + } + name: "Stock ticker service" +} diff --git a/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.xml b/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.xml new file mode 100644 index 00000000..38023db3 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-service-empty-objects-1.6.xml @@ -0,0 +1,16 @@ + + + + + + + Stock ticker service + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-signatures-1.6.json b/tools/src/test/resources/1.6/valid-signatures-1.6.json new file mode 100644 index 00000000..b5630f6d --- /dev/null +++ b/tools/src/test/resources/1.6/valid-signatures-1.6.json @@ -0,0 +1,78 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "5366293e-0740-4dcf-b1d0-0c1fc26e4981", + "type": "application", + "name": "amce app", + "version": "1.0", + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "tqITqIm0gUMWXIjqDgwqzqPw1CwTUKRewZQ5YpX3VwFMWV68NJgX4npU91cSwSC-MRlx1QfOYwSQkeU26VpXSg" + } + } + ], + "services": [ + { + "bom-ref": "ee10d0a2-baba-4656-a5ac-d49e172a0d3d", + "group": "org.partner", + "name": "Stock ticker service", + "version": "2020-Q2", + "endpoints": [ + "https://partner.org/api/v1/lookup", + "https://partner.org/api/v1/stock" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "PII", + "flow": "inbound" + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "6A77T3RBTAuVpZOgFFFfOvGOQ1hqMbfSQ91VucRM1RIP6QqX9kEF1Pi1_vCl37qpVzK51kIyppgUF_i9s999XA" + } + } + ], + "compositions": [ + { + "aggregate": "complete", + "assemblies": [ + "5366293e-0740-4dcf-b1d0-0c1fc26e4981", + "ee10d0a2-baba-4656-a5ac-d49e172a0d3d" + ], + "dependencies": [ + "5366293e-0740-4dcf-b1d0-0c1fc26e4981" + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "lm6wx-elyBTbNMKNF8riooZhvrm6f5j8JpvgP9JtVv50dd7sXQLH7PqJcn9fmKV8eoF8cszPllEsQQhEQOM4hA" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "m4pMbQQVV61TlP4Og7a75SeY8lh00LkkUDXZ4PIhXsR512MPRgZmusFYorJlYq9wM3P9n9gM3T8BTg9XdFdQkQ" + } +} diff --git a/tools/src/test/resources/1.6/valid-vulnerability-1.6.json b/tools/src/test/resources/1.6/valid-vulnerability-1.6.json new file mode 100644 index 00000000..c0f77d36 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-vulnerability-1.6.json @@ -0,0 +1,169 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4", + "type": "library", + "group": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "2.9.4", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" + } + ], + "vulnerabilities": [ + { + "bom-ref": "6eee14da-8f42-4cc4-bb65-203235f02415", + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "source": { + "name": "Snyk", + "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111" + }, + "references": [ + { + "id": "CVE-2018-7489", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + } + ], + "ratings": [ + { + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0" + }, + "score": 9.8, + "severity": "critical", + "method": "CVSSv3", + "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "justification": "An optional reason for rating the vulnerability as it was" + } + ], + "cwes": [ + 184, + 502 + ], + "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.", + "detail": "", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.", + "workaround": "Describe the workarounds here", + "proofOfConcept": { + "reproductionSteps": "Precise steps to reproduce go here", + "environment": "Describe the environment", + "supportingMaterial": [ + { + "contentType": "image/jpeg", + "encoding": "base64", + "content": "/9j/4AAQSkZJRgABAQAASABIAAD/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABQKADAAQAAAABAAABQAAAAAD/wAARCAFAAUADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBQMDAwUGBQUFBQYIBgYGBgYICggICAgICAoKCgoKCgoKDAwMDAwMDg4ODg4PDw8PDw8PDw8P/9sAQwECAgIEBAQHBAQHEAsJCxAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ/90ABAAU/9oADAMBAAIRAxEAPwD9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9L9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9xKKKKACiiigAooooAKKKKACiiigAooooAKKzdY1jSfD2lXWua7eRafp9jG0s9xO4SONF6szHgCvyK+P/APwUJ1zV7i68MfAxTpmnKTG2sTJ/pU3Ym3jbIiU9mYFz1AWmkB+qvjL4ieA/h5Z/bvHPiCy0OEjK/a51jZv91CdzfgDXy3r/APwUA/Zw0WVobPUr/WWXvZ2T7D9GmMQNfitofhT4ofGXX5ptHsdR8V6rK2Zrht85BPeSaQ7V/wCBMK+nvDv7Afxk1WJZtcvtL0PdzskmeeQfUQqVz/wI185nXF+VZc+XG4mMH2b1+5Xf4HTRwlWprCLZ9xW//BSD4DSy7JtO12Bf77WsBH5LOT+leweEP2yv2cfGc0drZeL4tNuJOBHqUclmST23yKI//H6/Om4/4J2eOli3Wvi/TJJP7rwzoPzAb+VeL+NP2NPjx4Ohku00aPXrWPJL6ZKJ2x/1yYLIfwU15WX+JeQYqfs6OMhfzfL/AOlJGk8trxV3Bn9Ctpd2t/bR3thPHc28w3JLEweNwe6spII+lWK/me+G3xr+LfwN1hj4P1e50zyXxcadcBmtnI6rLbScA+4CsOxr9mP2bv2x/Bfxz8rwzrUaeHfGIX/jzd8wXeBy1q7ck9zG3zDtuGTX2+6ujiPsmiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//1f3EooooAKKKKACiiigAooooAKKKKACop54LWCS6upFhhhVnkdyFVEUZZmJ4AAGSalr88P8AgoV8aJ/BXgCz+F+hXBi1PxeGa7ZDho9OiOGX285/k91DChAfDv7Xn7Uuo/GzxHN4V8LXL2/gbSZSIUUlft8qHH2mUd1z/qlPAHzH5jx1P7NH7HM/j21tfHvxQWWy8Py4ktbBSY571ezu3WOE9sfMw5GBgnhP2PfgTB8WfGsviHxJb+b4Z8NsjzIw+W6uTzFAfVRjc49MD+Kv2w/dxR/wxxxr7Kqqo/IAD8q/nbxl8VauAm8pyyVqlvfkt432S/vNat9Fa2r0+hyjK1Ne1qbdEZWgeHtB8K6VDofhrT4NL0+3GI4LeMRoPfA6n1J5Pc1sV8+X/wC1V+z9pustoV14ytTOjbGeNJZIFYcYMyIU/EEj3r3iw1Cw1Wyg1LS7mO8tLpBJFNC4eORG5DKy5BB9q/lbM8px1C1XG0px59U5Jrm+bWp9NTqwlpBrTsW6KKK8k1PD/jD+z78OvjRp8ieI7IWurBcQanbKFuoz23HpInqr59sHmvxc+K/wl8c/AbxlHpWtFo3VvP0/UbYsiTqjZWSJxyrqcblzuU+2Cf6E68r+Mnwn0H4yeBb3wfraqkrAyWVzjL2t0o+SRT1x2cd1JHpX7D4ZeKuJyevHDYqTlhno09eTzj6dY7P1PJzLLI1k5RVpfmef/sZftQn41aA/gvxnMo8Z6JEGaQ4X+0LZcL54H/PRTgSgeoYdSB9yV/MPoWs+M/gP8U4dTgU2XiDwnfFZIySFYxNtkjb1jkXI91Oa/pQ8E+LtI8feENG8a6C++w1u1iuovVRIuSp91OVPuDX9ywqRnFTg7p6pnxTTTszqKKKKoQUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//W/cSiiigAooooAKKKKACiiigD8fP2q/21fiZo/wAStW+Hnwsvl0LTvD0xtZ7pYkkuLm4T/WYaQMERW+UBRk4yTg4r5Z/4bJ/aZ/6Hu6/79W//AMbr6u/a+/Yz8cX3jLWfi18L7U63Zau5u77Tov8Aj7gnI/ePEn/LVHI3bV+YEkYIr8z9Ovrnw9qhe4soppYGKS295CHGQeVZGAKkfgRTe2iNKUYuSU3Zd9z6C/4bJ/aZ/wCh7uv+/Vv/APG68Z8e/EXxr8T9dHiXx7qsusaksKQCaUKCIoySqgIFAAJJ6d6+gPBPiT4Q+KvLs9Q0Gx0rUWwPLliTy3P+xIQB+BwfrWR8efDHh3Q9E0u40bTYLGWS5ZGaGMIWXYTg468ivIp5x+/VCdNxbPv8TwBbLp5lh8VCpCO9r33StqtHrsz9EP2G9X8J33wOt9M8PKY7/TbqZdUV8bmuZTvWTjqjR7QvptI7VN+3B4o1vw18C7iHRZHg/tm+gsbmRCQRburu65HQOUCn1BI714P/AME5Wbb48TJ2/wDEvOO2f33NfoJ8QvAXh74m+D9R8E+KImksNRQAlDiSN1O5JEJzhkYAj8jwTX8Y8WTw+VcaTr105041Izd9X7yUn62b0XkkcOFUquDSjo7W/Q/m/wCnAr9XP+CePifWr/wx4q8KXkjy6bpM9tPa7iSImuQ/mIvoCUDY9cnvXll//wAE8PiAmsmDTPFGmS6UW4nmWZJwnvEqspbHo+K/Qz4KfBrw58EfBq+FdBka7mmk8+8u5AFe4nIA3YGdqqBhVycDuSSa/UfF/wASMlx2SywmEqqpUm4tWT92zTbd0rO11bfXseblOXVoVueaskev0UUV/JR9SFFFFAH5F/8ABQLwFDovj7RvH1lGEj8R2zQ3GBgG5tMAMfdo2X/vmvrj/gnD43l174Qat4NupN8vhfUT5QJ5FveL5qj6CQSfnXHf8FBNPiuPg/o+oMP3llrEQU9wssMqsPxwPyrzP/gmNqEqeNvHWlZ/dTabazkf7UU5Qfo5r+9vBfNJ4rh2h7R3cLw+Sen3JpfI+Hziko4iVuup+xNFFFfqR5YUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//1/3EooooAKKKKACiiigAooooAK+cPjd+yz8KfjnBJda9Y/2Zr+3Eeq2QVLgHt5o+7Mvs/Powr6Pr57/aW+PFp+z78PB4s+wjU9SvrhbOxtmYpG8zKzlpGHIRFUk45JwBjOQ0B+MHxz/ZJ+KvwOabVL+1GueGkPy6rZKWjRScD7RHy0J+uVz0Y18+XvibXdS0i30LULt7mztH8yFZDuKHG3AY84x26V6f8Wf2iPi18abpm8ba3I1gG3R6fbfuLKP0xEp+Yj+85Y+9eJU3BOza2NqWIqQUowk0no7dV2fc/Tr/AIJy/wDM+f8AcP8A/a1fp1X5mf8ABOa2mFt47vCP3RewjB/2gJmI/Kv0zr+CPGlp8S4q39z/ANIifZ5P/u8fn+YUUUV+WHphRRRQAUUUUAfAv/BQrWIbX4X+H9DLfvtQ1YSgf7FvC+4/m61xv/BMXSJX8SePNf2nyobOztM9t0sryY/KOvDP26PiNB4x+LMfhXTpRJZeEYDbMQcqbuUh5/8AvnCofdTX6Ff8E+/AE3hD4EJ4hvY/LuvF15JfjIwfs0YEMH4EKzD2av798H8nnguH8PCorSneb/7ed1/5LY+Fzasp15NdND7looor9LPNCiiigAooooAKK5rxf4x8MeAfD134r8Y6lFpWlWK7pZ5jhRngKAMlmY8KqgknoK+KW/4KOfAVdW+wCy1prPdt+2C1j8vH97yzL5mP+A59qLAffdFcp4K8ceE/iL4ctfFngrU4tV0q7zsmiJ4ZfvIynDK691YAiuroAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAK8J/aH+Bej/ALQHw/bwdqN42m3dtOt3Y3arv8mdVK/MmRuRlYqwBB7jkV7tRQB+MDf8EzPiiCQvi/RiOx2XIz+Gyuf8V/8ABOn4seGfC+q+IrbXNN1ibTLd7hbK1Sfz5xHyyx7lA3bckDuRgcmv2/r5b/ay+P8AqX7Pnw+ste0Cwiv9Y1i8Fnai43GCLCNI8jhSC2AMBQRknk4FVcD8Xv2cvjbefA/x/HrMwebQ9RAttTt16tDnIkUf89IjyPUZXvX7xaLrWk+I9JtNe0K7jvtOv41mgniO5JEbkEH+Y6g8Hmv5yPG3iqXxv4p1HxZc6faaZcapIZpobFGit/Nb77IjM23efmIBxknAFe2fAH9prxh8Drv+z1U6x4ZuH3z6fI+0ox6yW7nOxz3GNrdxnkfhni54UvOF9fwFlXirNbKaW2vSS6N6NaPZHt5Vmnsv3c/h/I/d6iuY8F+LtG8e+FNL8ZeH3Z9P1eBZ4t42uA3BVhzhlIIPuK6ev4tr0J0pypVFaUW00+jW6PsIyTV0FFFRT3EFpBJdXUqQwxKWeSRgqKo6lmOAAPU1mlfRDJa+bP2lvj5pnwS8GyCzlSXxTqqNHp1v1KE8G4kHZI+2fvNgDvjzP40/tt+A/A9vcaN8Onj8U69gqJUJ+wQN6tIMeaR/dTg92FflvHH8S/j78RViQT+IvE+uSYHoAP8Ax2KKMfRVFfv3hj4NYnG1oY3NabhRWqi9JT+W6j3vutFvdeFmWbxgnCk7v8ja+Cnws8Q/Hv4qWPhOB5Jft0xutTuzljFbBt08zMf4jnC56uwr+k3SdK07QdKstD0iEW1jp8MdvBEvRIolCoo+gFfP/wCzL+zpo37P/go6bEVv/EWqBJNUvlXh3UfLDFnkRR5OP7xyx64H0kUcdVI/Cv7J0WiPkBtFGCKKACilCk9Bmql/e2WlWz3uq3EVlbxjc8k7rEij1LMQAKALVVb6+stMs59R1K4jtLS2QySzTOI440XkszNgAD1NfGHxa/bw+C/w7jmsPDFyfGespkCKwbFqrf8ATS6IK4/65hz9K/Jf40/tMfFb473f2fxPf/ZdI35h0qy3R2qnPy7lyWlf3cn2A6U0gPbP25P2idC+MfijS/C3gPUHvPDPh5ZGeUApDdXrnBkTPLIiDarEDqxHBzXgi/AbxF/wol/jxJewx6cLsW62jKwmeMy+T5ob7uN/AHoCc9q92+Af7FninxzNbeJvidHLoHh7IkW1YbL27XqBtPMKHuzfMR0HevsD9suw0rw1+zLd6Bo1tHZWMFzp1tbwRDakcaSghVH0WvxziLxToLNcJlOWTUpyqRU2rNKLdnFPu+62t329jD5ZL2U6tRWSTsfPH/BNjxlrNl8TNe8BrKX0nVdOe9aIn5UuLV0VZFHqyOVPrgegr9oa/D3/AIJvW5l+OuqTgcQaHck/8CmhFfuFX7HI8cKKKKQBRRRQAUUUUAFFFFAH/9H9xKKKKACiiigAooooAKKKKACiiigAr83P+CmUBf4WeEbgDiLW2B/4FbSf4V+kdfBX/BRjS2vfgBb36jJ07WrOQ+yyJLGf1YU0B+ef7JXwK8DfHG58UWPjGW8hfSYrWS3a0lWMjzWdW3BkcH7ox0r6suv+Cd/w5kmV7PxTq0MWRuRkgcle4DbVwfcg14p/wTw1IQfEbxRpRODeaUkoHqYJ1H8pK/XCv5D8WeOs6yzPq1DCYmUYWi0tGtYq9k0+tz6zK8FRqUFKcbvU5zwh4U0bwN4Y0zwh4eiMOm6TAsEKsdzbV7se7Mckn1NdHRRX871q06k5VKjvJu7b3be7PfSSVkFfOX7VXgLxn8R/g5qPhvwKTJqHnwTvbBwhuoYiS8QJIGScMATglcelfRtFd2TZrUwOLpYykk5QkpK+qunfUitSU4uD6n88t78BPjZp2ftfgXWEx/ds5H/9ABrmZvAvxE0d/Mn8PatYuv8AEbS4jI/HYDX9IOSOhpwkkHRiPxr+gaP0ksYv4mEi/STX5pngvh6HSbP5u49e+I+lf6rUtZstvpPcxY/UVpQ/GD4s2J2weNdahI7DULgf+z1/RbIkcv8ArkWT/eAP86oy6RpE4xPYW8g/2oUb+Yr06f0lV9vA/dU/+0M3w72n+H/BP59ov2g/jlBxF8Q9dUf9hKf/AOLqz/w0d8eiMf8ACxddx/2EJv8A4qv3tk8HeEJuZtB09/8AetIT/Nag/wCEE8DZz/wjemZ/68oP/iK6l9JSh1wT/wDA1/8AIk/6uv8An/A/Am6+PHxpvVK3fj/XJQeobUrj/wCLrnmHxF8eTrC/9r+I5nPyq32i8JPsDur+iS38L+F7QhrXRrGEjulrEv8AJa11MFmm1NsK+igKPyFc1f6Sd1ajgdfOf6KBcOHO8/w/4J+Kvw1/Yk+MHjZ4rrxHAnhHTGwS9781yV/2LdTuz/vlK/ST4SfsufCn4RGLUNNsTq+tx4P9o34WSVW9Ykxsi/4CN3+0a96l1KMcRLuPqeBVq2nFxHvxgg4Ir8s4w8T89zSDjWn7Ok/sw0Xzd+Z+jdvI9fD5NTormtd92WCSTk18M/8ABQDUha/BjTdPzhr/AFiAY9RFFK5/XFfc1fmL/wAFF9eGPBPhZG5/0y+df++IkP8A6HXF4RYJ1+I8JFdG5f8AgMW/0JzWfLh5srf8EytMM3xC8aaxji10qCDPvPOG/wDaVfsnX5h/8EyfD7W/g3xt4odcfbb+2tEb1FtEXb9ZRX6eV/oDI+DCiiikAUUUUAFFFFABRRRQB//S/cSiiigAooooAKKKKACiiigAooooAK+aP2w/DreJv2bfG9nGm+SztUvkHvZypMT+Cqa+l6yte0a08R6FqXh6/GbbVLaa1kB/uToUP6GgD+fv9i3xEugftBaHFK22PWIbmwPpuljLp+boB+NfuTX841jNq3wn+JcMsylNQ8I6qN69DvspsMPx2kfQ1/RZpuo2esadaavp7iS1voY54mHIaOVQ6n8jX8ifSNylwx+HxqWk4uPzi7/lJfcfWcP1b05Q7P8AMu0UUV/OR9AFFFFAGHNfXAlYKdoBxjFMGoXI/iB/Ctp4IZDudASe9Rmztj/yzH617EMbh7JOH5HUqsLaozBqVx/sn8KX+05v7q/rV/7Ban+D9TSf2fa/3T+dV9awv8g/aU+xS/tOb+4v60h1Oc9FUfnV3+z7b0P50o0+1H8JP40fWMJ/KHPS7GU95cvwXwPbiokimmPyqW966BLW3j+6gz781PQ80hFWpQB4hL4UczNA8BAkxkjPFa2mjEBPq1Z19J5lw2Oi8flWxaJ5dug7kZP41rj6reHjzbsqtJ8iuWa/ED9tjxcvij486pZQvvt/D0EGnLg8B0HmS/8Aj7kH6V+zni/xRp/grwrq/i/VWC2mj2st1JnuI1JCj3Y4A9zX88+l2GvfFv4kW2nrmbV/F2phSev728lyx+i7ifoK/cfo55E6mNr5jJaQjyr1lq/uS/8AJj5HiCvaEaffU/df9iDwi3hL9m/w0Zo/LuNba41OTPXFxIRH/wCQ1SvrSsvRNGsfDui6f4f0xAlnplvFawqO0cKBF/QVqV/XDPlAooooAKKKKACiiigAooooA//T/cSiiigAooooAKKKKACiiigAooooAKKKKAPwj/4KAfDGTwT8bH8XWkOzTPGcIu1YD5RdxAR3C/U/K/8AwKvrz9h/4oR+NfhSvg++m3ar4RYWxUn5ms3y0D/ReY/+Aj1r6M/at+Cg+OHwkv8AQtPjDa9pRN/pbdzcRqd0OfSZMp/vbT2r8Mvgn8U9Y+CPxJs/FMcUhhiZrXUbQ/K0luxxKhB6OhG5c9GUe9fn3ifwe86ymeHpr95H3oeq6fNXXrZ9D0Mtxfsaqk9noz+hGisfw94g0fxXodj4k8PXS3um6lEs0EyHhkYcfQjoR1ByDWxX+fdSnKEnCas1o0+jPu076oKKKKgYUUUUAFFFFABRRR70AFVrq4FvGT/Efuio576KLIT529un51jM0tzLk/MzdK9TB5e5PmqaI6aVBvV7C28RnmC9up+ldLVW1thbpg8s3U15p8ZPi14f+DPgi78X64wkmAMdla5w91ckfJGvsOrn+Fcn0rZ0quOxMMNho80m7RS6tmWKxEVeTeiPjP8Ab6+LkdlpFh8HtHn/ANJvyl7qe0/cgQ5gib/fYbyPRV9a4r/gnP8ACZ/EXxA1H4ranDnT/C8Zt7RmHD31yuCR/wBcoiSfQutfEUj+NvjZ8Scqrap4l8VXoCqvQySnAA/uxov4Ki+1f0Y/Bf4WaR8Gfhto3w/0giT7BHuuZwMG4upPmmlP+83T0UAdq/0A4E4UhkuWU8DHWW8n3k936dF5JH51jsU61Rz+49Sooor645AooooAKKKKACiiigAooooA/9T9xKKKKACiiigAooooAKKKKACiiigAooooAK/Ij9u79ly4sr28+Ofw/szJZ3B8zXLSJeYpO94ij+Bv+WuOjfP0Jx+u9MkjjmjeGZBJHICrKwBVlIwQQeCCOoppgfz5/syftO6n8FdQ/wCEe8QCTUPB99JulhX5pLSRus0APUH+NP4uo+br+0fhvxN4f8Y6Ja+I/C9/Fqem3i7op4W3KfUHuGHQqcEHgivz4/ah/YPvLa4vPH/wLtPtFtIWlutDT/WRE8s1n/eX/pl1H8GR8o+Bvhr8XviT8FNcluPCd9JYsJNt3YXCkwSsvBWaFsYYdMjDD1r8Q8SvBujm8pY3AtQr9b/DP17Pz69V1Pay7N3S9yesfyP6HKQ5wcda+Ffhl+3j8N/E8cVh8QraTwrqJwGmAa4smb1DqN6fRlIH96vs/wAP+J/DfiyzXUPC+q2ur2zDIktZkmX8dhOPxr+SM+4RzLK58mOoSh5291+klo/kz6qhiqdRXg7ldp7lJCWdlbvzUq6hcr1Ib6it1kR+HUH6ioGs7Zv+WYH0rlWYUZL34Hp+3g90Zo1Kfuqn86Dqc3ZV/Wrx0+29D+dH9n23ofzp/WMJ/KPnpdjObULk9CB9BVZ5ZpjhmLe1bq2Vsv8ABn6mrCRonEagfQUf2hRh8EA9vBfCjCisZ5OWGwep/wAK2ILaO3GEGSepPWuS8Y/EbwH8PrVrzxrr1npCAZCzygSt/uxjLsfopr4H+LH7f9jDHNpPwe0xriY5X+0tQTbGv+1Fb5y3sZCB/smvoci4SznO5KODovk/m2ivWT0forvyPOxmaQgvfl8j7X+LXxk8D/Bnw82ueL7sCaQH7LZREG5unH8Ma9hnq5+Ve57V+Hnxf+L/AIx+OHjD+3/EBIUHybCxhy0dvGx+WONerOxxubGWP4AYLv8AEb40eNVU/bfFXiXVX2qoBllb2AHCIv4Ko9BX7Dfsr/sVaX8J5Lbx98SRDqvi9QHt7dcSW2nE91PSSYf3/ur/AA5PzV/XPhz4VYXIY+3qP2ldrWXReUf1e78lofGZhmkq/urSJJ+xT+yzJ8JdI/4WP48tgvi/V4dsEDjJ061cZKn0mk/j/uj5eu6vvyiiv1Q8sKKKKACiiigAooooAKKKKACiiigD/9X9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvnL40fssfCP44LJe+I9OOna4y4XVLHEVzkdPM4KSgf7YJ9CK+jaKAPwv+Jv8AwT3+Mvg55rzwS8HjLTkyVFuRBehf9qCQ4Y/7jtn0r45v9L8e/DXVtmo2upeFtSjPV1ms5c+x+Un8DX9S1UdT0vS9atWsdasoNQtm4MVxEsyEf7rgiiSUk4yV0xp2P5zPD/7Vf7QHhxUSz8ZXV1EvRLxY7sfnKrN+terad+3x8crQBb2HSb8Du9q0bH8Y5FH6V+sniP8AZO/Z08UO8upeBNPhlfkvaB7Rs+v7hkH6V5Fqf/BPP9nS+YtZwarp2f8AnjfFgPoJVevlMbwHkmId62Dpt9+VJ/ekmdUMdWjtN/efEEP/AAUP+JiDE3hfR5D6g3C/+1KfL/wUQ+JLLiLwto6H1LXDf+1BX1fP/wAE1vgw7E2/iDXYh6NLbP8A+0RUcP8AwTU+DitmfxFrkg9A9uv6+Sa8n/iFHDl7/U4/fL/M1/tXEfznxVqf7fPxwvAVsINJ04Hulq0jD8ZJGH6V474m/ae+PPipHi1TxleQQv1jtClomD2/cqhx+NfrLpf/AATw/Z2sGDXseraljtPfbAfqIUjr2Xwz+yp+zx4SdJtJ8CadJMnIku0a8fPrm4aQfpXr4DgTJMM+ahg6afflTf3u7MZ46tL4pv7z+fPw34J+IfxN1Qx+F9G1HxJfTH5nhikuDk93lOQPqzV93fCr/gnH49154dS+K+qReGrE4ZrO1K3N6w9Cw/dR/XLn2r9l7Ozs9OtlstOt47S3ThYoUWNAPZVAA/KrNfVrRWRynlXwr+Cnw1+DGknSvh/o0di0gAnun/eXdxjvLM3zH/dGFHYCvVaKKQBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/1v3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0f3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v3Eoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQB//9k=" + } + ] + }, + "advisories": [ + { + "title": "GitHub Commit", + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" + }, + { + "title": "GitHub Issue", + "url": "https://github.com/FasterXML/jackson-databind/issues/1931" + } + ], + "created": "2021-01-01T00:00:00.000Z", + "published": "2021-01-01T00:00:00.000Z", + "updated": "2021-01-01T00:00:00.000Z", + "rejected": "2022-01-01T00:00:00.000Z", + "credits": { + "organizations": [ + { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ] + } + ], + "individuals": [ + { + "name": "Jane Doe", + "email": "jane.doe@example.com" + } + ] + }, + "tools": { + "components": [ + { + "type": "application", + "group": "Snyk", + "name": "Snyk CLI (Linux)", + "version": "1.729.0", + "hashes": [ + { + "alg": "SHA-256", + "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d" + } + ] + } + ], + "services": [ + { + "provider": { + "name": "Acme Inc" + }, + "name": "Acme BOM Analyzer", + "endpoints": [ + "https://example.com/analyze" + ] + } + ] + }, + "analysis": { + "state": "not_affected", + "justification": "code_not_reachable", + "response": ["will_not_fix", "update"], + "detail": "An optional explanation of why the application is not affected by the vulnerable component.", + "firstIssued": "2022-01-01T00:00:00.000Z", + "lastUpdated": "2022-02-01T00:00:00.000Z" + }, + "affects": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4", + "versions": [ + { + "range": "vers:semver/<2.6.7.5", + "status": "affected" + }, + { + "range": "vers:semver/2.7.0|<2.8.11.1", + "status": "affected" + }, + { + "range": "vers:semver/2.9.0|<2.9.5", + "status": "affected" + } + ] + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "You" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-vulnerability-1.6.textproto b/tools/src/test/resources/1.6/valid-vulnerability-1.6.textproto new file mode 100644 index 00000000..6daca7b0 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-vulnerability-1.6.textproto @@ -0,0 +1,161 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" + group: "com.fasterxml.jackson.core" + name: "jackson-databind" + version: "2.9.4" + purl: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" +} +vulnerabilities { + bom_ref: "6eee14da-8f42-4cc4-bb65-203235f02415" + id: "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111" + source: { + name: "Snyk" + url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111" + } + references: { + id: "CVE-2018-7489" + source: { + name: "NVD", + url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + } + ratings: { + source: { + name: "NVD" + url: "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0" + } + score: 9.8 + severity: SEVERITY_CRITICAL + method: SCORE_METHOD_CVSSV3 + vector: "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + justification: "An optional reason for rating the vulnerability as it was" + } + cwes: 184 + cwes: 502 + description: "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath." + detail: "" + recommendation: "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher." + proofOfConcept: { + reproductionSteps: "Precise steps to reproduce go here" + environment: "Describe the environment" + supportingMaterial: [ + { + content_type: "image/jpeg" + encoding: "base64" + value: "/9j/4AAQSkZJRgABAQAASABIAAD/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABQKADAAQAAAABAAABQAAAAAD/wAARCAFAAUADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBQMDAwUGBQUFBQYIBgYGBgYICggICAgICAoKCgoKCgoKDAwMDAwMDg4ODg4PDw8PDw8PDw8P/9sAQwECAgIEBAQHBAQHEAsJCxAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ/90ABAAU/9oADAMBAAIRAxEAPwD9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9L9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9xKKKKACiiigAooooAKKKKACiiigAooooAKKzdY1jSfD2lXWua7eRafp9jG0s9xO4SONF6szHgCvyK+P/APwUJ1zV7i68MfAxTpmnKTG2sTJ/pU3Ym3jbIiU9mYFz1AWmkB+qvjL4ieA/h5Z/bvHPiCy0OEjK/a51jZv91CdzfgDXy3r/APwUA/Zw0WVobPUr/WWXvZ2T7D9GmMQNfitofhT4ofGXX5ptHsdR8V6rK2Zrht85BPeSaQ7V/wCBMK+nvDv7Afxk1WJZtcvtL0PdzskmeeQfUQqVz/wI185nXF+VZc+XG4mMH2b1+5Xf4HTRwlWprCLZ9xW//BSD4DSy7JtO12Bf77WsBH5LOT+leweEP2yv2cfGc0drZeL4tNuJOBHqUclmST23yKI//H6/Om4/4J2eOli3Wvi/TJJP7rwzoPzAb+VeL+NP2NPjx4Ohku00aPXrWPJL6ZKJ2x/1yYLIfwU15WX+JeQYqfs6OMhfzfL/AOlJGk8trxV3Bn9Ctpd2t/bR3thPHc28w3JLEweNwe6spII+lWK/me+G3xr+LfwN1hj4P1e50zyXxcadcBmtnI6rLbScA+4CsOxr9mP2bv2x/Bfxz8rwzrUaeHfGIX/jzd8wXeBy1q7ck9zG3zDtuGTX2+6ujiPsmiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//1f3EooooAKKKKACiiigAooooAKKKKACop54LWCS6upFhhhVnkdyFVEUZZmJ4AAGSalr88P8AgoV8aJ/BXgCz+F+hXBi1PxeGa7ZDho9OiOGX285/k91DChAfDv7Xn7Uuo/GzxHN4V8LXL2/gbSZSIUUlft8qHH2mUd1z/qlPAHzH5jx1P7NH7HM/j21tfHvxQWWy8Py4ktbBSY571ezu3WOE9sfMw5GBgnhP2PfgTB8WfGsviHxJb+b4Z8NsjzIw+W6uTzFAfVRjc49MD+Kv2w/dxR/wxxxr7Kqqo/IAD8q/nbxl8VauAm8pyyVqlvfkt432S/vNat9Fa2r0+hyjK1Ne1qbdEZWgeHtB8K6VDofhrT4NL0+3GI4LeMRoPfA6n1J5Pc1sV8+X/wC1V+z9pustoV14ytTOjbGeNJZIFYcYMyIU/EEj3r3iw1Cw1Wyg1LS7mO8tLpBJFNC4eORG5DKy5BB9q/lbM8px1C1XG0px59U5Jrm+bWp9NTqwlpBrTsW6KKK8k1PD/jD+z78OvjRp8ieI7IWurBcQanbKFuoz23HpInqr59sHmvxc+K/wl8c/AbxlHpWtFo3VvP0/UbYsiTqjZWSJxyrqcblzuU+2Cf6E68r+Mnwn0H4yeBb3wfraqkrAyWVzjL2t0o+SRT1x2cd1JHpX7D4ZeKuJyevHDYqTlhno09eTzj6dY7P1PJzLLI1k5RVpfmef/sZftQn41aA/gvxnMo8Z6JEGaQ4X+0LZcL54H/PRTgSgeoYdSB9yV/MPoWs+M/gP8U4dTgU2XiDwnfFZIySFYxNtkjb1jkXI91Oa/pQ8E+LtI8feENG8a6C++w1u1iuovVRIuSp91OVPuDX9ywqRnFTg7p6pnxTTTszqKKKKoQUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//W/cSiiigAooooAKKKKACiiigD8fP2q/21fiZo/wAStW+Hnwsvl0LTvD0xtZ7pYkkuLm4T/WYaQMERW+UBRk4yTg4r5Z/4bJ/aZ/6Hu6/79W//AMbr6u/a+/Yz8cX3jLWfi18L7U63Zau5u77Tov8Aj7gnI/ePEn/LVHI3bV+YEkYIr8z9Ovrnw9qhe4soppYGKS295CHGQeVZGAKkfgRTe2iNKUYuSU3Zd9z6C/4bJ/aZ/wCh7uv+/Vv/APG68Z8e/EXxr8T9dHiXx7qsusaksKQCaUKCIoySqgIFAAJJ6d6+gPBPiT4Q+KvLs9Q0Gx0rUWwPLliTy3P+xIQB+BwfrWR8efDHh3Q9E0u40bTYLGWS5ZGaGMIWXYTg468ivIp5x+/VCdNxbPv8TwBbLp5lh8VCpCO9r33StqtHrsz9EP2G9X8J33wOt9M8PKY7/TbqZdUV8bmuZTvWTjqjR7QvptI7VN+3B4o1vw18C7iHRZHg/tm+gsbmRCQRburu65HQOUCn1BI714P/AME5Wbb48TJ2/wDEvOO2f33NfoJ8QvAXh74m+D9R8E+KImksNRQAlDiSN1O5JEJzhkYAj8jwTX8Y8WTw+VcaTr105041Izd9X7yUn62b0XkkcOFUquDSjo7W/Q/m/wCnAr9XP+CePifWr/wx4q8KXkjy6bpM9tPa7iSImuQ/mIvoCUDY9cnvXll//wAE8PiAmsmDTPFGmS6UW4nmWZJwnvEqspbHo+K/Qz4KfBrw58EfBq+FdBka7mmk8+8u5AFe4nIA3YGdqqBhVycDuSSa/UfF/wASMlx2SywmEqqpUm4tWT92zTbd0rO11bfXseblOXVoVueaskev0UUV/JR9SFFFFAH5F/8ABQLwFDovj7RvH1lGEj8R2zQ3GBgG5tMAMfdo2X/vmvrj/gnD43l174Qat4NupN8vhfUT5QJ5FveL5qj6CQSfnXHf8FBNPiuPg/o+oMP3llrEQU9wssMqsPxwPyrzP/gmNqEqeNvHWlZ/dTabazkf7UU5Qfo5r+9vBfNJ4rh2h7R3cLw+Sen3JpfI+Hziko4iVuup+xNFFFfqR5YUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//1/3EooooAKKKKACiiigAooooAK+cPjd+yz8KfjnBJda9Y/2Zr+3Eeq2QVLgHt5o+7Mvs/Powr6Pr57/aW+PFp+z78PB4s+wjU9SvrhbOxtmYpG8zKzlpGHIRFUk45JwBjOQ0B+MHxz/ZJ+KvwOabVL+1GueGkPy6rZKWjRScD7RHy0J+uVz0Y18+XvibXdS0i30LULt7mztH8yFZDuKHG3AY84x26V6f8Wf2iPi18abpm8ba3I1gG3R6fbfuLKP0xEp+Yj+85Y+9eJU3BOza2NqWIqQUowk0no7dV2fc/Tr/AIJy/wDM+f8AcP8A/a1fp1X5mf8ABOa2mFt47vCP3RewjB/2gJmI/Kv0zr+CPGlp8S4q39z/ANIifZ5P/u8fn+YUUUV+WHphRRRQAUUUUAfAv/BQrWIbX4X+H9DLfvtQ1YSgf7FvC+4/m61xv/BMXSJX8SePNf2nyobOztM9t0sryY/KOvDP26PiNB4x+LMfhXTpRJZeEYDbMQcqbuUh5/8AvnCofdTX6Ff8E+/AE3hD4EJ4hvY/LuvF15JfjIwfs0YEMH4EKzD2av798H8nnguH8PCorSneb/7ed1/5LY+Fzasp15NdND7looor9LPNCiiigAooooAKK5rxf4x8MeAfD134r8Y6lFpWlWK7pZ5jhRngKAMlmY8KqgknoK+KW/4KOfAVdW+wCy1prPdt+2C1j8vH97yzL5mP+A59qLAffdFcp4K8ceE/iL4ctfFngrU4tV0q7zsmiJ4ZfvIynDK691YAiuroAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAK8J/aH+Bej/ALQHw/bwdqN42m3dtOt3Y3arv8mdVK/MmRuRlYqwBB7jkV7tRQB+MDf8EzPiiCQvi/RiOx2XIz+Gyuf8V/8ABOn4seGfC+q+IrbXNN1ibTLd7hbK1Sfz5xHyyx7lA3bckDuRgcmv2/r5b/ay+P8AqX7Pnw+ste0Cwiv9Y1i8Fnai43GCLCNI8jhSC2AMBQRknk4FVcD8Xv2cvjbefA/x/HrMwebQ9RAttTt16tDnIkUf89IjyPUZXvX7xaLrWk+I9JtNe0K7jvtOv41mgniO5JEbkEH+Y6g8Hmv5yPG3iqXxv4p1HxZc6faaZcapIZpobFGit/Nb77IjM23efmIBxknAFe2fAH9prxh8Drv+z1U6x4ZuH3z6fI+0ox6yW7nOxz3GNrdxnkfhni54UvOF9fwFlXirNbKaW2vSS6N6NaPZHt5Vmnsv3c/h/I/d6iuY8F+LtG8e+FNL8ZeH3Z9P1eBZ4t42uA3BVhzhlIIPuK6ev4tr0J0pypVFaUW00+jW6PsIyTV0FFFRT3EFpBJdXUqQwxKWeSRgqKo6lmOAAPU1mlfRDJa+bP2lvj5pnwS8GyCzlSXxTqqNHp1v1KE8G4kHZI+2fvNgDvjzP40/tt+A/A9vcaN8Onj8U69gqJUJ+wQN6tIMeaR/dTg92FflvHH8S/j78RViQT+IvE+uSYHoAP8Ax2KKMfRVFfv3hj4NYnG1oY3NabhRWqi9JT+W6j3vutFvdeFmWbxgnCk7v8ja+Cnws8Q/Hv4qWPhOB5Jft0xutTuzljFbBt08zMf4jnC56uwr+k3SdK07QdKstD0iEW1jp8MdvBEvRIolCoo+gFfP/wCzL+zpo37P/go6bEVv/EWqBJNUvlXh3UfLDFnkRR5OP7xyx64H0kUcdVI/Cv7J0WiPkBtFGCKKACilCk9Bmql/e2WlWz3uq3EVlbxjc8k7rEij1LMQAKALVVb6+stMs59R1K4jtLS2QySzTOI440XkszNgAD1NfGHxa/bw+C/w7jmsPDFyfGespkCKwbFqrf8ATS6IK4/65hz9K/Jf40/tMfFb473f2fxPf/ZdI35h0qy3R2qnPy7lyWlf3cn2A6U0gPbP25P2idC+MfijS/C3gPUHvPDPh5ZGeUApDdXrnBkTPLIiDarEDqxHBzXgi/AbxF/wol/jxJewx6cLsW62jKwmeMy+T5ob7uN/AHoCc9q92+Af7FninxzNbeJvidHLoHh7IkW1YbL27XqBtPMKHuzfMR0HevsD9suw0rw1+zLd6Bo1tHZWMFzp1tbwRDakcaSghVH0WvxziLxToLNcJlOWTUpyqRU2rNKLdnFPu+62t329jD5ZL2U6tRWSTsfPH/BNjxlrNl8TNe8BrKX0nVdOe9aIn5UuLV0VZFHqyOVPrgegr9oa/D3/AIJvW5l+OuqTgcQaHck/8CmhFfuFX7HI8cKKKKQBRRRQAUUUUAFFFFAH/9H9xKKKKACiiigAooooAKKKKACiiigAr83P+CmUBf4WeEbgDiLW2B/4FbSf4V+kdfBX/BRjS2vfgBb36jJ07WrOQ+yyJLGf1YU0B+ef7JXwK8DfHG58UWPjGW8hfSYrWS3a0lWMjzWdW3BkcH7ox0r6suv+Cd/w5kmV7PxTq0MWRuRkgcle4DbVwfcg14p/wTw1IQfEbxRpRODeaUkoHqYJ1H8pK/XCv5D8WeOs6yzPq1DCYmUYWi0tGtYq9k0+tz6zK8FRqUFKcbvU5zwh4U0bwN4Y0zwh4eiMOm6TAsEKsdzbV7se7Mckn1NdHRRX871q06k5VKjvJu7b3be7PfSSVkFfOX7VXgLxn8R/g5qPhvwKTJqHnwTvbBwhuoYiS8QJIGScMATglcelfRtFd2TZrUwOLpYykk5QkpK+qunfUitSU4uD6n88t78BPjZp2ftfgXWEx/ds5H/9ABrmZvAvxE0d/Mn8PatYuv8AEbS4jI/HYDX9IOSOhpwkkHRiPxr+gaP0ksYv4mEi/STX5pngvh6HSbP5u49e+I+lf6rUtZstvpPcxY/UVpQ/GD4s2J2weNdahI7DULgf+z1/RbIkcv8ArkWT/eAP86oy6RpE4xPYW8g/2oUb+Yr06f0lV9vA/dU/+0M3w72n+H/BP59ov2g/jlBxF8Q9dUf9hKf/AOLqz/w0d8eiMf8ACxddx/2EJv8A4qv3tk8HeEJuZtB09/8AetIT/Nag/wCEE8DZz/wjemZ/68oP/iK6l9JSh1wT/wDA1/8AIk/6uv8An/A/Am6+PHxpvVK3fj/XJQeobUrj/wCLrnmHxF8eTrC/9r+I5nPyq32i8JPsDur+iS38L+F7QhrXRrGEjulrEv8AJa11MFmm1NsK+igKPyFc1f6Sd1ajgdfOf6KBcOHO8/w/4J+Kvw1/Yk+MHjZ4rrxHAnhHTGwS9781yV/2LdTuz/vlK/ST4SfsufCn4RGLUNNsTq+tx4P9o34WSVW9Ykxsi/4CN3+0a96l1KMcRLuPqeBVq2nFxHvxgg4Ir8s4w8T89zSDjWn7Ok/sw0Xzd+Z+jdvI9fD5NTormtd92WCSTk18M/8ABQDUha/BjTdPzhr/AFiAY9RFFK5/XFfc1fmL/wAFF9eGPBPhZG5/0y+df++IkP8A6HXF4RYJ1+I8JFdG5f8AgMW/0JzWfLh5srf8EytMM3xC8aaxji10qCDPvPOG/wDaVfsnX5h/8EyfD7W/g3xt4odcfbb+2tEb1FtEXb9ZRX6eV/oDI+DCiiikAUUUUAFFFFABRRRQB//S/cSiiigAooooAKKKKACiiigAooooAK+aP2w/DreJv2bfG9nGm+SztUvkHvZypMT+Cqa+l6yte0a08R6FqXh6/GbbVLaa1kB/uToUP6GgD+fv9i3xEugftBaHFK22PWIbmwPpuljLp+boB+NfuTX841jNq3wn+JcMsylNQ8I6qN69DvspsMPx2kfQ1/RZpuo2esadaavp7iS1voY54mHIaOVQ6n8jX8ifSNylwx+HxqWk4uPzi7/lJfcfWcP1b05Q7P8AMu0UUV/OR9AFFFFAGHNfXAlYKdoBxjFMGoXI/iB/Ctp4IZDudASe9Rmztj/yzH617EMbh7JOH5HUqsLaozBqVx/sn8KX+05v7q/rV/7Ban+D9TSf2fa/3T+dV9awv8g/aU+xS/tOb+4v60h1Oc9FUfnV3+z7b0P50o0+1H8JP40fWMJ/KHPS7GU95cvwXwPbiokimmPyqW966BLW3j+6gz781PQ80hFWpQB4hL4UczNA8BAkxkjPFa2mjEBPq1Z19J5lw2Oi8flWxaJ5dug7kZP41rj6reHjzbsqtJ8iuWa/ED9tjxcvij486pZQvvt/D0EGnLg8B0HmS/8Aj7kH6V+zni/xRp/grwrq/i/VWC2mj2st1JnuI1JCj3Y4A9zX88+l2GvfFv4kW2nrmbV/F2phSev728lyx+i7ifoK/cfo55E6mNr5jJaQjyr1lq/uS/8AJj5HiCvaEaffU/df9iDwi3hL9m/w0Zo/LuNba41OTPXFxIRH/wCQ1SvrSsvRNGsfDui6f4f0xAlnplvFawqO0cKBF/QVqV/XDPlAooooAKKKKACiiigAooooA//T/cSiiigAooooAKKKKACiiigAooooAKKKKAPwj/4KAfDGTwT8bH8XWkOzTPGcIu1YD5RdxAR3C/U/K/8AwKvrz9h/4oR+NfhSvg++m3ar4RYWxUn5ms3y0D/ReY/+Aj1r6M/at+Cg+OHwkv8AQtPjDa9pRN/pbdzcRqd0OfSZMp/vbT2r8Mvgn8U9Y+CPxJs/FMcUhhiZrXUbQ/K0luxxKhB6OhG5c9GUe9fn3ifwe86ymeHpr95H3oeq6fNXXrZ9D0Mtxfsaqk9noz+hGisfw94g0fxXodj4k8PXS3um6lEs0EyHhkYcfQjoR1ByDWxX+fdSnKEnCas1o0+jPu076oKKKKgYUUUUAFFFFABRRR70AFVrq4FvGT/Efuio576KLIT529un51jM0tzLk/MzdK9TB5e5PmqaI6aVBvV7C28RnmC9up+ldLVW1thbpg8s3U15p8ZPi14f+DPgi78X64wkmAMdla5w91ckfJGvsOrn+Fcn0rZ0quOxMMNho80m7RS6tmWKxEVeTeiPjP8Ab6+LkdlpFh8HtHn/ANJvyl7qe0/cgQ5gib/fYbyPRV9a4r/gnP8ACZ/EXxA1H4ranDnT/C8Zt7RmHD31yuCR/wBcoiSfQutfEUj+NvjZ8Scqrap4l8VXoCqvQySnAA/uxov4Ki+1f0Y/Bf4WaR8Gfhto3w/0giT7BHuuZwMG4upPmmlP+83T0UAdq/0A4E4UhkuWU8DHWW8n3k936dF5JH51jsU61Rz+49Sooor645AooooAKKKKACiiigAooooA/9T9xKKKKACiiigAooooAKKKKACiiigAooooAK/Ij9u79ly4sr28+Ofw/szJZ3B8zXLSJeYpO94ij+Bv+WuOjfP0Jx+u9MkjjmjeGZBJHICrKwBVlIwQQeCCOoppgfz5/syftO6n8FdQ/wCEe8QCTUPB99JulhX5pLSRus0APUH+NP4uo+br+0fhvxN4f8Y6Ja+I/C9/Fqem3i7op4W3KfUHuGHQqcEHgivz4/ah/YPvLa4vPH/wLtPtFtIWlutDT/WRE8s1n/eX/pl1H8GR8o+Bvhr8XviT8FNcluPCd9JYsJNt3YXCkwSsvBWaFsYYdMjDD1r8Q8SvBujm8pY3AtQr9b/DP17Pz69V1Pay7N3S9yesfyP6HKQ5wcda+Ffhl+3j8N/E8cVh8QraTwrqJwGmAa4smb1DqN6fRlIH96vs/wAP+J/DfiyzXUPC+q2ur2zDIktZkmX8dhOPxr+SM+4RzLK58mOoSh5291+klo/kz6qhiqdRXg7ldp7lJCWdlbvzUq6hcr1Ib6it1kR+HUH6ioGs7Zv+WYH0rlWYUZL34Hp+3g90Zo1Kfuqn86Dqc3ZV/Wrx0+29D+dH9n23ofzp/WMJ/KPnpdjObULk9CB9BVZ5ZpjhmLe1bq2Vsv8ABn6mrCRonEagfQUf2hRh8EA9vBfCjCisZ5OWGwep/wAK2ILaO3GEGSepPWuS8Y/EbwH8PrVrzxrr1npCAZCzygSt/uxjLsfopr4H+LH7f9jDHNpPwe0xriY5X+0tQTbGv+1Fb5y3sZCB/smvoci4SznO5KODovk/m2ivWT0forvyPOxmaQgvfl8j7X+LXxk8D/Bnw82ueL7sCaQH7LZREG5unH8Ma9hnq5+Ve57V+Hnxf+L/AIx+OHjD+3/EBIUHybCxhy0dvGx+WONerOxxubGWP4AYLv8AEb40eNVU/bfFXiXVX2qoBllb2AHCIv4Ko9BX7Dfsr/sVaX8J5Lbx98SRDqvi9QHt7dcSW2nE91PSSYf3/ur/AA5PzV/XPhz4VYXIY+3qP2ldrWXReUf1e78lofGZhmkq/urSJJ+xT+yzJ8JdI/4WP48tgvi/V4dsEDjJ061cZKn0mk/j/uj5eu6vvyiiv1Q8sKKKKACiiigAooooAKKKKACiiigD/9X9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvnL40fssfCP44LJe+I9OOna4y4XVLHEVzkdPM4KSgf7YJ9CK+jaKAPwv+Jv8AwT3+Mvg55rzwS8HjLTkyVFuRBehf9qCQ4Y/7jtn0r45v9L8e/DXVtmo2upeFtSjPV1ms5c+x+Un8DX9S1UdT0vS9atWsdasoNQtm4MVxEsyEf7rgiiSUk4yV0xp2P5zPD/7Vf7QHhxUSz8ZXV1EvRLxY7sfnKrN+terad+3x8crQBb2HSb8Du9q0bH8Y5FH6V+sniP8AZO/Z08UO8upeBNPhlfkvaB7Rs+v7hkH6V5Fqf/BPP9nS+YtZwarp2f8AnjfFgPoJVevlMbwHkmId62Dpt9+VJ/ekmdUMdWjtN/efEEP/AAUP+JiDE3hfR5D6g3C/+1KfL/wUQ+JLLiLwto6H1LXDf+1BX1fP/wAE1vgw7E2/iDXYh6NLbP8A+0RUcP8AwTU+DitmfxFrkg9A9uv6+Sa8n/iFHDl7/U4/fL/M1/tXEfznxVqf7fPxwvAVsINJ04Hulq0jD8ZJGH6V474m/ae+PPipHi1TxleQQv1jtClomD2/cqhx+NfrLpf/AATw/Z2sGDXseraljtPfbAfqIUjr2Xwz+yp+zx4SdJtJ8CadJMnIku0a8fPrm4aQfpXr4DgTJMM+ahg6afflTf3u7MZ46tL4pv7z+fPw34J+IfxN1Qx+F9G1HxJfTH5nhikuDk93lOQPqzV93fCr/gnH49154dS+K+qReGrE4ZrO1K3N6w9Cw/dR/XLn2r9l7Ozs9OtlstOt47S3ThYoUWNAPZVAA/KrNfVrRWRynlXwr+Cnw1+DGknSvh/o0di0gAnun/eXdxjvLM3zH/dGFHYCvVaKKQBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/1v3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0f3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v3Eoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQB//9k=" + } + ] + } + advisories: { + title: "GitHub Commit" + url: "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" + } + advisories: { + title: "GitHub Issue" + url: "https://github.com/FasterXML/jackson-databind/issues/1931" + } + created: { + seconds: 3173618478 + nanos: 3 + } + published: { + seconds: 3173618478 + nanos: 3 + } + updated: { + seconds: 3173618478 + nanos: 3 + } + rejected: { + seconds: 3173618478 + nanos: 3 + } + credits: { + organizations: { + name: "Acme, Inc." + url: "https://example.com" + } + individuals: { + name: "Jane Doe" + email: "jane.doe@example.com" + } + } + tools: { + components: [ + { + type: CLASSIFICATION_APPLICATION, + group: "Snyk", + name: "Snyk CLI (Linux)", + version: "1.729.0", + hashes: [ + { + alg: HASH_ALG_SHA_256 + value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d" + } + ] + } + ] + services: [ + { + provider: { + name: "Acme Inc" + }, + name: "Acme BOM Analyzer", + endpoints: [ + "https://example.com/analyze" + ] + } + ] + } + analysis: { + state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED + justification: IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE + response: VULNERABILITY_RESPONSE_WILL_NOT_FIX + response: VULNERABILITY_RESPONSE_UPDATE + detail: "An optional explanation of why the application is not affected by the vulnerable component." + firstIssued: { + seconds: 1641042000 + nanos: 3 + } + lastUpdated: { + seconds: 1643720400 + nanos: 3 + } + } + affects: { + ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" + versions: { + range: "vers:semver/<2.6.7.5" + status: VULNERABILITY_AFFECTED_STATUS_AFFECTED + } + versions: { + range: "vers:semver/2.7.0|<2.8.11.1" + status: VULNERABILITY_AFFECTED_STATUS_AFFECTED + } + versions: { + range: "vers:semver/2.9.0|<2.9.5" + status: VULNERABILITY_AFFECTED_STATUS_AFFECTED + } + } + properties { + name: "Foo" + value: "Bar" + } + properties { + name: "Foo" + value: "You" + } + properties { + name: "Foo" + value: "Two" + } + properties { + name: "Bar" + value: "Foo" + } + workaround: "Describe the workarounds here" +} diff --git a/tools/src/test/resources/1.6/valid-vulnerability-1.6.xml b/tools/src/test/resources/1.6/valid-vulnerability-1.6.xml new file mode 100644 index 00000000..115b91d5 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-vulnerability-1.6.xml @@ -0,0 +1,151 @@ + + + + + com.fasterxml.jackson.core + jackson-databind + 2.9.4 + pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + + + + + SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 + + Snyk + https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 + + + + CVE-2018-7489 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + + CVE-2018-7489 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + + + + + NVD + https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0 + + 9.8 + critical + CVSSv3 + AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + An optional reason for rating the vulnerability as it was + + + + 184 + 502 + + FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. + + Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher. + Describe the workarounds here + + Precise steps to reproduce go here + Describe the environment + + /9j/4AAQSkZJRgABAQAASABIAAD/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABQKADAAQAAAABAAABQAAAAAD/wAARCAFAAUADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBQMDAwUGBQUFBQYIBgYGBgYICggICAgICAoKCgoKCgoKDAwMDAwMDg4ODg4PDw8PDw8PDw8P/9sAQwECAgIEBAQHBAQHEAsJCxAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ/90ABAAU/9oADAMBAAIRAxEAPwD9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9L9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9xKKKKACiiigAooooAKKKKACiiigAooooAKKzdY1jSfD2lXWua7eRafp9jG0s9xO4SONF6szHgCvyK+P/APwUJ1zV7i68MfAxTpmnKTG2sTJ/pU3Ym3jbIiU9mYFz1AWmkB+qvjL4ieA/h5Z/bvHPiCy0OEjK/a51jZv91CdzfgDXy3r/APwUA/Zw0WVobPUr/WWXvZ2T7D9GmMQNfitofhT4ofGXX5ptHsdR8V6rK2Zrht85BPeSaQ7V/wCBMK+nvDv7Afxk1WJZtcvtL0PdzskmeeQfUQqVz/wI185nXF+VZc+XG4mMH2b1+5Xf4HTRwlWprCLZ9xW//BSD4DSy7JtO12Bf77WsBH5LOT+leweEP2yv2cfGc0drZeL4tNuJOBHqUclmST23yKI//H6/Om4/4J2eOli3Wvi/TJJP7rwzoPzAb+VeL+NP2NPjx4Ohku00aPXrWPJL6ZKJ2x/1yYLIfwU15WX+JeQYqfs6OMhfzfL/AOlJGk8trxV3Bn9Ctpd2t/bR3thPHc28w3JLEweNwe6spII+lWK/me+G3xr+LfwN1hj4P1e50zyXxcadcBmtnI6rLbScA+4CsOxr9mP2bv2x/Bfxz8rwzrUaeHfGIX/jzd8wXeBy1q7ck9zG3zDtuGTX2+6ujiPsmiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//1f3EooooAKKKKACiiigAooooAKKKKACop54LWCS6upFhhhVnkdyFVEUZZmJ4AAGSalr88P8AgoV8aJ/BXgCz+F+hXBi1PxeGa7ZDho9OiOGX285/k91DChAfDv7Xn7Uuo/GzxHN4V8LXL2/gbSZSIUUlft8qHH2mUd1z/qlPAHzH5jx1P7NH7HM/j21tfHvxQWWy8Py4ktbBSY571ezu3WOE9sfMw5GBgnhP2PfgTB8WfGsviHxJb+b4Z8NsjzIw+W6uTzFAfVRjc49MD+Kv2w/dxR/wxxxr7Kqqo/IAD8q/nbxl8VauAm8pyyVqlvfkt432S/vNat9Fa2r0+hyjK1Ne1qbdEZWgeHtB8K6VDofhrT4NL0+3GI4LeMRoPfA6n1J5Pc1sV8+X/wC1V+z9pustoV14ytTOjbGeNJZIFYcYMyIU/EEj3r3iw1Cw1Wyg1LS7mO8tLpBJFNC4eORG5DKy5BB9q/lbM8px1C1XG0px59U5Jrm+bWp9NTqwlpBrTsW6KKK8k1PD/jD+z78OvjRp8ieI7IWurBcQanbKFuoz23HpInqr59sHmvxc+K/wl8c/AbxlHpWtFo3VvP0/UbYsiTqjZWSJxyrqcblzuU+2Cf6E68r+Mnwn0H4yeBb3wfraqkrAyWVzjL2t0o+SRT1x2cd1JHpX7D4ZeKuJyevHDYqTlhno09eTzj6dY7P1PJzLLI1k5RVpfmef/sZftQn41aA/gvxnMo8Z6JEGaQ4X+0LZcL54H/PRTgSgeoYdSB9yV/MPoWs+M/gP8U4dTgU2XiDwnfFZIySFYxNtkjb1jkXI91Oa/pQ8E+LtI8feENG8a6C++w1u1iuovVRIuSp91OVPuDX9ywqRnFTg7p6pnxTTTszqKKKKoQUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//W/cSiiigAooooAKKKKACiiigD8fP2q/21fiZo/wAStW+Hnwsvl0LTvD0xtZ7pYkkuLm4T/WYaQMERW+UBRk4yTg4r5Z/4bJ/aZ/6Hu6/79W//AMbr6u/a+/Yz8cX3jLWfi18L7U63Zau5u77Tov8Aj7gnI/ePEn/LVHI3bV+YEkYIr8z9Ovrnw9qhe4soppYGKS295CHGQeVZGAKkfgRTe2iNKUYuSU3Zd9z6C/4bJ/aZ/wCh7uv+/Vv/APG68Z8e/EXxr8T9dHiXx7qsusaksKQCaUKCIoySqgIFAAJJ6d6+gPBPiT4Q+KvLs9Q0Gx0rUWwPLliTy3P+xIQB+BwfrWR8efDHh3Q9E0u40bTYLGWS5ZGaGMIWXYTg468ivIp5x+/VCdNxbPv8TwBbLp5lh8VCpCO9r33StqtHrsz9EP2G9X8J33wOt9M8PKY7/TbqZdUV8bmuZTvWTjqjR7QvptI7VN+3B4o1vw18C7iHRZHg/tm+gsbmRCQRburu65HQOUCn1BI714P/AME5Wbb48TJ2/wDEvOO2f33NfoJ8QvAXh74m+D9R8E+KImksNRQAlDiSN1O5JEJzhkYAj8jwTX8Y8WTw+VcaTr105041Izd9X7yUn62b0XkkcOFUquDSjo7W/Q/m/wCnAr9XP+CePifWr/wx4q8KXkjy6bpM9tPa7iSImuQ/mIvoCUDY9cnvXll//wAE8PiAmsmDTPFGmS6UW4nmWZJwnvEqspbHo+K/Qz4KfBrw58EfBq+FdBka7mmk8+8u5AFe4nIA3YGdqqBhVycDuSSa/UfF/wASMlx2SywmEqqpUm4tWT92zTbd0rO11bfXseblOXVoVueaskev0UUV/JR9SFFFFAH5F/8ABQLwFDovj7RvH1lGEj8R2zQ3GBgG5tMAMfdo2X/vmvrj/gnD43l174Qat4NupN8vhfUT5QJ5FveL5qj6CQSfnXHf8FBNPiuPg/o+oMP3llrEQU9wssMqsPxwPyrzP/gmNqEqeNvHWlZ/dTabazkf7UU5Qfo5r+9vBfNJ4rh2h7R3cLw+Sen3JpfI+Hziko4iVuup+xNFFFfqR5YUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//1/3EooooAKKKKACiiigAooooAK+cPjd+yz8KfjnBJda9Y/2Zr+3Eeq2QVLgHt5o+7Mvs/Powr6Pr57/aW+PFp+z78PB4s+wjU9SvrhbOxtmYpG8zKzlpGHIRFUk45JwBjOQ0B+MHxz/ZJ+KvwOabVL+1GueGkPy6rZKWjRScD7RHy0J+uVz0Y18+XvibXdS0i30LULt7mztH8yFZDuKHG3AY84x26V6f8Wf2iPi18abpm8ba3I1gG3R6fbfuLKP0xEp+Yj+85Y+9eJU3BOza2NqWIqQUowk0no7dV2fc/Tr/AIJy/wDM+f8AcP8A/a1fp1X5mf8ABOa2mFt47vCP3RewjB/2gJmI/Kv0zr+CPGlp8S4q39z/ANIifZ5P/u8fn+YUUUV+WHphRRRQAUUUUAfAv/BQrWIbX4X+H9DLfvtQ1YSgf7FvC+4/m61xv/BMXSJX8SePNf2nyobOztM9t0sryY/KOvDP26PiNB4x+LMfhXTpRJZeEYDbMQcqbuUh5/8AvnCofdTX6Ff8E+/AE3hD4EJ4hvY/LuvF15JfjIwfs0YEMH4EKzD2av798H8nnguH8PCorSneb/7ed1/5LY+Fzasp15NdND7looor9LPNCiiigAooooAKK5rxf4x8MeAfD134r8Y6lFpWlWK7pZ5jhRngKAMlmY8KqgknoK+KW/4KOfAVdW+wCy1prPdt+2C1j8vH97yzL5mP+A59qLAffdFcp4K8ceE/iL4ctfFngrU4tV0q7zsmiJ4ZfvIynDK691YAiuroAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAK8J/aH+Bej/ALQHw/bwdqN42m3dtOt3Y3arv8mdVK/MmRuRlYqwBB7jkV7tRQB+MDf8EzPiiCQvi/RiOx2XIz+Gyuf8V/8ABOn4seGfC+q+IrbXNN1ibTLd7hbK1Sfz5xHyyx7lA3bckDuRgcmv2/r5b/ay+P8AqX7Pnw+ste0Cwiv9Y1i8Fnai43GCLCNI8jhSC2AMBQRknk4FVcD8Xv2cvjbefA/x/HrMwebQ9RAttTt16tDnIkUf89IjyPUZXvX7xaLrWk+I9JtNe0K7jvtOv41mgniO5JEbkEH+Y6g8Hmv5yPG3iqXxv4p1HxZc6faaZcapIZpobFGit/Nb77IjM23efmIBxknAFe2fAH9prxh8Drv+z1U6x4ZuH3z6fI+0ox6yW7nOxz3GNrdxnkfhni54UvOF9fwFlXirNbKaW2vSS6N6NaPZHt5Vmnsv3c/h/I/d6iuY8F+LtG8e+FNL8ZeH3Z9P1eBZ4t42uA3BVhzhlIIPuK6ev4tr0J0pypVFaUW00+jW6PsIyTV0FFFRT3EFpBJdXUqQwxKWeSRgqKo6lmOAAPU1mlfRDJa+bP2lvj5pnwS8GyCzlSXxTqqNHp1v1KE8G4kHZI+2fvNgDvjzP40/tt+A/A9vcaN8Onj8U69gqJUJ+wQN6tIMeaR/dTg92FflvHH8S/j78RViQT+IvE+uSYHoAP8Ax2KKMfRVFfv3hj4NYnG1oY3NabhRWqi9JT+W6j3vutFvdeFmWbxgnCk7v8ja+Cnws8Q/Hv4qWPhOB5Jft0xutTuzljFbBt08zMf4jnC56uwr+k3SdK07QdKstD0iEW1jp8MdvBEvRIolCoo+gFfP/wCzL+zpo37P/go6bEVv/EWqBJNUvlXh3UfLDFnkRR5OP7xyx64H0kUcdVI/Cv7J0WiPkBtFGCKKACilCk9Bmql/e2WlWz3uq3EVlbxjc8k7rEij1LMQAKALVVb6+stMs59R1K4jtLS2QySzTOI440XkszNgAD1NfGHxa/bw+C/w7jmsPDFyfGespkCKwbFqrf8ATS6IK4/65hz9K/Jf40/tMfFb473f2fxPf/ZdI35h0qy3R2qnPy7lyWlf3cn2A6U0gPbP25P2idC+MfijS/C3gPUHvPDPh5ZGeUApDdXrnBkTPLIiDarEDqxHBzXgi/AbxF/wol/jxJewx6cLsW62jKwmeMy+T5ob7uN/AHoCc9q92+Af7FninxzNbeJvidHLoHh7IkW1YbL27XqBtPMKHuzfMR0HevsD9suw0rw1+zLd6Bo1tHZWMFzp1tbwRDakcaSghVH0WvxziLxToLNcJlOWTUpyqRU2rNKLdnFPu+62t329jD5ZL2U6tRWSTsfPH/BNjxlrNl8TNe8BrKX0nVdOe9aIn5UuLV0VZFHqyOVPrgegr9oa/D3/AIJvW5l+OuqTgcQaHck/8CmhFfuFX7HI8cKKKKQBRRRQAUUUUAFFFFAH/9H9xKKKKACiiigAooooAKKKKACiiigAr83P+CmUBf4WeEbgDiLW2B/4FbSf4V+kdfBX/BRjS2vfgBb36jJ07WrOQ+yyJLGf1YU0B+ef7JXwK8DfHG58UWPjGW8hfSYrWS3a0lWMjzWdW3BkcH7ox0r6suv+Cd/w5kmV7PxTq0MWRuRkgcle4DbVwfcg14p/wTw1IQfEbxRpRODeaUkoHqYJ1H8pK/XCv5D8WeOs6yzPq1DCYmUYWi0tGtYq9k0+tz6zK8FRqUFKcbvU5zwh4U0bwN4Y0zwh4eiMOm6TAsEKsdzbV7se7Mckn1NdHRRX871q06k5VKjvJu7b3be7PfSSVkFfOX7VXgLxn8R/g5qPhvwKTJqHnwTvbBwhuoYiS8QJIGScMATglcelfRtFd2TZrUwOLpYykk5QkpK+qunfUitSU4uD6n88t78BPjZp2ftfgXWEx/ds5H/9ABrmZvAvxE0d/Mn8PatYuv8AEbS4jI/HYDX9IOSOhpwkkHRiPxr+gaP0ksYv4mEi/STX5pngvh6HSbP5u49e+I+lf6rUtZstvpPcxY/UVpQ/GD4s2J2weNdahI7DULgf+z1/RbIkcv8ArkWT/eAP86oy6RpE4xPYW8g/2oUb+Yr06f0lV9vA/dU/+0M3w72n+H/BP59ov2g/jlBxF8Q9dUf9hKf/AOLqz/w0d8eiMf8ACxddx/2EJv8A4qv3tk8HeEJuZtB09/8AetIT/Nag/wCEE8DZz/wjemZ/68oP/iK6l9JSh1wT/wDA1/8AIk/6uv8An/A/Am6+PHxpvVK3fj/XJQeobUrj/wCLrnmHxF8eTrC/9r+I5nPyq32i8JPsDur+iS38L+F7QhrXRrGEjulrEv8AJa11MFmm1NsK+igKPyFc1f6Sd1ajgdfOf6KBcOHO8/w/4J+Kvw1/Yk+MHjZ4rrxHAnhHTGwS9781yV/2LdTuz/vlK/ST4SfsufCn4RGLUNNsTq+tx4P9o34WSVW9Ykxsi/4CN3+0a96l1KMcRLuPqeBVq2nFxHvxgg4Ir8s4w8T89zSDjWn7Ok/sw0Xzd+Z+jdvI9fD5NTormtd92WCSTk18M/8ABQDUha/BjTdPzhr/AFiAY9RFFK5/XFfc1fmL/wAFF9eGPBPhZG5/0y+df++IkP8A6HXF4RYJ1+I8JFdG5f8AgMW/0JzWfLh5srf8EytMM3xC8aaxji10qCDPvPOG/wDaVfsnX5h/8EyfD7W/g3xt4odcfbb+2tEb1FtEXb9ZRX6eV/oDI+DCiiikAUUUUAFFFFABRRRQB//S/cSiiigAooooAKKKKACiiigAooooAK+aP2w/DreJv2bfG9nGm+SztUvkHvZypMT+Cqa+l6yte0a08R6FqXh6/GbbVLaa1kB/uToUP6GgD+fv9i3xEugftBaHFK22PWIbmwPpuljLp+boB+NfuTX841jNq3wn+JcMsylNQ8I6qN69DvspsMPx2kfQ1/RZpuo2esadaavp7iS1voY54mHIaOVQ6n8jX8ifSNylwx+HxqWk4uPzi7/lJfcfWcP1b05Q7P8AMu0UUV/OR9AFFFFAGHNfXAlYKdoBxjFMGoXI/iB/Ctp4IZDudASe9Rmztj/yzH617EMbh7JOH5HUqsLaozBqVx/sn8KX+05v7q/rV/7Ban+D9TSf2fa/3T+dV9awv8g/aU+xS/tOb+4v60h1Oc9FUfnV3+z7b0P50o0+1H8JP40fWMJ/KHPS7GU95cvwXwPbiokimmPyqW966BLW3j+6gz781PQ80hFWpQB4hL4UczNA8BAkxkjPFa2mjEBPq1Z19J5lw2Oi8flWxaJ5dug7kZP41rj6reHjzbsqtJ8iuWa/ED9tjxcvij486pZQvvt/D0EGnLg8B0HmS/8Aj7kH6V+zni/xRp/grwrq/i/VWC2mj2st1JnuI1JCj3Y4A9zX88+l2GvfFv4kW2nrmbV/F2phSev728lyx+i7ifoK/cfo55E6mNr5jJaQjyr1lq/uS/8AJj5HiCvaEaffU/df9iDwi3hL9m/w0Zo/LuNba41OTPXFxIRH/wCQ1SvrSsvRNGsfDui6f4f0xAlnplvFawqO0cKBF/QVqV/XDPlAooooAKKKKACiiigAooooA//T/cSiiigAooooAKKKKACiiigAooooAKKKKAPwj/4KAfDGTwT8bH8XWkOzTPGcIu1YD5RdxAR3C/U/K/8AwKvrz9h/4oR+NfhSvg++m3ar4RYWxUn5ms3y0D/ReY/+Aj1r6M/at+Cg+OHwkv8AQtPjDa9pRN/pbdzcRqd0OfSZMp/vbT2r8Mvgn8U9Y+CPxJs/FMcUhhiZrXUbQ/K0luxxKhB6OhG5c9GUe9fn3ifwe86ymeHpr95H3oeq6fNXXrZ9D0Mtxfsaqk9noz+hGisfw94g0fxXodj4k8PXS3um6lEs0EyHhkYcfQjoR1ByDWxX+fdSnKEnCas1o0+jPu076oKKKKgYUUUUAFFFFABRRR70AFVrq4FvGT/Efuio576KLIT529un51jM0tzLk/MzdK9TB5e5PmqaI6aVBvV7C28RnmC9up+ldLVW1thbpg8s3U15p8ZPi14f+DPgi78X64wkmAMdla5w91ckfJGvsOrn+Fcn0rZ0quOxMMNho80m7RS6tmWKxEVeTeiPjP8Ab6+LkdlpFh8HtHn/ANJvyl7qe0/cgQ5gib/fYbyPRV9a4r/gnP8ACZ/EXxA1H4ranDnT/C8Zt7RmHD31yuCR/wBcoiSfQutfEUj+NvjZ8Scqrap4l8VXoCqvQySnAA/uxov4Ki+1f0Y/Bf4WaR8Gfhto3w/0giT7BHuuZwMG4upPmmlP+83T0UAdq/0A4E4UhkuWU8DHWW8n3k936dF5JH51jsU61Rz+49Sooor645AooooAKKKKACiiigAooooA/9T9xKKKKACiiigAooooAKKKKACiiigAooooAK/Ij9u79ly4sr28+Ofw/szJZ3B8zXLSJeYpO94ij+Bv+WuOjfP0Jx+u9MkjjmjeGZBJHICrKwBVlIwQQeCCOoppgfz5/syftO6n8FdQ/wCEe8QCTUPB99JulhX5pLSRus0APUH+NP4uo+br+0fhvxN4f8Y6Ja+I/C9/Fqem3i7op4W3KfUHuGHQqcEHgivz4/ah/YPvLa4vPH/wLtPtFtIWlutDT/WRE8s1n/eX/pl1H8GR8o+Bvhr8XviT8FNcluPCd9JYsJNt3YXCkwSsvBWaFsYYdMjDD1r8Q8SvBujm8pY3AtQr9b/DP17Pz69V1Pay7N3S9yesfyP6HKQ5wcda+Ffhl+3j8N/E8cVh8QraTwrqJwGmAa4smb1DqN6fRlIH96vs/wAP+J/DfiyzXUPC+q2ur2zDIktZkmX8dhOPxr+SM+4RzLK58mOoSh5291+klo/kz6qhiqdRXg7ldp7lJCWdlbvzUq6hcr1Ib6it1kR+HUH6ioGs7Zv+WYH0rlWYUZL34Hp+3g90Zo1Kfuqn86Dqc3ZV/Wrx0+29D+dH9n23ofzp/WMJ/KPnpdjObULk9CB9BVZ5ZpjhmLe1bq2Vsv8ABn6mrCRonEagfQUf2hRh8EA9vBfCjCisZ5OWGwep/wAK2ILaO3GEGSepPWuS8Y/EbwH8PrVrzxrr1npCAZCzygSt/uxjLsfopr4H+LH7f9jDHNpPwe0xriY5X+0tQTbGv+1Fb5y3sZCB/smvoci4SznO5KODovk/m2ivWT0forvyPOxmaQgvfl8j7X+LXxk8D/Bnw82ueL7sCaQH7LZREG5unH8Ma9hnq5+Ve57V+Hnxf+L/AIx+OHjD+3/EBIUHybCxhy0dvGx+WONerOxxubGWP4AYLv8AEb40eNVU/bfFXiXVX2qoBllb2AHCIv4Ko9BX7Dfsr/sVaX8J5Lbx98SRDqvi9QHt7dcSW2nE91PSSYf3/ur/AA5PzV/XPhz4VYXIY+3qP2ldrWXReUf1e78lofGZhmkq/urSJJ+xT+yzJ8JdI/4WP48tgvi/V4dsEDjJ061cZKn0mk/j/uj5eu6vvyiiv1Q8sKKKKACiiigAooooAKKKKACiiigD/9X9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvnL40fssfCP44LJe+I9OOna4y4XVLHEVzkdPM4KSgf7YJ9CK+jaKAPwv+Jv8AwT3+Mvg55rzwS8HjLTkyVFuRBehf9qCQ4Y/7jtn0r45v9L8e/DXVtmo2upeFtSjPV1ms5c+x+Un8DX9S1UdT0vS9atWsdasoNQtm4MVxEsyEf7rgiiSUk4yV0xp2P5zPD/7Vf7QHhxUSz8ZXV1EvRLxY7sfnKrN+terad+3x8crQBb2HSb8Du9q0bH8Y5FH6V+sniP8AZO/Z08UO8upeBNPhlfkvaB7Rs+v7hkH6V5Fqf/BPP9nS+YtZwarp2f8AnjfFgPoJVevlMbwHkmId62Dpt9+VJ/ekmdUMdWjtN/efEEP/AAUP+JiDE3hfR5D6g3C/+1KfL/wUQ+JLLiLwto6H1LXDf+1BX1fP/wAE1vgw7E2/iDXYh6NLbP8A+0RUcP8AwTU+DitmfxFrkg9A9uv6+Sa8n/iFHDl7/U4/fL/M1/tXEfznxVqf7fPxwvAVsINJ04Hulq0jD8ZJGH6V474m/ae+PPipHi1TxleQQv1jtClomD2/cqhx+NfrLpf/AATw/Z2sGDXseraljtPfbAfqIUjr2Xwz+yp+zx4SdJtJ8CadJMnIku0a8fPrm4aQfpXr4DgTJMM+ahg6afflTf3u7MZ46tL4pv7z+fPw34J+IfxN1Qx+F9G1HxJfTH5nhikuDk93lOQPqzV93fCr/gnH49154dS+K+qReGrE4ZrO1K3N6w9Cw/dR/XLn2r9l7Ozs9OtlstOt47S3ThYoUWNAPZVAA/KrNfVrRWRynlXwr+Cnw1+DGknSvh/o0di0gAnun/eXdxjvLM3zH/dGFHYCvVaKKQBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/1v3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0f3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v3Eoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQB//9k= + + + + + GitHub Commit + https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 + + + GitHub Issue + https://github.com/FasterXML/jackson-databind/issues/1931 + + + 2021-01-01T00:00:00.000Z + 2021-01-01T00:00:00.000Z + 2021-01-01T00:00:00.000Z + 2022-01-01T00:00:00.000Z + + + + Acme, Inc. + https://example.com + + + + + Jane Doe + jane.doe@example.com + + + + + + + Snyk + Snyk CLI (Linux) + 1.729.0 + + 2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d + + + + + + + Acme Inf + + Acme BOM Analyzer + + https://example.com/analyze + + + + + + not_affected + code_not_reachable + + will_not_fix + update + + An optional explanation of why the application is not affected by the vulnerable component. + 2022-01-01T00:00:00.000Z + 2022-02-01T00:00:00.000Z + + + + pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + + + vers:semver/<2.6.7.5 + affected + + + vers:semver/2.7.0|<2.8.11.1 + affected + + + vers:semver/2.9.0|<2.9.5 + affected + + + + + + Bar + You + Two + Foo + + + + diff --git a/tools/src/test/resources/1.6/valid-xml-signature-1.6.xml b/tools/src/test/resources/1.6/valid-xml-signature-1.6.xml new file mode 100644 index 00000000..930c06ac --- /dev/null +++ b/tools/src/test/resources/1.6/valid-xml-signature-1.6.xml @@ -0,0 +1,177 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + jdoe@example.com + + + 2018-11-07T22:01:45Z + John Doe + jdoe@example.com + + Initial commit + + + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + + Apache-2.0 + blah + fdaf + + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Apache-2.0 + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + + + + + + + + + + PrB8/rofGs34XwIX5OIdYSjV2aKSe5VaztJKBvsgjIk= + + + + ePGNg30Zl9CW7RZdcRn8gFCp1AlWncjudA9pQDXyqZOvyj9RC2YtkI688WdfDOdVRZs6mflJFXr7 + IKA9wY6jVrEqZmlef55Qp/8iGwOjOjWbwYsm2AhrdkUi9gaFSWEd8uITYHOpWbiPFSsnimiK9+ft + 56dkg/oJMLdXzlaukzq9iGkRcafRkW433OQcZIXwD2K8lg4cdD0pNNNqBa+PgIvzbxA5H84TyQDB + HBcQiw/j1edRBJgPOwlqzZDUawOJaFhAPUQ+GGKMetIJH2FqqrHXGuV1NIwnbWTCg40RdOcBdCrl + PDtDVjFh34uZ4dYBpJBIlM4daD2N4B6WPB5iHRyuZTczF2q03ObabuTgkpK6EeadFVqFNsEOOPPt + MDDyda+Lwff5KjvUHvRRtUDIOm2rNIQKzaseulwYcA9UWQHAFcupJmWcLLM4zzY7F/uOdZuSurzh + U6h5kdb76Juepof6ee4Q5YpwNOGNL5JfB4C3sc/Dbbv8dZ8OuXFYSZN7reUGZzCNksByqERPEbAe + n1ldJu1HnRXRQpwaon8Asy9CuNmPfFCfDwOs2B4p4tb+tLNIKFHdRlpd19Zr9vCMCbltXeqq0Cpq + OejSyLYGqSWzzzUh449dJrg6KTevrTNEln5GAlLBFSdjM5JA7KV2u/GyDVFwSEW7UKooGN4CtgU= + + + + CN=bomsigner,OU=development,O=cyclonedx + + MIIE+DCCAuCgAwIBAgIEXGzayTANBgkqhkiG9w0BAQsFADA+MRIwEAYDVQQKDAljeWNsb25lZHgx + FDASBgNVBAsMC2RldmVsb3BtZW50MRIwEAYDVQQDDAlib21zaWduZXIwHhcNMTkwMjIwMDQ0MjQ5 + WhcNNDkwMjIwMDQ0MjQ5WjA+MRIwEAYDVQQKDAljeWNsb25lZHgxFDASBgNVBAsMC2RldmVsb3Bt + ZW50MRIwEAYDVQQDDAlib21zaWduZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCo + 5JZsM4ZLfWW/dpRlU6CpnItWspddF+bEVDETKVwVj9tGpqR5jURgKS/BOQP2TGUsR3/ZJJBhYRll + ONhrUQrVKV/I6wp3Z40qPEa1RJLE+QlG9iL8qBV52CnXkLmnUSax3dspSzmSct5vDiTnvpHG9jr0 + AKFeTjy7U9rv8GJybz0ijwlpBoO9JRdYPX2PrrzoSeJLoxKq+GwuyCZ5LhXRN0p1a+NAirTAmY+c + G1ZTLkMmfeCUy1t6H/bG4RnYOSSPOvk7Rb68lQpUqb+pbbNuB2o/b9cDwtLLCtGVlu+5Wj8mrytY + 3FGFQM20j3yVeRInmGqTTDBelQa/CO4JKqBlmaeYEIvNYbFs9+AlqadivwDO51RpdPo9fPSpsBpy + ZMv6S2bXNuUML+Rk99WyKJTPM0PTZhRLZ64ZXEhlz3kQWVoSlrcwwim6sj6LRUb5IRqA3lxRFUI6 + NXKyiQLamQp+t3/9OGW9L1rLCcw7yFo0s8LhMTPMiv4ol9/hQViT+8ICzDsr0OM9ZiF4/UagFRlt + IClV70cjh1DpsZjzQIRVGaj8uQ/JdtfRz4E43Ki7U0a2Vpho/t6poLVndv46tkX5nYGtMW4WfMoD + ZflQ9pajvvKtr2jB1wob6nsU+VTmAcWZy4BCPH+XyfDw/0SFBdUceJJJtPWIeYFDUY7onptf+wID + AQABMA0GCSqGSIb3DQEBCwUAA4ICAQCOVariNgK+9OF/5T9ZaSvZbkk45RTmzgQNXtFc5xfRvqwP + s+pu/DFXm1R+ltjyS5j3w6NBZUFUI5MqLQr6JEEDrbu8BvfBO57wJNAEATj1JIHEfDfh7BxnBF8f + oYFOwbrh4jOt0wz0FW2obsSVmF4GSvS7tTlWqTcsxjdZVmwP40RWu18B9jzv7M61adrWD3ksDA5O + amSOsZi3Nt0aacDkyGRdCIEFi0fplxQInXMtD1z3RhXu2JSTAIr54Cei49Bh71kAXSWHMCog/f8a + lSrZyqZBty/ACfU9DqlPIM+giHePKm4z2bcdpUdKZk6wcKDn4CvuBOqsMBMg7L05UEyyqTPD/4dk + 2GwJ8Nv0E5gsYHCIXF2cZ3OUVsw0mB/ozleEJVDE02uZZN/1wW1Xq028LsMdgN0Wk1WvWyF5MEdh + nPWuhqp6tNaDI/kK6XQF+LjYJUzua3AQFOHfYNLKhO6d+bJ4rr0833v4v3cLW34kbXkKb6U3Yv8X + SK3jBGCACiPgnc0N6awkh1kDlrZQ7GMsl14c+2+vpl9Lf0sL0mRUIyICfSC8MjlsP/BZH3emyfsk + iWivPALomycKqP+PSkt1WaWApGENZWk1wNN99FYSYlt6LViW2p6T97fRx4jPRlHu+wecfD2k9RP4 + bt5W2HWfOP0zNAS7SnAVLEl2QZxXKw== + + + + + + qOSWbDOGS31lv3aUZVOgqZyLVrKXXRfmxFQxEylcFY/bRqakeY1EYCkvwTkD9kxlLEd/2SSQYWEZ + ZTjYa1EK1SlfyOsKd2eNKjxGtUSSxPkJRvYi/KgVedgp15C5p1Emsd3bKUs5knLebw4k576RxvY6 + 9AChXk48u1Pa7/Bicm89Io8JaQaDvSUXWD19j6686EniS6MSqvhsLsgmeS4V0TdKdWvjQIq0wJmP + nBtWUy5DJn3glMtbeh/2xuEZ2Dkkjzr5O0W+vJUKVKm/qW2zbgdqP2/XA8LSywrRlZbvuVo/Jq8r + WNxRhUDNtI98lXkSJ5hqk0wwXpUGvwjuCSqgZZmnmBCLzWGxbPfgJamnYr8AzudUaXT6PXz0qbAa + cmTL+ktm1zblDC/kZPfVsiiUzzND02YUS2euGVxIZc95EFlaEpa3MMIpurI+i0VG+SEagN5cURVC + OjVysokC2pkKfrd//ThlvS9aywnMO8haNLPC4TEzzIr+KJff4UFYk/vCAsw7K9DjPWYheP1GoBUZ + bSApVe9HI4dQ6bGY80CEVRmo/LkPyXbX0c+BONyou1NGtlaYaP7eqaC1Z3b+OrZF+Z2BrTFuFnzK + A2X5UPaWo77yra9owdcKG+p7FPlU5gHFmcuAQjx/l8nw8P9EhQXVHHiSSbT1iHmBQ1GO6J6bX/s= + + AQAB + + + + From de4193c331e4f688df28eaa5848483c39f8dfb88 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 11 Jul 2023 14:23:10 -0500 Subject: [PATCH 002/217] Initial checkin of 1.6 attestation support Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 446 +++++++++++++++++++++++++++++++++++++ 1 file changed, 446 insertions(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 726fbf03..3243832d 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -105,6 +105,452 @@ "title": "Formulation", "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." }, + "declarations": { + "type": "object", + "title": "Declarations", + "description": "", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "", + "items": { + "type": "object", + "title": "Standard", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the standard" + }, + "version": { + "type": "string", + "title": "Version", + "description": "A version of the standard" + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The requirements that make up the standard", + "items": { + "type": "object", + "title": "Requirement", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific requirement" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement" + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement" + }, + "opencre": { + "type": "string", + "format": "iri-reference", + "title": "OWASP OpenCRE", + "description": "URL to the Common Requirements Enumeration" + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "", + "items": { + "type": "object", + "title": "Level", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "assessors": { + "type": "array", + "title": "Assessors", + "description": "", + "items": { + "type": "object", + "title": "Assessor", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "type": { + "type": "string", + "enum": [ + "self", + "purchaser", + "independent" + ], + "title": "Type", + "description": "" + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "" + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "", + "items": { + "additionalProperties": false, + "properties": { + "targets": { + "type": "array", + "title": "Targets", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "assessor": { + "$ref": "#/definitions/refLinkType", + "title": "Assessor", + "description": "" + }, + "map": { + "type": "array", + "title": "Map", + "description": "", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/definitions/refLinkType", + "title": "Requirement", + "description": "" + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterClaims": { + "type": "array", + "title": "Claims", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "conformance": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Conformance", + "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." + }, + "mitigationStrategy": { + "type": "array", + "title": "Mitigation Strategy", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the attestation from 0 - 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "" + } + } + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "", + "items": { + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "target": { + "$ref": "#/definitions/refLinkType", + "title": "Target", + "description": "" + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "" + }, + "mitigationStrategy": { + "type": "array", + "title": "Mitigation Strategy", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "" + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "", + "items": { + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "type": { + "type": "string", + "title": "Type", + "description": "TODO - make this extensible - see valid-attestations-1.6.json for notes" + }, + "description": { + "type": "string", + "title": "Description", + "description": "" + }, + "data": { + "type": "string", + "title": "Description", + "description": "", + "additionalProperties": false, + "properties": { + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "" + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "" + }, + "author": { + "$ref": "#/definitions/organizationalContact", + "title": "Author", + "description": "" + }, + "reviewer": { + "$ref": "#/definitions/organizationalContact", + "title": "Reviewer", + "description": "" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, + "contacts": { + "type": "array", + "title": "Contacts", + "description": "", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "components": { + "type": "array", + "title": "Components", + "description": "", + "items": {"$ref": "#/definitions/component"} + }, + "services": { + "type": "array", + "title": "Services", + "description": "", + "items": {"$ref": "#/definitions/service"} + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "additionalProperties": false, + "properties": { + "text": { + + } + } + } + } + }, "properties": { "type": "array", "title": "Properties", From 2a62ac30517304a6cd877676f996b609a019cbdc Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Tue, 1 Aug 2023 14:57:35 -0500 Subject: [PATCH 003/217] Updates at the end of todays call --- schema/bom-1.6.schema.json | 40 +++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3243832d..8e946f51 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -289,11 +289,10 @@ "items": { "additionalProperties": false, "properties": { - "targets": { - "type": "array", - "title": "Targets", - "description": "", - "items": { "$ref": "#/definitions/refLinkType" } + "summary": { + "type": "string", + "title": "Summary", + "description": "" }, "assessor": { "$ref": "#/definitions/refLinkType", @@ -326,17 +325,30 @@ "items": { "$ref": "#/definitions/refLinkType" } }, "conformance": { - "type": "number", - "minimum": 0, - "maximum": 1, + "type": "object", "title": "Conformance", - "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." - }, - "mitigationStrategy": { - "type": "array", - "title": "Mitigation Strategy", "description": "", - "items": { "$ref": "#/definitions/refLinkType" } + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "" + }, + "mitigationStrategy": { + "type": "array", + "title": "Mitigation Strategy", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + } + } }, "confidence": { "type": "object", From 4a64108e1b1e6e0fe8fa8132cb8bf69582398507 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 16:44:57 -0500 Subject: [PATCH 004/217] Moved standards out from declarations into definitions. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 287 +++++++++++++++++++------------------ 1 file changed, 149 insertions(+), 138 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3243832d..2091e048 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -111,144 +111,6 @@ "description": "", "additionalProperties": false, "properties": { - "standards": { - "type": "array", - "title": "Standards", - "description": "", - "items": { - "type": "object", - "title": "Standard", - "description": "", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the standard" - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the standard" - }, - "version": { - "type": "string", - "title": "Version", - "description": "A version of the standard" - }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard" - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The requirements that make up the standard", - "items": { - "type": "object", - "title": "Requirement", - "description": "", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific requirement" - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the requirement" - }, - "text": { - "type": "string", - "title": "Text", - "description": "The textual content of the requirement" - }, - "opencre": { - "type": "string", - "format": "iri-reference", - "title": "OWASP OpenCRE", - "description": "URL to the Common Requirements Enumeration" - }, - "parent": { - "$ref": "#/definitions/refLinkType", - "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - } - } - } - }, - "levels": { - "type": "array", - "title": "Levels", - "description": "", - "items": { - "type": "object", - "title": "Level", - "description": "", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level" - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the level" - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the level" - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "", - "items": { "$ref": "#/definitions/refLinkType" } - } - } - } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - } - }, "assessors": { "type": "array", "title": "Assessors", @@ -551,6 +413,22 @@ } } }, + "definitions": { + "type": "object", + "title": "Definitions", + "description": "", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "Defines standards which may consist of regulations, industry or organizational-specific standards, maturity models, and best practices which can be evaluated against or attested to.", + "items": { + "$ref": "#/definitions/standard" + } + } + } + }, "properties": { "type": "array", "title": "Properties", @@ -4236,6 +4114,139 @@ } } }, + "standard": { + "type": "object", + "title": "Standard", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the standard" + }, + "version": { + "type": "string", + "title": "Version", + "description": "A version of the standard" + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The requirements that make up the standard", + "items": { + "type": "object", + "title": "Requirement", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific requirement" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement" + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement" + }, + "opencre": { + "type": "string", + "format": "iri-reference", + "title": "OWASP OpenCRE", + "description": "URL to the Common Requirements Enumeration" + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "", + "items": { + "type": "object", + "title": "Level", + "description": "", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level" + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level" + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, "signature": { "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", From 53ff77d2c6146897ea14500a0a9f3446571a5ff6 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 19:58:48 -0500 Subject: [PATCH 005/217] Removing invalid types Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e3042202..1e94f62f 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1723,7 +1723,6 @@ ] }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" }, @@ -3026,7 +3025,6 @@ "type": "string" }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" } From f73a14a12dd4b91a7c79c1ef6a4690a7d37561c6 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 20:01:56 -0500 Subject: [PATCH 006/217] adding missing type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 1e94f62f..2c733040 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -149,6 +149,7 @@ "title": "Attestations", "description": "", "items": { + "type": "object", "additionalProperties": false, "properties": { "summary": { From e70a6e38f4c8309327aa9807547ce96bf376311d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 20:55:58 -0500 Subject: [PATCH 007/217] Added missing type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 2c733040..54184306 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -249,6 +249,7 @@ "title": "Claims", "description": "", "items": { + "type": "object", "additionalProperties": false, "properties": { "bom-ref": { From 8f86882b49b8eb5f295e103319d4f44150766090 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 21:28:18 -0500 Subject: [PATCH 008/217] Added missing type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 54184306..5bad4307 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -309,6 +309,7 @@ "title": "Evidence", "description": "", "items": { + "type": "object", "additionalProperties": false, "properties": { "bom-ref": { From 52506bbff0b526eb658db8c21879f50ed1f89353 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 28 Aug 2023 23:05:03 -0500 Subject: [PATCH 009/217] Correcting object type Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 5bad4307..103f673e 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -328,7 +328,7 @@ "description": "" }, "data": { - "type": "string", + "type": "object", "title": "Description", "description": "", "additionalProperties": false, From fe7512f7117b2f97321501d1195aa6717b65eaf8 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 8 Sep 2023 02:30:22 +0200 Subject: [PATCH 010/217] fix #288 Signed-off-by: Jan Kowalleck --- schema/bom-1.6.xsd | 4 ++-- ...nvalid-license-missing-id-and-name-1.6.json | 18 ++++++++++++++++++ ...d-license-missing-id-and-name-1.6.textproto | 12 ++++++++++++ ...invalid-license-missing-id-and-name-1.6.xml | 13 +++++++++++++ 4 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.textproto create mode 100644 tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.xml diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 1cc87910..d7f903eb 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -641,12 +641,12 @@ limitations under the License. - + A valid SPDX license ID - + If SPDX does not define the license used, this field may be used to provide the license name diff --git a/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.json b/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.json new file mode 100644 index 00000000..65b72d31 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.json @@ -0,0 +1,18 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "name": "license-with-no-id-nor-name", + "version": "23", + "description": "testcase for issue#288", + "licenses": [ + { + "license": {} + } + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.textproto b/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.textproto new file mode 100644 index 00000000..14f6a657 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.textproto @@ -0,0 +1,12 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + name: "license-with-no-id-nor-name" + version: "23" + description: "testcase for issue#288" + licenses { + license {} + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.xml b/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.xml new file mode 100644 index 00000000..34fff4ec --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-license-missing-id-and-name-1.6.xml @@ -0,0 +1,13 @@ + + + + + license-with-no-id-nor-name + 23 + testcase for issue#288 + + + + + + \ No newline at end of file From d614c0f2e11514ba264dcf3a00f21ec46cb1bbc5 Mon Sep 17 00:00:00 2001 From: tokcum <47994370+tokcum@users.noreply.github.com> Date: Mon, 11 Sep 2023 14:06:01 +0200 Subject: [PATCH 011/217] Fix test data inconsistency regarding dependency tree in `valid-service` (#295) Fixes an inconsistency in test data of valid-service. First experienced in valid-service-1.4.json, other files (other versions and filetypes) showed the same deviation. The fix was derived from working test data of valid-service. closes #294 Signed-off-by: tokcum --- tools/src/test/resources/1.2/valid-service-1.2.json | 2 +- tools/src/test/resources/1.3/valid-service-1.3.json | 2 +- tools/src/test/resources/1.3/valid-service-1.3.textproto | 2 +- tools/src/test/resources/1.4/valid-service-1.4.json | 2 +- tools/src/test/resources/1.4/valid-service-1.4.textproto | 2 +- tools/src/test/resources/1.5/valid-service-1.5.json | 2 +- tools/src/test/resources/1.5/valid-service-1.5.textproto | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/src/test/resources/1.2/valid-service-1.2.json b/tools/src/test/resources/1.2/valid-service-1.2.json index 5228ffe5..2b75c68b 100644 --- a/tools/src/test/resources/1.2/valid-service-1.2.json +++ b/tools/src/test/resources/1.2/valid-service-1.2.json @@ -5,7 +5,7 @@ "version": 1, "components": [ { - "bom-ref": "pkg:npm/acme/component@1.0.0", + "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", "type": "library", "publisher": "Acme Inc", "group": "com.acme", diff --git a/tools/src/test/resources/1.3/valid-service-1.3.json b/tools/src/test/resources/1.3/valid-service-1.3.json index 519f3236..1a627c4c 100644 --- a/tools/src/test/resources/1.3/valid-service-1.3.json +++ b/tools/src/test/resources/1.3/valid-service-1.3.json @@ -5,7 +5,7 @@ "version": 1, "components": [ { - "bom-ref": "pkg:npm/acme/component@1.0.0", + "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", "type": "library", "publisher": "Acme Inc", "group": "com.acme", diff --git a/tools/src/test/resources/1.3/valid-service-1.3.textproto b/tools/src/test/resources/1.3/valid-service-1.3.textproto index 604ad2ce..1a0083fd 100644 --- a/tools/src/test/resources/1.3/valid-service-1.3.textproto +++ b/tools/src/test/resources/1.3/valid-service-1.3.textproto @@ -3,7 +3,7 @@ version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" components { type: CLASSIFICATION_LIBRARY - bom_ref: "pkg:npm/acme/component@1.0.0" + bom_ref: "pkg:maven/com.acme/stock-java-client@1.0.12" publisher: "Acme Inc" group: "com.acme" name: "stock-java-client" diff --git a/tools/src/test/resources/1.4/valid-service-1.4.json b/tools/src/test/resources/1.4/valid-service-1.4.json index db7c1555..2b23fce2 100644 --- a/tools/src/test/resources/1.4/valid-service-1.4.json +++ b/tools/src/test/resources/1.4/valid-service-1.4.json @@ -5,7 +5,7 @@ "version": 1, "components": [ { - "bom-ref": "pkg:npm/acme/component@1.0.0", + "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", "type": "library", "publisher": "Acme Inc", "group": "com.acme", diff --git a/tools/src/test/resources/1.4/valid-service-1.4.textproto b/tools/src/test/resources/1.4/valid-service-1.4.textproto index 87471dc6..18cb8b7f 100644 --- a/tools/src/test/resources/1.4/valid-service-1.4.textproto +++ b/tools/src/test/resources/1.4/valid-service-1.4.textproto @@ -3,7 +3,7 @@ version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" components { type: CLASSIFICATION_LIBRARY - bom_ref: "pkg:npm/acme/component@1.0.0" + bom_ref: "pkg:maven/com.acme/stock-java-client@1.0.12" publisher: "Acme Inc" group: "com.acme" name: "stock-java-client" diff --git a/tools/src/test/resources/1.5/valid-service-1.5.json b/tools/src/test/resources/1.5/valid-service-1.5.json index c799e9c0..d59cf884 100644 --- a/tools/src/test/resources/1.5/valid-service-1.5.json +++ b/tools/src/test/resources/1.5/valid-service-1.5.json @@ -5,7 +5,7 @@ "version": 1, "components": [ { - "bom-ref": "pkg:npm/acme/component@1.0.0", + "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", "type": "library", "publisher": "Acme Inc", "group": "com.acme", diff --git a/tools/src/test/resources/1.5/valid-service-1.5.textproto b/tools/src/test/resources/1.5/valid-service-1.5.textproto index ab0c1c7b..4394430e 100644 --- a/tools/src/test/resources/1.5/valid-service-1.5.textproto +++ b/tools/src/test/resources/1.5/valid-service-1.5.textproto @@ -3,7 +3,7 @@ version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" components { type: CLASSIFICATION_LIBRARY - bom_ref: "pkg:npm/acme/component@1.0.0" + bom_ref: "pkg:maven/com.acme/stock-java-client@1.0.12" publisher: "Acme Inc" group: "com.acme" name: "stock-java-client" From 6ac7c54e0703ce698cd4781a7bed5ce4ff1b6e32 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Sep 2023 14:26:34 +0200 Subject: [PATCH 012/217] fix test data inconsistency for `valid-service-1.6` forward-port of #295 fixes #294 in 1.6 Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.6/valid-service-1.6.json | 2 +- tools/src/test/resources/1.6/valid-service-1.6.textproto | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-service-1.6.json b/tools/src/test/resources/1.6/valid-service-1.6.json index 496ef885..e48157b7 100644 --- a/tools/src/test/resources/1.6/valid-service-1.6.json +++ b/tools/src/test/resources/1.6/valid-service-1.6.json @@ -5,7 +5,7 @@ "version": 1, "components": [ { - "bom-ref": "pkg:npm/acme/component@1.0.0", + "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", "type": "library", "publisher": "Acme Inc", "group": "com.acme", diff --git a/tools/src/test/resources/1.6/valid-service-1.6.textproto b/tools/src/test/resources/1.6/valid-service-1.6.textproto index de744504..465d596f 100644 --- a/tools/src/test/resources/1.6/valid-service-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-service-1.6.textproto @@ -3,7 +3,7 @@ version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" components { type: CLASSIFICATION_LIBRARY - bom_ref: "pkg:npm/acme/component@1.0.0" + bom_ref: "pkg:maven/com.acme/stock-java-client@1.0.12" publisher: "Acme Inc" group: "com.acme" name: "stock-java-client" From 275aebf268fd9abbc4d8c312202eef583bf5aa77 Mon Sep 17 00:00:00 2001 From: tokcum <47994370+tokcum@users.noreply.github.com> Date: Mon, 11 Sep 2023 15:48:44 +0200 Subject: [PATCH 013/217] Fix test data regarding base64-encoded contents (#299) Fix test data inconsistency regarding encoding of license content in `valid-bom` fixes #296 Signed-off-by: tokcum --- tools/src/test/resources/1.2/valid-bom-1.2.json | 2 +- tools/src/test/resources/1.3/valid-bom-1.3.json | 2 +- tools/src/test/resources/1.3/valid-bom-1.3.textproto | 2 +- tools/src/test/resources/1.4/valid-bom-1.4.json | 2 +- tools/src/test/resources/1.4/valid-bom-1.4.textproto | 2 +- tools/src/test/resources/1.5/valid-bom-1.5.json | 2 +- tools/src/test/resources/1.5/valid-bom-1.5.textproto | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/src/test/resources/1.2/valid-bom-1.2.json b/tools/src/test/resources/1.2/valid-bom-1.2.json index 5cd907fc..62979356 100644 --- a/tools/src/test/resources/1.2/valid-bom-1.2.json +++ b/tools/src/test/resources/1.2/valid-bom-1.2.json @@ -103,7 +103,7 @@ "text": { "contentType": "text/plain", "encoding": "base64", - "content": "License text here" + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" }, "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.3/valid-bom-1.3.json b/tools/src/test/resources/1.3/valid-bom-1.3.json index c2f62963..75550db7 100644 --- a/tools/src/test/resources/1.3/valid-bom-1.3.json +++ b/tools/src/test/resources/1.3/valid-bom-1.3.json @@ -103,7 +103,7 @@ "text": { "contentType": "text/plain", "encoding": "base64", - "content": "License text here" + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" }, "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.3/valid-bom-1.3.textproto b/tools/src/test/resources/1.3/valid-bom-1.3.textproto index 262f96be..e326d124 100644 --- a/tools/src/test/resources/1.3/valid-bom-1.3.textproto +++ b/tools/src/test/resources/1.3/valid-bom-1.3.textproto @@ -86,7 +86,7 @@ components { text { content_type: "text/plain" encoding: "base64" - value: "License text here" + value: "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" } url: "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.4/valid-bom-1.4.json b/tools/src/test/resources/1.4/valid-bom-1.4.json index a47aa7d7..a6494a7b 100644 --- a/tools/src/test/resources/1.4/valid-bom-1.4.json +++ b/tools/src/test/resources/1.4/valid-bom-1.4.json @@ -103,7 +103,7 @@ "text": { "contentType": "text/plain", "encoding": "base64", - "content": "License text here" + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" }, "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.4/valid-bom-1.4.textproto b/tools/src/test/resources/1.4/valid-bom-1.4.textproto index c39dc611..7b347790 100644 --- a/tools/src/test/resources/1.4/valid-bom-1.4.textproto +++ b/tools/src/test/resources/1.4/valid-bom-1.4.textproto @@ -86,7 +86,7 @@ components { text { content_type: "text/plain" encoding: "base64" - value: "License text here" + value: "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" } url: "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.5/valid-bom-1.5.json b/tools/src/test/resources/1.5/valid-bom-1.5.json index 3bdbeaa1..23197b9a 100644 --- a/tools/src/test/resources/1.5/valid-bom-1.5.json +++ b/tools/src/test/resources/1.5/valid-bom-1.5.json @@ -103,7 +103,7 @@ "text": { "contentType": "text/plain", "encoding": "base64", - "content": "License text here" + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" }, "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.5/valid-bom-1.5.textproto b/tools/src/test/resources/1.5/valid-bom-1.5.textproto index fede993c..136eff6f 100644 --- a/tools/src/test/resources/1.5/valid-bom-1.5.textproto +++ b/tools/src/test/resources/1.5/valid-bom-1.5.textproto @@ -86,7 +86,7 @@ components { text { content_type: "text/plain" encoding: "base64" - value: "License text here" + value: "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" } url: "https://www.apache.org/licenses/LICENSE-2.0.txt" } From 32f8cce659cb92767954a0194056fc288bcafa37 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Sep 2023 15:53:25 +0200 Subject: [PATCH 014/217] Fix test data regarding base64-encoded contents forward-port of #299 fixes #296 in 1.6 Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.6/valid-bom-1.6.json | 2 +- tools/src/test/resources/1.6/valid-bom-1.6.textproto | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json index 40cb6d65..994f726f 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.json +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -103,7 +103,7 @@ "text": { "contentType": "text/plain", "encoding": "base64", - "content": "License text here" + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" }, "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" } diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto index 83f5901c..3e81e348 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -86,7 +86,7 @@ components { text { content_type: "text/plain" encoding: "base64" - value: "License text here" + value: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" } url: "https://www.apache.org/licenses/LICENSE-2.0.txt" } From 9bab9e38ef98564c676be4bddd26a4dff0a3c907 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Sep 2023 14:59:56 +0200 Subject: [PATCH 015/217] chore: add `@CycloneDX/core-team` as default reviewers (#298) Signed-off-by: Jan Kowalleck --- CODEOWNERS | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..00f26f95 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,5 @@ +# see https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners + +# all Core Team members are default-reviewers of new pull requests. +# see https://github.com/orgs/CycloneDX/teams/core-team +* @CycloneDX/core-team From c61c85d851a4f20ae99558b2fc9337d3ff2379bf Mon Sep 17 00:00:00 2001 From: tokcum <47994370+tokcum@users.noreply.github.com> Date: Tue, 12 Sep 2023 10:08:12 +0200 Subject: [PATCH 016/217] Fix `bom-ref` in test data `valid-compositions` (#302) fixes #301 Signed-off-by: tokcum --- tools/src/test/resources/1.3/valid-compositions-1.3.json | 1 + tools/src/test/resources/1.3/valid-compositions-1.3.textproto | 1 + tools/src/test/resources/1.4/valid-compositions-1.4.json | 1 + tools/src/test/resources/1.4/valid-compositions-1.4.textproto | 1 + tools/src/test/resources/1.5/valid-compositions-1.5.json | 1 + tools/src/test/resources/1.5/valid-compositions-1.5.textproto | 1 + 6 files changed, 6 insertions(+) diff --git a/tools/src/test/resources/1.3/valid-compositions-1.3.json b/tools/src/test/resources/1.3/valid-compositions-1.3.json index a11b4266..eeb6e48f 100644 --- a/tools/src/test/resources/1.3/valid-compositions-1.3.json +++ b/tools/src/test/resources/1.3/valid-compositions-1.3.json @@ -29,6 +29,7 @@ ] }, { + "bom-ref": "pkg:maven/acme/library@3.0", "type": "library", "name": "Acme Library", "version": "3.0", diff --git a/tools/src/test/resources/1.3/valid-compositions-1.3.textproto b/tools/src/test/resources/1.3/valid-compositions-1.3.textproto index f67f96b7..91f08fae 100644 --- a/tools/src/test/resources/1.3/valid-compositions-1.3.textproto +++ b/tools/src/test/resources/1.3/valid-compositions-1.3.textproto @@ -25,6 +25,7 @@ components { } components { type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/acme/library@3.0" name: "Acme Library" version: "3.0" purl: "pkg:maven/acme/library@3.0" diff --git a/tools/src/test/resources/1.4/valid-compositions-1.4.json b/tools/src/test/resources/1.4/valid-compositions-1.4.json index 42aa73fd..ed86e490 100644 --- a/tools/src/test/resources/1.4/valid-compositions-1.4.json +++ b/tools/src/test/resources/1.4/valid-compositions-1.4.json @@ -29,6 +29,7 @@ ] }, { + "bom-ref": "pkg:maven/acme/library@3.0", "type": "library", "name": "Acme Library", "version": "3.0", diff --git a/tools/src/test/resources/1.4/valid-compositions-1.4.textproto b/tools/src/test/resources/1.4/valid-compositions-1.4.textproto index a340e39c..ad0dfe73 100644 --- a/tools/src/test/resources/1.4/valid-compositions-1.4.textproto +++ b/tools/src/test/resources/1.4/valid-compositions-1.4.textproto @@ -25,6 +25,7 @@ components { } components { type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/acme/library@3.0" name: "Acme Library" version: "3.0" purl: "pkg:maven/acme/library@3.0" diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.json b/tools/src/test/resources/1.5/valid-compositions-1.5.json index 11c8a001..74b8712f 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.json +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.json @@ -29,6 +29,7 @@ ] }, { + "bom-ref": "pkg:maven/acme/library@3.0", "type": "library", "name": "Acme Library", "version": "3.0", diff --git a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto index bc542cf4..62d6d9f3 100644 --- a/tools/src/test/resources/1.5/valid-compositions-1.5.textproto +++ b/tools/src/test/resources/1.5/valid-compositions-1.5.textproto @@ -25,6 +25,7 @@ components { } components { type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/acme/library@3.0" name: "Acme Library" version: "3.0" purl: "pkg:maven/acme/library@3.0" From c6442124f95e568c41f28adc84fdc66403f5f6a6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 12 Sep 2023 10:14:38 +0200 Subject: [PATCH 017/217] Fix `bom-ref` in test data `valid-compositions` forward-port of #302 fixes #301 in 1.6 Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.6/valid-compositions-1.6.json | 1 + tools/src/test/resources/1.6/valid-compositions-1.6.textproto | 1 + 2 files changed, 2 insertions(+) diff --git a/tools/src/test/resources/1.6/valid-compositions-1.6.json b/tools/src/test/resources/1.6/valid-compositions-1.6.json index b42952ef..9cdbfe98 100644 --- a/tools/src/test/resources/1.6/valid-compositions-1.6.json +++ b/tools/src/test/resources/1.6/valid-compositions-1.6.json @@ -29,6 +29,7 @@ ] }, { + "bom-ref": "pkg:maven/acme/library@3.0", "type": "library", "name": "Acme Library", "version": "3.0", diff --git a/tools/src/test/resources/1.6/valid-compositions-1.6.textproto b/tools/src/test/resources/1.6/valid-compositions-1.6.textproto index f67f7650..ea7b75ac 100644 --- a/tools/src/test/resources/1.6/valid-compositions-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-compositions-1.6.textproto @@ -25,6 +25,7 @@ components { } components { type: CLASSIFICATION_LIBRARY + bom_ref: "pkg:maven/acme/library@3.0" name: "Acme Library" version: "3.0" purl: "pkg:maven/acme/library@3.0" From 0b48361838af53dbd4082de0f0bb385945186ffe Mon Sep 17 00:00:00 2001 From: tokcum <47994370+tokcum@users.noreply.github.com> Date: Tue, 12 Sep 2023 11:27:45 +0200 Subject: [PATCH 018/217] Fix test data regarding invalid SPDX license ID (#305) closes #303 Signed-off-by: tokcum --- tools/src/test/resources/1.1/invalid-license-id-count-1.1.xml | 4 ++-- tools/src/test/resources/1.2/invalid-license-id-count-1.2.xml | 4 ++-- tools/src/test/resources/1.3/invalid-license-id-count-1.3.xml | 4 ++-- tools/src/test/resources/1.4/invalid-license-id-count-1.4.xml | 4 ++-- tools/src/test/resources/1.5/invalid-license-id-count-1.5.xml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tools/src/test/resources/1.1/invalid-license-id-count-1.1.xml b/tools/src/test/resources/1.1/invalid-license-id-count-1.1.xml index 2b2d39b0..7f89adf3 100644 --- a/tools/src/test/resources/1.1/invalid-license-id-count-1.1.xml +++ b/tools/src/test/resources/1.1/invalid-license-id-count-1.1.xml @@ -16,9 +16,9 @@ - Apache-2 + MIT - Apache-2 + MIT pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar diff --git a/tools/src/test/resources/1.2/invalid-license-id-count-1.2.xml b/tools/src/test/resources/1.2/invalid-license-id-count-1.2.xml index b79b0f53..cca7e050 100644 --- a/tools/src/test/resources/1.2/invalid-license-id-count-1.2.xml +++ b/tools/src/test/resources/1.2/invalid-license-id-count-1.2.xml @@ -16,9 +16,9 @@ - Apache-2 + MIT - Apache-2 + MIT pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar diff --git a/tools/src/test/resources/1.3/invalid-license-id-count-1.3.xml b/tools/src/test/resources/1.3/invalid-license-id-count-1.3.xml index 09c4b3aa..ce13178d 100644 --- a/tools/src/test/resources/1.3/invalid-license-id-count-1.3.xml +++ b/tools/src/test/resources/1.3/invalid-license-id-count-1.3.xml @@ -16,9 +16,9 @@ - Apache-2 + MIT - Apache-2 + MIT pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar diff --git a/tools/src/test/resources/1.4/invalid-license-id-count-1.4.xml b/tools/src/test/resources/1.4/invalid-license-id-count-1.4.xml index 1b289971..27f73e5d 100644 --- a/tools/src/test/resources/1.4/invalid-license-id-count-1.4.xml +++ b/tools/src/test/resources/1.4/invalid-license-id-count-1.4.xml @@ -16,9 +16,9 @@ - Apache-2 + MIT - Apache-2 + MIT pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar diff --git a/tools/src/test/resources/1.5/invalid-license-id-count-1.5.xml b/tools/src/test/resources/1.5/invalid-license-id-count-1.5.xml index ecb0f870..dee67120 100644 --- a/tools/src/test/resources/1.5/invalid-license-id-count-1.5.xml +++ b/tools/src/test/resources/1.5/invalid-license-id-count-1.5.xml @@ -16,9 +16,9 @@ - Apache-2 + MIT - Apache-2 + MIT pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar From 723b63e8ffe1012a8d0ab602efe15c6fc9d8a085 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 12 Sep 2023 11:30:42 +0200 Subject: [PATCH 019/217] Fix test data regarding invalid SPDX license ID forward-port of #305 fixes #303 in 1.6 Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml b/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml index 984e9943..3c21750a 100644 --- a/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml +++ b/tools/src/test/resources/1.6/invalid-license-id-count-1.6.xml @@ -16,9 +16,9 @@ - Apache-2 + MIT - Apache-2 + MIT pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar From a1697ef52ccc9fb5f2dd4e549082ce6face33dda Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Wed, 20 Sep 2023 14:47:26 -0500 Subject: [PATCH 020/217] Added schema documentation generation for v1.6 Signed-off-by: steve.springett --- docgen/json/gen.sh | 5 +++-- docgen/xml/gen.sh | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh index b37d2461..e92128bc 100755 --- a/docgen/json/gen.sh +++ b/docgen/json/gen.sh @@ -1,6 +1,6 @@ #!/bin/bash rm -f -R docs -mkdir -p docs/{1.2,1.3,1.4,1.5} +mkdir -p docs/{1.2,1.3,1.4,1.5,1.6} # Check to see if generate-schema-doc is executable and is in the path. If not, install JSON Schema for Humans. if ! [ -x "$(command -v generate-schema-doc)" ]; then @@ -27,4 +27,5 @@ generate () { generate 1.2 generate 1.3 generate 1.4 -generate 1.5 \ No newline at end of file +generate 1.5 +generate 1.6 \ No newline at end of file diff --git a/docgen/xml/gen.sh b/docgen/xml/gen.sh index 03e494df..fc850311 100755 --- a/docgen/xml/gen.sh +++ b/docgen/xml/gen.sh @@ -16,4 +16,5 @@ generate 1.1 generate 1.2 generate 1.3 generate 1.4 -generate 1.5 \ No newline at end of file +generate 1.5 +generate 1.6 \ No newline at end of file From f1c9fe298e1f4fcdd4c7410625d64b1c66a0aedf Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Wed, 20 Sep 2023 17:17:13 -0500 Subject: [PATCH 021/217] Initial commit and port of IBM/CBOM Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 850 ++++++++++++++++++++++++++++++++++++- 1 file changed, 848 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 726fbf03..f038ab14 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -409,10 +409,11 @@ "firmware", "file", "machine-learning-model", - "data" + "data", + "crypto-asset" ], "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.\n* __crypto-asset__ = Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", "examples": ["library"] }, "mime-type": { @@ -591,6 +592,11 @@ "title": "Data", "description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types." }, + "cryptoProperties": { + "$ref": "#/definitions/cryptoProperties", + "title": "Crypto Properties", + "description": "Properties for Crypto Assets" + }, "properties": { "type": "array", "title": "Properties", @@ -1243,6 +1249,12 @@ }, "title": "Depends On", "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "dependencyType": { + "type": "string", + "title": "Type of dependency", + "description": "Defines and characterizes the type of dependency", + "$ref": "#/definitions/dependencyType" } } }, @@ -3794,6 +3806,840 @@ "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "dependencyType": { + "type": "string", + "enum": [ + "implements", + "uses" + ], + "title": "Type to characterize a dependency" + }, + "cryptoProperties": { + "type": "object", + "title": "Crypto Properties", + "description": "Properties for Crypto Assets", + "additionalProperties": false, + "properties": { + "assetType": { + "type": "string", + "title": "assetType", + "description": "The specific asset type for the crypto asset", + "enum": [ + "algorithm", + "certificate", + "key", + "protocol", + "relatedCryptoMaterial" + ] + }, + "algorithmProperties": { + "type": "object", + "title": "algorithm properties", + "description": "Properties for crypto assets of asset type 'algorithm'", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "The primitive for the crypto algorithm", + "enum": [ + "drbg", + "mac", + "blockcipher", + "streamcipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "keyagree", + "kem", + "ae", + "other", + "unknown" + ] + }, + "variant": { + "type": "string", + "title": "variant", + "description": "The variant for the crypto algorithm, algorithm components should be delimited with '-'", + "examples": [ + "aes128-cbc-pkcs7", + "rsa2048-cbc-oaep-sha256-mgf1", + "kyber1024" + ] + }, + "curve": { + "type": "string", + "title": "elliptic curve", + "description": "If applicable, the curve of the crypto algorithm", + "enum": [ + "brainpoolP160r1", + "brainpoolP160t1", + "brainpoolP192r1", + "brainpoolP192t1", + "brainpoolP224r1", + "brainpoolP224t1", + "brainpoolP256r1", + "brainpoolP256t1", + "brainpoolP320r1", + "brainpoolP320t1", + "brainpoolP384r1", + "brainpoolP384t1", + "brainpoolP512r1", + "brainpoolP512t1", + "secp160k1", + "secp192k1", + "secp224k1", + "secp256k1", + "secp112r1", + "secp128r1", + "secp160r1", + "secp192r1", + "secp224r1", + "secp256r1", + "secp384r1", + "secp521r1", + "secp112r2", + "secp128r2", + "secp160r2", + "sect163k1", + "sect233k1", + "sect239k1", + "sect283k1", + "sect409k1", + "sect571k1", + "sect113r1", + "sect131r1", + "sect163r1", + "sect193r1", + "sect233r1", + "sect283r1", + "sect409r1", + "sect571r1", + "sect113r2", + "sect131r2", + "sect163r2", + "sect193r2", + "BLS12-377", + "BLS12-381", + "BLS12-446", + "BLS12-455", + "BLS12-638", + "BLS24-477", + "gost256", + "gost512", + "curve25519", + "curve448", + "sm2", + "Fp256BN", + "Fp384BN", + "Fp512BN", + "prime192v1", + "prime192v2", + "prime192v3", + "prime239v1", + "prime239v2", + "prime239v3", + "prime256v1", + "c2pnb176w1", + "c2pnb163v1", + "c2pnb163v2", + "c2pnb163v3", + "c2pnb208w1", + "c2tnb191v3", + "c2tnb191v2", + "c2tnb191v1", + "c2tnb239v3", + "c2tnb239v2", + "c2tnb239v1", + "c2pnb272w1", + "c2pnb304w1", + "c2pnb368w1", + "c2tnb359v1", + "c2tnb431r1", + "c2onb191v4", + "c2onb191v5", + "c2onb239v4", + "c2onb239v5", + "ansit163k1", + "ansit163r1", + "ansit163r2", + "ansit193r1", + "ansit193r2", + "ansit233k1", + "ansit233r1", + "ansit239k1", + "ansit283k1", + "ansit283r1", + "ansit409k1", + "ansit409r1", + "ansit571k1", + "ansit571r1", + "ansip160k1", + "ansip160r1", + "ansip160r2", + "ansip192k1", + "ansip224k1", + "ansip224r1", + "ansip256k1", + "ansip384r1", + "ansip521r1", + "FRP256v1", + "bn158", + "bn190", + "bn222", + "bn254", + "bn286", + "bn318", + "bn350", + "bn382", + "bn414", + "bn446", + "bn478", + "bn510", + "bn542", + "bn574", + "bn606", + "bn638", + "P-192", + "P-224", + "P-256", + "P-384", + "P-521", + "K-163", + "B-163", + "K-233", + "B-233", + "K-283", + "B-283", + "K-409", + "B-409", + "K-571", + "B-571", + "FourQ", + "wap-wsg-idm-ecid-wtls1", + "wap-wsg-idm-ecid-wtls3", + "wap-wsg-idm-ecid-wtls4", + "wap-wsg-idm-ecid-wtls5", + "wap-wsg-idm-ecid-wtls6", + "wap-wsg-idm-ecid-wtls7", + "wap-wsg-idm-ecid-wtls8", + "wap-wsg-idm-ecid-wtls9", + "wap-wsg-idm-ecid-wtls1", + "wap-wsg-idm-ecid-wtls1", + "wap-wsg-idm-ecid-wtls1", + "other", + "unknown" + ] + }, + "implementationLevel": { + "type": "string", + "title": "implementation level", + "description": "The implementation level for the crypto algorithm", + "enum": [ + "softwarePlainRam", + "softwareEncryptedRam", + "softwareTee", + "hardware", + "other", + "unknown" + ] + }, + "implementationPlatform": { + "type": "string", + "title": "implementation platform", + "description": "The implementation platform for the crypto algorithm", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "s390x", + "ppc64", + "ppc64le", + "other", + "unknown" + ] + }, + "certificationLevel": { + "type": "string", + "title": "certification level", + "description": "The certification level for the crypto algorithm", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ] + }, + "mode": { + "type": "string", + "title": "mode", + "description": "The cipher mode of operation for the crypto algorithm", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "other", + "unknown" + ] + }, + "padding": { + "type": "string", + "title": "padding", + "description": "The padding for the crypto algorithm ", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "other", + "unknown" + ] + }, + "cryptoFunctions": { + "type": "array", + "title": "crypto function", + "description": "The crypto functions implemented by the crypto algorithm", + "items": { + "type": "string", + "enum": [ + "generate", + "keygen", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "other", + "unknown" + ] + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "classical security level", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria), or 0 if none of the categories are met", + "minimum": 0, + "maximum": 6 + } + } + }, + "certificateProperties": { + "type": "object", + "title": "certificate properties", + "description": "Properties for crypto assets of asset type 'certificate'", + "additionalProperties": false, + "properties": { + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the crypto certificate" + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the crypto certificate" + }, + "notValidBefore": { + "type": "string", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid" + }, + "notValidAfter": { + "type": "string", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" + }, + "signatureAlgorithm": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to signature algorithm used by the certificate" + }, + "subjectPublicKey": { + "$ref": "#/definitions/cryptoRef", + "title": "Key reference", + "description": "Bom-ref to the public key of the subject" + }, + "certificateFormat": { + "type": "string", + "title": "Certificate format", + "description": "The format of the certificate", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateExtension": { + "type": "string", + "title": "Certificate extensions", + "description": "The certificate extensions of the crypto certificate", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + } + } + }, + "keyProperties": { + "type": "object", + "title": "Properties for Keys", + "description": "Properties for crypto assets of asset type 'key'", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "key type", + "description": "The type of the key", + "enum": [ + "privateKey", + "publicKey", + "secretKey" + ] + }, + "id": { + "type": "string", + "title": "key id", + "description": "The identifier for the key" + }, + "state": { + "type": "string", + "title": "key state", + "description": "The key state according to NIST SP 800-57", + "enum": [ + "preActivation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "size": { + "type": "integer", + "title": "Crypto asset size (in bits)", + "description": "Size of the crypto asset (in bits)" + }, + "keyAlgorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm used to generate the key" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "creation date", + "description": "The date and time (timestamp) when the key was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "activation date", + "description": "The date and time (timestamp) when the key was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "update date", + "description": "The date and time (timestamp) when the key was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "expiration date", + "description": "The date and time (timestamp) when the key expired." + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "related crypto material properties", + "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related crypto material", + "enum": [ + "ciphertext", + "signature", + "digest", + "initializationVector", + "nonce", + "seed", + "salt", + "sharedSecret", + "tag", + "additionalData", + "password", + "credential", + "token", + "other", + "unknown" + ] + }, + "value": { + "type": "string", + "title": "Value assosiated to the crypto material", + "description": "The assosiated value of the crypto material" + }, + "size": { + "type": "integer", + "title": "Crypto asset size (in bits)", + "description": "Size of the crypto asset (in bits)" + }, + "format": { + "type": "string", + "title": "format", + "description": "format of the related crypto material (e.g. P8, PEM, DER)" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + } + } + }, + "protocolProperties": { + "type": "object", + "title": "protocol properties", + "description": "Properties for crypto assets of asset type 'protocol'", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "type", + "description": "The concrete protocol type", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "other", + "unknown" + ] + }, + "version": { + "type": "string", + "title": "protocol version", + "description": "The version of the protocol", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher suites related to the protocol", + "description": "A list of cipher suites related to the protocol", + "additionalItems": false, + "items": { + "$ref": "#/definitions/cipherSuite", + "title": "Cipher suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 transform types supported", + "description": "the IKEv2 transform types supported (types 1-4), according to RFC7296 section 3.3.2, and additional properties", + "properties": { + "encr": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Transform Type 1: encryption algorithms" + }, + "prf": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Transform Type 2: pseudorandom functions" + }, + "integ": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Transform Type 3: integrity algorithms" + }, + "ke": { + "$ref": "#/definitions/cryptoRefArray", + "title": "Key Exchange Method (KE) by RFC9370, formerly called dh" + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number is used" + }, + "auth": { + "$ref": "#/definitions/cryptoRefArray", + "title": "IKEv2 Authentication method" + } + } + }, + "cryptoRefArray": { + "$ref": "#/definitions/cryptoRefArray", + "title": "A list of protocol-related cryptographic assets" + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "OID of crypto asset" + }, + "confidenceLevels": { + "type": "object", + "additionalItems": false, + "title": "confidence levels", + "description": "confidence levels of the reported crypto properties", + "properties": { + "assetType": { + "$ref": "#/definitions/confidenceLevel", + "title": "assetType confidence level" + }, + "primitive": { + "$ref": "#/definitions/confidenceLevel", + "title": "primitive confidence level" + }, + "relatedCryptoMaterialType": { + "$ref": "#/definitions/confidenceLevel", + "title": "related crypto material confidence level" + }, + "variant": { + "$ref": "#/definitions/confidenceLevel", + "title": "variant confidence level" + }, + "mode": { + "$ref": "#/definitions/confidenceLevel", + "title": "mode of opreation confidence level" + }, + "padding": { + "$ref": "#/definitions/confidenceLevel", + "title": "padding confidence level" + }, + "cryptoFunctions": { + "$ref": "#/definitions/confidenceLevel", + "title": "related crypto material confidence level" + }, + "subjectName": { + "$ref": "#/definitions/confidenceLevel", + "title": "subjectName confidence level" + }, + "issuerName": { + "$ref": "#/definitions/confidenceLevel", + "title": "issuerName confidence level" + }, + "notValidBefore": { + "$ref": "#/definitions/confidenceLevel", + "title": "notValidBefore confidence level" + }, + "notValidAfter": { + "$ref": "#/definitions/confidenceLevel", + "title": "notValidAfter confidence level" + }, + "certificateAlgorithm": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateAlgorithm confidence level" + }, + "certificateSignatureAlgorithm": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateSignatureAlgorithm confidence level" + }, + "certificateFormat": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateFormat confidence level" + }, + "certificateExtension": { + "$ref": "#/definitions/confidenceLevel", + "title": "certificateExtension confidence level" + }, + "tlsCipherSuites": { + "$ref": "#/definitions/confidenceLevel", + "title": "tlsCipherSuites confidence level" + }, + "ikev2TransformTypes": { + "$ref": "#/definitions/confidenceLevel", + "title": "ikev2TransformTypes confidence level" + } + } + }, + "detectionContext": { + "type": "array", + "additionalItems": false, + "title": "detection context", + "description": "Defines additional context metadata related to the detected crypto asset", + "items": { + "type": "object", + "title": "detection context", + "additionalProperties": false, + "properties": { + "filePath": { + "type": "string", + "title": "filePath", + "description": "File path of the detected crypto asset" + }, + "lineNumbers": { + "type": "array", + "title": "lineNumbers", + "description": "Line numbers of the detected crypto asset" + }, + "offsets": { + "type": "array", + "title": "offsets", + "description": "Offsets of the detected crypto asset" + }, + "symbols": { + "type": "array", + "title": "symbols", + "description": "symbol names detected for the crypto asset" + }, + "keywords": { + "type": "array", + "title": "keywords", + "description": "keywords detected for the crypto asset" + }, + "additionalContext": { + "type": "string", + "title": "additionalContext", + "description": "additional context of the detected crypto asset (e.g. code snippet)" + } + } + } + } + } + }, + "cryptoRef": { + "type": "string", + "title": "Reference to a crypto asset", + "description": "Reference (bom-ref) to the crypto asset used in this context" + }, + "confidenceLevel": { + "title": "ConfidenceLevel", + "description": "The ConfidenceLevel related to a property", + "type": "number" + }, + "cipherSuite": { + "type": "object", + "title": "Cipher suite", + "description": "Object representing a cipher suite", + "additionalItems": false, + "properties": { + "name": { + "type": "string", + "title": "Common name", + "description": "A common name for the cipher suite", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related algorithms", + "description": "List of algorithms related to the cipher suite", + "additionalItems": false, + "items": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm crypto asset" + } + }, + "identifiers": { + "type": "array", + "title": "Cipher suite identifiers", + "description": "A list of common identifiers for the cipher suite", + "additionalItems": false, + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier", + "examples": [ + "0xC0", + "0x9E" + ] + } + } + } + }, + "cryptoRefArray" : { + "type": "array", + "additionalItems": false, + "items": { + "$ref": "#/definitions/cryptoRef" + } + }, + "securedBy": { + "type": "object", + "title": "Crypto asset is secured by", + "description": "Specifies the mechanism by which the crypto asset is secured by", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "mechanism by which the crypto asset is secured by", + "description": "Specifies the mechanism by which the crypto asset is secured by", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference" + } + } } } } From 7801028b5e1a7d9d31032c019b1bcba27bc65b45 Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Thu, 21 Sep 2023 08:11:52 -0500 Subject: [PATCH 022/217] Removed duplicate curves Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f038ab14..d9f6dfd0 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4027,9 +4027,6 @@ "wap-wsg-idm-ecid-wtls7", "wap-wsg-idm-ecid-wtls8", "wap-wsg-idm-ecid-wtls9", - "wap-wsg-idm-ecid-wtls1", - "wap-wsg-idm-ecid-wtls1", - "wap-wsg-idm-ecid-wtls1", "other", "unknown" ] From 8f0557e710e07e91a639d2467a8374465b06ffd4 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 26 Sep 2023 13:52:19 -0500 Subject: [PATCH 023/217] Added descriptions that were developed by the working group. Minor changes to schema to include some changes and omissions. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 178 +++++++++++++++++++++++-------------- 1 file changed, 109 insertions(+), 69 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 103f673e..305937ae 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -108,13 +108,13 @@ "declarations": { "type": "object", "title": "Declarations", - "description": "", + "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", "additionalProperties": false, "properties": { "assessors": { "type": "array", "title": "Assessors", - "description": "", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", "items": { "type": "object", "title": "Assessor", @@ -126,20 +126,15 @@ "title": "BOM Reference", "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, - "type": { - "type": "string", - "enum": [ - "self", - "purchaser", - "independent" - ], - "title": "Type", - "description": "" + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." }, "organization": { "$ref": "#/definitions/organizationalEntity", "title": "Organization", - "description": "" + "description": "The entity issuing the assessment." } } } @@ -147,7 +142,7 @@ "attestations": { "type": "array", "title": "Attestations", - "description": "", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", "items": { "type": "object", "additionalProperties": false, @@ -160,12 +155,12 @@ "assessor": { "$ref": "#/definitions/refLinkType", "title": "Assessor", - "description": "" + "description": "The `bom-ref` to the assessor asserting the attestation." }, "map": { "type": "array", "title": "Map", - "description": "", + "description": "The grouping of requirements to claims and the attestors declaired conformance and confidence thereof.", "items": { "type": "object", "additionalProperties": false, @@ -173,24 +168,24 @@ "requirement": { "$ref": "#/definitions/refLinkType", "title": "Requirement", - "description": "" + "description": "The `bom-ref` to the requirement being attested to." }, "claims": { "type": "array", "title": "Claims", - "description": "", + "description": "The list of `bom-ref` to the claims being attested to.", "items": { "$ref": "#/definitions/refLinkType" } }, "counterClaims": { "type": "array", "title": "Claims", - "description": "", + "description": "The list of `bom-ref` to the counter claims being attested to.", "items": { "$ref": "#/definitions/refLinkType" } }, "conformance": { "type": "object", "title": "Conformance", - "description": "", + "description": "The conformance of the claim meeting a requirement.", "additionalProperties": false, "properties": { "score": { @@ -198,17 +193,17 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The conformance to a requirement from 0 - 1, where 1 is 100% conformance." + "description": "The conformance of the claim within [0,1], where 1 is 100% confidence." }, "rationale": { "type": "string", "title": "Rationale", - "description": "" + "description": "The rationale for the score of conformance." }, "mitigationStrategy": { "type": "array", "title": "Mitigation Strategy", - "description": "", + "description": "The description of the mitigation strategy if conformance is not `1`.", "items": { "$ref": "#/definitions/refLinkType" } } } @@ -216,7 +211,7 @@ "confidence": { "type": "object", "title": "Confidence", - "description": "", + "description": "The confidence of the claim meeting the requirement.", "additionalProperties": false, "properties": { "score": { @@ -224,12 +219,12 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The confidence of the attestation from 0 - 1, where 1 is 100% confidence." + "description": "The confidence of the claim within [0,1], where 1 is 100% confidence." }, "rationale": { "type": "string", "title": "Rationale", - "description": "" + "description": "The rationale for the confidence score." } } } @@ -247,7 +242,7 @@ "claims": { "type": "array", "title": "Claims", - "description": "", + "description": "The list of claims.", "items": { "type": "object", "additionalProperties": false, @@ -260,34 +255,34 @@ "target": { "$ref": "#/definitions/refLinkType", "title": "Target", - "description": "" + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." }, "predicate": { "type": "string", "title": "Predicate", - "description": "" + "description": "The specific statement or assertion about the target." }, "mitigationStrategy": { "type": "array", "title": "Mitigation Strategy", - "description": "", + "description": "The written explanation of how any weaknesses in the evidence will be mitigated.", "items": { "$ref": "#/definitions/refLinkType" } }, "reasoning": { "type": "string", "title": "Reasoning", - "description": "" + "description": "The written explanation of why the evidence provided substantiates the claim." }, "evidence": { "type": "array", "title": "Evidence", - "description": "", + "description": "The array of references to evidence that supports this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "counterEvidence": { "type": "array", "title": "Counter Evidence", - "description": "", + "description": "The array of references to counterEvidence that undermines this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "externalReferences": { @@ -307,7 +302,7 @@ "evidence": { "type": "array", "title": "Evidence", - "description": "", + "description": "The list of evidence.", "items": { "type": "object", "additionalProperties": false, @@ -325,12 +320,12 @@ "description": { "type": "string", "title": "Description", - "description": "" + "description": "The written description of what this evidence is and how it was created." }, "data": { "type": "object", "title": "Description", - "description": "", + "description": "The output or analysis that supports claims.", "additionalProperties": false, "properties": { "contents": { @@ -341,13 +336,13 @@ "properties": { "attachment": { "title": "Data Attachment", - "description": "An optional way to include textual or encoded data.", + "description": "The optional way to include textual or encoded data.", "$ref": "#/definitions/attachment" }, "url": { "type": "string", "title": "Data URL", - "description": "The URL to where the data can be retrieved.", + "description": "The URL where the data can be retrieved.", "format": "iri-reference" } } @@ -358,23 +353,23 @@ "type": "string", "format": "date-time", "title": "Created", - "description": "" + "description": "The date and time (timestamp) when the evidence was created." }, "expires": { "type": "string", "format": "date-time", "title": "Expires", - "description": "" + "description": "The optional date and time (timestamp) when the evidence is no longer valid." }, "author": { "$ref": "#/definitions/organizationalContact", "title": "Author", - "description": "" + "description": "The author of the evidence." }, "reviewer": { "$ref": "#/definitions/organizationalContact", "title": "Reviewer", - "description": "" + "description": "The reviewer of the evidence." }, "signature": { "$ref": "#/definitions/signature", @@ -387,31 +382,31 @@ "targets": { "type": "object", "title": "Targets", - "description": "", + "description": "The list of targets which claims are made against.", "additionalProperties": false, "properties": { "organizations": { "type": "array", "title": "Organizations", - "description": "", + "description": "The list of organizations which claims are made against.", "items": {"$ref": "#/definitions/organizationalEntity"} }, - "contacts": { + "people": { "type": "array", - "title": "Contacts", - "description": "", + "title": "People", + "description": "The list of individuals which claims are made against.", "items": {"$ref": "#/definitions/organizationalContact"} }, "components": { "type": "array", "title": "Components", - "description": "", + "description": "The list of components which claims are made against.", "items": {"$ref": "#/definitions/component"} }, "services": { "type": "array", "title": "Services", - "description": "", + "description": "The list of services which claims are made against.", "items": {"$ref": "#/definitions/service"} } } @@ -421,8 +416,55 @@ "title": "Affirmation", "additionalProperties": false, "properties": { - "text": { - + "statement": { + "type": "string", + "title": "Text", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ "I certify, to the best of my knowledge, that all information is correct." ] + }, + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "additionalProperties": false, + "oneOf": [ + { + "required": ["signature"] + }, + { + "required": ["externalReference", "organization"] + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." + }, + "externalReference": { + "$ref": "#/definitions/externalReference", + "title": "External Reference", + "description": "An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } } } } @@ -437,7 +479,7 @@ "standards": { "type": "array", "title": "Standards", - "description": "Defines standards which may consist of regulations, industry or organizational-specific standards, maturity models, and best practices which can be evaluated against or attested to.", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", "items": { "$ref": "#/definitions/standard" } @@ -4130,7 +4172,7 @@ "standard": { "type": "object", "title": "Standard", - "description": "", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", "additionalProperties": false, "properties": { "bom-ref": { @@ -4141,31 +4183,30 @@ "name": { "type": "string", "title": "Name", - "description": "The name of the standard" + "description": "The name of the standard. This will often be a shortened, single name of the standard." }, "description": { "type": "string", "title": "Description", - "description": "A description of the standard" + "description": "The description of the standard." }, "version": { "type": "string", "title": "Version", - "description": "A version of the standard" + "description": "The version of the standard." }, "owner": { "type": "string", "title": "Owner", - "description": "The owner of the standard" + "description": "The owner of the standard, often the entity responsible for its release." }, "requirements": { "type": "array", "title": "Requirements", - "description": "The requirements that make up the standard", + "description": "The list of requirements comprising the standard.", "items": { "type": "object", "title": "Requirement", - "description": "", "additionalProperties": false, "properties": { "bom-ref": { @@ -4176,28 +4217,28 @@ "identifier": { "type": "string", "title": "Identifier", - "description": "The identifier used in the standard to identify a specific requirement" + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." }, "title": { "type": "string", "title": "Title", - "description": "The title of the requirement" + "description": "The title of the requirement." }, "text": { "type": "string", "title": "Text", - "description": "The textual content of the requirement" + "description": "The textual content of the requirement." }, "opencre": { "type": "string", "format": "iri-reference", "title": "OWASP OpenCRE", - "description": "URL to the Common Requirements Enumeration" + "description": "The URL to the corresponding Common Requirements Enumeration (CRE) common requirement identifier." }, "parent": { "$ref": "#/definitions/refLinkType", "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements." + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." }, "externalReferences": { "type": "array", @@ -4211,11 +4252,10 @@ "levels": { "type": "array", "title": "Levels", - "description": "", + "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", "items": { "type": "object", "title": "Level", - "description": "", "additionalProperties": false, "properties": { "bom-ref": { @@ -4226,22 +4266,22 @@ "identifier": { "type": "string", "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level" + "description": "The identifier used in the standard to identify a specific level." }, "title": { "type": "string", "title": "Title", - "description": "The title of the level" + "description": "The title of the level." }, "description": { "type": "string", "title": "Description", - "description": "The description of the level" + "description": "The description of the level." }, "requirements": { "type": "array", "title": "Requirements", - "description": "", + "description": "The list of requirement `bom-ref`s that comprise the level.", "items": { "$ref": "#/definitions/refLinkType" } } } From 1fde9ff8868f4a4445704b6531cb02cfcfba351c Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Tue, 26 Sep 2023 14:49:28 -0500 Subject: [PATCH 024/217] Updates as of todays working group Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 305937ae..6e13682b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -150,7 +150,7 @@ "summary": { "type": "string", "title": "Summary", - "description": "" + "description": "The short description explaining the main points of the attestation." }, "assessor": { "$ref": "#/definitions/refLinkType", @@ -193,7 +193,7 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The conformance of the claim within [0,1], where 1 is 100% confidence." + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." }, "rationale": { "type": "string", @@ -219,7 +219,7 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The confidence of the claim within [0,1], where 1 is 100% confidence." + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." }, "rationale": { "type": "string", @@ -312,10 +312,10 @@ "title": "BOM Reference", "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." }, - "type": { + "propertyName": { "type": "string", "title": "Type", - "description": "TODO - make this extensible - see valid-attestations-1.6.json for notes" + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). " }, "description": { "type": "string", From d854c03ae6283cc157331ce1fcd7f7a97bc2273f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 3 Oct 2023 22:40:23 -0500 Subject: [PATCH 025/217] Added properties and description array as a result of todays meeting Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 305937ae..cee16af7 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4229,6 +4229,12 @@ "title": "Text", "description": "The textual content of the requirement." }, + "descriptions": { + "type": "array", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "items": { "type": "string" } + }, "opencre": { "type": "string", "format": "iri-reference", @@ -4240,6 +4246,14 @@ "title": "Parent BOM Reference", "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + }, "externalReferences": { "type": "array", "items": {"$ref": "#/definitions/externalReference"}, From f3d54daa2f6f3cc480124e4c667bb594a941c756 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 9 Oct 2023 22:26:14 -0500 Subject: [PATCH 026/217] Updated CRE support based on conversation with CRE project. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index dd86287c..46248ee7 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4236,10 +4236,14 @@ "items": { "type": "string" } }, "opencre": { - "type": "string", - "format": "iri-reference", - "title": "OWASP OpenCRE", - "description": "The URL to the corresponding Common Requirements Enumeration (CRE) common requirement identifier." + "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "items": { + "type": "string", + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ "CRE:764-507" ] + } }, "parent": { "$ref": "#/definitions/refLinkType", From 6f38f48cd88359f16c6d17be775049ac4436aecc Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 11 Oct 2023 19:36:46 +0200 Subject: [PATCH 027/217] CBOM: merges relatedCryptoMaterial and key asset types Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 206 ++++++++++++++++--------------------- 1 file changed, 90 insertions(+), 116 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index d9f6dfd0..789a92b7 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3828,7 +3828,6 @@ "enum": [ "algorithm", "certificate", - "key", "protocol", "relatedCryptoMaterial" ] @@ -4228,127 +4227,102 @@ } } }, - "keyProperties": { - "type": "object", - "title": "Properties for Keys", - "description": "Properties for crypto assets of asset type 'key'", - "additionalProperties": false, - "properties": { - "type": { - "type": "string", - "title": "key type", - "description": "The type of the key", - "enum": [ - "privateKey", - "publicKey", - "secretKey" - ] - }, - "id": { - "type": "string", - "title": "key id", - "description": "The identifier for the key" - }, - "state": { - "type": "string", - "title": "key state", - "description": "The key state according to NIST SP 800-57", - "enum": [ - "preActivation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" - ] - }, - "size": { - "type": "integer", - "title": "Crypto asset size (in bits)", - "description": "Size of the crypto asset (in bits)" - }, - "keyAlgorithmRef": { - "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", - "description": "Bom-ref to algorithm used to generate the key" - }, - "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" - }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "creation date", - "description": "The date and time (timestamp) when the key was created." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "activation date", - "description": "The date and time (timestamp) when the key was activated." - }, - "updateDate": { - "type": "string", - "format": "date-time", - "title": "update date", - "description": "The date and time (timestamp) when the key was updated." - }, - "expirationDate": { - "type": "string", - "format": "date-time", - "title": "expiration date", - "description": "The date and time (timestamp) when the key expired." - } - } - }, "relatedCryptoMaterialProperties": { "type": "object", "title": "related crypto material properties", "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", "additionalProperties": false, "properties": { - "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related crypto material", - "enum": [ - "ciphertext", - "signature", - "digest", - "initializationVector", - "nonce", - "seed", - "salt", - "sharedSecret", - "tag", - "additionalData", - "password", - "credential", - "token", - "other", - "unknown" - ] - }, - "value": { - "type": "string", - "title": "Value assosiated to the crypto material", - "description": "The assosiated value of the crypto material" - }, - "size": { - "type": "integer", - "title": "Crypto asset size (in bits)", - "description": "Size of the crypto asset (in bits)" - }, - "format": { - "type": "string", - "title": "format", - "description": "format of the related crypto material (e.g. P8, PEM, DER)" - }, - "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" - } + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related crypto material", + "enum": [ + "privateKey", + "publicKey", + "secretKey", + "ciphertext", + "signature", + "digest", + "initializationVector", + "nonce", + "seed", + "salt", + "sharedSecret", + "tag", + "additionalData", + "password", + "credential", + "token", + "other", + "unknown" + ] + }, + "id": { + "type": "string", + "title": "key id", + "description": "The identifier for the key" + }, + "state": { + "type": "string", + "title": "key state", + "description": "The key state according to NIST SP 800-57", + "enum": [ + "preActivation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "creation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "activation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "update date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "expiration date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." + }, + "value": { + "type": "string", + "title": "Value assosiated to the crypto material", + "description": "The assosiated value of the crypto material" + }, + "size": { + "$ref": "#/definitions/size", + "title": "Crypto asset size (in bits)" + }, + "format": { + "type": "string", + "title": "format", + "description": "format of the related crypto material (e.g. P8, PEM, DER)" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + } } }, "protocolProperties": { From e91b9f07b6f989125928cbd657c32f1d8553c3c5 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 12 Oct 2023 16:09:30 +0200 Subject: [PATCH 028/217] fix size type and formatting Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 180 ++++++++++++++++++------------------- 1 file changed, 90 insertions(+), 90 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 789a92b7..8d918819 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4233,96 +4233,96 @@ "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", "additionalProperties": false, "properties": { - "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related crypto material", - "enum": [ - "privateKey", - "publicKey", - "secretKey", - "ciphertext", - "signature", - "digest", - "initializationVector", - "nonce", - "seed", - "salt", - "sharedSecret", - "tag", - "additionalData", - "password", - "credential", - "token", - "other", - "unknown" - ] - }, - "id": { - "type": "string", - "title": "key id", - "description": "The identifier for the key" - }, - "state": { - "type": "string", - "title": "key state", - "description": "The key state according to NIST SP 800-57", - "enum": [ - "preActivation", - "active", - "suspended", - "deactivated", - "compromised", - "destroyed" - ] - }, - "algorithmRef": { - "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", - "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" - }, - "creationDate": { - "type": "string", - "format": "date-time", - "title": "creation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." - }, - "activationDate": { - "type": "string", - "format": "date-time", - "title": "activation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." - }, - "updateDate": { - "type": "string", - "format": "date-time", - "title": "update date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." - }, - "expirationDate": { - "type": "string", - "format": "date-time", - "title": "expiration date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." - }, - "value": { - "type": "string", - "title": "Value assosiated to the crypto material", - "description": "The assosiated value of the crypto material" - }, - "size": { - "$ref": "#/definitions/size", - "title": "Crypto asset size (in bits)" - }, - "format": { - "type": "string", - "title": "format", - "description": "format of the related crypto material (e.g. P8, PEM, DER)" - }, - "securedBy": { - "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" - } + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related crypto material", + "enum": [ + "privateKey", + "publicKey", + "secretKey", + "ciphertext", + "signature", + "digest", + "initializationVector", + "nonce", + "seed", + "salt", + "sharedSecret", + "tag", + "additionalData", + "password", + "credential", + "token", + "other", + "unknown" + ] + }, + "id": { + "type": "string", + "title": "id", + "description": "The identifier for the relatedCryptoMaterial" + }, + "state": { + "type": "string", + "title": "state", + "description": "The key state according to NIST SP 800-57", + "enum": [ + "preActivation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/cryptoRef", + "title": "Algorithm reference", + "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "creation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "activation date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "update date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "expiration date", + "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." + }, + "value": { + "type": "string", + "title": "Value assosiated to the crypto material", + "description": "The assosiated value of the crypto material" + }, + "size": { + "type": "integer", + "title": "Crypto asset size (in bits)" + }, + "format": { + "type": "string", + "title": "format", + "description": "format of the related crypto material (e.g. P8, PEM, DER)" + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Crypto asset is secured by" + } } }, "protocolProperties": { From da1286b3f52a02bdab969d9100f2d9b9e38898f8 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 15 Oct 2023 13:08:15 +0200 Subject: [PATCH 029/217] chore: generate docs for v1.6 Signed-off-by: Jan Kowalleck --- docgen/json/gen.sh | 2 +- docgen/xml/gen.sh | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh index b37d2461..76b5f2fd 100755 --- a/docgen/json/gen.sh +++ b/docgen/json/gen.sh @@ -1,6 +1,6 @@ #!/bin/bash rm -f -R docs -mkdir -p docs/{1.2,1.3,1.4,1.5} +mkdir -p docs/{1.2,1.3,1.4,1.5,1.6} # Check to see if generate-schema-doc is executable and is in the path. If not, install JSON Schema for Humans. if ! [ -x "$(command -v generate-schema-doc)" ]; then diff --git a/docgen/xml/gen.sh b/docgen/xml/gen.sh index 03e494df..fc850311 100755 --- a/docgen/xml/gen.sh +++ b/docgen/xml/gen.sh @@ -16,4 +16,5 @@ generate 1.1 generate 1.2 generate 1.3 generate 1.4 -generate 1.5 \ No newline at end of file +generate 1.5 +generate 1.6 \ No newline at end of file From 5d8c05baab140d0634f76d51da196d37f990b2d1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 15 Oct 2023 13:17:45 +0200 Subject: [PATCH 030/217] chore: generate docs for v1.6 Signed-off-by: Jan Kowalleck --- docgen/json/gen.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh index 76b5f2fd..e92128bc 100755 --- a/docgen/json/gen.sh +++ b/docgen/json/gen.sh @@ -27,4 +27,5 @@ generate () { generate 1.2 generate 1.3 generate 1.4 -generate 1.5 \ No newline at end of file +generate 1.5 +generate 1.6 \ No newline at end of file From 8d1c9a4fcd24d8499d6f506f7d9214cff7a92678 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 18 Oct 2023 14:04:55 +0200 Subject: [PATCH 031/217] Merges detectionContext properties with component evidence Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 139 ++++++------------------------------- 1 file changed, 20 insertions(+), 119 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index d9f6dfd0..b3da20d6 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1576,6 +1576,26 @@ "type": "string", "title": "Location", "description": "The location or path to where the component was found." + }, + "lineNumber": { + "type": "integer", + "title": "Line Number", + "description": "The line number where the component was found." + }, + "offset": { + "type": "integer", + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." } } } @@ -4433,125 +4453,6 @@ "type": "string", "title": "OID", "description": "OID of crypto asset" - }, - "confidenceLevels": { - "type": "object", - "additionalItems": false, - "title": "confidence levels", - "description": "confidence levels of the reported crypto properties", - "properties": { - "assetType": { - "$ref": "#/definitions/confidenceLevel", - "title": "assetType confidence level" - }, - "primitive": { - "$ref": "#/definitions/confidenceLevel", - "title": "primitive confidence level" - }, - "relatedCryptoMaterialType": { - "$ref": "#/definitions/confidenceLevel", - "title": "related crypto material confidence level" - }, - "variant": { - "$ref": "#/definitions/confidenceLevel", - "title": "variant confidence level" - }, - "mode": { - "$ref": "#/definitions/confidenceLevel", - "title": "mode of opreation confidence level" - }, - "padding": { - "$ref": "#/definitions/confidenceLevel", - "title": "padding confidence level" - }, - "cryptoFunctions": { - "$ref": "#/definitions/confidenceLevel", - "title": "related crypto material confidence level" - }, - "subjectName": { - "$ref": "#/definitions/confidenceLevel", - "title": "subjectName confidence level" - }, - "issuerName": { - "$ref": "#/definitions/confidenceLevel", - "title": "issuerName confidence level" - }, - "notValidBefore": { - "$ref": "#/definitions/confidenceLevel", - "title": "notValidBefore confidence level" - }, - "notValidAfter": { - "$ref": "#/definitions/confidenceLevel", - "title": "notValidAfter confidence level" - }, - "certificateAlgorithm": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateAlgorithm confidence level" - }, - "certificateSignatureAlgorithm": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateSignatureAlgorithm confidence level" - }, - "certificateFormat": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateFormat confidence level" - }, - "certificateExtension": { - "$ref": "#/definitions/confidenceLevel", - "title": "certificateExtension confidence level" - }, - "tlsCipherSuites": { - "$ref": "#/definitions/confidenceLevel", - "title": "tlsCipherSuites confidence level" - }, - "ikev2TransformTypes": { - "$ref": "#/definitions/confidenceLevel", - "title": "ikev2TransformTypes confidence level" - } - } - }, - "detectionContext": { - "type": "array", - "additionalItems": false, - "title": "detection context", - "description": "Defines additional context metadata related to the detected crypto asset", - "items": { - "type": "object", - "title": "detection context", - "additionalProperties": false, - "properties": { - "filePath": { - "type": "string", - "title": "filePath", - "description": "File path of the detected crypto asset" - }, - "lineNumbers": { - "type": "array", - "title": "lineNumbers", - "description": "Line numbers of the detected crypto asset" - }, - "offsets": { - "type": "array", - "title": "offsets", - "description": "Offsets of the detected crypto asset" - }, - "symbols": { - "type": "array", - "title": "symbols", - "description": "symbol names detected for the crypto asset" - }, - "keywords": { - "type": "array", - "title": "keywords", - "description": "keywords detected for the crypto asset" - }, - "additionalContext": { - "type": "string", - "title": "additionalContext", - "description": "additional context of the detected crypto asset (e.g. code snippet)" - } - } - } } } }, From 92ae29eaaf3299f074d14b1cf7ac424b67f09ac3 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 15 Oct 2023 10:19:52 +0200 Subject: [PATCH 032/217] refactor: centralize version and version-range Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 42 ++++++++++++++++++++++++---------- schema/bom-1.6.xsd | 47 ++++++++++++++++++++++++++++++++++---- 2 files changed, 72 insertions(+), 17 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 726fbf03..dc93c21f 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -299,7 +299,7 @@ "description": "The name of the tool" }, "version": { - "type": "string", + "$ref": "#/definitions/version", "title": "Tool Version", "description": "The version of the tool" }, @@ -457,10 +457,9 @@ "examples": ["tomcat-catalina"] }, "version": { - "type": "string", + "$ref": "#/definitions/version", "title": "Component Version", - "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.", - "examples": ["9.0.14"] + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced." }, "description": { "type": "string", @@ -1277,10 +1276,9 @@ "examples": ["ticker-service"] }, "version": { - "type": "string", + "$ref": "#/definitions/version", "title": "Service Version", - "description": "The service version.", - "examples": ["1.0.0"] + "description": "The service version." }, "description": { "type": "string", @@ -2285,7 +2283,7 @@ }, "range": { "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", - "$ref": "#/definitions/range" + "$ref": "#/definitions/versionRange" }, "status": { "description": "The vulnerability status for the version or range of versions.", @@ -2320,16 +2318,36 @@ ] }, "version": { - "description": "A single version of a component or service.", + "description": "A single disjunctive version identifier, for a component or service.", "type": "string", "minLength": 1, - "maxLength": 1024 + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] }, - "range": { + "versionRange": { "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", "type": "string", "minLength": 1, - "maxLength": 1024 + "maxLength": 1024, + "examples": [ + "9.0.14", + "1.2.3|>=2.0.0|<5.0.0", + "0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + ">=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + ">=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "range": { + "deprecated": true, + "description": "Deprecated definition. use definition `versionRange` instead.", + "allOf": [{"$ref": "#/definitions/versionRange"}] }, "annotations": { "type": "object", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 1cc87910..8cb54003 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -54,6 +54,43 @@ limitations under the License. + + + + + + + + + + =2.0.0|<5.0.0" + - "0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + - ">=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1" + - ">=2.2.0|!= 2.2.1|<2.3.0" + ]]> + + + + + + + + @@ -338,7 +375,7 @@ limitations under the License. The name of the tool - + The version of the tool @@ -463,7 +500,7 @@ limitations under the License. of the component. Examples: commons-lang3 and jquery - + The component version. The version should ideally comply with semantic versioning but is not enforced. @@ -1851,7 +1888,7 @@ limitations under the License. of the service. - + The service version. @@ -3637,12 +3674,12 @@ limitations under the License. - + A single version of a component or service. - + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst From 29373d7ad8b4a2d26e5649894ccb911428cf1b10 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 19 Oct 2023 15:10:51 +0200 Subject: [PATCH 033/217] remove remaining confidenceLevel Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index b3da20d6..9eeb3cb8 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4461,11 +4461,6 @@ "title": "Reference to a crypto asset", "description": "Reference (bom-ref) to the crypto asset used in this context" }, - "confidenceLevel": { - "title": "ConfidenceLevel", - "description": "The ConfidenceLevel related to a property", - "type": "number" - }, "cipherSuite": { "type": "object", "title": "Cipher suite", From 17019b00d0b850aaf161132023f55c084f93cb9d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 21 Oct 2023 17:50:20 -0500 Subject: [PATCH 034/217] Corrected strict schema violations Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index d9f6dfd0..99081f5a 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4386,7 +4386,6 @@ "type": "array", "title": "Cipher suites related to the protocol", "description": "A list of cipher suites related to the protocol", - "additionalItems": false, "items": { "$ref": "#/definitions/cipherSuite", "title": "Cipher suite" @@ -4436,9 +4435,9 @@ }, "confidenceLevels": { "type": "object", - "additionalItems": false, "title": "confidence levels", "description": "confidence levels of the reported crypto properties", + "additionalProperties": false, "properties": { "assetType": { "$ref": "#/definitions/confidenceLevel", @@ -4512,7 +4511,6 @@ }, "detectionContext": { "type": "array", - "additionalItems": false, "title": "detection context", "description": "Defines additional context metadata related to the detected crypto asset", "items": { @@ -4569,7 +4567,7 @@ "type": "object", "title": "Cipher suite", "description": "Object representing a cipher suite", - "additionalItems": false, + "additionalProperties": false, "properties": { "name": { "type": "string", @@ -4583,7 +4581,6 @@ "type": "array", "title": "Related algorithms", "description": "List of algorithms related to the cipher suite", - "additionalItems": false, "items": { "$ref": "#/definitions/cryptoRef", "title": "Algorithm reference", @@ -4594,7 +4591,6 @@ "type": "array", "title": "Cipher suite identifiers", "description": "A list of common identifiers for the cipher suite", - "additionalItems": false, "items": { "type": "string", "title": "identifier", @@ -4609,7 +4605,6 @@ }, "cryptoRefArray" : { "type": "array", - "additionalItems": false, "items": { "$ref": "#/definitions/cryptoRef" } From 6dac0124f4937eba36ef091dca3f8f8e7bde0f44 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 22 Oct 2023 17:31:10 +0200 Subject: [PATCH 035/217] tests: enable more tests for v1.6 Signed-off-by: Jan Kowalleck --- tools/src/test/js/package.json | 1 + tools/src/test/php/composer.json | 4 ++++ tools/src/test/resources/1.6/valid-evidence-1.6.textproto | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/src/test/js/package.json b/tools/src/test/js/package.json index 429aeb36..4e52a5c2 100644 --- a/tools/src/test/js/package.json +++ b/tools/src/test/js/package.json @@ -18,6 +18,7 @@ "test": "run-s test:*", "test:json-schema-lint": "node -- json-schema-lint-tests.js", "test:json-schema-functional": "run-s test:json-schema-functional:*", + "test:json-schema-functional:1.6": "node -- json-schema-functional-tests.js -v 1.6", "test:json-schema-functional:1.5": "node -- json-schema-functional-tests.js -v 1.5", "test:json-schema-functional:1.4": "node -- json-schema-functional-tests.js -v 1.4", "test:json-schema-functional:1.3": "node -- json-schema-functional-tests.js -v 1.3", diff --git a/tools/src/test/php/composer.json b/tools/src/test/php/composer.json index 204156ff..76c26c2a 100644 --- a/tools/src/test/php/composer.json +++ b/tools/src/test/php/composer.json @@ -18,16 +18,19 @@ ], "test:json-schema-lint": "@php -f json-schema-lint-tests.php --", "test:json-schema-functional": [ + "@test:json-schema-functional:1.6", "@test:json-schema-functional:1.5", "@test:json-schema-functional:1.4", "@test:json-schema-functional:1.3", "@test:json-schema-functional:1.2" ], + "test:json-schema-functional:1.6": "@php -f json-schema-functional-tests.php -- -v 1.6 --", "test:json-schema-functional:1.5": "@php -f json-schema-functional-tests.php -- -v 1.5 --", "test:json-schema-functional:1.4": "@php -f json-schema-functional-tests.php -- -v 1.4 --", "test:json-schema-functional:1.3": "@php -f json-schema-functional-tests.php -- -v 1.3 --", "test:json-schema-functional:1.2": "@php -f json-schema-functional-tests.php -- -v 1.2 --", "test:xml-schema-functional": [ + "@test:xml-schema-functional:1.6", "@test:xml-schema-functional:1.5", "@test:xml-schema-functional:1.4", "@test:xml-schema-functional:1.3", @@ -35,6 +38,7 @@ "@test:xml-schema-functional:1.1", "@test:xml-schema-functional:1.0" ], + "test:xml-schema-functional:1.6": "@php -f xml-schema-functional-tests.php -- -v 1.6 --", "test:xml-schema-functional:1.5": "@php -f xml-schema-functional-tests.php -- -v 1.5 --", "test:xml-schema-functional:1.4": "@php -f xml-schema-functional-tests.php -- -v 1.4 --", "test:xml-schema-functional:1.3": "@php -f xml-schema-functional-tests.php -- -v 1.3 --", diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto index 38641730..d9bcf194 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto @@ -1,4 +1,4 @@ -# proto-file: bom-1.5.proto +# proto-file: bom-1.6.proto # proto-message: Bom spec_version: "1.6" From ad6f39d8b619f9e0e1140d16e08b626f3211f0ab Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 24 Oct 2023 16:43:03 +0200 Subject: [PATCH 036/217] docs: improve SPDX expression docs Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 1 + schema/bom-1.6.schema.json | 1 + schema/bom-1.6.xsd | 7 ++++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index a02e9b20..e6a6c4fe 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -332,6 +332,7 @@ message Source { message LicenseChoice { oneof choice { License license = 1; + // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements string expression = 2; } } diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index dc93c21f..a6574a59 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -945,6 +945,7 @@ "expression": { "type": "string", "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements", "examples": [ "Apache-2.0 AND (MIT OR GPL-2.0-only)", "GPL-3.0-only WITH Classpath-exception-2.0" diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 8cb54003..5e218c47 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2106,7 +2106,12 @@ limitations under the License. A valid SPDX license expression. - Refer to https://spdx.org/specifications for syntax requirements + Refer to https://spdx.org/specifications for syntax requirements + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + From dd517f6ea8fda373390e93c6f7d0b9d46b926948 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 16 Nov 2023 11:04:25 +0100 Subject: [PATCH 037/217] CBOM: adds 'parameterSetIdentifier' property, replacing 'variant' Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 8014bdb6..58a17f89 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3879,15 +3879,10 @@ "unknown" ] }, - "variant": { + "parameterSetIdentifier": { "type": "string", - "title": "variant", - "description": "The variant for the crypto algorithm, algorithm components should be delimited with '-'", - "examples": [ - "aes128-cbc-pkcs7", - "rsa2048-cbc-oaep-sha256-mgf1", - "kyber1024" - ] + "title": "parameter set identifier", + "description": "An identifier for the parameter set of the crypto algorithm. Exampes: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." }, "curve": { "type": "string", From d39b039b49085802df430f315ae87ac156ce0137 Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Thu, 16 Nov 2023 09:04:24 -0600 Subject: [PATCH 038/217] Description and minor field updates Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 58a17f89..663fa63a 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3837,14 +3837,14 @@ }, "cryptoProperties": { "type": "object", - "title": "Crypto Properties", - "description": "Properties for Crypto Assets", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", "additionalProperties": false, "properties": { "assetType": { "type": "string", "title": "assetType", - "description": "The specific asset type for the crypto asset", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.\n\n* __algorithm__ = Mathematical functions that encrypt text. They are used for data encryption, authentication, and digital signatures.\n* __certificate__ = An electronic document that is used to provide the identity or validate a public key.\n* __protocol__ = A set of rules and guidelines that govern the behavior and communication with each other.\n* __relatedCryptoMaterial__ = Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens.", "enum": [ "algorithm", "certificate", @@ -3854,14 +3854,14 @@ }, "algorithmProperties": { "type": "object", - "title": "algorithm properties", - "description": "Properties for crypto assets of asset type 'algorithm'", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", "additionalProperties": false, "properties": { "primitive": { "type": "string", "title": "primitive", - "description": "The primitive for the crypto algorithm", + "description": "Low-level cryptographic building block used in higher-level cryptographic functions. Primitives can be used to construct algorithms used for encryption (e.g. AES), digital signatures (e.g. ECDSA), and pseudorandom number generators (e.g. PRNG).\n\n TODO Basil", "enum": [ "drbg", "mac", @@ -3881,13 +3881,13 @@ }, "parameterSetIdentifier": { "type": "string", - "title": "parameter set identifier", - "description": "An identifier for the parameter set of the crypto algorithm. Exampes: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." }, "curve": { "type": "string", - "title": "elliptic curve", - "description": "If applicable, the curve of the crypto algorithm", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity.", "enum": [ "brainpoolP160r1", "brainpoolP160t1", @@ -4045,14 +4045,14 @@ "unknown" ] }, - "implementationLevel": { + "executionEnvironment": { "type": "string", - "title": "implementation level", - "description": "The implementation level for the crypto algorithm", + "title": "Execution Environment", + "description": "The target and execution environment in which the algorithm is implemented in.\n\n* TODO Basil", "enum": [ - "softwarePlainRam", - "softwareEncryptedRam", - "softwareTee", + "softwarePlainRAM", + "softwareEncryptedRAM", + "softwareTEE", "hardware", "other", "unknown" From 38950aebd81eedb3a805d7bb741a044dd9b26c7a Mon Sep 17 00:00:00 2001 From: andreas hilti Date: Sun, 19 Nov 2023 10:35:51 +0100 Subject: [PATCH 039/217] Move comment to description Signed-off-by: andreas hilti --- schema/bom-1.6.schema.json | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index a6574a59..c9ab597d 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -121,10 +121,10 @@ }, "definitions": { "refType": { - "description": "Identifier for referable and therefore interlink-able elements.", + "description": "Identifier for referable and therefore interlink-able elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "type": "string", "minLength": 1, - "$comment": "value SHOULD not start with the BOM-Link intro 'urn:cdx:'" + "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" }, "refLinkType": { "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", @@ -326,7 +326,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "name": { "type": "string", @@ -363,7 +363,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "name": { "type": "string", @@ -425,7 +425,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "supplier": { "title": "Component Supplier", @@ -741,7 +741,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "id": { "$ref": "spdx.schema.json", @@ -954,7 +954,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." } } }] @@ -1257,7 +1257,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "provider": { "title": "Provider", @@ -1557,7 +1557,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "location": { "type": "string", @@ -1647,7 +1647,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "aggregate": { "$ref": "#/definitions/aggregateType", @@ -1999,7 +1999,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "id": { "type": "string", @@ -2365,7 +2365,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "subjects": { "type": "array", @@ -2459,7 +2459,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "modelParameters": { "type": "object", @@ -2648,7 +2648,7 @@ "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + "description": "An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." }, "type": { "type": "string", @@ -2878,7 +2878,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "description": "An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "components": { @@ -2932,7 +2932,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "description": "An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { @@ -3075,7 +3075,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "description": "An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { @@ -3247,7 +3247,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "description": "An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { @@ -3394,7 +3394,7 @@ "properties": { "bom-ref": { "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.", + "description": "An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, "uid": { From 224f7561e97e03d49e1bf08c387e8bd4334456a1 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 29 Nov 2023 16:48:42 +0100 Subject: [PATCH 040/217] Review description fields of 'algorithmProperties' Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index ef27e1a7..a25450c9 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3880,7 +3880,7 @@ "primitive": { "type": "string", "title": "primitive", - "description": "Low-level cryptographic building block used in higher-level cryptographic functions. Primitives can be used to construct algorithms used for encryption (e.g. AES), digital signatures (e.g. ECDSA), and pseudorandom number generators (e.g. PRNG).\n\n TODO Basil", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM) and authenticated encryption (ae, e.g. AES-GCM).", "enum": [ "drbg", "mac", @@ -4067,7 +4067,7 @@ "executionEnvironment": { "type": "string", "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in.\n\n* TODO Basil", + "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation runing in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", "enum": [ "softwarePlainRAM", "softwareEncryptedRAM", @@ -4080,7 +4080,7 @@ "implementationPlatform": { "type": "string", "title": "implementation platform", - "description": "The implementation platform for the crypto algorithm", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform such as 'x86_32', 'x86_64, 'armv7-a', 'armv7-m', 'armv8-a', 'armv8-m', 's390x', 'ppc64' or 'ppc64le'.", "enum": [ "generic", "x86_32", @@ -4099,7 +4099,7 @@ "certificationLevel": { "type": "string", "title": "certification level", - "description": "The certification level for the crypto algorithm", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", "enum": [ "none", "fips140-1-l1", @@ -4135,7 +4135,7 @@ "mode": { "type": "string", "title": "mode", - "description": "The cipher mode of operation for the crypto algorithm", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", "enum": [ "cbc", "ecb", @@ -4151,7 +4151,7 @@ "padding": { "type": "string", "title": "padding", - "description": "The padding for the crypto algorithm ", + "description": "The padding scheme that is used for the cryptographic algorithm.", "enum": [ "pkcs5", "pkcs7", @@ -4165,7 +4165,7 @@ "cryptoFunctions": { "type": "array", "title": "crypto function", - "description": "The crypto functions implemented by the crypto algorithm", + "description": "The cryptographic functions implemented by the cryptographic algorithm", "items": { "type": "string", "enum": [ @@ -4188,13 +4188,13 @@ "classicalSecurityLevel": { "type": "integer", "title": "classical security level", - "description": "classical security level", + "description": "The classical security level that a cryptographic algorithm provides (in bits).", "minimum": 0 }, "nistQuantumSecurityLevel": { "type": "integer", "title": "NIST security strength category", - "description": "NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria), or 0 if none of the categories are met", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", "minimum": 0, "maximum": 6 } From ad47938ed2323a5d7ca853b78d669a6944a72319 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 7 Dec 2023 08:21:39 -0600 Subject: [PATCH 041/217] Added key to enum Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index a25450c9..e2547587 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4275,6 +4275,7 @@ "privateKey", "publicKey", "secretKey", + "key", "ciphertext", "signature", "digest", From 800ad2a7e4620ee5cbdab631c839219fc1c1cf8e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 11 Dec 2023 21:18:39 -0600 Subject: [PATCH 042/217] Commits as of last meeting Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 170 ++----------------------------------- 1 file changed, 8 insertions(+), 162 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e2547587..43db4eb1 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3906,168 +3906,12 @@ "curve": { "type": "string", "title": "Elliptic Curve", - "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity.", - "enum": [ - "brainpoolP160r1", - "brainpoolP160t1", - "brainpoolP192r1", - "brainpoolP192t1", - "brainpoolP224r1", - "brainpoolP224t1", - "brainpoolP256r1", - "brainpoolP256t1", - "brainpoolP320r1", - "brainpoolP320t1", - "brainpoolP384r1", - "brainpoolP384t1", - "brainpoolP512r1", - "brainpoolP512t1", - "secp160k1", - "secp192k1", - "secp224k1", - "secp256k1", - "secp112r1", - "secp128r1", - "secp160r1", - "secp192r1", - "secp224r1", - "secp256r1", - "secp384r1", - "secp521r1", - "secp112r2", - "secp128r2", - "secp160r2", - "sect163k1", - "sect233k1", - "sect239k1", - "sect283k1", - "sect409k1", - "sect571k1", - "sect113r1", - "sect131r1", - "sect163r1", - "sect193r1", - "sect233r1", - "sect283r1", - "sect409r1", - "sect571r1", - "sect113r2", - "sect131r2", - "sect163r2", - "sect193r2", - "BLS12-377", - "BLS12-381", - "BLS12-446", - "BLS12-455", - "BLS12-638", - "BLS24-477", - "gost256", - "gost512", - "curve25519", - "curve448", - "sm2", - "Fp256BN", - "Fp384BN", - "Fp512BN", - "prime192v1", - "prime192v2", - "prime192v3", - "prime239v1", - "prime239v2", - "prime239v3", - "prime256v1", - "c2pnb176w1", - "c2pnb163v1", - "c2pnb163v2", - "c2pnb163v3", - "c2pnb208w1", - "c2tnb191v3", - "c2tnb191v2", - "c2tnb191v1", - "c2tnb239v3", - "c2tnb239v2", - "c2tnb239v1", - "c2pnb272w1", - "c2pnb304w1", - "c2pnb368w1", - "c2tnb359v1", - "c2tnb431r1", - "c2onb191v4", - "c2onb191v5", - "c2onb239v4", - "c2onb239v5", - "ansit163k1", - "ansit163r1", - "ansit163r2", - "ansit193r1", - "ansit193r2", - "ansit233k1", - "ansit233r1", - "ansit239k1", - "ansit283k1", - "ansit283r1", - "ansit409k1", - "ansit409r1", - "ansit571k1", - "ansit571r1", - "ansip160k1", - "ansip160r1", - "ansip160r2", - "ansip192k1", - "ansip224k1", - "ansip224r1", - "ansip256k1", - "ansip384r1", - "ansip521r1", - "FRP256v1", - "bn158", - "bn190", - "bn222", - "bn254", - "bn286", - "bn318", - "bn350", - "bn382", - "bn414", - "bn446", - "bn478", - "bn510", - "bn542", - "bn574", - "bn606", - "bn638", - "P-192", - "P-224", - "P-256", - "P-384", - "P-521", - "K-163", - "B-163", - "K-233", - "B-233", - "K-283", - "B-283", - "K-409", - "B-409", - "K-571", - "B-571", - "FourQ", - "wap-wsg-idm-ecid-wtls1", - "wap-wsg-idm-ecid-wtls3", - "wap-wsg-idm-ecid-wtls4", - "wap-wsg-idm-ecid-wtls5", - "wap-wsg-idm-ecid-wtls6", - "wap-wsg-idm-ecid-wtls7", - "wap-wsg-idm-ecid-wtls8", - "wap-wsg-idm-ecid-wtls9", - "other", - "unknown" - ] + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." }, "executionEnvironment": { "type": "string", "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation runing in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", + "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation running in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", "enum": [ "softwarePlainRAM", "softwareEncryptedRAM", @@ -4089,6 +3933,8 @@ "armv7-m", "armv8-a", "armv8-m", + "armv9-a", + "armv9-m", "s390x", "ppc64", "ppc64le", @@ -4098,7 +3944,7 @@ }, "certificationLevel": { "type": "string", - "title": "certification level", + "title": "Certification Level", "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", "enum": [ "none", @@ -4134,7 +3980,7 @@ }, "mode": { "type": "string", - "title": "mode", + "title": "Mode", "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", "enum": [ "cbc", @@ -4150,7 +3996,7 @@ }, "padding": { "type": "string", - "title": "padding", + "title": "Padding", "description": "The padding scheme that is used for the cryptographic algorithm.", "enum": [ "pkcs5", @@ -4164,7 +4010,7 @@ }, "cryptoFunctions": { "type": "array", - "title": "crypto function", + "title": "Crypto function", "description": "The cryptographic functions implemented by the cryptographic algorithm", "items": { "type": "string", From 32ffcc0796b5aae0c76b39d53ae209c7d480ca67 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Tue, 12 Dec 2023 10:47:26 +0100 Subject: [PATCH 043/217] add 'combiner' as primitive Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e2547587..11863f12 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3880,7 +3880,7 @@ "primitive": { "type": "string", "title": "primitive", - "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM) and authenticated encryption (ae, e.g. AES-GCM).", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", "enum": [ "drbg", "mac", @@ -3894,6 +3894,7 @@ "keyagree", "kem", "ae", + "combiner", "other", "unknown" ] From 551d7ff16f74b8020f476ee470d2ade3fb6e440d Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Thu, 14 Dec 2023 08:58:45 -0600 Subject: [PATCH 044/217] Updates from todays CBOM meeting Signed-off-by: steve.springett --- schema/bom-1.6.schema.json | 109 +++++++++++++++++++------------------ 1 file changed, 57 insertions(+), 52 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f4267821..78f4fa11 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3848,11 +3848,13 @@ }, "dependencyType": { "type": "string", + "title": "Dependency Type", "enum": [ "implements", - "uses" + "uses", + "protectedBy" ], - "title": "Type to characterize a dependency" + "description": "An optional field that describes the type of dependency.\n\n* implement: refers to crypto assets implemented, or statically available in a component. Examples are the algorithms provided by crypto libraries. A crypto asset 'implemented' by a component does not imply that it is in use.\n* uses: refers to crypto assets in use, or being referenced by other components. The referencing can be done by explicit function calls or by configuration at run time. Usage may change over time, so CBOMs always represent a snapshot at a given point in time." }, "cryptoProperties": { "type": "object", @@ -4049,19 +4051,19 @@ }, "certificateProperties": { "type": "object", - "title": "certificate properties", - "description": "Properties for crypto assets of asset type 'certificate'", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'", "additionalProperties": false, "properties": { "subjectName": { "type": "string", "title": "Subject Name", - "description": "The subject name for the crypto certificate" + "description": "The subject name for the certificate" }, "issuerName": { "type": "string", "title": "Issuer Name", - "description": "The issuer name for the crypto certificate" + "description": "The issuer name for the certificate" }, "notValidBefore": { "type": "string", @@ -4075,7 +4077,7 @@ }, "signatureAlgorithm": { "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", + "title": "Algorithm Reference", "description": "Bom-ref to signature algorithm used by the certificate" }, "subjectPublicKey": { @@ -4085,7 +4087,7 @@ }, "certificateFormat": { "type": "string", - "title": "Certificate format", + "title": "Certificate Format", "description": "The format of the certificate", "examples": [ "X.509", @@ -4096,8 +4098,8 @@ }, "certificateExtension": { "type": "string", - "title": "Certificate extensions", - "description": "The certificate extensions of the crypto certificate", + "title": "Certificate File Extension", + "description": "The file extension of the certificate", "examples": [ "crt", "pem", @@ -4110,14 +4112,14 @@ }, "relatedCryptoMaterialProperties": { "type": "object", - "title": "related crypto material properties", - "description": "Properties for crypto assets of asset type 'relatedCryptoMaterial'", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type 'relatedCryptoMaterial'", "additionalProperties": false, "properties": { "type": { "type": "string", "title": "relatedCryptoMaterialType", - "description": "The type for the related crypto material", + "description": "The type for the related cryptographic material", "enum": [ "privateKey", "publicKey", @@ -4142,13 +4144,13 @@ }, "id": { "type": "string", - "title": "id", - "description": "The identifier for the relatedCryptoMaterial" + "title": "ID", + "description": "The optional unique identifier for the related cryptographic material" }, "state": { "type": "string", - "title": "state", - "description": "The key state according to NIST SP 800-57", + "title": "State", + "description": "The key state as defined by NIST SP 800-57", "enum": [ "preActivation", "active", @@ -4160,62 +4162,64 @@ }, "algorithmRef": { "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference", - "description": "Bom-ref to algorithm used to generate the relatedCryptoMaterial" + "title": "Algorithm Reference", + "description": "Bom-ref to the algorithm used to generate the related cryptographic material" }, "creationDate": { "type": "string", "format": "date-time", - "title": "creation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was created." + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." }, "activationDate": { "type": "string", "format": "date-time", - "title": "activation date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was activated." + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." }, "updateDate": { "type": "string", "format": "date-time", - "title": "update date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial was updated." + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." }, "expirationDate": { "type": "string", "format": "date-time", - "title": "expiration date", - "description": "The date and time (timestamp) when the relatedCryptoMaterial expired." + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." }, "value": { "type": "string", - "title": "Value assosiated to the crypto material", - "description": "The assosiated value of the crypto material" + "title": "Value", + "description": "The associated value of the cryptographic material" }, "size": { "type": "integer", - "title": "Crypto asset size (in bits)" + "title":"Size", + "description": "Cryptographic asset size (in bits)" }, "format": { "type": "string", - "title": "format", - "description": "format of the related crypto material (e.g. P8, PEM, DER)" + "title": "Format", + "description": "Format of the related cryptographic material (e.g. P8, PEM, DER)" }, "securedBy": { "$ref": "#/definitions/securedBy", - "title": "Crypto asset is secured by" + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." } } }, "protocolProperties": { "type": "object", - "title": "protocol properties", - "description": "Properties for crypto assets of asset type 'protocol'", + "title": "Protocol Properties", + "description": "Properties for cryptographic assets of asset type 'protocol'", "additionalProperties": false, "properties": { "type": { "type": "string", - "title": "type", + "title": "Type", "description": "The concrete protocol type", "enum": [ "tls", @@ -4230,7 +4234,7 @@ }, "version": { "type": "string", - "title": "protocol version", + "title": "Protocol Version", "description": "The version of the protocol", "examples": [ "1.0", @@ -4240,17 +4244,17 @@ }, "cipherSuites": { "type": "array", - "title": "Cipher suites related to the protocol", + "title": "Cipher Suites", "description": "A list of cipher suites related to the protocol", "items": { "$ref": "#/definitions/cipherSuite", - "title": "Cipher suite" + "title": "Cipher Suite" } }, "ikev2TransformTypes": { "type": "object", - "title": "IKEv2 transform types supported", - "description": "the IKEv2 transform types supported (types 1-4), according to RFC7296 section 3.3.2, and additional properties", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties", "properties": { "encr": { "$ref": "#/definitions/cryptoRefArray", @@ -4280,31 +4284,32 @@ }, "cryptoRefArray": { "$ref": "#/definitions/cryptoRefArray", - "title": "A list of protocol-related cryptographic assets" + "title": "Cryptographic References", + "description": "A list of protocol-related cryptographic assets" } } }, "oid": { "type": "string", "title": "OID", - "description": "OID of crypto asset" + "description": "Object identifier of cryptographic asset" } } }, "cryptoRef": { "type": "string", - "title": "Reference to a crypto asset", - "description": "Reference (bom-ref) to the crypto asset used in this context" + "title": "Reference to a Cryptographic Asset", + "description": "Reference (bom-ref) to the cryptographic asset used in this context" }, "cipherSuite": { "type": "object", - "title": "Cipher suite", + "title": "Cipher Suite", "description": "Object representing a cipher suite", "additionalProperties": false, "properties": { "name": { "type": "string", - "title": "Common name", + "title": "Common Name", "description": "A common name for the cipher suite", "examples": [ "TLS_DHE_RSA_WITH_AES_128_CCM" @@ -4312,17 +4317,17 @@ }, "algorithms": { "type": "array", - "title": "Related algorithms", + "title": "Related Algorithms", "description": "List of algorithms related to the cipher suite", "items": { "$ref": "#/definitions/cryptoRef", "title": "Algorithm reference", - "description": "Bom-ref to algorithm crypto asset" + "description": "Bom-ref to algorithm cryptographic asset" } }, "identifiers": { "type": "array", - "title": "Cipher suite identifiers", + "title": "Cipher Suite Identifiers", "description": "A list of common identifiers for the cipher suite", "items": { "type": "string", @@ -4344,13 +4349,13 @@ }, "securedBy": { "type": "object", - "title": "Crypto asset is secured by", + "title": "Secured By", "description": "Specifies the mechanism by which the crypto asset is secured by", "additionalProperties": false, "properties": { "mechanism": { "type": "string", - "title": "mechanism by which the crypto asset is secured by", + "title": "Mechanism", "description": "Specifies the mechanism by which the crypto asset is secured by", "examples": [ "HSM", From 29a9a7d7d831d634a912ac548de74bae5c41dbf8 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 16:54:47 -0600 Subject: [PATCH 045/217] Added attestation support to XSD and added JSON and XML test cases. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 111 +- schema/bom-1.6.xsd | 991 ++++++++++++++++-- .../resources/1.6/valid-attestation-1.6.json | 209 ++++ .../resources/1.6/valid-attestation-1.6.xml | 165 +++ 4 files changed, 1370 insertions(+), 106 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.xml diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 76d0ef02..7ed54830 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -118,7 +118,7 @@ "items": { "type": "object", "title": "Assessor", - "description": "", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", "additionalProperties": false, "properties": { "bom-ref": { @@ -160,7 +160,7 @@ "map": { "type": "array", "title": "Map", - "description": "The grouping of requirements to claims and the attestors declaired conformance and confidence thereof.", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", "items": { "type": "object", "additionalProperties": false, @@ -193,17 +193,17 @@ "minimum": 0, "maximum": 1, "title": "Score", - "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." }, "rationale": { "type": "string", "title": "Rationale", - "description": "The rationale for the score of conformance." + "description": "The rationale for the conformance score." }, - "mitigationStrategy": { + "mitigationStrategies": { "type": "array", - "title": "Mitigation Strategy", - "description": "The description of the mitigation strategy if conformance is not `1`.", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", "items": { "$ref": "#/definitions/refLinkType" } } } @@ -262,10 +262,10 @@ "title": "Predicate", "description": "The specific statement or assertion about the target." }, - "mitigationStrategy": { + "mitigationStrategies": { "type": "array", - "title": "Mitigation Strategy", - "description": "The written explanation of how any weaknesses in the evidence will be mitigated.", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", "items": { "$ref": "#/definitions/refLinkType" } }, "reasoning": { @@ -276,13 +276,13 @@ "evidence": { "type": "array", "title": "Evidence", - "description": "The array of references to evidence that supports this claim.", + "description": "The list of `bom-ref` to evidence that supports this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "counterEvidence": { "type": "array", "title": "Counter Evidence", - "description": "The array of references to counterEvidence that undermines this claim.", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", "items": { "$ref": "#/definitions/refLinkType" } }, "externalReferences": { @@ -302,7 +302,7 @@ "evidence": { "type": "array", "title": "Evidence", - "description": "The list of evidence.", + "description": "The list of evidence", "items": { "type": "object", "additionalProperties": false, @@ -315,7 +315,7 @@ "propertyName": { "type": "string", "title": "Type", - "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). " + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." }, "description": { "type": "string", @@ -323,28 +323,49 @@ "description": "The written description of what this evidence is and how it was created." }, "data": { - "type": "object", - "title": "Description", + "type": "array", + "title": "Data", "description": "The output or analysis that supports claims.", - "additionalProperties": false, - "properties": { - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "The optional way to include textual or encoded data.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL where the data can be retrieved.", - "format": "iri-reference" + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" } } } @@ -391,12 +412,6 @@ "description": "The list of organizations which claims are made against.", "items": {"$ref": "#/definitions/organizationalEntity"} }, - "people": { - "type": "array", - "title": "People", - "description": "The list of individuals which claims are made against.", - "items": {"$ref": "#/definitions/organizationalContact"} - }, "components": { "type": "array", "title": "Components", @@ -465,15 +480,25 @@ } } } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." } } }, "definitions": { "type": "object", "title": "Definitions", - "description": "", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", "additionalProperties": false, "properties": { "standards": { @@ -1551,7 +1576,7 @@ "type": { "type": "string", "title": "Type", - "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", + "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __electronic-signature__ An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.\n* __digital-signature__ = A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", "enum": [ "vcs", "issue-tracker", @@ -1591,6 +1616,8 @@ "codified-infrastructure", "quality-metrics", "poam", + "electronic-signature", + "digital-signature", "other" ] }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..51ed8658 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1402,6 +1402,16 @@ limitations under the License. Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + + + + + A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + + Use this if no other types accurately describe the purpose of the external reference @@ -5402,70 +5412,923 @@ limitations under the License. - - - - - - Provides additional information about a BOM. - - - - - A list of software and hardware components. - - - - - A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. - - - - - Provides the ability to document external references related to the BOM or - to the project the BOM describes. - - - - - Provides the ability to document dependency relationships. - - - - - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. - - - - - Provides the ability to document properties in a name/value store. - This provides flexibility to include data not officially supported in the standard - without having to use additional namespaces or create extensions. Property names - of interest to the general public are encouraged to be registered in the - CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. - - - - - Vulnerabilities identified in components or services. - - - - - Comments made by people, organizations, or tools about any object with - a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike - inventory information, annotations may contain opinion or commentary from various - stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, - and may optionally be signed. - - - - - Describes how a component or service was manufactured or deployed. This is - achieved through the use of formulas, workflows, tasks, and steps, which declare the precise - steps to reproduce along with the observed formulas describing the steps which transpired - in the manufacturing process. + + + + + + The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + + + + + + + + The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. + + + + + + + + The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + + + + + + + The entity issuing the assessment. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of attestations asserted by an assessor that maps requirements to claims. + + + + + + + + An attestation asserted by an assessor that maps requirements to claims. + + + + + + + + The short description explaining the main points of the attestation. + + + + + + + The `bom-ref` to the assessor asserting the attestation. + + + + + + + The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + + + + + + + + The `bom-ref` to the requirement being attested to. + + + + + + + The list of `bom-ref` to the claims being attested to. + + + + + + + + The `bom-ref` to the claim being attested to. + + + + + + + + + + The list of `bom-ref` to the counter claims being attested to. + + + + + + + + The `bom-ref` to the counter claim being attested to. + + + + + + + + + + The conformance of the claim meeting a requirement. + + + + + + + + The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + + + + + + + + + + + + + The rationale for the score of conformance. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + + + + The confidence of the claim meeting the requirement. + + + + + + + + The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + + + + + + + + + + + + + The rationale for the confidence score. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + The list of claims. + + + + + + + + + + + The `bom-ref` to a target representing a specific system, application, + API, module, team, person, process, business unit, company, etc... + that this claim is being applied to. + + + + + + + The specific statement or assertion about the target. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + The written explanation of why the evidence provided substantiates the claim. + + + + + + + The list of `bom-ref` to evidence that supports this claim. + + + + + + + The list of `bom-ref` to counterEvidence that supports this claim. + + + + + + Provides the ability to document external references related to the claim the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of evidence + + + + + + + + The list of evidence + + + + + + + + The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). + + + + + + + The written description of what this evidence is and how it was created. + + + + + + + The output or analysis that supports claims. + + + + + + + + The name of the data. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data. + + + + + + + + + + The date and time (timestamp) when the evidence was created. + + + + + The optional date and time (timestamp) when the evidence is no longer valid. + + + + + The author of the evidence. + + + + + The reviewer of the evidence. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of targets which claims are made against. + + + + + + + + The list of organizations which claims are made against. + + + + + + + + + + + + The list of components which claims are made against. + + + + + + + + + + + + The list of services which claims are made against. + + + + + + + + + + + + + + + + + + The brief statement affirmed by an individual regarding all declarations. + This could be an affirmation of acceptance by a third-party auditor or receiving + individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." + + + + + + + The list of signatories authorized on behalf of an organization to assert validity of this document. + + + + + + + + + + + The signatory's name. + + + + + + + The signatory's role within an organization. + + + + + + + The signatory's organization. + + + + + + + An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + + + + + The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + The name of the standard. This will often be a shortened, single name of the standard. + + + + + + + The description of the standard. + + + + + + + The version of the standard. + + + + + + + The owner of the standard, often the entity responsible for its release. + + + + + + + The list of requirements comprising the standard. + + + + + + + + + + + The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + + + + + + + The title of the requirement. + + + + + + + The textual content of the requirement. + + + + + + + The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + + + + + + + + + + + + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + + + + + + + + + + + + The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of levels associated with the standard. Some standards have different levels of compliance. + + + + + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes how a component or service was manufactured or deployed. This is + achieved through the use of formulas, workflows, tasks, and steps, which declare the precise + steps to reproduce along with the observed formulas describing the steps which transpired + in the manufacturing process. + + + + + + The list of declarations which describe the conformance to standards. Each declaration may + include attestations, claims, and evidence. + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.json b/tools/src/test/resources/1.6/valid-attestation-1.6.json new file mode 100644 index 00000000..c270d49b --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.json @@ -0,0 +1,209 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "declarations": { + "assessors": [ + { + "bom-ref": "assessor-1", + "thirdParty": true, + "organization": { + "name": "Assessors Inc" + } + } + ], + "attestations": [ + { + "summary": "Attestation summary here", + "assessor": "assessor-1", + "map": [ + { + "requirement": "requirement-1", + "claims": [ "claim-1" ], + "counterClaims": [ "counterClaim-1" ], + "conformance": { + "score": 0.8, + "rationale": "Conformance rationale here", + "mitigationStrategies": [ "mitigationStrategy-1" ] + }, + "confidence": { + "score": 1, + "rationale": "Confidence rationale here" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "claims": [ + { + "bom-ref": "claim-1", + "target": "acme-inc", + "predicate": "Predicate here", + "mitigationStrategies": [ "mitigationStrategy-1" ], + "reasoning": "Reasoning here", + "evidence": [ "evidence-1" ], + "counterEvidence": [ "counterEvidence-1" ], + "externalReferences": [ + { + "type": "issue-tracker", + "url": "https://alm.example.com" + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "evidence": [ + { + "bom-ref": "evidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Evidence here", + "contentType": "text/plain" + } + }, + "classification": "PII", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "bom-ref": "counterEvidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Counter evidence here", + "contentType": "text/plain" + } + }, + "classification": "Pubic", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "bom-ref": "mitigationStrategy-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Mitigation strategy here", + "contentType": "text/plain" + } + }, + "classification": "Company Confidential", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "targets": { + "organizations": [ + { + "bom-ref": "acme-inc", + "name": "Acme Inc" + } + ] + }, + "affirmation": { + "statement": "I certify, to the best of my knowledge, that all information is correct...", + "signatories": [ + { + "name": "Tom", + "role": "CEO", + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "name": "Jerry", + "role": "COO", + "organization": { + "name": "Acme Inc" + }, + "externalReference": { + "type": "electronic-signature", + "url": "https://example.com/coo-sig.png" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.xml b/tools/src/test/resources/1.6/valid-attestation-1.6.xml new file mode 100644 index 00000000..1dce0ced --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.xml @@ -0,0 +1,165 @@ + + + + + + false + + Acme Inc + + + + + + Attestation summary here + assessor-1 + + requirement-1 + + claim-1 + + + counterClaim-1 + + + 0.8 + Conformance rationale here + + mitigations-1 + + + + 1 + Confidence rationale here + + + + + + + + + + acme-inc + Predicate here + + mitigationStrategy-1 + + Reasoning here + evidence-1 + counterEvidence-1 + + + https://alm.example.com + + + + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Evidence here + + PII + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Counter evidence here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Mitigation strategy here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + Acme Inc + + + + + I certify, to the best of my knowledge, that all information is correct... + + + Tom + CEO + + + + + + Jerry + COO + + Acme Inc + + + https://example.com/coo-sig.png + + + + + + + + + + + + + + + \ No newline at end of file From 5be18a145aec7999776f5acbce2ce62516f9708e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 17:58:35 -0600 Subject: [PATCH 046/217] Added valid standard JSON and XML test cases and minor corrections to schemas. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 10 +- schema/bom-1.6.xsd | 98 ++++++++++--------- .../resources/1.6/valid-standard-1.6.json | 73 ++++++++++++++ 3 files changed, 130 insertions(+), 51 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.json diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 7ed54830..f9fcc6b4 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4231,16 +4231,16 @@ "title": "Name", "description": "The name of the standard. This will often be a shortened, single name of the standard." }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the standard." - }, "version": { "type": "string", "title": "Version", "description": "The version of the standard." }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the standard." + }, "owner": { "type": "string", "title": "Owner", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 51ed8658..05748c18 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6042,17 +6042,17 @@ limitations under the License. - + - The description of the standard. + The version of the standard. - + - The version of the standard. + The description of the standard. @@ -6170,54 +6170,60 @@ limitations under the License. - - - - The identifier used in the standard to identify a specific level. - - - - - - - The title of the level. - - - - - - - The description of the level. - - - - - - - The list of requirement `bom-ref`s that comprise the level. - - + - + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json new file mode 100644 index 00000000..b7b1e5fd --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.json @@ -0,0 +1,73 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "definitions": { + "standards": [ + { + "bom-ref": "standard-1", + "name": "Sample Standard", + "version": "1.0.0", + "description": "Description here", + "owner": "Acme Inc", + "requirements": [ + { + "bom-ref": "requirement-1", + "identifier": "v1", + "title": "Title here" + }, + { + "bom-ref": "requirement-1.1", + "identifier": "v1.1", + "title": "Title here", + "parent": "requirement-1" + }, + { + "bom-ref": "requirement-1.1.1", + "identifier": "v1.1.1", + "text": "Text of the requirement here", + "descriptions": [ + "Supplemental text here" + ], + "opencre": [ + "CRE:616-305" + ], + "parent": "requirement-1.1" + } + ], + "levels": [ + { + "bom-ref": "level-1", + "identifier": "Level 1", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-2", + "identifier": "Level 2", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-3", + "identifier": "Level 3", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ] + } +} \ No newline at end of file From 89c0088cd99174c6ebcb4660db776fd51dd11724 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 18:02:06 -0600 Subject: [PATCH 047/217] Added valid standard JSON and XML test cases and minor corrections to schemas. Signed-off-by: Steve Springett --- .../test/resources/1.6/valid-standard-1.6.xml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.xml diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml new file mode 100644 index 00000000..68272488 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -0,0 +1,59 @@ + + + + + + Sample Standard + 1.0.0 + Description here + Acme Inc + + + v1 + Title here + + + v1.1 + Title here + requirement-1 + + + v1.1.1 + Text of the requirement here + + Supplemental text here + + CRE:616-305 + requirement-1.1.1 + + + + + Level 1 + Description here + + v1.1.1 + + + + Level 2 + Description here + + v1.1.1 + + + + Level 3 + Description here + + v1.1.1 + + + + + + + + + + \ No newline at end of file From c537c581d615b7e8e4ed485ee44c3aafa54de0a6 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 18:04:25 -0600 Subject: [PATCH 048/217] corrected parent Signed-off-by: Steve Springett --- tools/src/test/resources/1.6/valid-standard-1.6.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index 68272488..530b3c08 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -24,7 +24,7 @@ Supplemental text here CRE:616-305 - requirement-1.1.1 + requirement-1.1 From 1bac4d62e6016d3e7faf6d4b7310f4e9e8c9b90d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Dec 2023 18:05:35 -0600 Subject: [PATCH 049/217] Corrected level ref Signed-off-by: Steve Springett --- tools/src/test/resources/1.6/valid-standard-1.6.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index 530b3c08..f2cb0119 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -32,21 +32,21 @@ Level 1 Description here - v1.1.1 + requirement-1.1.1 Level 2 Description here - v1.1.1 + requirement-1.1.1 Level 3 Description here - v1.1.1 + requirement-1.1.1 From 423fefe397e1be4b98f6519936d128f70f7690fa Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 26 Dec 2023 20:15:16 -0600 Subject: [PATCH 050/217] Added protobuf support and test cases Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 197 ++++++++++++++++++ .../1.6/valid-attestation-1.6.textproto | 179 ++++++++++++++++ .../1.6/valid-standard-1.6.textproto | 65 ++++++ 3 files changed, 441 insertions(+) create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.textproto diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index e6a6c4fe..78eb7698 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -39,6 +39,10 @@ message Bom { repeated Property properties = 12; // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process. repeated Formula formulation = 13; + // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence. + repeated Declarations declarations = 14; + // A collection of reusable objects that are defined and may be used elsewhere in the BOM. + repeated Definition definitions = 15; } enum Classification { @@ -263,6 +267,10 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; // Describes how a component or service was manufactured or deployed. EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; + // An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 38; + // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 39; } enum HashAlg { @@ -1486,3 +1494,192 @@ message EnvironmentVars { string value = 2; } } + +message Declarations { + message Assessor { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + optional bool thirdParty = 2; + // The entity issuing the assessment. + optional OrganizationalEntity organization = 3; + } + message Attestation { + message AttestationMap { + message AttestationConformance { + // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + optional double score = 1; + // The rationale for the conformance score. + optional string rationale = 2; + // The list of `bom-ref` to the evidence provided describing the mitigation strategies. + repeated string mitigationStrategies = 3; + } + message AttestationConfidence { + // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + optional double score = 1; + // The rationale for the confidence score. + optional string rationale = 2; + } + // The `bom-ref` to the requirement being attested to. + optional string requirement = 1; + // The list of `bom-ref` to the claims being attested to. + repeated string claims = 2; + // The list of `bom-ref` to the counter claims being attested to. + repeated string counterClaims = 3; + // The conformance of the claim meeting a requirement. + optional AttestationConformance conformance = 4; + // The confidence of the claim meeting the requirement. + optional AttestationConfidence confidence = 5; + } + // The short description explaining the main points of the attestation. + optional string summary = 1; + // The `bom-ref` to the assessor asserting the attestation. + optional string assessor = 2; + // The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + repeated AttestationMap map = 3; + } + message Claim { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to. + optional string target = 2; + // The specific statement or assertion about the target. + optional string predicate = 3; + // The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated. + repeated string mitigationStrategies = 4; + // The written explanation of why the evidence provided substantiates the claim. + optional string reasoning = 5; + // The list of `bom-ref` to evidence that supports this claim. + repeated string evidence = 6; + // The list of `bom-ref` to counterEvidence that supports this claim. + repeated string counterEvidence = 7; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 8; + } + message Evidence { + message Data { + message Contents { + // An optional way to include textual or encoded data. + optional AttachedText attachment = 1; + // The URL to where the data can be retrieved. + optional string url = 2; + } + // The name of the data. + optional string name = 1; + // The contents or references to the contents of the data being described. + optional Contents contents = 2; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + optional string classification = 3; + // A description of any sensitive data included. + repeated string sensitiveData = 4; + // Data Governance + optional DataGovernance governance = 5; + } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/. + optional string propertyName = 2; + // The written description of what this evidence is and how it was created. + optional string description = 3; + // The output or analysis that supports claims. + repeated Data data = 4; + // The date and time (timestamp) when the evidence was created. + optional google.protobuf.Timestamp created = 5; + // The optional date and time (timestamp) when the evidence is no longer valid. + optional google.protobuf.Timestamp expires = 6; + // The author of the evidence. + optional OrganizationalContact author = 7; + // The reviewer of the evidence. + optional OrganizationalContact reviewer = 8; + } + message Targets { + // The list of organizations which claims are made against. + repeated OrganizationalEntity organizations = 1; + // The list of components which claims are made against. + repeated Component components = 2; + // The list of services which claims are made against. + repeated Service services = 3; + } + message Affirmation { + message Signatory { + // The signatory's name. + optional string name = 1; + // The signatory's role within an organization. + optional string role = 2; + // The signatory's organization. + optional OrganizationalEntity organization = 3; + // An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + optional ExternalReference externalReference = 4; + } + // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. + optional string statement = 1; + // The list of signatories authorized on behalf of an organization to assert validity of this document. + repeated Signatory signatories = 2; + } + // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + repeated Assessor assessors = 1; + // The list of attestations asserted by an assessor that maps requirements to claims. + repeated Attestation attestations = 2; + // The list of claims. + repeated Claim claims = 3; + // The list of evidence + repeated Evidence evidence = 4; + // The list of targets which claims are made against. + optional Targets targets = 5; + // affirmation + optional Affirmation affirmation = 6; +} + +message Definition { + message Standard { + message Requirement { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + optional string identifier = 2; + // The title of the requirement. + optional string title = 3; + // The textual content of the requirement. + optional string text = 4; + // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + repeated string descriptions = 5; + // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + repeated string opencre = 6; + // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + optional string parent = 7; + // Specifies optional, custom, properties + repeated Property properties = 8; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 9; + } + message Level { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier used in the standard to identify a specific level. + optional string identifier = 2; + // The title of the level. + optional string title = 3; + // The description of the level. + optional string description = 4; + // The list of requirement `bom-ref`s that comprise the level. + repeated string requirements = 5; + } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The name of the standard. This will often be a shortened, single name of the standard. + optional string name = 2; + // The version of the standard. + optional string version = 3; + // The description of the standard. + optional string description = 4; + // The owner of the standard, often the entity responsible for its release. + optional string owner = 5; + // The list of requirements comprising the standard. + repeated Requirement requirements = 6; + // The list of levels associated with the standard. Some standards have different levels of compliance. + repeated Level levels = 7; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 8; + } + repeated Standard standards = 1; +} diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.textproto b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto new file mode 100644 index 00000000..ca16cf57 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto @@ -0,0 +1,179 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +declarations: { + assessors: [ + { + bom_ref: "assessor-1" + thirdParty: true + organization: { + name: "Assessors Inc" + } + } + ] + attestations: [ + { + summary: "Attestation summary here" + assessor: "assessor-1" + map: [ + { + requirement: "requirement-1" + claims: [ "claim-1" ] + counterClaims: [ "counterClaim-1" ] + conformance: { + score: 0.8, + rationale: "Conformance rationale here", + mitigationStrategies: [ "mitigationStrategy-1" ] + } + confidence: { + score: 1, + rationale: "Confidence rationale here" + } + } + ] + } + ], + claims: [ + { + bom_ref: "claim-1" + target: "acme-inc" + predicate: "Predicate here" + mitigationStrategies: [ "mitigationStrategy-1" ] + reasoning: "Reasoning here" + evidence: [ "evidence-1" ] + counterEvidence: [ "counterEvidence-1" ] + externalReferences: [ + { + type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER, + url: "https://alm.example.com" + } + ] + } + ] + evidence: [ + { + bom_ref: "evidence-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Evidence here" + } + } + classification: "PII", + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + }, + { + bom_ref: "counterEvidence-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Counter evidence here" + } + } + classification: "Pubic" + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + }, + { + bom_ref: "mitigationStrategy-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Mitigation strategy here" + } + } + classification: "Company Confidential" + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + } + ], + targets: { + organizations: [ + { + bom_ref: "acme-inc" + name: "Acme Inc" + } + ] + } + affirmation: { + statement: "I certify, to the best of my knowledge, that all information is correct..." + signatories: [ + { + name: "Tom" + role: "CEO" + }, + { + name: "Jerry" + role: "COO" + organization: { + name: "Acme Inc" + } + externalReference: { + type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE + url: "https://example.com/coo-sig.png" + } + } + ] + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto new file mode 100644 index 00000000..a9a68bc7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto @@ -0,0 +1,65 @@ +spec_version: "1.6", +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +definitions { + standards: [ + { + bom_ref: "standard-1" + name: "Sample Standard" + version: "1.0.0" + description: "Description here" + owner: "Acme Inc" + requirements: [ + { + bom_ref: "requirement-1" + identifier: "v1" + title: "Title here" + }, + { + bom_ref: "requirement-1.1" + identifier: "v1.1" + title: "Title here" + parent: "requirement-1" + }, + { + bom_ref: "requirement-1.1.1" + identifier: "v1.1.1" + text: "Text of the requirement here" + descriptions: [ + "Supplemental text here" + ] + opencre: [ + "CRE:616-305" + ], + parent: "requirement-1.1" + } + ] + levels: [ + { + bom_ref: "level-1" + identifier: "Level 1" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + }, + { + bom_ref: "level-2" + identifier: "Level 2" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + }, + { + bom_ref: "level-3" + identifier: "Level 3" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + } + ] + } + ] +} \ No newline at end of file From 55a7aad33abdc5dabd6436748b25666d3c77f10d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 27 Dec 2023 00:39:07 -0600 Subject: [PATCH 051/217] Fixed evidence identity. Updated test cases Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 4 +- schema/bom-1.6.xsd | 7 +- .../resources/1.6/valid-evidence-1.6.json | 44 ++++ .../1.6/valid-evidence-1.6.textproto | 208 +++++++++++------- .../test/resources/1.6/valid-evidence-1.6.xml | 41 ++++ 5 files changed, 219 insertions(+), 85 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index c9ab597d..fde826bd 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1461,8 +1461,8 @@ "additionalProperties": false, "properties": { "identity": { - "type": "object", - "description": "Evidence that substantiates the identity of a component.", + "type": ["array", "object"], + "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", "required": [ "field" ], "additionalProperties": false, "properties": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..b6e10d9d 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2173,9 +2173,12 @@ limitations under the License. - + - Evidence that substantiates the identity of a component. + Evidence that substantiates the identity of a component. The identify may be an + object or an array of identity objects. Support for specifying identify as a single object was + introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all + implementations use arrays, even if only one identity object is specified. diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json index 2d6187dc..b4e0e71f 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.json +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.json @@ -105,6 +105,50 @@ } ] } + }, + { + "type": "application", + "group": "com.example", + "name": "example-project", + "version": "1.0.0", + "purl": "pkg:maven/com.example/example-project@1.0.0", + "evidence": { + "identity": [ + { + "field": "group", + "confidence": 0.1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + }, + { + "field": "name", + "confidence": 0.1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + }, + { + "field": "version", + "confidence": 0.1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + } + ] + } } ] } diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto index d9bcf194..c0704d7f 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto @@ -4,99 +4,145 @@ spec_version: "1.6" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -components { - type: CLASSIFICATION_APPLICATION - group: "com.google.code.findbugs" - name: "findbugs-project" - version: "3.0.0" - licenses { - license { - id: "LGPL-3.0-or-later" - url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" +components [ + { + type: CLASSIFICATION_APPLICATION + group: "com.google.code.findbugs" + name: "findbugs-project" + version: "3.0.0" + licenses { + license { + id: "LGPL-3.0-or-later" + url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + } } - } - purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" - evidence { - identity: { - field: EVIDENCE_FIELD_PURL, - confidence: 1, - methods: [ - { - technique: EVIDENCE_TECHNIQUE_FILENAME, - confidence: 0.1, - value: "findbugs-project-3.0.0.jar" - }, + purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" + evidence { + identity: { + field: EVIDENCE_FIELD_PURL, + confidence: 1, + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME, + confidence: 0.1, + value: "findbugs-project-3.0.0.jar" + }, + { + technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT + confidence: 0.9, + value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + }, + { + technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON + confidence: 0.7, + value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + } + ], + tools: [ + "bom-ref-of-tool-that-performed-analysis", + "bom-ref-of-tool-that-performed-analysis" + ] + }, + occurrences: [ { - technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT - confidence: 0.9, - value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" + location: "/path/to/component" }, { - technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON - confidence: 0.7, - value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" + location: "/another/path/to/component" } ], - tools: [ - "bom-ref-of-tool-that-performed-analysis", - "bom-ref-of-tool-that-performed-analysis" - ] - }, - occurrences: [ - { - bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" - location: "/path/to/component" + callstack: { + frames: [ + { + package: "com.apache.logging.log4j.core" + module: "Logger.class" + function: "logMessage" + parameters: [ + "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" + ], + line: 150 + column: 17 + fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + }, + { + module: "HelloWorld.class" + function: "main" + line: 20 + column: 12 + fullFilename: "/path/to/HelloWorld.class" + } + ] }, - { - bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" - location: "/another/path/to/component" + licenses { + license { + id: "Apache-2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0" + } + } + licenses { + license { + id: "LGPL-2.1-only" + url: "https://opensource.org/licenses/LGPL-2.1" + } + } + copyright { + text: "Copyright 2012 Google Inc. All Rights Reserved." + } + copyright { + text: "Copyright (C) 2004,2005 Dave Brosius " + } + copyright { + text: "Copyright (C) 2005 William Pugh" + } + copyright { + text: "Copyright (C) 2004,2005 University of Maryland" } - ], - callstack: { - frames: [ + } + }, + { + type: CLASSIFICATION_APPLICATION + group: "com.example" + name: "example-project" + version: "1.0.0" + purl: "pkg:maven/com.example/example-project@1.0.0" + evidence: { + identity: [ + { + field: EVIDENCE_FIELD_GROUP + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] + }, { - package: "com.apache.logging.log4j.core" - module: "Logger.class" - function: "logMessage" - parameters: [ - "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" - ], - line: 150 - column: 17 - fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + field: EVIDENCE_FIELD_NAME + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] }, { - module: "HelloWorld.class" - function: "main" - line: 20 - column: 12 - fullFilename: "/path/to/HelloWorld.class" + field: EVIDENCE_FIELD_VERSION + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] } ] - }, - licenses { - license { - id: "Apache-2.0" - url: "http://www.apache.org/licenses/LICENSE-2.0" - } - } - licenses { - license { - id: "LGPL-2.1-only" - url: "https://opensource.org/licenses/LGPL-2.1" - } - } - copyright { - text: "Copyright 2012 Google Inc. All Rights Reserved." - } - copyright { - text: "Copyright (C) 2004,2005 Dave Brosius " - } - copyright { - text: "Copyright (C) 2005 William Pugh" - } - copyright { - text: "Copyright (C) 2004,2005 University of Maryland" } } -} +] diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml index 6efdda27..336d96c3 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.xml +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.xml @@ -88,5 +88,46 @@ + + com.example + example-project + 1.0.0 + pkg:maven/com.example/example-project@1.0.0 + + + group + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + name + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + version + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + From 6df7182392f618131c70d9fb1c023abd887930c1 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 27 Dec 2023 00:46:06 -0600 Subject: [PATCH 052/217] Removed unnecessary type for dataGovernance ref that resulted in warnings in some parsers. Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index c9ab597d..a7f9bb05 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1386,7 +1386,6 @@ ] }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" }, @@ -2709,7 +2708,6 @@ "type": "string" }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" } From 64d237ecbbb52cd07a0bf6b30d24be667c88928e Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 27 Dec 2023 00:58:08 -0600 Subject: [PATCH 053/217] Allowing allowUnionTypes to schema linting Signed-off-by: Steve Springett --- tools/src/test/js/json-schema-lint-tests.js | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 2afd4bcb..8fd7954e 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -49,6 +49,7 @@ function getAjv(strict) { validateFormats: true, allowMatchingProperties: true, addUsedSchema: false, + allowUnionTypes: true, schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema From 0820650512cc165614167da28817a2ed63bd53e2 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 27 Dec 2023 20:21:32 -0600 Subject: [PATCH 054/217] Refactoring identity evidence. Adding back in strict union support in linking. Adding deprecation check to tabs (oneOf, anyOf, allOf). Signed-off-by: Steve Springett --- .../templates/cyclonedx/tabbed_section.html | 6 +- schema/bom-1.6.schema.json | 174 ++++++++++-------- tools/src/test/js/json-schema-lint-tests.js | 2 +- 3 files changed, 101 insertions(+), 81 deletions(-) diff --git a/docgen/json/templates/cyclonedx/tabbed_section.html b/docgen/json/templates/cyclonedx/tabbed_section.html index 9cecf4c1..81ea390b 100644 --- a/docgen/json/templates/cyclonedx/tabbed_section.html +++ b/docgen/json/templates/cyclonedx/tabbed_section.html @@ -11,7 +11,11 @@

{{ node.definition_name or tab_label ~ " " ~ loop.index }} + >{{ node.definition_name or tab_label ~ " " ~ loop.index }} + {%- if node is deprecated -%} + {{ " " }}Deprecated + {%- endif -%} + {%- endfor -%} diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index fde826bd..6b9149e9 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1461,89 +1461,20 @@ "additionalProperties": false, "properties": { "identity": { - "type": ["array", "object"], "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", - "required": [ "field" ], - "additionalProperties": false, - "properties": { - "field": { - "type": "string", - "enum": [ - "group", "name", "version", "purl", "cpe", "swid", "hash" - ], - "title": "Field", - "description": "The identity field of the component which the evidence describes." - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." - }, - "methods": { + "oneOf" : [ + { "type": "array", - "title": "Methods", - "description": "The methods used to extract and/or analyze the evidence.", - "items": { - "type": "object", - "required": [ - "technique" , - "confidence" - ], - "additionalProperties": false, - "properties": { - "technique": { - "title": "Technique", - "description": "The technique used in this method of analysis.", - "type": "string", - "enum": [ - "source-code-analysis", - "binary-analysis", - "manifest-analysis", - "ast-fingerprint", - "hash-comparison", - "instrumentation", - "dynamic-analysis", - "filename", - "attestation", - "other" - ] - }, - "confidence": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Confidence", - "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." - }, - "value": { - "type": "string", - "title": "Value", - "description": "The value or contents of the evidence." - } - } - } + "title": "Array of Identity Objects", + "items": { "$ref": "#/definitions/componentIdentityEvidence" } }, - "tools": { - "type": "array", - "uniqueItems": true, - "items": { - "anyOf": [ - { - "title": "Ref", - "$ref": "#/definitions/refLinkType" - }, - { - "title": "BOM-Link Element", - "$ref": "#/definitions/bomLinkElementType" - } - ] - }, - "title": "BOM References", - "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + { + "title": "A Single Identity Object", + "description": "[Deprecated]", + "$ref": "#/definitions/componentIdentityEvidence", + "deprecated": true } - } + ] }, "occurrences": { "type": "array", @@ -3809,6 +3740,91 @@ } } }, + "componentIdentityEvidence": { + "type": "object", + "description": "Evidence that substantiates the identity of a component.", + "required": [ "field" ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", "name", "version", "purl", "cpe", "swid", "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique" , + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, "signature": { "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 8fd7954e..85a53554 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -49,7 +49,7 @@ function getAjv(strict) { validateFormats: true, allowMatchingProperties: true, addUsedSchema: false, - allowUnionTypes: true, + allowUnionTypes: false, schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema From 163859d414e774753d362f72c4d3ec1bb043b370 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 27 Dec 2023 20:24:07 -0600 Subject: [PATCH 055/217] Making suggested modifications to XML schema documentation Signed-off-by: Steve Springett --- schema/bom-1.6.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b6e10d9d..c67fc8da 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2177,8 +2177,8 @@ limitations under the License. Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was - introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all - implementations use arrays, even if only one identity object is specified. + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is RECOMMENDED that all + implementations are aware of "unbounded". From 29087203fd848fabb34748b4db0272ae72b543cf Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Jan 2024 17:37:47 -0600 Subject: [PATCH 056/217] Normalizing CBOM and porting to XML and Protobuf. Adding test files. Signed-off-by: Steve Springett --- docgen/json/templates/cyclonedx/content.html | 6 +- schema/bom-1.6.proto | 254 ++++ schema/bom-1.6.schema.json | 282 ++-- schema/bom-1.6.xsd | 1199 +++++++++++++++++ tools/src/test/js/json-schema-lint-tests.js | 1 + .../resources/1.6/valid-cryptography-1.6.json | 71 + .../1.6/valid-cryptography-1.6.textproto | 77 ++ .../resources/1.6/valid-cryptography-1.6.xml | 57 + .../1.6/valid-cryptography-full-1.6.json | 99 ++ .../1.6/valid-cryptography-full-1.6.textproto | 119 ++ .../1.6/valid-cryptography-full-1.6.xml | 93 ++ 11 files changed, 2164 insertions(+), 94 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-cryptography-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-cryptography-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-cryptography-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-cryptography-full-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml diff --git a/docgen/json/templates/cyclonedx/content.html b/docgen/json/templates/cyclonedx/content.html index 3e880425..7a2dbd0d 100644 --- a/docgen/json/templates/cyclonedx/content.html +++ b/docgen/json/templates/cyclonedx/content.html @@ -67,7 +67,11 @@

Must be one of:

    {%- for enum_choice in schema.kw_enum.array_items -%} -
  • {{ enum_choice.literal | python_to_json }}
    • +
  • + {%- if schema.kw_meta_enum -%}{%- endif -%} + {{ enum_choice.literal | python_to_json }} + {%- if schema.kw_meta_enum -%} = {{ schema.enum_description(enum_choice.literal) }}{%- endif -%} +
    • {%- endfor -%}
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index e6a6c4fe..87963505 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -67,6 +67,8 @@ enum Classification { CLASSIFICATION_MACHINE_LEARNING_MODEL = 11; // A collection of discrete values that convey information. CLASSIFICATION_DATA = 12; + // Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + CLASSIFICATION_CRYPTOGRAPHIC_ASSET = 13; } message Commit { @@ -133,6 +135,8 @@ message Component { optional ModelCard modelCard = 25; // This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types. optional ComponentData data = 26; + // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + optional CryptoProperties cryptoProperties = 27; } // Specifies the data flow. @@ -163,9 +167,17 @@ enum DataFlowDirection { } message Dependency { + enum DependencyType { + DEPENDENCY_TYPE_IMPLEMENTS = 0; + DEPENDENCY_TYPE_USES = 1; + DEPENDENCY_TYPE_PROTECTED_BY = 2; + } // References a component or service by the its bom-ref attribute string ref = 1; + // The bom-ref identifiers of the components or services that are dependencies of this dependency object. repeated Dependency dependencies = 2; + // Defines and characterizes the type of dependency + optional DependencyType type = 3; } message Diff { @@ -1486,3 +1498,245 @@ message EnvironmentVars { string value = 2; } } + +message CryptoProperties { + enum CryptoAssetType { + CRYPTO_ASSET_TYPE_ALGORITHM = 0; + CRYPTO_ASSET_TYPE_CERTIFICATE = 1; + CRYPTO_ASSET_TYPE_PROTOCOL = 2; + CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 3; + } + message AlgorithmProperties { + enum CryptoPrimitive { + CRYPTO_PRIMITIVE_DRBG = 0; + CRYPTO_PRIMITIVE_MAC = 1; + CRYPTO_PRIMITIVE_BLOCK_CIPHER = 2; + CRYPTO_PRIMITIVE_STREAM_CIPHER = 3; + CRYPTO_PRIMITIVE_SIGNATURE = 4; + CRYPTO_PRIMITIVE_HASH = 5; + CRYPTO_PRIMITIVE_PKE = 6; + CRYPTO_PRIMITIVE_XOF = 7; + CRYPTO_PRIMITIVE_KDF = 8; + CRYPTO_PRIMITIVE_KEY_AGREE = 9; + CRYPTO_PRIMITIVE_KEM = 10; + CRYPTO_PRIMITIVE_AE = 11; + CRYPTO_PRIMITIVE_COMBINER = 12; + CRYPTO_PRIMITIVE_OTHER = 13; + CRYPTO_PRIMITIVE_UNKNOWN = 14; + } + enum CryptoExecutionEnvironment { + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 0; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 1; + CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 2; + CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 3; + CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 4; + CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 5; + } + enum CryptoImplementationPlatform { + CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 0; + CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 1; + CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 2; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 3; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 4; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 5; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 6; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 7; + CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 8; + CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 9; + CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 10; + CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 11; + CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 12; + CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 13; + } + enum CryptoAlgorithmMode { + CRYPTO_ALGORITHM_MODE_CBC = 0; + CRYPTO_ALGORITHM_MODE_ECB = 1; + CRYPTO_ALGORITHM_MODE_CCM = 2; + CRYPTO_ALGORITHM_MODE_GCM = 3; + CRYPTO_ALGORITHM_MODE_CFB = 4; + CRYPTO_ALGORITHM_MODE_OFB = 5; + CRYPTO_ALGORITHM_MODE_CTR = 6; + CRYPTO_ALGORITHM_MODE_OTHER = 7; + CRYPTO_ALGORITHM_MODE_UNKNOWN = 8; + } + enum CryptoAlgorithmPadding { + CRYPTO_ALGORITHM_PADDING_PKCS5 = 0; + CRYPTO_ALGORITHM_PADDING_PKCS7 = 1; + CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 2; + CRYPTO_ALGORITHM_PADDING_OAEP = 3; + CRYPTO_ALGORITHM_PADDING_RAW = 4; + CRYPTO_ALGORITHM_PADDING_OTHER = 5; + CRYPTO_ALGORITHM_PADDING_UNKNOWN = 6; + } + enum CryptoAlgorithmFunction { + CRYPTO_ALGORITHM_FUNCTION_GENERATE = 0; + CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 1; + CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 2; + CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 3; + CRYPTO_ALGORITHM_FUNCTION_DIGEST = 4; + CRYPTO_ALGORITHM_FUNCTION_TAG = 5; + CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 6; + CRYPTO_ALGORITHM_FUNCTION_SIGN = 7; + CRYPTO_ALGORITHM_FUNCTION_VERIFY = 8; + CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 9; + CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 10; + CRYPTO_ALGORITHM_FUNCTION_OTHER = 11; + CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 12; + } + // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2). + optional CryptoPrimitive primitive = 1; + // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). + optional string parameterSetIdentifier = 2; + // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). + optional string curve = 3; + // The target and execution environment in which the algorithm is implemented in. + optional CryptoExecutionEnvironment executionEnvironment = 4; + // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform. + optional CryptoImplementationPlatform implementationPlatform = 5; + // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL). + optional string certificationLevel = 6; + // The mode of operation in which the cryptographic algorithm (block cipher) is used. + optional CryptoAlgorithmMode mode = 7; + // The padding scheme that is used for the cryptographic algorithm. + optional CryptoAlgorithmPadding padding = 8; + // The cryptographic functions implemented by the cryptographic algorithm. + repeated CryptoAlgorithmFunction cryptoFunctions = 9; + // The classical security level that a cryptographic algorithm provides (in bits). + optional int32 classicalSecurityLevel = 10; + // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met. + optional int32 nistQuantumSecurityLevel = 11; + } // end of AlgorithmProperties + message CertificateProperties { + // The subject name for the certificate + optional string subjectName = 1; + // The issuer name for the certificate + optional string issuerName = 2; + // The date and time according to ISO-8601 standard from which the certificate is valid + optional google.protobuf.Timestamp notValidBefore = 3; + // The date and time according to ISO-8601 standard from which the certificate is not valid anymore + optional google.protobuf.Timestamp notValidAfter = 4; + // The bom-ref to signature algorithm used by the certificate + optional string signatureAlgorithm = 5; + // The bom-ref to the public key of the subject + optional string subjectPublicKey = 6; + // The format of the certificate. Examples include X.509, PEM, DER, and CVC. + optional string certificateFormat = 7; + // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + optional string certificateExtension = 8; + } // end of CertificateProperties + message RelatedCryptoMaterialProperties { + enum CryptoRelatedType { + CRYPTO_RELATED_TYPE_PRIVATE_KEY = 0; + CRYPTO_RELATED_TYPE_PUBLIC_KEY = 1; + CRYPTO_RELATED_TYPE_SECRET_KEY = 2; + CRYPTO_RELATED_TYPE_KEY = 3; + CRYPTO_RELATED_TYPE_CIPHERTEXT = 4; + CRYPTO_RELATED_TYPE_SIGNATURE = 5; + CRYPTO_RELATED_TYPE_DIGEST = 6; + CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 7; + CRYPTO_RELATED_TYPE_NONCE = 8; + CRYPTO_RELATED_TYPE_SEED = 9; + CRYPTO_RELATED_TYPE_SALT = 10; + CRYPTO_RELATED_TYPE_SHARED_SECRET = 11; + CRYPTO_RELATED_TYPE_TAG = 12; + CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 13; + CRYPTO_RELATED_TYPE_PASSWORD = 14; + CRYPTO_RELATED_TYPE_CREDENTIAL = 15; + CRYPTO_RELATED_TYPE_TOKEN = 16; + CRYPTO_RELATED_TYPE_OTHER = 17; + CRYPTO_RELATED_TYPE_UNKNOWN = 18; + } + enum CryptoRelatedState { + CRYPTO_RELATED_STATE_PRE_ACTIVATION = 0; + CRYPTO_RELATED_STATE_ACTIVE = 1; + CRYPTO_RELATED_STATE_SUSPENDED = 2; + CRYPTO_RELATED_STATE_DEACTIVATED = 3; + CRYPTO_RELATED_STATE_COMPROMISED = 4; + CRYPTO_RELATED_STATE_DESTROYED = 5; + } + message CryptoRelatedSecuredBy { + // Specifies the mechanism by which the cryptographic asset is secured by. Examples include HSM, TPM, SGX, Software, and None + optional string mechanism = 1; + // The bom-ref to the algorithm. + optional string algorithmRef = 2; + } + // The type for the related cryptographic material + optional CryptoRelatedType type = 1; + // The optional unique identifier for the related cryptographic material. + optional string id = 2; + // The key state as defined by NIST SP 800-57. + optional CryptoRelatedState state = 3; + // The bom-ref to the algorithm used to generate the related cryptographic material. + optional string algorithmRef = 4; + // The date and time (timestamp) when the related cryptographic material was created. + optional google.protobuf.Timestamp creationDate = 5; + // The date and time (timestamp) when the related cryptographic material was activated. + optional google.protobuf.Timestamp activationDate = 6; + // The date and time (timestamp) when the related cryptographic material was updated. + optional google.protobuf.Timestamp updateDate = 7; + // The date and time (timestamp) when the related cryptographic material expires. + optional google.protobuf.Timestamp expirationDate = 8; + // The associated value of the cryptographic material. + optional string value = 9; + // The size of the cryptographic asset (in bits). + optional int64 size = 10; + // The format of the related cryptographic material (e.g. P8, PEM, DER). + optional string format = 11; + // The mechanism by which the cryptographic asset is secured by. + optional CryptoRelatedSecuredBy securedBy = 12; + } // end of RelatedCryptoMaterialProperties + message ProtocolProperties { + enum CryptoProtocolType { + CRYPTO_PROTOCOL_TYPE_TLS = 0; + CRYPTO_PROTOCOL_TYPE_SSH = 1; + CRYPTO_PROTOCOL_TYPE_IPSEC = 2; + CRYPTO_PROTOCOL_TYPE_IKE = 3; + CRYPTO_PROTOCOL_TYPE_SSTP = 4; + CRYPTO_PROTOCOL_TYPE_WPA = 5; + CRYPTO_PROTOCOL_TYPE_OTHER = 6; + CRYPTO_PROTOCOL_TYPE_UNKNOWN = 7; + } + message CryptoProtocolCipherSuite { + // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM + optional string name = 1; + // A list of algorithms related to the cipher suite. Use the bom-ref to the algorithm cryptographic asset. + repeated string algorithms = 2; + // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E + repeated string identifiers = 3; + } + message Ikev2TransformTypes { + // Transform Type 1: encryption algorithms + repeated string encr = 1; + // Transform Type 2: pseudorandom functions + repeated string prf = 2; + // Transform Type 3: integrity algorithms + repeated string integ = 3; + // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + repeated string ke = 4; + // Specifies if an Extended Sequence Number (ESN) is used. + optional bool esn = 5; + // IKEv2 Authentication method + repeated string auth = 6; + } + // The concrete protocol type. + optional CryptoProtocolType type = 1; + // The version of the protocol. Examples include 1.0, 1.2, and 1.99. + optional string version = 2; + // A list of cipher suites related to the protocol. + repeated CryptoProtocolCipherSuite cipherSuites = 3; + // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties. + optional Ikev2TransformTypes ikev2TransformTypes = 4; + } // end of ProtocolProperties + // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled. + optional CryptoAssetType assetType = 1; + // Additional properties specific to a cryptographic algorithm. + optional AlgorithmProperties algorithmProperties = 2; + // Properties for cryptographic assets of asset type 'certificate' + optional CertificateProperties certificateProperties = 3; + // Properties for cryptographic assets of asset type: `related-crypto-material` + optional RelatedCryptoMaterialProperties relatedCryptoMaterialProperties = 4; + // Properties specific to cryptographic assets of type: `protocol`. + optional ProtocolProperties protocolProperties = 5; + // The object identifier (OID) of the cryptographic asset. + optional string oid = 6; +} diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 78f4fa11..eae7430b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -410,10 +410,10 @@ "file", "machine-learning-model", "data", - "crypto-asset" + "cryptographic-asset" ], "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.\n* __crypto-asset__ = Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.\n* __cryptographic-asset__ = Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.", "examples": ["library"] }, "mime-type": { @@ -593,8 +593,7 @@ }, "cryptoProperties": { "$ref": "#/definitions/cryptoProperties", - "title": "Crypto Properties", - "description": "Properties for Crypto Assets" + "title": "Cryptographic Properties" }, "properties": { "type": "array", @@ -1250,9 +1249,9 @@ "title": "Depends On", "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." }, - "dependencyType": { + "type": { "type": "string", - "title": "Type of dependency", + "title": "Dependency Type", "description": "Defines and characterizes the type of dependency", "$ref": "#/definitions/dependencyType" } @@ -3852,9 +3851,15 @@ "enum": [ "implements", "uses", - "protectedBy" + "protected-by" ], - "description": "An optional field that describes the type of dependency.\n\n* implement: refers to crypto assets implemented, or statically available in a component. Examples are the algorithms provided by crypto libraries. A crypto asset 'implemented' by a component does not imply that it is in use.\n* uses: refers to crypto assets in use, or being referenced by other components. The referencing can be done by explicit function calls or by configuration at run time. Usage may change over time, so CBOMs always represent a snapshot at a given point in time." + "meta:enum": { + "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.", + "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time.", + "protected-by": "Refers to a component or service that safeguards another component or service. For example, a cryptographic component that protects a data component. A component or service which is protected by another component or service does not imply that either are in use." + }, + "default": "uses", + "description": "An optional field that describes the type of dependency." }, "cryptoProperties": { "type": "object", @@ -3864,14 +3869,20 @@ "properties": { "assetType": { "type": "string", - "title": "assetType", - "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.\n\n* __algorithm__ = Mathematical functions that encrypt text. They are used for data encryption, authentication, and digital signatures.\n* __certificate__ = An electronic document that is used to provide the identity or validate a public key.\n* __protocol__ = A set of rules and guidelines that govern the behavior and communication with each other.\n* __relatedCryptoMaterial__ = Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens.", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", "enum": [ "algorithm", "certificate", "protocol", - "relatedCryptoMaterial" - ] + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens." + } }, "algorithmProperties": { "type": "object", @@ -3882,24 +3893,41 @@ "primitive": { "type": "string", "title": "primitive", - "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algoorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", "enum": [ "drbg", "mac", - "blockcipher", - "streamcipher", + "block-cipher", + "stream-cipher", "signature", "hash", "pke", "xof", "kdf", - "keyagree", + "key-agree", "kem", "ae", "combiner", "other", "unknown" - ] + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } }, "parameterSetIdentifier": { "type": "string", @@ -3914,20 +3942,28 @@ "executionEnvironment": { "type": "string", "title": "Execution Environment", - "description": "The target and execution environment in which the algorithm is implemented in. The execution environment can be a software implementation running in plain unencrypted RAM ('softwarePlainRAM'), a software implementation running in encrypted RAM ('softwareEncryptedRAM'), a software implementation running in a trusted execution environment ('softwareTEE'), or an implementation in 'hardware'.", + "description": "The target and execution environment in which the algorithm is implemented in.", "enum": [ - "softwarePlainRAM", - "softwareEncryptedRAM", - "softwareTEE", + "software-plain-ram", + "software-encrypted-ram", + "software-tee", "hardware", "other", "unknown" - ] + ], + "meta:enum": { + "software-plain-ram": "A software implementation running in plain unencrypted RAM.", + "software-encrypted-ram": "A software implementation running in encrypted RAM.", + "software-tee": "A software implementation running in a trusted execution environment.", + "hardware": "A hardware implementation.", + "other": "Another implementation environment.", + "unknown": "The execution environment is not known." + } }, "implementationPlatform": { "type": "string", "title": "implementation platform", - "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform such as 'x86_32', 'x86_64, 'armv7-a', 'armv7-m', 'armv8-a', 'armv8-m', 's390x', 'ppc64' or 'ppc64le'.", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", "enum": [ "generic", "x86_32", @@ -3979,7 +4015,38 @@ "cc-eal7+", "other", "unknown" - ] + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } }, "mode": { "type": "string", @@ -3995,7 +4062,18 @@ "ctr", "other", "unknown" - ] + ], + "meta:enum": { + "cbc": "Cipher block chaining", + "ecb": "Electronic codebook", + "ccm": "Counter with cipher block chaining message authentication code", + "gcm": "Galois/counter", + "cfb": "Cipher feedback", + "ofb": "Output feedback", + "ctr": "Counter", + "other": "Another mode of operation", + "unknown": "The mode of operation is not known" + } }, "padding": { "type": "string", @@ -4009,12 +4087,21 @@ "raw", "other", "unknown" - ] + ], + "meta:enum": { + "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", + "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", + "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", + "oaep": "Optimal asymmetric encryption padding", + "raw": "Raw", + "other": "Another padding scheme", + "unknown": "The padding scheme is not known" + } }, "cryptoFunctions": { "type": "array", - "title": "Crypto function", - "description": "The cryptographic functions implemented by the cryptographic algorithm", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", "items": { "type": "string", "enum": [ @@ -4067,23 +4154,25 @@ }, "notValidBefore": { "type": "string", + "format": "date-time", "title": "Not Valid Before", "description": "The date and time according to ISO-8601 standard from which the certificate is valid" }, "notValidAfter": { "type": "string", + "format": "date-time", "title": "Not Valid After", "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" }, "signatureAlgorithm": { - "$ref": "#/definitions/cryptoRef", + "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "Bom-ref to signature algorithm used by the certificate" + "description": "The bom-ref to signature algorithm used by the certificate" }, "subjectPublicKey": { - "$ref": "#/definitions/cryptoRef", + "$ref": "#/definitions/refType", "title": "Key reference", - "description": "Bom-ref to the public key of the subject" + "description": "The bom-ref to the public key of the subject" }, "certificateFormat": { "type": "string", @@ -4113,46 +4202,46 @@ "relatedCryptoMaterialProperties": { "type": "object", "title": "Related Cryptographic Material Properties", - "description": "Properties for cryptographic assets of asset type 'relatedCryptoMaterial'", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`", "additionalProperties": false, "properties": { "type": { - "type": "string", - "title": "relatedCryptoMaterialType", - "description": "The type for the related cryptographic material", - "enum": [ - "privateKey", - "publicKey", - "secretKey", - "key", - "ciphertext", - "signature", - "digest", - "initializationVector", - "nonce", - "seed", - "salt", - "sharedSecret", - "tag", - "additionalData", - "password", - "credential", - "token", - "other", - "unknown" - ] + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ] }, "id": { "type": "string", "title": "ID", - "description": "The optional unique identifier for the related cryptographic material" + "description": "The optional unique identifier for the related cryptographic material." }, "state": { "type": "string", "title": "State", - "description": "The key state as defined by NIST SP 800-57", + "description": "The key state as defined by NIST SP 800-57.", "enum": [ - "preActivation", + "pre-activation", "active", "suspended", "deactivated", @@ -4161,9 +4250,9 @@ ] }, "algorithmRef": { - "$ref": "#/definitions/cryptoRef", + "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "Bom-ref to the algorithm used to generate the related cryptographic material" + "description": "The bom-ref to the algorithm used to generate the related cryptographic material." }, "creationDate": { "type": "string", @@ -4192,17 +4281,17 @@ "value": { "type": "string", "title": "Value", - "description": "The associated value of the cryptographic material" + "description": "The associated value of the cryptographic material." }, "size": { "type": "integer", "title":"Size", - "description": "Cryptographic asset size (in bits)" + "description": "The size of the cryptographic asset (in bits)." }, "format": { "type": "string", "title": "Format", - "description": "Format of the related cryptographic material (e.g. P8, PEM, DER)" + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." }, "securedBy": { "$ref": "#/definitions/securedBy", @@ -4214,13 +4303,13 @@ "protocolProperties": { "type": "object", "title": "Protocol Properties", - "description": "Properties for cryptographic assets of asset type 'protocol'", + "description": "Properties specific to cryptographic assets of type: `protocol`.", "additionalProperties": false, "properties": { "type": { "type": "string", "title": "Type", - "description": "The concrete protocol type", + "description": "The concrete protocol type.", "enum": [ "tls", "ssh", @@ -4230,12 +4319,22 @@ "wpa", "other", "unknown" - ] + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } }, "version": { "type": "string", "title": "Protocol Version", - "description": "The version of the protocol", + "description": "The version of the protocol.", "examples": [ "1.0", "1.2", @@ -4245,7 +4344,7 @@ "cipherSuites": { "type": "array", "title": "Cipher Suites", - "description": "A list of cipher suites related to the protocol", + "description": "A list of cipher suites related to the protocol.", "items": { "$ref": "#/definitions/cipherSuite", "title": "Cipher Suite" @@ -4254,31 +4353,32 @@ "ikev2TransformTypes": { "type": "object", "title": "IKEv2 Transform Types", - "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties", + "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.", + "additionalProperties": false, "properties": { "encr": { "$ref": "#/definitions/cryptoRefArray", - "title": "Transform Type 1: encryption algorithms" + "description": "Transform Type 1: encryption algorithms" }, "prf": { "$ref": "#/definitions/cryptoRefArray", - "title": "Transform Type 2: pseudorandom functions" + "description": "Transform Type 2: pseudorandom functions" }, "integ": { "$ref": "#/definitions/cryptoRefArray", - "title": "Transform Type 3: integrity algorithms" + "description": "Transform Type 3: integrity algorithms" }, "ke": { "$ref": "#/definitions/cryptoRefArray", - "title": "Key Exchange Method (KE) by RFC9370, formerly called dh" + "description": "Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)" }, "esn": { "type": "boolean", - "title": "Extended Sequence Number is used" + "description": "Specifies if an Extended Sequence Number (ESN) is used." }, "auth": { "$ref": "#/definitions/cryptoRefArray", - "title": "IKEv2 Authentication method" + "description": "IKEv2 Authentication method" } } }, @@ -4292,15 +4392,10 @@ "oid": { "type": "string", "title": "OID", - "description": "Object identifier of cryptographic asset" + "description": "The object identifier (OID) of the cryptographic asset." } } }, - "cryptoRef": { - "type": "string", - "title": "Reference to a Cryptographic Asset", - "description": "Reference (bom-ref) to the cryptographic asset used in this context" - }, "cipherSuite": { "type": "object", "title": "Cipher Suite", @@ -4310,7 +4405,7 @@ "name": { "type": "string", "title": "Common Name", - "description": "A common name for the cipher suite", + "description": "A common name for the cipher suite.", "examples": [ "TLS_DHE_RSA_WITH_AES_128_CCM" ] @@ -4318,17 +4413,17 @@ "algorithms": { "type": "array", "title": "Related Algorithms", - "description": "List of algorithms related to the cipher suite", + "description": "A list of algorithms related to the cipher suite.", "items": { - "$ref": "#/definitions/cryptoRef", + "$ref": "#/definitions/refType", "title": "Algorithm reference", - "description": "Bom-ref to algorithm cryptographic asset" + "description": "The bom-ref to algorithm cryptographic asset." } }, "identifiers": { "type": "array", "title": "Cipher Suite Identifiers", - "description": "A list of common identifiers for the cipher suite", + "description": "A list of common identifiers for the cipher suite.", "items": { "type": "string", "title": "identifier", @@ -4344,19 +4439,19 @@ "cryptoRefArray" : { "type": "array", "items": { - "$ref": "#/definitions/cryptoRef" + "$ref": "#/definitions/refType" } }, "securedBy": { "type": "object", "title": "Secured By", - "description": "Specifies the mechanism by which the crypto asset is secured by", + "description": "Specifies the mechanism by which the cryptographic asset is secured by", "additionalProperties": false, "properties": { "mechanism": { "type": "string", "title": "Mechanism", - "description": "Specifies the mechanism by which the crypto asset is secured by", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", "examples": [ "HSM", "TPM", @@ -4366,8 +4461,9 @@ ] }, "algorithmRef": { - "$ref": "#/definitions/cryptoRef", - "title": "Algorithm reference" + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." } } } diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..a672e8d7 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -634,6 +634,18 @@ limitations under the License. specified for other component types. + + + + Cryptographic assets have properties that uniquely define them and that make them actionable + for further reasoning. As an example, it makes a difference if one knows the algorithm family + (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the + security level and the algorithm primitive (authenticated encryption) is only defined by the + definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 + vs. HMAC-SHA1 also makes a difference. + + + @@ -997,6 +1009,11 @@ limitations under the License. A collection of discrete values that convey information. + + + Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + + @@ -1826,6 +1843,11 @@ limitations under the License. References a component or service by its bom-ref attribute + + + An optional field that describes the type of dependency. + + User-defined attributes may be used on this element as long as they @@ -1834,6 +1856,37 @@ limitations under the License. + + + + + + Refers to a component or service that fulfills the requirements of a given specification or + standard. For example, a cryptographic library which implements a cryptographic algorithm. + A component which implements another component does not imply that the implementation is in use. + + + + + + + Refers to a component or service that relies on another component or service, either explicitly + via function calls or via configuration at run time. + + + + + + + Refers to a component or service that safeguards another component or service. For example, + a cryptographic component that protects a data component. A component or service which is + protected by another component or service does not imply that either are in use. + + + + + + @@ -5402,6 +5455,1152 @@ limitations under the License. + + + + Cryptographic assets have properties that uniquely define them and that make them actionable for + further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) + or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the + algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. + The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + + + + + + + Cryptographic assets occur in several forms. Algorithms and protocols are most commonly + implemented in specialized cryptographic libraries. They may however also be 'hardcoded' + in software components. Certificates and related cryptographic material like keys, tokens, + secrets or passwords are other cryptographic assets to be modelled. + + + + + + + + Mathematical function commonly used for data encryption, authentication, and + digital signatures. + + + + + + + An electronic document that is used to provide the identity or validate a public key. + + + + + + + A set of rules and guidelines that govern the behavior and communication with each other. + + + + + + + Other cryptographic assets that are related to algorithms, certificate, and protocols + such as keys and tokens. + + + + + + + + + + Additional properties specific to a cryptographic algorithm. + + + + + + + + Cryptographic building blocks used in higher-level cryptographic systems and + protocols. Primitives represent different cryptographic routines: deterministic + random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message + authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), + streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), + public-key encryption schemes (pke, e.g. RSA), extended output functions + (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement + algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated + encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms + (combiner, e.g. SP800-56Cr2). + + + + + + + + Deterministic Random Bit Generator (DRBG) is a type of pseudorandom + number generator designed to produce a sequence of bits from an initial + seed value. DRBGs are commonly used in cryptographic applications where + reproducibility of random values is important. + + + + + + + In cryptography, a Message Authentication Code (MAC) is information + used for authenticating and integrity-checking a message. + + + + + + + A block cipher is a symmetric key algorithm that operates on fixed-size + blocks of data. It encrypts or decrypts the data in block units, + providing confidentiality. Block ciphers are widely used in various + cryptographic modes and protocols for secure data transmission. + + + + + + + A stream cipher is a symmetric key cipher where plaintext digits are + combined with a pseudorandom cipher digit stream (keystream). + + + + + + + In cryptography, a signature is a digital representation of a message + or data that proves its origin, identity, and integrity. Digital + signatures are generated using cryptographic algorithms and are widely + used for authentication and verification in secure communication. + + + + + + + A hash function is a mathematical algorithm that takes an input + (or 'message') and produces a fixed-size string of characters, which is + typically a hash value. Hash functions are commonly used in various + cryptographic applications, including data integrity verification and + password hashing. + + + + + + + Public Key Encryption (PKE) is a type of encryption that uses a pair of + public and private keys for secure communication. The public key is used + for encryption, while the private key is used for decryption. PKE is a + fundamental component of public-key cryptography. + + + + + + + An XOF is an extendable output function that can take arbitrary input + and creates a stream of output, up to a limit determined by the size of + the internal state of the hash function that underlies the XOF. + + + + + + + A Key Derivation Function (KDF) derives key material from another source + of entropy while preserving the entropy of the input. + + + + + + + In cryptography, a key-agreement is a protocol whereby two or more + parties agree on a cryptographic key in such a way that both influence + the outcome. + + + + + + + A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for + transporting random keying material to a recipient using the recipient's + public key. + + + + + + + Authenticated Encryption (AE) is a cryptographic process that provides + both confidentiality and data integrity. It ensures that the encrypted + data has not been tampered with and comes from a legitimate source. + AE is commonly used in secure communication protocols. + + + + + + + A combiner aggregates many candidates for a cryptographic primitive and + generates a new candidate for the same primitive. + + + + + + + Another primitive type. + + + + + + + The primitive is not known. + + + + + + + + + + An identifier for the parameter set of the cryptographic algorithm. Examples: in + AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the + digest length, '128' in SHAKE128 identifies its maximum security level in bits, and + 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). + + + + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator + of the level of security strength, performance and complexity. Absent an + authoritative source of curve names, CycloneDX recommends use of curve names as + defined at https://neuromancer.sk/std/, the source from which can be found at + https://github.com/J08nY/std-curves. + + + + + + + The target and execution environment in which the algorithm is implemented in. + + + + + + + + A software implementation running in plain unencrypted RAM. + + + + + + + A software implementation running in encrypted RAM. + + + + + + A software implementation running in a trusted execution environment. + + + + + + A hardware implementation. + + + + + + Another implementation environment. + + + + + + The execution environment is not known. + + + + + + + + + + The target platform for which the algorithm is implemented. The implementation can + be 'generic', running on any platform or for a specific platform. + + + + + + + + + + + + + + + + + + + + + + + + + The certification that the implementation of the cryptographic algorithm has + received, if any. Certifications include revisions and levels of FIPS 140 or + Common Criteria of different Extended Assurance Levels (CC-EAL). + + + + + + + + No certification obtained + + + + + + + FIPS 140-1 Level 1 + + + + + + + FIPS 140-1 Level 2 + + + + + + + FIPS 140-1 Level 3 + + + + + + + FIPS 140-1 Level 4 + + + + + + + FIPS 140-2 Level 1 + + + + + + + FIPS 140-2 Level 2 + + + + + + + FIPS 140-2 Level 3 + + + + + + + FIPS 140-2 Level 4 + + + + + + + FIPS 140-3 Level 1 + + + + + + + FIPS 140-3 Level 2 + + + + + + + FIPS 140-3 Level 3 + + + + + + + FIPS 140-3 Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 1 + + + + + + + Common Criteria - Evaluation Assurance Level 1 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 2 + + + + + + + Common Criteria - Evaluation Assurance Level 2 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 3 + + + + + + + Common Criteria - Evaluation Assurance Level 3 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 4 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 5 + + + + + + + Common Criteria - Evaluation Assurance Level 5 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 6 + + + + + + + Common Criteria - Evaluation Assurance Level 6 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 7 + + + + + + + Common Criteria - Evaluation Assurance Level 7 (Augmented) + + + + + + + Another certification + + + + + + + The certification level is not known + + + + + + + + + + The mode of operation in which the cryptographic algorithm (block cipher) is used. + + + + + + + + Cipher block chaining + + + + + + + Electronic codebook + + + + + + + Counter with cipher block chaining message authentication code + + + + + + + Galois/counter + + + + + + + Cipher feedback + + + + + + + Output feedback + + + + + + + Counter + + + + + + + Another mode of operation + + + + + + + The mode of operation is not known + + + + + + + + + + The padding scheme that is used for the cryptographic algorithm. + + + + + + + + Password-Based Cryptography Specification #5 + + + + + + + Public Key Cryptography Standard: Cryptographic Message Syntax + + + + + + + Public Key Cryptography Standard: RSA Cryptography v1.5 + + + + + + + Optimal asymmetric encryption padding + + + + + + + Raw + + + + + + + Another padding scheme + + + + + + + The padding scheme is not known + + + + + + + + + + The cryptographic functions implemented by the cryptographic algorithm. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The classical security level that a cryptographic algorithm provides (in bits). + + + + + + + + + + + + The NIST security strength category as defined in + https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). + A value of 0 indicates that none of the categories are met. + + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'certificate' + + + + + + + + The subject name for the certificate + + + + + + + The issuer name for the certificate + + + + + + + The date and time according to ISO-8601 standard from which the certificate is valid + + + + + + + The date and time according to ISO-8601 standard from which the certificate is not valid anymore + + + + + + + The bom-ref to signature algorithm used by the certificate + + + + + + + The bom-ref to the public key of the subject + + + + + + + The format of the certificate. Examples include X.509, PEM, DER, and CVC + + + + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + + + + Properties for cryptographic assets of asset type 'relatedCryptoMaterial' + + + + + + + + The type for the related cryptographic material + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The optional unique identifier for the related cryptographic material. + + + + + + + The key state as defined by NIST SP 800-57. + + + + + + + + + + + + + + + + + The bom-ref to the algorithm used to generate the related cryptographic material. + + + + + + + The date and time (timestamp) when the related cryptographic material was created. + + + + + + + The date and time (timestamp) when the related cryptographic material was activated. + + + + + + + The date and time (timestamp) when the related cryptographic material was updated. + + + + + + + The date and time (timestamp) when the related cryptographic material expires. + + + + + + + The associated value of the cryptographic material. + + + + + + + The size of the cryptographic asset (in bits). + + + + + + + The format of the related cryptographic material (e.g. P8, PEM, DER). + + + + + + + The mechanism by which the cryptographic asset is secured by. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples include HSM, TPM, XGX, Software, and None. + + + + + + + The bom-ref to the algorithm. + + + + + + + + + + + + + Properties specific to cryptographic assets of type: 'protocol'. + + + + + + + + The concrete protocol type. + + + + + + + + Transport Layer Security + + + + + + + Secure Shell + + + + + + + Internet Protocol Security + + + + + + + Internet Key Exchange + + + + + + + Secure Socket Tunneling Protocol + + + + + + + Wi-Fi Protected Access + + + + + + + Another protocol type + + + + + + + The protocol type is not known + + + + + + + + + + The version of the protocol. Examples include 1.0, 1.2, and 1.99. + + + + + + + A list of cipher suites related to the protocol. + + + + + + + + + + + A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM + + + + + + + A list of algorithms related to the cipher suite. + + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + A list of common identifiers for the cipher suite. + + + + + + + + Cipher suite identifier. Examples include 0xC0 and 0x9E. + + + + + + + + + + + + + + + + The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, + and additional properties. + + + + + + + + Transform Type 1: encryption algorithms + + + + + + + Transform Type 2: pseudorandom functions + + + + + + + Transform Type 3: integrity algorithms + + + + + + + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + + + + + + Specifies if an Extended Sequence Number (ESN) is used. + + + + + + + IKEv2 Authentication method + + + + + + + + + + + + + The object identifier (OID) of the cryptographic asset. + + + + + + diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 2afd4bcb..651ef18f 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -49,6 +49,7 @@ function getAjv(strict) { validateFormats: true, allowMatchingProperties: true, addUsedSchema: false, + keywords: ["meta:enum"], schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-1.6.json new file mode 100644 index 00000000..1a9dfb5a --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.json @@ -0,0 +1,71 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "component": { + "type": "application", + "bom-ref": "acme-application", + "name": "Acme Application", + "version": "1.0" + } + }, + "components": [ + { + "type": "cryptographic-asset", + "bom-ref": "aes128gcm", + "name": "AES", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "ae", + "parameterSetIdentifier": "128", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": "none", + "mode": "gcm", + "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], + "classicalSecurityLevel": 128, + "nistQuantumSecurityLevel": 1 + }, + "oid": "oid:2.16.840.1.101.3.4.1.6" + } + }, + { + "type": "library", + "bom-ref": "crypto-library", + "name": "Crypto library", + "version": "1.0.0" + }, + { + "type": "data", + "bom-ref": "some-data", + "name": "Some Data", + "data": [ + { + "type": "dataset", + "classification": "confidential", + "sensitiveData": [ "Highly sensitive data including all PII fields and some PHI" ] + } + ] + } + ], + "dependencies": [ + { + "ref": "acme-application", + "type": "uses", + "dependsOn": ["crypto-library"] + }, + { + "ref": "crypto-library", + "type": "implements", + "dependsOn": ["aes128gcm"] + }, + { + "ref": "some-data", + "type": "protected-by", + "dependsOn": [ "crypto-library" ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto new file mode 100644 index 00000000..99ef7699 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto @@ -0,0 +1,77 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata: { + component: { + type: CLASSIFICATION_APPLICATION + bom_ref: "acme-application" + name: "Acme Application" + version: "1.0" + } +} +components: [ + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "aes128gcm" + name: "AES" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties: { + primitive: CRYPTO_PRIMITIVE_AE + parameterSetIdentifier: "128" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none", + mode: CRYPTO_ALGORITHM_MODE_GCM + cryptoFunctions: [ + CRYPTO_ALGORITHM_FUNCTION_KEYGEN, + CRYPTO_ALGORITHM_FUNCTION_ENCRYPT, + CRYPTO_ALGORITHM_FUNCTION_DECRYPT, + CRYPTO_ALGORITHM_FUNCTION_TAG + ] + classicalSecurityLevel: 128 + nistQuantumSecurityLevel: 1 + }, + oid: "oid:2.16.840.1.101.3.4.1.6" + } + }, + { + type: CLASSIFICATION_LIBRARY + bom_ref: "crypto-library" + name: "Crypto library" + version: "1.0.0" + }, + { + type: CLASSIFICATION_DATA + bom_ref: "some-data" + name: "Some Data" + data: { + type: COMPONENT_DATA_TYPE_DATASET + classification: "confidential" + sensitiveData: [ "Highly sensitive data including all PII fields and some PHI" ] + } + } +], +dependencies: [ + { + ref: "acme-application" + type: DEPENDENCY_TYPE_USES + dependencies { + ref: "crypto-library" + } + }, + { + ref: "crypto-library" + type: DEPENDENCY_TYPE_IMPLEMENTS + dependencies { + ref: "aes128gcm" + } + }, + { + ref: "some-data" + type: DEPENDENCY_TYPE_PROTECTED_BY + dependencies { + ref: "crypto-library" + } + } +] diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml new file mode 100644 index 00000000..97baac72 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml @@ -0,0 +1,57 @@ + + + + + Acme Application + 1.0 + + + + + AES + + algorithm + + ae + 128 + software-plain-ram + x86_64 + none + gcm + + keygen + encrypt + decrypt + tag + + 128 + 1 + + oid:2.16.840.1.101.3.4.1.6 + + + + Crypto Library + 1.0.0 + + + Some Data + + dataset + confidential + Highly sensitive data including all PII fields and some PHI + + + + + + + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json new file mode 100644 index 00000000..af88e859 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json @@ -0,0 +1,99 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "cryptographic-asset", + "bom-ref": "asset-1", + "name": "Name here", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "ae", + "parameterSetIdentifier": "128", + "curve": "brainpoolP160r1", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": "fips140-1-l4", + "mode": "gcm", + "padding": "pkcs5", + "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], + "classicalSecurityLevel": 128, + "nistQuantumSecurityLevel": 1 + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-2", + "name": "Name here", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "subjectName": "Subject name here", + "issuerName": "Issuer name here", + "notValidBefore": "2022-01-01T00:00:00.000Z", + "notValidAfter": "2024-01-01T00:00:00.000Z", + "signatureAlgorithm": "bom-ref-to-algorithm", + "subjectPublicKey": "bom-ref-to-public-key", + "certificateFormat": "X.509", + "certificateExtension": "crt" + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-3", + "name": "Name here", + "cryptoProperties": { + "assetType": "protocol", + "protocolProperties": { + "type": "tls", + "version": "1.3", + "cipherSuites": [ + { + "name": "TLS_DHE_RSA_WITH_AES_128_CCM", + "algorithms": [ + "bom-ref-to-algorithm" + ], + "identifiers": [ + "0xC0" + ] + } + ] + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-4", + "name": "Name here", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "private-key", + "id": "12345", + "state": "active", + "algorithmRef": "bom-ref-to-algorithm", + "creationDate": "2024-01-01T00:00:00.000Z", + "activationDate": "2024-01-02T00:00:00.000Z", + "updateDate": "2024-01-03T00:00:00.000Z", + "expirationDate": "2024-01-04T00:00:00.000Z", + "value": "Value here", + "size": 1024, + "format": "PEM", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "bom-ref-to-algorithm" + } + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto new file mode 100644 index 00000000..fc985e0a --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto @@ -0,0 +1,119 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components: [ + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-1" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties: { + primitive: CRYPTO_PRIMITIVE_AE + parameterSetIdentifier: "128" + curve: "brainpoolP160r1" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "fips140-1-l4" + mode: CRYPTO_ALGORITHM_MODE_GCM + padding: CRYPTO_ALGORITHM_PADDING_PKCS5 + cryptoFunctions: [ + CRYPTO_ALGORITHM_FUNCTION_KEYGEN, + CRYPTO_ALGORITHM_FUNCTION_ENCRYPT, + CRYPTO_ALGORITHM_FUNCTION_DECRYPT, + CRYPTO_ALGORITHM_FUNCTION_TAG + ] + classicalSecurityLevel: 128 + nistQuantumSecurityLevel: 1 + }, + oid: "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-2" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_CERTIFICATE + certificateProperties: { + subjectName: "Subject name here" + issuerName: "Issuer name here" + notValidBefore { + seconds: 3173618478 + nanos: 3 + } + notValidAfter { + seconds: 3173618478 + nanos: 3 + } + signatureAlgorithm: "bom-ref-to-algorithm" + subjectPublicKey: "bom-ref-to-public-key" + certificateFormat: "X.509" + certificateExtension: "crt" + } + oid: "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-3" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_PROTOCOL + protocolProperties: { + type: CRYPTO_PROTOCOL_TYPE_TLS + version: "1.3" + cipherSuites: [ + { + name: "TLS_DHE_RSA_WITH_AES_128_CCM" + algorithms: [ + "bom-ref-to-algorithm" + ] + identifiers: [ + "0xC0" + ] + } + ] + } + oid: "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-4" + name: "Name here" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL + relatedCryptoMaterialProperties: { + type: CRYPTO_RELATED_TYPE_PRIVATE_KEY + id: "12345" + state: CRYPTO_RELATED_STATE_ACTIVE + algorithmRef: "bom-ref-to-algorithm" + creationDate { + seconds: 3173618478 + nanos: 3 + } + activationDate { + seconds: 3173618478 + nanos: 3 + } + updateDate { + seconds: 3173618478 + nanos: 3 + } + expirationDate { + seconds: 3173618478 + nanos: 3 + } + value: "Value here" + size: 1024 + format: "PEM" + securedBy: { + mechanism: "HSM" + algorithmRef: "bom-ref-to-algorithm" + } + } + oid: "oid:1.2.3.4.5.6.7.8.9" + } + } +] diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml new file mode 100644 index 00000000..5fed9e98 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml @@ -0,0 +1,93 @@ + + + + + Name here + + algorithm + + ae + 128 + brainpoolP160r1 + software-plain-ram + x86_64 + fips140-1-l4 + gcm + pkcs5 + + keygen + encrypt + decrypt + tag + + 128 + 1 + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + certificate + + Subject name here + Issuer name here + 2022-01-01T00:00:00.000Z + 2024-01-01T00:00:00.000Z + bom-ref-to-algorithm + bom-ref-to-public-key + X.509 + crt + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + protocol + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + related-crypto-material + + private-key + 12345 + active + bom-ref-to-algorithm + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + 2024-01-03T00:00:00.000Z + 2024-01-04T00:00:00.000Z + Value here + 1024 + PEM + + HSM + bom-ref-to-algorithm + + + oid:1.2.3.4.5.6.7.8.9 + + + + From 0044906f0c3c211472b618ec1229106df9f0fed4 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jan 2024 22:00:35 -0600 Subject: [PATCH 057/217] Updating JSON Schema for Humans to latest release. Porting template changes. Signed-off-by: Steve Springett --- docgen/json/gen.sh | 2 +- docgen/json/templates/cyclonedx/content.html | 132 +++++++++--------- docgen/json/templates/cyclonedx/schema_doc.js | 4 +- .../templates/cyclonedx/schema_doc.min.js | 2 +- .../templates/cyclonedx/section_array.html | 11 ++ 5 files changed, 79 insertions(+), 72 deletions(-) diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh index e92128bc..a4e98d83 100755 --- a/docgen/json/gen.sh +++ b/docgen/json/gen.sh @@ -4,7 +4,7 @@ mkdir -p docs/{1.2,1.3,1.4,1.5,1.6} # Check to see if generate-schema-doc is executable and is in the path. If not, install JSON Schema for Humans. if ! [ -x "$(command -v generate-schema-doc)" ]; then - pip3 install json-schema-for-humans==0.44.3 + pip3 install json-schema-for-humans==0.47 fi generate () { diff --git a/docgen/json/templates/cyclonedx/content.html b/docgen/json/templates/cyclonedx/content.html index 3e880425..f5ae10c6 100644 --- a/docgen/json/templates/cyclonedx/content.html +++ b/docgen/json/templates/cyclonedx/content.html @@ -17,13 +17,17 @@ {# Display type #} {%- if not schema is combining -%} - Type: {{ type_name }} + Type: {{ type_name }} + {%- endif -%} + + {%- if schema.format -%} + Format: {{ schema.format }} {%- endif -%} {# Display default #} {%- set default_value = schema.default_value -%} {%- if default_value -%} - {{ " " }}Default: {{ default_value }} + {{ " " }}Default: {{ default_value }} {%- endif -%}
@@ -37,80 +41,72 @@ {%- elif schema.refers_to -%} {{ content(schema.refers_to_merged, True) }} {%- else -%} - {# Handle having oneOf or allOf with only one condition #} - {%- if schema.kw_all_of and (schema.kw_all_of.array_items | length) == 1 -%} - {{ content(schema.kw_all_of.array_items[0]) }} - {%- elif schema.kw_any_of and (schema.kw_any_of.array_items | length) == 1 -%} - {{ content(schema.kw_any_of.array_items[0]) }} - {%- else -%} - {%- if schema.explicit_no_additional_properties -%} - {{ " " }}No Additional Properties - {%- endif -%} - - {# Combining: allOf, anyOf, oneOf, not #} - {%- if schema.kw_all_of -%} -
{{ tabbed_section("allOf", schema.kw_all_of) }}
- {%- endif -%} - {%- if schema.kw_any_of -%} -
{{ tabbed_section("anyOf", schema.kw_any_of) }}
- {%- endif -%} - {%- if schema.kw_one_of -%} -
{{ tabbed_section("oneOf", schema.kw_one_of) }}
- {%- endif -%} - {%- if schema.kw_not -%} - {% include "section_not.html" %} - {%- endif -%} - - {# Enum and const #} - {%- if schema.kw_enum -%} -
-

Must be one of:

-
    - {%- for enum_choice in schema.kw_enum.array_items -%} -
  • {{ enum_choice.literal | python_to_json }}
    • - {%- endfor -%} -
-
- {%- endif -%} - {%- if schema.kw_const -%} - Specific value: {{ schema.kw_const.raw | python_to_json }} - {%- endif -%} + {%- if schema.explicit_no_additional_properties -%} + {{ " " }}No Additional Properties + {%- endif -%} - {# Pattern (Regular Expression) #} - {%- if schema.kw_pattern -%} - Must match regular expression: {{ schema.kw_pattern.literal | escape }} - {%- endif -%} + {# Combining: allOf, anyOf, oneOf, not #} + {%- if schema.kw_all_of -%} +
{{ tabbed_section("allOf", schema.kw_all_of) }}
+ {%- endif -%} + {%- if schema.kw_any_of -%} +
{{ tabbed_section("anyOf", schema.kw_any_of) }}
+ {%- endif -%} + {%- if schema.kw_one_of -%} +
{{ tabbed_section("oneOf", schema.kw_one_of) }}
+ {%- endif -%} + {%- if schema.kw_not -%} + {% include "section_not.html" %} + {%- endif -%} - {# Conditional subschema, or if-then-else section #} - {%- if schema.has_conditional -%} - {% include "section_conditional_subschema.html" %} - {%- endif -%} + {# Enum and const #} + {%- if schema.kw_enum -%} +
+

Must be one of:

+
    + {%- for enum_choice in schema.kw_enum.array_items -%} +
  • {{ enum_choice.literal | python_to_json }}
    • + {%- endfor -%} +
+
+ {%- endif -%} + {%- if schema.kw_const -%} + Specific value: {{ schema.kw_const.raw | python_to_json }} + {%- endif -%} - {# Required properties that are not defined under "properties". They will only be listed #} - {% include "section_undocumented_required_properties.html" %} + {# Pattern (Regular Expression) #} + {%- if schema.kw_pattern -%} + Must match regular expression: {{ schema.kw_pattern.literal | escape }} + {%- endif -%} - {# Show the requested type(s) #} - {% include "badge_type.html" %} + {# Conditional subschema, or if-then-else section #} + {%- if schema.has_conditional -%} + {% include "section_conditional_subschema.html" %} + {%- endif -%} - {# Show array restrictions #} - {%- if type_name.startswith("array") -%} - {% include "section_array.html" %} - {%- endif -%} + {# Required properties that are not defined under "properties". They will only be listed #} + {% include "section_undocumented_required_properties.html" %} - {# Display examples #} - {%- set examples = schema.examples -%} - {%- if examples -%} - {% include "section_examples.html" %} - {%- endif -%} + {# Show the requested type(s) #} + {% include "badge_type.html" %} - {# Properties, pattern properties, additional properties #} - {%- for sub_property in schema.iterate_properties -%} - {# Custom modification to remove $ properties from documentation #} - {%- if not sub_property.property_display_name.startswith("$") -%} - {% include "section_properties.html" %} - {%- endif -%} - {%- endfor -%} + {# Show array restrictions #} + {%- if type_name.startswith("array") -%} + {% include "section_array.html" %} + {%- endif -%} + {# Display examples #} + {%- set examples = schema.examples -%} + {%- if examples -%} + {% include "section_examples.html" %} {%- endif -%} + + {# Properties, pattern properties, additional properties #} + {%- for sub_property in schema.iterate_properties -%} + {# Custom modification to remove $ properties from documentation #} + {%- if not sub_property.property_display_name.startswith("$") -%} + {% include "section_properties.html" %} + {%- endif -%} + {%- endfor -%} {%- endif -%} {%- endmacro -%} \ No newline at end of file diff --git a/docgen/json/templates/cyclonedx/schema_doc.js b/docgen/json/templates/cyclonedx/schema_doc.js index be02797f..e03ce946 100644 --- a/docgen/json/templates/cyclonedx/schema_doc.js +++ b/docgen/json/templates/cyclonedx/schema_doc.js @@ -19,7 +19,7 @@ function setAnchor(anchorLinkDestination) { function anchorOnLoad() { // Added to onload on body, checks if there is an anchor link and if so, expand - let linkTarget = window.location.hash.split("?")[0].split("&")[0]; + let linkTarget = decodeURIComponent(window.location.hash.split("?")[0].split("&")[0]); if (linkTarget[0] === "#") { linkTarget = linkTarget.substr(1); } @@ -37,7 +37,7 @@ function anchorLink(linkTarget) { if($( this ).hasClass("collapse")) { $( this ).collapse("show"); } else if ($( this ).hasClass("tab-pane")) { - // We have the pane and not the the tab itself, find the tab + // We have the pane and not the tab itself, find the tab const tabToShow = $( "a[href='#" + $( this ).attr("id") + "']" ); if (tabToShow) { tabToShow.tab("show"); diff --git a/docgen/json/templates/cyclonedx/schema_doc.min.js b/docgen/json/templates/cyclonedx/schema_doc.min.js index 0d9c7882..0c58a70e 100644 --- a/docgen/json/templates/cyclonedx/schema_doc.min.js +++ b/docgen/json/templates/cyclonedx/schema_doc.min.js @@ -1 +1 @@ -function flashElement(t){myElement=document.getElementById(t),myElement.classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=window.location.hash.split("?")[0].split("&")[0];"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){$("#"+t).parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){const t=$("a[href='#"+$(this).attr("id")+"']");t&&t.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); \ No newline at end of file +function flashElement(t){(myElement=document.getElementById(t)).classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=decodeURIComponent(window.location.hash.split("?")[0].split("&")[0]);"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){let e=$("#"+t);e.parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){let e=$("a[href='#"+$(this).attr("id")+"']");e&&e.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); \ No newline at end of file diff --git a/docgen/json/templates/cyclonedx/section_array.html b/docgen/json/templates/cyclonedx/section_array.html index 1aad2e0f..15489a4b 100644 --- a/docgen/json/templates/cyclonedx/section_array.html +++ b/docgen/json/templates/cyclonedx/section_array.html @@ -7,6 +7,9 @@ {%- if schema.kw_unique_items and schema.kw_unique_items.literal == True -%} {{ restriction("All items must be unique", "unique-items", schema.kw_unique_items.html_id) }} {%- endif -%} +{%- if not schema.array_additional_items -%} + {{ " " }}No Additional Items +{%- endif -%} {%- if schema.array_items_def -%}

Each item of this array must be:

@@ -34,4 +37,12 @@

At least one of the items must be:

{{ content(schema.kw_contains) }}
+{%- endif -%} +{%- if schema.array_additional_items_def -%} +

All other items must be:

+
+
+ {{ content(schema.array_additional_items_def) }} +
+
{%- endif -%} \ No newline at end of file From deb137963c0944593a5c564b85fdd740c97248cf Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 7 Jan 2024 22:17:44 -0600 Subject: [PATCH 058/217] Initial commit for Ecma documentation generation Signed-off-by: Steve Springett --- docgen/ecma/gen.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100755 docgen/ecma/gen.sh diff --git a/docgen/ecma/gen.sh b/docgen/ecma/gen.sh new file mode 100755 index 00000000..534f3cab --- /dev/null +++ b/docgen/ecma/gen.sh @@ -0,0 +1,15 @@ +#!/bin/bash +rm -f -R docs temp out +mkdir -p docs temp +cp ../../schema/bom-1.6.schema.json temp +cp ../../schema/jsf-0.82.schema.json temp +cp ../../schema/spdx.schema.json temp + +# Check to see if jsonschema2md is executable and is in the path. If not, install jsonschema2md. +if ! [ -x "$(command -v jsonschema2md)" ]; then + npm install -g @adobe/jsonschema2md +fi + +echo Generating Ecma Documentation +jsonschema2md -d temp -o docs +rm -f -R temp out From d92e58efe09a384ce1b68ff1b7808903feb26d38 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 10 Jan 2024 22:43:34 -0600 Subject: [PATCH 059/217] Refactored JSON enum descriptions to use meta:enum Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 244 +++++++++++++++++++++++++++++++++---- 1 file changed, 217 insertions(+), 27 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index a7f9bb05..ebd3baea 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -179,13 +179,14 @@ "description": "The product lifecycle(s) that this BOM represents.", "oneOf": [ { + "title": "Pre-Defined Phase", "required": ["phase"], "additionalProperties": false, "properties": { "phase": { "type": "string", "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.\n\n* __design__ = BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.\n* __pre-build__ = BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.\n* __build__ = BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.\n* __post-build__ = BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.\n* __operations__ = BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.\n* __discovery__ = BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.\n* __decommission__ = BOM containing inventory that will be, or has been retired from operations.", + "description": "A pre-defined phase in the product lifecycle.", "enum": [ "design", "pre-build", @@ -194,11 +195,21 @@ "operations", "discovery", "decommission" - ] + ], + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } } } }, { + "title": "Custom Phase", "required": ["name"], "additionalProperties": false, "properties": { @@ -411,8 +422,22 @@ "machine-learning-model", "data" ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information." + }, "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", "examples": ["library"] }, "mime-type": { @@ -473,6 +498,11 @@ "optional", "excluded" ], + "meta:enum": { + "required": "The component is required for runtime", + "optional": "The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.", + "excluded": "Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime." + }, "title": "Component Scope", "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", "default": "required" @@ -675,7 +705,10 @@ "description": "Specifies the optional encoding the text is represented in.", "enum": [ "base64" - ] + ], + "meta:enum": { + "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + } }, "content": { "type": "string", @@ -867,7 +900,7 @@ "licenseTypes": { "type": "array", "title": "License Type", - "description": "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use of software solely for the purpose of education or research.\n* __appliance__ = A license covering use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access License (CAL) allows client computers to access services provided by server software.\n* __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.\n* __core-points__ = A license where the core of a computer's processor is assigned a specific number of points.\n* __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n* __device__ = A license that covers a defined number of installations on computers and other types of devices.\n* __evaluation__ = A license that grants permission to install and use software for trial purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n* __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.\n* __processor-points__ = A license where each installation consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use the software or service.\n* __user__ = A license that grants access to the software or service by a specified number of users.\n* __other__ = Another license type.\n", + "description": "The type of license(s) that was granted to the licensee.", "items": { "type": "string", "enum": [ @@ -887,7 +920,25 @@ "subscription", "user", "other" - ] + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." + } } }, "lastRenewal": { @@ -1012,8 +1063,14 @@ "backport", "cherry-pick" ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, "title": "Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.\n\n* __unofficial__ = A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch)\n* __monkey__ = A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch)\n* __backport__ = A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting)\n* __cherry-pick__ = A patch created by selectively applying commits from other versions or branches of the same software." + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." }, "diff": { "title": "Diff", @@ -1063,6 +1120,11 @@ "enhancement", "security" ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, "title": "Type", "description": "Specifies the type of issue" }, @@ -1170,7 +1232,7 @@ "type": { "type": "string", "title": "Type", - "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", + "description": "Specifies the type of external reference.", "enum": [ "vcs", "issue-tracker", @@ -1211,7 +1273,49 @@ "quality-metrics", "poam", "other" - ] + ], + "meta:enum": { + "vcs": "Version Control System", + "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", + "website": "Website", + "advisories": "Security advisories", + "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", + "mailing-list": "Mailing list or discussion group", + "social": "Social media account", + "chat": "Real-time chat platform", + "documentation": "Documentation, guides, or how-to instructions", + "support": "Community or commercial support", + "distribution": "Direct or repository download location", + "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", + "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", + "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", + "build-system": "Reference to an automated build system", + "release-notes": "Reference to release notes", + "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", + "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", + "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", + "configuration": "Parameters or settings that may be used by other components or services.", + "evidence": "Information used to substantiate a claim.", + "formulation": "Describes how a component or service was manufactured or deployed.", + "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", + "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", + "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", + "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", + "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", + "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", + "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", + "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", + "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", + "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", + "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", + "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", + "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", + "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", + "quality-metrics": "Report or system in which quality metrics can be obtained.", + "poam": "Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "other": "Use this if no other types accurately describe the purpose of the external reference." + } + }, "hashes": { "type": "array", @@ -1435,8 +1539,14 @@ "bi-directional", "unknown" ], + "meta:enum": { + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "bi-directional": "Data flows in and out of the service.", + "unknown": "The directional flow of data is not known." + }, "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known." + "description": "Specifies the flow direction of the data. Direction is relative to the service." }, "copyright": { @@ -1507,7 +1617,19 @@ "filename", "attestation", "other" - ] + ], + "meta:enum": { + "source-code-analysis": "Examines the source code without executing it.", + "binary-analysis": "Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal.", + "manifest-analysis": "Examines a package management system such as those used for building software or installing software.", + "ast-fingerprint": "Examines the Abstract Syntax Tree (AST) of source code or a compiled binary.", + "hash-comparison": "Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software.", + "instrumentation": "Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application.", + "dynamic-analysis": "Evaluates a running application.", + "filename": "Evaluates file name of a component against a set of known file names of identified software.", + "attestation": "A testimony to the accuracy of the identify of a component made by an individual or entity.", + "other": "Any other technique." + } }, "confidence": { "type": "number", @@ -1651,7 +1773,7 @@ "aggregate": { "$ref": "#/definitions/aggregateType", "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" + "description": "Specifies an aggregate type that describe how complete a relationship is." }, "assemblies": { "type": "array", @@ -1710,7 +1832,19 @@ "incomplete_third_party_opensource_only", "unknown", "not_specified" - ] + ], + "meta:enum": { + "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." + } }, "property": { "type": "object", @@ -1882,12 +2016,21 @@ "info", "none", "unknown" - ] + ], + "meta:enum": { + "critical": "Critical severity", + "high": "High severity", + "medium": "Medium severity", + "low": "Low severity", + "info": "Informational warning.", + "none": "None", + "unknown": "The severity is not known" + } }, "scoreMethod": { "type": "string", "title": "Method", - "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)", + "description": "Specifies the severity or risk scoring methodology or standard used.", "enum": [ "CVSSv2", "CVSSv3", @@ -1896,12 +2039,21 @@ "OWASP", "SSVC", "other" - ] + ], + "meta:enum": { + "CVSSv2": "Common Vulnerability Scoring System v2.0", + "CVSSv3": "Common Vulnerability Scoring System v3.0", + "CVSSv31": "Common Vulnerability Scoring System v3.1", + "CVSSv4": "Common Vulnerability Scoring System v4.0", + "OWASP": "OWASP Risk Rating Methodology", + "SSVC": "Stakeholder Specific Vulnerability Categorization", + "other": "Another severity or risk scoring methodology" + } }, "impactAnalysisState": { "type": "string", "title": "Impact Analysis State", - "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.", "enum": [ "resolved", "resolved_with_pedigree", @@ -1909,12 +2061,20 @@ "in_triage", "false_positive", "not_affected" - ] + ], + "meta:enum": { + "resolved": "The vulnerability has been remediated.", + "resolved_with_pedigree": "The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).", + "exploitable": "The vulnerability may be directly or indirectly exploitable.", + "in_triage": "The vulnerability is being investigated.", + "false_positive": "The vulnerability is not specific to the component or service and was falsely identified or associated.", + "not_affected": "The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases." + } }, "impactAnalysisJustification": { "type": "string", "title": "Impact Analysis Justification", - "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.", + "description": "The rationale of why the impact analysis state was asserted.", "enum": [ "code_not_present", "code_not_reachable", @@ -1925,7 +2085,18 @@ "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control" - ] + ], + "meta:enum": { + "code_not_present": "The code has been removed or tree-shaked.", + "code_not_reachable": "The vulnerable code is not invoked at runtime.", + "requires_configuration": "Exploitability requires a configurable option to be set/unset.", + "requires_dependency": "Exploitability requires a dependency that is not present.", + "requires_environment": "Exploitability requires a certain environment which is not present.", + "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", + "protected_at_runtime": "Exploits are prevented at runtime.", + "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", + "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." + } }, "rating": { "type": "object", @@ -2054,7 +2225,7 @@ "cwes": { "type": "array", "title": "CWEs", - "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", "examples": [399], "items": { "$ref": "#/definitions/cwe" @@ -2215,7 +2386,14 @@ "update", "rollback", "workaround_available" - ] + ], + "meta:enum": { + "can_not_fix": "Can not fix", + "will_not_fix": "Will not fix", + "update": "Update to a different revision or release", + "rollback": "Revert to a previous revision or release", + "workaround_available": "There is a workaround available" + } } }, "detail": { @@ -2315,7 +2493,12 @@ "affected", "unaffected", "unknown" - ] + ], + "meta:enum": { + "affected": "The version is affected by the vulnerability.", + "unaffected": "The version is not affected by the vulnerability.", + "unknown": "It is unknown (or unspecified) whether the given version is affected." + } }, "version": { "description": "A single disjunctive version identifier, for a component or service.", @@ -2508,12 +2691,12 @@ "items" : { "oneOf" : [ { - "title": "Inline Component Data", + "title": "Inline Data Information", "$ref": "#/definitions/componentData" }, { "type": "object", - "title": "Data Component Reference", + "title": "Data Reference", "additionalProperties": false, "properties": { "ref": { @@ -2652,14 +2835,21 @@ "type": { "type": "string", "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.\n\n* __source-code__ = Any type of code, code snippet, or data-as-code.\n* __configuration__ = Parameters or settings that may be used by other components.\n* __dataset__ = A collection of data.\n* __definition__ = Data that can be used to create new instances of what the definition defines.\n* __other__ = Any other type of data that does not fit into existing definitions.", + "description": "The general theme or subject matter of the data being specified.", "enum": [ "source-code", "configuration", "dataset", "definition", "other" - ] + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } }, "name": { "description": "The name of the dataset.", From a9072169c05043346dfc38d895916a475b65083d Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 10 Jan 2024 22:47:44 -0600 Subject: [PATCH 060/217] Fixed unit tests Signed-off-by: Steve Springett --- tools/src/test/js/json-schema-lint-tests.js | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 2afd4bcb..651ef18f 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -49,6 +49,7 @@ function getAjv(strict) { validateFormats: true, allowMatchingProperties: true, addUsedSchema: false, + keywords: ["meta:enum"], schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema From ae45d7c52257cb6c2889c4e65c097bb736711396 Mon Sep 17 00:00:00 2001 From: Thomas Jensen Date: Mon, 11 Dec 2023 15:41:32 +0100 Subject: [PATCH 061/217] Add `source-distribution` element to `externalReferenceType` #98 Signed-off-by: Thomas Jensen --- schema/bom-1.6.proto | 2 ++ schema/bom-1.6.schema.json | 2 ++ schema/bom-1.6.xsd | 5 +++++ 3 files changed, 9 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index e6a6c4fe..c803035c 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -263,6 +263,8 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; // Describes how a component or service was manufactured or deployed. EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; + // URL to a source archive. + EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38; } enum HashAlg { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index ebd3baea..e1194bef 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1244,6 +1244,7 @@ "chat", "documentation", "support", + "source-distribution", "distribution", "distribution-intake", "license", @@ -1285,6 +1286,7 @@ "chat": "Real-time chat platform", "documentation": "Documentation, guides, or how-to instructions", "support": "Community or commercial support", + "source-distribution": "URL to a source archive", "distribution": "Direct or repository download location", "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..345c4862 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1259,6 +1259,11 @@ limitations under the License. Community or commercial support + + + URL to a source archive + + Direct or repository download location From fff3552eb39cdc970c4d8614c0e5d19405c6a68f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 13 Jan 2024 21:45:10 -0600 Subject: [PATCH 062/217] Added missing descriptions Signed-off-by: Steve Springett --- schema/bom-1.6.xsd | 100 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 77 insertions(+), 23 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..7b09b12d 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2158,16 +2158,76 @@ limitations under the License. - - - - - - - - - - + + + + Examines the source code without executing it. + + + + + + + Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal. + + + + + + + Examines a package management system such as those used for building software or installing software. + + + + + + + Examines the Abstract Syntax Tree (AST) of source code or a compiled binary. + + + + + + + Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software. + + + + + + + Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application. + + + + + + + Evaluates a running application. + + + + + + + Evaluates file name of a component against a set of known file names of identified software. + + + + + + + A testimony to the accuracy of the identify of a component made by an individual or entity. + + + + + + + Any other technique. + + + @@ -4058,55 +4118,49 @@ limitations under the License. - The rating is based on CVSS v2 standard - https://www.first.org/cvss/v2/ + Common Vulnerability Scoring System v2.0 standard as defined at https://www.first.org/cvss/v2/ - The rating is based on CVSS v3.0 standard - https://www.first.org/cvss/v3-0/ + Common Vulnerability Scoring System v3.0 standard as defined at https://www.first.org/cvss/v3-0/ - The rating is based on CVSS v3.1 standard - https://www.first.org/cvss/v3-1/ + Common Vulnerability Scoring System v3.1 standard as defined at https://www.first.org/cvss/v3-1/ - The rating is based on CVSS v4.0 standard - https://www.first.org/cvss/v4-0/ + Common Vulnerability Scoring System v4.0 standard as defined at https://www.first.org/cvss/v4-0/ - The rating is based on OWASP Risk Rating - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + OWASP Risk Rating as defined at https://owasp.org/www-community/OWASP_Risk_Rating_Methodology - The rating is based on Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC + Stakeholder Specific Vulnerability Categorization as defined at https://github.com/CERTCC/SSVC - Use this if the risk scoring methodology is not based on any of the options above + Another severity or risk scoring methodology From c65fed23ed228c30268d3946fa67e11e6ddb62d5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 13 Jan 2024 21:45:56 -0600 Subject: [PATCH 063/217] Updated template to support markdown in meta:enum descriptions. Signed-off-by: Steve Springett --- docgen/json/templates/cyclonedx/content.html | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docgen/json/templates/cyclonedx/content.html b/docgen/json/templates/cyclonedx/content.html index f5ae10c6..3ad78b84 100644 --- a/docgen/json/templates/cyclonedx/content.html +++ b/docgen/json/templates/cyclonedx/content.html @@ -65,7 +65,13 @@

Must be one of:

    {%- for enum_choice in schema.kw_enum.array_items -%} -
  • {{ enum_choice.literal | python_to_json }}
    • +
  • + {%- if schema.kw_meta_enum -%}{%- endif -%} + {{ enum_choice.literal | python_to_json }} + {%- if schema.kw_meta_enum -%} + : {{ (schema.enum_description(enum_choice.literal) | get_description_literal) }} + {%- endif -%} +
    • {%- endfor -%}
From b2033e0b708d2f7e74bc0f766c3bf79caca4669a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 13 Jan 2024 22:53:40 -0600 Subject: [PATCH 064/217] Changed opencre to openCre Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.json | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.textproto | 2 +- tools/src/test/resources/1.6/valid-standard-1.6.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 78eb7698..ca17a107 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1644,7 +1644,7 @@ message Definition { // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. repeated string descriptions = 5; // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. - repeated string opencre = 6; + repeated string openCre = 6; // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. optional string parent = 7; // Specifies optional, custom, properties diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f9fcc6b4..b4fd4ca6 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4281,7 +4281,7 @@ "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", "items": { "type": "string" } }, - "opencre": { + "openCre": { "type": "array", "title": "OWASP OpenCRE Identifier(s)", "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 05748c18..dcb729dc 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6107,7 +6107,7 @@ limitations under the License. - + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json index b7b1e5fd..ad6b4bab 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.json +++ b/tools/src/test/resources/1.6/valid-standard-1.6.json @@ -30,7 +30,7 @@ "descriptions": [ "Supplemental text here" ], - "opencre": [ + "openCre": [ "CRE:616-305" ], "parent": "requirement-1.1" diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto index a9a68bc7..65b90e2a 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto @@ -28,7 +28,7 @@ definitions { descriptions: [ "Supplemental text here" ] - opencre: [ + openCre: [ "CRE:616-305" ], parent: "requirement-1.1" diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml index f2cb0119..7a36430a 100644 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -23,7 +23,7 @@ Supplemental text here - CRE:616-305 + CRE:616-305 requirement-1.1 From 76bf8f923bce5a631557ff64a998dcfc72c96c53 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 14 Jan 2024 23:11:16 -0600 Subject: [PATCH 065/217] Updating gitignore Signed-off-by: Steve Springett --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index fd07c943..32180a04 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .idea/ -tools/target/ \ No newline at end of file +tools/target/ +.DS_Store \ No newline at end of file From 13026283c68dca39da755bb6c2fcda370077fd97 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 14 Jan 2024 23:37:32 -0600 Subject: [PATCH 066/217] # Conflicts: # schema/bom-1.6.schema.json # tools/src/test/js/json-schema-lint-tests.js --- .github/workflows/build_docs.yml | 4 +- docgen/ecma/gen.sh | 15 + docgen/json/gen.sh | 2 +- docgen/json/templates/cyclonedx/content.html | 138 ++- docgen/json/templates/cyclonedx/schema_doc.js | 4 +- .../templates/cyclonedx/schema_doc.min.js | 2 +- .../templates/cyclonedx/section_array.html | 11 + schema/bom-1.6.proto | 199 +++ schema/bom-1.6.schema.json | 793 +++++++++++- schema/bom-1.6.xsd | 1102 +++++++++++++++-- tools/src/test/js/json-schema-lint-tests.js | 1 + .../resources/1.6/valid-attestation-1.6.json | 209 ++++ .../1.6/valid-attestation-1.6.textproto | 179 +++ .../resources/1.6/valid-attestation-1.6.xml | 165 +++ .../resources/1.6/valid-standard-1.6.json | 73 ++ .../1.6/valid-standard-1.6.textproto | 65 + .../test/resources/1.6/valid-standard-1.6.xml | 59 + 17 files changed, 2832 insertions(+), 189 deletions(-) create mode 100755 docgen/ecma/gen.sh create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.xml diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml index a1747b34..f59c0ec4 100644 --- a/.github/workflows/build_docs.yml +++ b/.github/workflows/build_docs.yml @@ -29,7 +29,7 @@ jobs: run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: XML-Schema-documentation path: docgen/xml/docs @@ -53,7 +53,7 @@ jobs: run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: JSON-Schema-documentation path: docgen/json/docs diff --git a/docgen/ecma/gen.sh b/docgen/ecma/gen.sh new file mode 100755 index 00000000..534f3cab --- /dev/null +++ b/docgen/ecma/gen.sh @@ -0,0 +1,15 @@ +#!/bin/bash +rm -f -R docs temp out +mkdir -p docs temp +cp ../../schema/bom-1.6.schema.json temp +cp ../../schema/jsf-0.82.schema.json temp +cp ../../schema/spdx.schema.json temp + +# Check to see if jsonschema2md is executable and is in the path. If not, install jsonschema2md. +if ! [ -x "$(command -v jsonschema2md)" ]; then + npm install -g @adobe/jsonschema2md +fi + +echo Generating Ecma Documentation +jsonschema2md -d temp -o docs +rm -f -R temp out diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh index e92128bc..a4e98d83 100755 --- a/docgen/json/gen.sh +++ b/docgen/json/gen.sh @@ -4,7 +4,7 @@ mkdir -p docs/{1.2,1.3,1.4,1.5,1.6} # Check to see if generate-schema-doc is executable and is in the path. If not, install JSON Schema for Humans. if ! [ -x "$(command -v generate-schema-doc)" ]; then - pip3 install json-schema-for-humans==0.44.3 + pip3 install json-schema-for-humans==0.47 fi generate () { diff --git a/docgen/json/templates/cyclonedx/content.html b/docgen/json/templates/cyclonedx/content.html index 3e880425..3ad78b84 100644 --- a/docgen/json/templates/cyclonedx/content.html +++ b/docgen/json/templates/cyclonedx/content.html @@ -17,13 +17,17 @@ {# Display type #} {%- if not schema is combining -%} - Type: {{ type_name }} + Type: {{ type_name }} + {%- endif -%} + + {%- if schema.format -%} + Format: {{ schema.format }} {%- endif -%} {# Display default #} {%- set default_value = schema.default_value -%} {%- if default_value -%} - {{ " " }}Default: {{ default_value }} + {{ " " }}Default: {{ default_value }} {%- endif -%}
@@ -37,80 +41,78 @@ {%- elif schema.refers_to -%} {{ content(schema.refers_to_merged, True) }} {%- else -%} - {# Handle having oneOf or allOf with only one condition #} - {%- if schema.kw_all_of and (schema.kw_all_of.array_items | length) == 1 -%} - {{ content(schema.kw_all_of.array_items[0]) }} - {%- elif schema.kw_any_of and (schema.kw_any_of.array_items | length) == 1 -%} - {{ content(schema.kw_any_of.array_items[0]) }} - {%- else -%} - {%- if schema.explicit_no_additional_properties -%} - {{ " " }}No Additional Properties - {%- endif -%} - - {# Combining: allOf, anyOf, oneOf, not #} - {%- if schema.kw_all_of -%} -
{{ tabbed_section("allOf", schema.kw_all_of) }}
- {%- endif -%} - {%- if schema.kw_any_of -%} -
{{ tabbed_section("anyOf", schema.kw_any_of) }}
- {%- endif -%} - {%- if schema.kw_one_of -%} -
{{ tabbed_section("oneOf", schema.kw_one_of) }}
- {%- endif -%} - {%- if schema.kw_not -%} - {% include "section_not.html" %} - {%- endif -%} - - {# Enum and const #} - {%- if schema.kw_enum -%} -
-

Must be one of:

-
    - {%- for enum_choice in schema.kw_enum.array_items -%} -
  • {{ enum_choice.literal | python_to_json }}
    • - {%- endfor -%} -
-
- {%- endif -%} - {%- if schema.kw_const -%} - Specific value: {{ schema.kw_const.raw | python_to_json }} - {%- endif -%} + {%- if schema.explicit_no_additional_properties -%} + {{ " " }}No Additional Properties + {%- endif -%} - {# Pattern (Regular Expression) #} - {%- if schema.kw_pattern -%} - Must match regular expression: {{ schema.kw_pattern.literal | escape }} - {%- endif -%} + {# Combining: allOf, anyOf, oneOf, not #} + {%- if schema.kw_all_of -%} +
{{ tabbed_section("allOf", schema.kw_all_of) }}
+ {%- endif -%} + {%- if schema.kw_any_of -%} +
{{ tabbed_section("anyOf", schema.kw_any_of) }}
+ {%- endif -%} + {%- if schema.kw_one_of -%} +
{{ tabbed_section("oneOf", schema.kw_one_of) }}
+ {%- endif -%} + {%- if schema.kw_not -%} + {% include "section_not.html" %} + {%- endif -%} - {# Conditional subschema, or if-then-else section #} - {%- if schema.has_conditional -%} - {% include "section_conditional_subschema.html" %} - {%- endif -%} + {# Enum and const #} + {%- if schema.kw_enum -%} +
+

Must be one of:

+
    + {%- for enum_choice in schema.kw_enum.array_items -%} +
  • + {%- if schema.kw_meta_enum -%}{%- endif -%} + {{ enum_choice.literal | python_to_json }} + {%- if schema.kw_meta_enum -%} + : {{ (schema.enum_description(enum_choice.literal) | get_description_literal) }} + {%- endif -%} +
    • + {%- endfor -%} +
+
+ {%- endif -%} + {%- if schema.kw_const -%} + Specific value: {{ schema.kw_const.raw | python_to_json }} + {%- endif -%} - {# Required properties that are not defined under "properties". They will only be listed #} - {% include "section_undocumented_required_properties.html" %} + {# Pattern (Regular Expression) #} + {%- if schema.kw_pattern -%} + Must match regular expression: {{ schema.kw_pattern.literal | escape }} + {%- endif -%} - {# Show the requested type(s) #} - {% include "badge_type.html" %} + {# Conditional subschema, or if-then-else section #} + {%- if schema.has_conditional -%} + {% include "section_conditional_subschema.html" %} + {%- endif -%} - {# Show array restrictions #} - {%- if type_name.startswith("array") -%} - {% include "section_array.html" %} - {%- endif -%} + {# Required properties that are not defined under "properties". They will only be listed #} + {% include "section_undocumented_required_properties.html" %} - {# Display examples #} - {%- set examples = schema.examples -%} - {%- if examples -%} - {% include "section_examples.html" %} - {%- endif -%} + {# Show the requested type(s) #} + {% include "badge_type.html" %} - {# Properties, pattern properties, additional properties #} - {%- for sub_property in schema.iterate_properties -%} - {# Custom modification to remove $ properties from documentation #} - {%- if not sub_property.property_display_name.startswith("$") -%} - {% include "section_properties.html" %} - {%- endif -%} - {%- endfor -%} + {# Show array restrictions #} + {%- if type_name.startswith("array") -%} + {% include "section_array.html" %} + {%- endif -%} + {# Display examples #} + {%- set examples = schema.examples -%} + {%- if examples -%} + {% include "section_examples.html" %} {%- endif -%} + + {# Properties, pattern properties, additional properties #} + {%- for sub_property in schema.iterate_properties -%} + {# Custom modification to remove $ properties from documentation #} + {%- if not sub_property.property_display_name.startswith("$") -%} + {% include "section_properties.html" %} + {%- endif -%} + {%- endfor -%} {%- endif -%} {%- endmacro -%} \ No newline at end of file diff --git a/docgen/json/templates/cyclonedx/schema_doc.js b/docgen/json/templates/cyclonedx/schema_doc.js index be02797f..e03ce946 100644 --- a/docgen/json/templates/cyclonedx/schema_doc.js +++ b/docgen/json/templates/cyclonedx/schema_doc.js @@ -19,7 +19,7 @@ function setAnchor(anchorLinkDestination) { function anchorOnLoad() { // Added to onload on body, checks if there is an anchor link and if so, expand - let linkTarget = window.location.hash.split("?")[0].split("&")[0]; + let linkTarget = decodeURIComponent(window.location.hash.split("?")[0].split("&")[0]); if (linkTarget[0] === "#") { linkTarget = linkTarget.substr(1); } @@ -37,7 +37,7 @@ function anchorLink(linkTarget) { if($( this ).hasClass("collapse")) { $( this ).collapse("show"); } else if ($( this ).hasClass("tab-pane")) { - // We have the pane and not the the tab itself, find the tab + // We have the pane and not the tab itself, find the tab const tabToShow = $( "a[href='#" + $( this ).attr("id") + "']" ); if (tabToShow) { tabToShow.tab("show"); diff --git a/docgen/json/templates/cyclonedx/schema_doc.min.js b/docgen/json/templates/cyclonedx/schema_doc.min.js index 0d9c7882..0c58a70e 100644 --- a/docgen/json/templates/cyclonedx/schema_doc.min.js +++ b/docgen/json/templates/cyclonedx/schema_doc.min.js @@ -1 +1 @@ -function flashElement(t){myElement=document.getElementById(t),myElement.classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=window.location.hash.split("?")[0].split("&")[0];"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){$("#"+t).parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){const t=$("a[href='#"+$(this).attr("id")+"']");t&&t.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); \ No newline at end of file +function flashElement(t){(myElement=document.getElementById(t)).classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=decodeURIComponent(window.location.hash.split("?")[0].split("&")[0]);"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){let e=$("#"+t);e.parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){let e=$("a[href='#"+$(this).attr("id")+"']");e&&e.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); \ No newline at end of file diff --git a/docgen/json/templates/cyclonedx/section_array.html b/docgen/json/templates/cyclonedx/section_array.html index 1aad2e0f..15489a4b 100644 --- a/docgen/json/templates/cyclonedx/section_array.html +++ b/docgen/json/templates/cyclonedx/section_array.html @@ -7,6 +7,9 @@ {%- if schema.kw_unique_items and schema.kw_unique_items.literal == True -%} {{ restriction("All items must be unique", "unique-items", schema.kw_unique_items.html_id) }} {%- endif -%} +{%- if not schema.array_additional_items -%} + {{ " " }}No Additional Items +{%- endif -%} {%- if schema.array_items_def -%}

Each item of this array must be:

@@ -34,4 +37,12 @@

At least one of the items must be:

{{ content(schema.kw_contains) }}
+{%- endif -%} +{%- if schema.array_additional_items_def -%} +

All other items must be:

+
+
+ {{ content(schema.array_additional_items_def) }} +
+
{%- endif -%} \ No newline at end of file diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index e6a6c4fe..f7c04a68 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -39,6 +39,10 @@ message Bom { repeated Property properties = 12; // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process. repeated Formula formulation = 13; + // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence. + repeated Declarations declarations = 14; + // A collection of reusable objects that are defined and may be used elsewhere in the BOM. + repeated Definition definitions = 15; } enum Classification { @@ -263,6 +267,12 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; // Describes how a component or service was manufactured or deployed. EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; + // URL to a source archive. + EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38; + // An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39; + // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40; } enum HashAlg { @@ -1486,3 +1496,192 @@ message EnvironmentVars { string value = 2; } } + +message Declarations { + message Assessor { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + optional bool thirdParty = 2; + // The entity issuing the assessment. + optional OrganizationalEntity organization = 3; + } + message Attestation { + message AttestationMap { + message AttestationConformance { + // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + optional double score = 1; + // The rationale for the conformance score. + optional string rationale = 2; + // The list of `bom-ref` to the evidence provided describing the mitigation strategies. + repeated string mitigationStrategies = 3; + } + message AttestationConfidence { + // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + optional double score = 1; + // The rationale for the confidence score. + optional string rationale = 2; + } + // The `bom-ref` to the requirement being attested to. + optional string requirement = 1; + // The list of `bom-ref` to the claims being attested to. + repeated string claims = 2; + // The list of `bom-ref` to the counter claims being attested to. + repeated string counterClaims = 3; + // The conformance of the claim meeting a requirement. + optional AttestationConformance conformance = 4; + // The confidence of the claim meeting the requirement. + optional AttestationConfidence confidence = 5; + } + // The short description explaining the main points of the attestation. + optional string summary = 1; + // The `bom-ref` to the assessor asserting the attestation. + optional string assessor = 2; + // The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + repeated AttestationMap map = 3; + } + message Claim { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to. + optional string target = 2; + // The specific statement or assertion about the target. + optional string predicate = 3; + // The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated. + repeated string mitigationStrategies = 4; + // The written explanation of why the evidence provided substantiates the claim. + optional string reasoning = 5; + // The list of `bom-ref` to evidence that supports this claim. + repeated string evidence = 6; + // The list of `bom-ref` to counterEvidence that supports this claim. + repeated string counterEvidence = 7; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 8; + } + message Evidence { + message Data { + message Contents { + // An optional way to include textual or encoded data. + optional AttachedText attachment = 1; + // The URL to where the data can be retrieved. + optional string url = 2; + } + // The name of the data. + optional string name = 1; + // The contents or references to the contents of the data being described. + optional Contents contents = 2; + // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + optional string classification = 3; + // A description of any sensitive data included. + repeated string sensitiveData = 4; + // Data Governance + optional DataGovernance governance = 5; + } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/. + optional string propertyName = 2; + // The written description of what this evidence is and how it was created. + optional string description = 3; + // The output or analysis that supports claims. + repeated Data data = 4; + // The date and time (timestamp) when the evidence was created. + optional google.protobuf.Timestamp created = 5; + // The optional date and time (timestamp) when the evidence is no longer valid. + optional google.protobuf.Timestamp expires = 6; + // The author of the evidence. + optional OrganizationalContact author = 7; + // The reviewer of the evidence. + optional OrganizationalContact reviewer = 8; + } + message Targets { + // The list of organizations which claims are made against. + repeated OrganizationalEntity organizations = 1; + // The list of components which claims are made against. + repeated Component components = 2; + // The list of services which claims are made against. + repeated Service services = 3; + } + message Affirmation { + message Signatory { + // The signatory's name. + optional string name = 1; + // The signatory's role within an organization. + optional string role = 2; + // The signatory's organization. + optional OrganizationalEntity organization = 3; + // An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + optional ExternalReference externalReference = 4; + } + // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. + optional string statement = 1; + // The list of signatories authorized on behalf of an organization to assert validity of this document. + repeated Signatory signatories = 2; + } + // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + repeated Assessor assessors = 1; + // The list of attestations asserted by an assessor that maps requirements to claims. + repeated Attestation attestations = 2; + // The list of claims. + repeated Claim claims = 3; + // The list of evidence + repeated Evidence evidence = 4; + // The list of targets which claims are made against. + optional Targets targets = 5; + // affirmation + optional Affirmation affirmation = 6; +} + +message Definition { + message Standard { + message Requirement { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + optional string identifier = 2; + // The title of the requirement. + optional string title = 3; + // The textual content of the requirement. + optional string text = 4; + // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + repeated string descriptions = 5; + // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + repeated string openCre = 6; + // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + optional string parent = 7; + // Specifies optional, custom, properties + repeated Property properties = 8; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 9; + } + message Level { + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The identifier used in the standard to identify a specific level. + optional string identifier = 2; + // The title of the level. + optional string title = 3; + // The description of the level. + optional string description = 4; + // The list of requirement `bom-ref`s that comprise the level. + repeated string requirements = 5; + } + // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. + optional string bom_ref = 1; + // The name of the standard. This will often be a shortened, single name of the standard. + optional string name = 2; + // The version of the standard. + optional string version = 3; + // The description of the standard. + optional string description = 4; + // The owner of the standard, often the entity responsible for its release. + optional string owner = 5; + // The list of requirements comprising the standard. + repeated Requirement requirements = 6; + // The list of levels associated with the standard. Some standards have different levels of compliance. + repeated Level levels = 7; + // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + repeated ExternalReference externalReferences = 8; + } + repeated Standard standards = 1; +} diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 6b9149e9..a25cf5d5 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -105,6 +105,412 @@ "title": "Formulation", "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." }, + "declarations": { + "type": "object", + "title": "Declarations", + "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", + "additionalProperties": false, + "properties": { + "assessors": { + "type": "array", + "title": "Assessors", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", + "items": { + "type": "object", + "title": "Assessor", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The entity issuing the assessment." + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "summary": { + "type": "string", + "title": "Summary", + "description": "The short description explaining the main points of the attestation." + }, + "assessor": { + "$ref": "#/definitions/refLinkType", + "title": "Assessor", + "description": "The `bom-ref` to the assessor asserting the attestation." + }, + "map": { + "type": "array", + "title": "Map", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/definitions/refLinkType", + "title": "Requirement", + "description": "The `bom-ref` to the requirement being attested to." + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of `bom-ref` to the claims being attested to.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterClaims": { + "type": "array", + "title": "Claims", + "description": "The list of `bom-ref` to the counter claims being attested to.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "conformance": { + "type": "object", + "title": "Conformance", + "description": "The conformance of the claim meeting a requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the conformance score." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "The confidence of the claim meeting the requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the confidence score." + } + } + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of claims.", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "target": { + "$ref": "#/definitions/refLinkType", + "title": "Target", + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "The specific statement or assertion about the target." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "The written explanation of why the evidence provided substantiates the claim." + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of `bom-ref` to evidence that supports this claim.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of evidence", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "propertyName": { + "type": "string", + "title": "Type", + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The written description of what this evidence is and how it was created." + }, + "data": { + "type": "array", + "title": "Data", + "description": "The output or analysis that supports claims.", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "An optional way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the evidence was created." + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "The optional date and time (timestamp) when the evidence is no longer valid." + }, + "author": { + "$ref": "#/definitions/organizationalContact", + "title": "Author", + "description": "The author of the evidence." + }, + "reviewer": { + "$ref": "#/definitions/organizationalContact", + "title": "Reviewer", + "description": "The reviewer of the evidence." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "The list of targets which claims are made against.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The list of organizations which claims are made against.", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, + "components": { + "type": "array", + "title": "Components", + "description": "The list of components which claims are made against.", + "items": {"$ref": "#/definitions/component"} + }, + "services": { + "type": "array", + "title": "Services", + "description": "The list of services which claims are made against.", + "items": {"$ref": "#/definitions/service"} + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "additionalProperties": false, + "properties": { + "statement": { + "type": "string", + "title": "Text", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ "I certify, to the best of my knowledge, that all information is correct." ] + }, + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "additionalProperties": false, + "oneOf": [ + { + "required": ["signature"] + }, + { + "required": ["externalReference", "organization"] + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." + }, + "externalReference": { + "$ref": "#/definitions/externalReference", + "title": "External Reference", + "description": "An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "definitions": { + "type": "object", + "title": "Definitions", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "items": { + "$ref": "#/definitions/standard" + } + } + } + }, "properties": { "type": "array", "title": "Properties", @@ -179,13 +585,14 @@ "description": "The product lifecycle(s) that this BOM represents.", "oneOf": [ { + "title": "Pre-Defined Phase", "required": ["phase"], "additionalProperties": false, "properties": { "phase": { "type": "string", "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.\n\n* __design__ = BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.\n* __pre-build__ = BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.\n* __build__ = BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.\n* __post-build__ = BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.\n* __operations__ = BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.\n* __discovery__ = BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.\n* __decommission__ = BOM containing inventory that will be, or has been retired from operations.", + "description": "A pre-defined phase in the product lifecycle.", "enum": [ "design", "pre-build", @@ -194,11 +601,21 @@ "operations", "discovery", "decommission" - ] + ], + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } } } }, { + "title": "Custom Phase", "required": ["name"], "additionalProperties": false, "properties": { @@ -411,8 +828,22 @@ "machine-learning-model", "data" ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information." + }, "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", "examples": ["library"] }, "mime-type": { @@ -473,6 +904,11 @@ "optional", "excluded" ], + "meta:enum": { + "required": "The component is required for runtime", + "optional": "The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.", + "excluded": "Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime." + }, "title": "Component Scope", "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", "default": "required" @@ -675,7 +1111,10 @@ "description": "Specifies the optional encoding the text is represented in.", "enum": [ "base64" - ] + ], + "meta:enum": { + "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + } }, "content": { "type": "string", @@ -867,7 +1306,7 @@ "licenseTypes": { "type": "array", "title": "License Type", - "description": "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use of software solely for the purpose of education or research.\n* __appliance__ = A license covering use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access License (CAL) allows client computers to access services provided by server software.\n* __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.\n* __core-points__ = A license where the core of a computer's processor is assigned a specific number of points.\n* __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n* __device__ = A license that covers a defined number of installations on computers and other types of devices.\n* __evaluation__ = A license that grants permission to install and use software for trial purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n* __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.\n* __processor-points__ = A license where each installation consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use the software or service.\n* __user__ = A license that grants access to the software or service by a specified number of users.\n* __other__ = Another license type.\n", + "description": "The type of license(s) that was granted to the licensee.", "items": { "type": "string", "enum": [ @@ -887,7 +1326,25 @@ "subscription", "user", "other" - ] + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." + } } }, "lastRenewal": { @@ -1012,8 +1469,14 @@ "backport", "cherry-pick" ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, "title": "Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.\n\n* __unofficial__ = A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch)\n* __monkey__ = A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch)\n* __backport__ = A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting)\n* __cherry-pick__ = A patch created by selectively applying commits from other versions or branches of the same software." + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." }, "diff": { "title": "Diff", @@ -1063,6 +1526,11 @@ "enhancement", "security" ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, "title": "Type", "description": "Specifies the type of issue" }, @@ -1170,7 +1638,7 @@ "type": { "type": "string", "title": "Type", - "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", + "description": "Specifies the type of external reference.", "enum": [ "vcs", "issue-tracker", @@ -1182,6 +1650,7 @@ "chat", "documentation", "support", + "source-distribution", "distribution", "distribution-intake", "license", @@ -1210,8 +1679,55 @@ "codified-infrastructure", "quality-metrics", "poam", + "electronic-signature", + "digital-signature", "other" - ] + ], + "meta:enum": { + "vcs": "Version Control System", + "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", + "website": "Website", + "advisories": "Security advisories", + "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", + "mailing-list": "Mailing list or discussion group", + "social": "Social media account", + "chat": "Real-time chat platform", + "documentation": "Documentation, guides, or how-to instructions", + "support": "Community or commercial support", + "source-distribution": "URL to a source archive", + "distribution": "Direct or repository download location", + "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", + "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", + "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", + "build-system": "Reference to an automated build system", + "release-notes": "Reference to release notes", + "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", + "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", + "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", + "configuration": "Parameters or settings that may be used by other components or services.", + "evidence": "Information used to substantiate a claim.", + "formulation": "Describes how a component or service was manufactured or deployed.", + "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", + "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", + "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", + "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", + "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", + "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", + "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", + "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", + "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", + "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", + "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", + "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", + "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", + "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", + "quality-metrics": "Report or system in which quality metrics can be obtained.", + "poam": "Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.", + "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", + "other": "Use this if no other types accurately describe the purpose of the external reference." + } + }, "hashes": { "type": "array", @@ -1386,7 +1902,6 @@ ] }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" }, @@ -1436,8 +1951,14 @@ "bi-directional", "unknown" ], + "meta:enum": { + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "bi-directional": "Data flows in and out of the service.", + "unknown": "The directional flow of data is not known." + }, "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known." + "description": "Specifies the flow direction of the data. Direction is relative to the service." }, "copyright": { @@ -1583,7 +2104,7 @@ "aggregate": { "$ref": "#/definitions/aggregateType", "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" + "description": "Specifies an aggregate type that describe how complete a relationship is." }, "assemblies": { "type": "array", @@ -1642,7 +2163,19 @@ "incomplete_third_party_opensource_only", "unknown", "not_specified" - ] + ], + "meta:enum": { + "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." + } }, "property": { "type": "object", @@ -1814,12 +2347,21 @@ "info", "none", "unknown" - ] + ], + "meta:enum": { + "critical": "Critical severity", + "high": "High severity", + "medium": "Medium severity", + "low": "Low severity", + "info": "Informational warning.", + "none": "None", + "unknown": "The severity is not known" + } }, "scoreMethod": { "type": "string", "title": "Method", - "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)", + "description": "Specifies the severity or risk scoring methodology or standard used.", "enum": [ "CVSSv2", "CVSSv3", @@ -1828,12 +2370,21 @@ "OWASP", "SSVC", "other" - ] + ], + "meta:enum": { + "CVSSv2": "Common Vulnerability Scoring System v2.0", + "CVSSv3": "Common Vulnerability Scoring System v3.0", + "CVSSv31": "Common Vulnerability Scoring System v3.1", + "CVSSv4": "Common Vulnerability Scoring System v4.0", + "OWASP": "OWASP Risk Rating Methodology", + "SSVC": "Stakeholder Specific Vulnerability Categorization", + "other": "Another severity or risk scoring methodology" + } }, "impactAnalysisState": { "type": "string", "title": "Impact Analysis State", - "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.", "enum": [ "resolved", "resolved_with_pedigree", @@ -1841,12 +2392,20 @@ "in_triage", "false_positive", "not_affected" - ] + ], + "meta:enum": { + "resolved": "The vulnerability has been remediated.", + "resolved_with_pedigree": "The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).", + "exploitable": "The vulnerability may be directly or indirectly exploitable.", + "in_triage": "The vulnerability is being investigated.", + "false_positive": "The vulnerability is not specific to the component or service and was falsely identified or associated.", + "not_affected": "The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases." + } }, "impactAnalysisJustification": { "type": "string", "title": "Impact Analysis Justification", - "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.", + "description": "The rationale of why the impact analysis state was asserted.", "enum": [ "code_not_present", "code_not_reachable", @@ -1857,7 +2416,18 @@ "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control" - ] + ], + "meta:enum": { + "code_not_present": "The code has been removed or tree-shaked.", + "code_not_reachable": "The vulnerable code is not invoked at runtime.", + "requires_configuration": "Exploitability requires a configurable option to be set/unset.", + "requires_dependency": "Exploitability requires a dependency that is not present.", + "requires_environment": "Exploitability requires a certain environment which is not present.", + "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", + "protected_at_runtime": "Exploits are prevented at runtime.", + "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", + "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." + } }, "rating": { "type": "object", @@ -1986,7 +2556,7 @@ "cwes": { "type": "array", "title": "CWEs", - "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", "examples": [399], "items": { "$ref": "#/definitions/cwe" @@ -2147,7 +2717,14 @@ "update", "rollback", "workaround_available" - ] + ], + "meta:enum": { + "can_not_fix": "Can not fix", + "will_not_fix": "Will not fix", + "update": "Update to a different revision or release", + "rollback": "Revert to a previous revision or release", + "workaround_available": "There is a workaround available" + } } }, "detail": { @@ -2247,7 +2824,12 @@ "affected", "unaffected", "unknown" - ] + ], + "meta:enum": { + "affected": "The version is affected by the vulnerability.", + "unaffected": "The version is not affected by the vulnerability.", + "unknown": "It is unknown (or unspecified) whether the given version is affected." + } }, "version": { "description": "A single disjunctive version identifier, for a component or service.", @@ -2440,12 +3022,12 @@ "items" : { "oneOf" : [ { - "title": "Inline Component Data", + "title": "Inline Data Information", "$ref": "#/definitions/componentData" }, { "type": "object", - "title": "Data Component Reference", + "title": "Data Reference", "additionalProperties": false, "properties": { "ref": { @@ -2584,14 +3166,21 @@ "type": { "type": "string", "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.\n\n* __source-code__ = Any type of code, code snippet, or data-as-code.\n* __configuration__ = Parameters or settings that may be used by other components.\n* __dataset__ = A collection of data.\n* __definition__ = Data that can be used to create new instances of what the definition defines.\n* __other__ = Any other type of data that does not fit into existing definitions.", + "description": "The general theme or subject matter of the data being specified.", "enum": [ "source-code", "configuration", "dataset", "definition", "other" - ] + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } }, "name": { "description": "The name of the dataset.", @@ -2640,7 +3229,6 @@ "type": "string" }, "governance": { - "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" } @@ -3825,6 +4413,155 @@ } } }, + "standard": { + "type": "object", + "title": "Standard", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard. This will often be a shortened, single name of the standard." + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the standard." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the standard." + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard, often the entity responsible for its release." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirements comprising the standard.", + "items": { + "type": "object", + "title": "Requirement", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement." + }, + "descriptions": { + "type": "array", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "items": { "type": "string" } + }, + "openCre": { + "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "items": { + "type": "string", + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ "CRE:764-507" ] + } + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "items": { + "$ref": "#/definitions/property" + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", + "items": { + "type": "object", + "title": "Level", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirement `bom-ref`s that comprise the level.", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, "signature": { "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index c67fc8da..e500f8e8 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1259,6 +1259,11 @@ limitations under the License. Community or commercial support + + + URL to a source archive + + Direct or repository download location @@ -1402,6 +1407,16 @@ limitations under the License. Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + + + + + A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + + Use this if no other types accurately describe the purpose of the external reference @@ -2158,16 +2173,76 @@ limitations under the License. - - - - - - - - - - + + + + Examines the source code without executing it. + + + + + + + Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal. + + + + + + + Examines a package management system such as those used for building software or installing software. + + + + + + + Examines the Abstract Syntax Tree (AST) of source code or a compiled binary. + + + + + + + Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software. + + + + + + + Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application. + + + + + + + Evaluates a running application. + + + + + + + Evaluates file name of a component against a set of known file names of identified software. + + + + + + + A testimony to the accuracy of the identify of a component made by an individual or entity. + + + + + + + Any other technique. + + + @@ -4061,55 +4136,49 @@ limitations under the License. - The rating is based on CVSS v2 standard - https://www.first.org/cvss/v2/ + Common Vulnerability Scoring System v2.0 standard as defined at https://www.first.org/cvss/v2/ - The rating is based on CVSS v3.0 standard - https://www.first.org/cvss/v3-0/ + Common Vulnerability Scoring System v3.0 standard as defined at https://www.first.org/cvss/v3-0/ - The rating is based on CVSS v3.1 standard - https://www.first.org/cvss/v3-1/ + Common Vulnerability Scoring System v3.1 standard as defined at https://www.first.org/cvss/v3-1/ - The rating is based on CVSS v4.0 standard - https://www.first.org/cvss/v4-0/ + Common Vulnerability Scoring System v4.0 standard as defined at https://www.first.org/cvss/v4-0/ - The rating is based on OWASP Risk Rating - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + OWASP Risk Rating as defined at https://owasp.org/www-community/OWASP_Risk_Rating_Methodology - The rating is based on Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC + Stakeholder Specific Vulnerability Categorization as defined at https://github.com/CERTCC/SSVC - Use this if the risk scoring methodology is not based on any of the options above + Another severity or risk scoring methodology @@ -5405,70 +5474,929 @@ limitations under the License. - - - - - - Provides additional information about a BOM. - - - - - A list of software and hardware components. - - - - - A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. - - - - - Provides the ability to document external references related to the BOM or - to the project the BOM describes. - - - - - Provides the ability to document dependency relationships. - - - - - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. - - - - - Provides the ability to document properties in a name/value store. - This provides flexibility to include data not officially supported in the standard - without having to use additional namespaces or create extensions. Property names - of interest to the general public are encouraged to be registered in the - CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. - - - - - Vulnerabilities identified in components or services. - - - - - Comments made by people, organizations, or tools about any object with - a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike - inventory information, annotations may contain opinion or commentary from various - stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, - and may optionally be signed. - - - - - Describes how a component or service was manufactured or deployed. This is - achieved through the use of formulas, workflows, tasks, and steps, which declare the precise - steps to reproduce along with the observed formulas describing the steps which transpired - in the manufacturing process. + + + + + + The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + + + + + + + + The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. + + + + + + + + The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + + + + + + + The entity issuing the assessment. + + + + + + + + An optional identifier which can be used to reference the object elsewhere in the BOM. + Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of attestations asserted by an assessor that maps requirements to claims. + + + + + + + + An attestation asserted by an assessor that maps requirements to claims. + + + + + + + + The short description explaining the main points of the attestation. + + + + + + + The `bom-ref` to the assessor asserting the attestation. + + + + + + + The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + + + + + + + + The `bom-ref` to the requirement being attested to. + + + + + + + The list of `bom-ref` to the claims being attested to. + + + + + + + + The `bom-ref` to the claim being attested to. + + + + + + + + + + The list of `bom-ref` to the counter claims being attested to. + + + + + + + + The `bom-ref` to the counter claim being attested to. + + + + + + + + + + The conformance of the claim meeting a requirement. + + + + + + + + The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + + + + + + + + + + + + + The rationale for the score of conformance. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + + + + The confidence of the claim meeting the requirement. + + + + + + + + The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + + + + + + + + + + + + + The rationale for the confidence score. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + The list of claims. + + + + + + + + + + + The `bom-ref` to a target representing a specific system, application, + API, module, team, person, process, business unit, company, etc... + that this claim is being applied to. + + + + + + + The specific statement or assertion about the target. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + The written explanation of why the evidence provided substantiates the claim. + + + + + + + The list of `bom-ref` to evidence that supports this claim. + + + + + + + The list of `bom-ref` to counterEvidence that supports this claim. + + + + + + Provides the ability to document external references related to the claim the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of evidence + + + + + + + + The list of evidence + + + + + + + + The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). + + + + + + + The written description of what this evidence is and how it was created. + + + + + + + The output or analysis that supports claims. + + + + + + + + The name of the data. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + An optional way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data. + + + + + + + + + + The date and time (timestamp) when the evidence was created. + + + + + The optional date and time (timestamp) when the evidence is no longer valid. + + + + + The author of the evidence. + + + + + The reviewer of the evidence. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of targets which claims are made against. + + + + + + + + The list of organizations which claims are made against. + + + + + + + + + + + + The list of components which claims are made against. + + + + + + + + + + + + The list of services which claims are made against. + + + + + + + + + + + + + + + + + + The brief statement affirmed by an individual regarding all declarations. + This could be an affirmation of acceptance by a third-party auditor or receiving + individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." + + + + + + + The list of signatories authorized on behalf of an organization to assert validity of this document. + + + + + + + + + + + The signatory's name. + + + + + + + The signatory's role within an organization. + + + + + + + The signatory's organization. + + + + + + + An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + + + + + The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + The name of the standard. This will often be a shortened, single name of the standard. + + + + + + + The version of the standard. + + + + + + + The description of the standard. + + + + + + + The owner of the standard, often the entity responsible for its release. + + + + + + + The list of requirements comprising the standard. + + + + + + + + + + + The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + + + + + + + The title of the requirement. + + + + + + + The textual content of the requirement. + + + + + + + The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + + + + + + + + + + + + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + + + + + + + + + + + + The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of levels associated with the standard. Some standards have different levels of compliance. + + + + + + + + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An optional identifier which can be used to reference the object elsewhere + in the BOM. Every bom-ref MUST be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes how a component or service was manufactured or deployed. This is + achieved through the use of formulas, workflows, tasks, and steps, which declare the precise + steps to reproduce along with the observed formulas describing the steps which transpired + in the manufacturing process. + + + + + + The list of declarations which describe the conformance to standards. Each declaration may + include attestations, claims, and evidence. + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 85a53554..5033ac6b 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -50,6 +50,7 @@ function getAjv(strict) { allowMatchingProperties: true, addUsedSchema: false, allowUnionTypes: false, + keywords: ["meta:enum"], schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.json b/tools/src/test/resources/1.6/valid-attestation-1.6.json new file mode 100644 index 00000000..c270d49b --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.json @@ -0,0 +1,209 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "declarations": { + "assessors": [ + { + "bom-ref": "assessor-1", + "thirdParty": true, + "organization": { + "name": "Assessors Inc" + } + } + ], + "attestations": [ + { + "summary": "Attestation summary here", + "assessor": "assessor-1", + "map": [ + { + "requirement": "requirement-1", + "claims": [ "claim-1" ], + "counterClaims": [ "counterClaim-1" ], + "conformance": { + "score": 0.8, + "rationale": "Conformance rationale here", + "mitigationStrategies": [ "mitigationStrategy-1" ] + }, + "confidence": { + "score": 1, + "rationale": "Confidence rationale here" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "claims": [ + { + "bom-ref": "claim-1", + "target": "acme-inc", + "predicate": "Predicate here", + "mitigationStrategies": [ "mitigationStrategy-1" ], + "reasoning": "Reasoning here", + "evidence": [ "evidence-1" ], + "counterEvidence": [ "counterEvidence-1" ], + "externalReferences": [ + { + "type": "issue-tracker", + "url": "https://alm.example.com" + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "evidence": [ + { + "bom-ref": "evidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Evidence here", + "contentType": "text/plain" + } + }, + "classification": "PII", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "bom-ref": "counterEvidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Counter evidence here", + "contentType": "text/plain" + } + }, + "classification": "Pubic", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "bom-ref": "mitigationStrategy-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Mitigation strategy here", + "contentType": "text/plain" + } + }, + "classification": "Company Confidential", + "sensitiveData": [ "Describe sensitive data here" ] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ], + "targets": { + "organizations": [ + { + "bom-ref": "acme-inc", + "name": "Acme Inc" + } + ] + }, + "affirmation": { + "statement": "I certify, to the best of my knowledge, that all information is correct...", + "signatories": [ + { + "name": "Tom", + "role": "CEO", + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + { + "name": "Jerry", + "role": "COO", + "organization": { + "name": "Acme Inc" + }, + "externalReference": { + "type": "electronic-signature", + "url": "https://example.com/coo-sig.png" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.textproto b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto new file mode 100644 index 00000000..ca16cf57 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto @@ -0,0 +1,179 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +declarations: { + assessors: [ + { + bom_ref: "assessor-1" + thirdParty: true + organization: { + name: "Assessors Inc" + } + } + ] + attestations: [ + { + summary: "Attestation summary here" + assessor: "assessor-1" + map: [ + { + requirement: "requirement-1" + claims: [ "claim-1" ] + counterClaims: [ "counterClaim-1" ] + conformance: { + score: 0.8, + rationale: "Conformance rationale here", + mitigationStrategies: [ "mitigationStrategy-1" ] + } + confidence: { + score: 1, + rationale: "Confidence rationale here" + } + } + ] + } + ], + claims: [ + { + bom_ref: "claim-1" + target: "acme-inc" + predicate: "Predicate here" + mitigationStrategies: [ "mitigationStrategy-1" ] + reasoning: "Reasoning here" + evidence: [ "evidence-1" ] + counterEvidence: [ "counterEvidence-1" ] + externalReferences: [ + { + type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER, + url: "https://alm.example.com" + } + ] + } + ] + evidence: [ + { + bom_ref: "evidence-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Evidence here" + } + } + classification: "PII", + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + }, + { + bom_ref: "counterEvidence-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Counter evidence here" + } + } + classification: "Pubic" + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + }, + { + bom_ref: "mitigationStrategy-1" + propertyName: "internal.com.acme.someProperty" + description: "Description here" + data: [ + { + name: "Name of the data" + contents: { + attachment: { + content_type: "text/plain" + value: "Mitigation strategy here" + } + } + classification: "Company Confidential" + sensitiveData: [ "Describe sensitive data here" ] + } + ] + created { + seconds: 1714003200 + nanos: 0 + } + expires { + seconds: 1712102400 + nanos: 0 + } + author: { + name: "Mary" + } + reviewer: { + name: "Jane" + } + } + ], + targets: { + organizations: [ + { + bom_ref: "acme-inc" + name: "Acme Inc" + } + ] + } + affirmation: { + statement: "I certify, to the best of my knowledge, that all information is correct..." + signatories: [ + { + name: "Tom" + role: "CEO" + }, + { + name: "Jerry" + role: "COO" + organization: { + name: "Acme Inc" + } + externalReference: { + type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE + url: "https://example.com/coo-sig.png" + } + } + ] + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.xml b/tools/src/test/resources/1.6/valid-attestation-1.6.xml new file mode 100644 index 00000000..1dce0ced --- /dev/null +++ b/tools/src/test/resources/1.6/valid-attestation-1.6.xml @@ -0,0 +1,165 @@ + + + + + + false + + Acme Inc + + + + + + Attestation summary here + assessor-1 + + requirement-1 + + claim-1 + + + counterClaim-1 + + + 0.8 + Conformance rationale here + + mitigations-1 + + + + 1 + Confidence rationale here + + + + + + + + + + acme-inc + Predicate here + + mitigationStrategy-1 + + Reasoning here + evidence-1 + counterEvidence-1 + + + https://alm.example.com + + + + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Evidence here + + PII + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Counter evidence here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Mitigation strategy here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + Acme Inc + + + + + I certify, to the best of my knowledge, that all information is correct... + + + Tom + CEO + + + + + + Jerry + COO + + Acme Inc + + + https://example.com/coo-sig.png + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json new file mode 100644 index 00000000..ad6b4bab --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.json @@ -0,0 +1,73 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "definitions": { + "standards": [ + { + "bom-ref": "standard-1", + "name": "Sample Standard", + "version": "1.0.0", + "description": "Description here", + "owner": "Acme Inc", + "requirements": [ + { + "bom-ref": "requirement-1", + "identifier": "v1", + "title": "Title here" + }, + { + "bom-ref": "requirement-1.1", + "identifier": "v1.1", + "title": "Title here", + "parent": "requirement-1" + }, + { + "bom-ref": "requirement-1.1.1", + "identifier": "v1.1.1", + "text": "Text of the requirement here", + "descriptions": [ + "Supplemental text here" + ], + "openCre": [ + "CRE:616-305" + ], + "parent": "requirement-1.1" + } + ], + "levels": [ + { + "bom-ref": "level-1", + "identifier": "Level 1", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-2", + "identifier": "Level 2", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-3", + "identifier": "Level 3", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ "MIIB...", "MIID..." ], + "value": "tqIT..." + } + } + ] + } +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto new file mode 100644 index 00000000..65b90e2a --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.textproto @@ -0,0 +1,65 @@ +spec_version: "1.6", +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +definitions { + standards: [ + { + bom_ref: "standard-1" + name: "Sample Standard" + version: "1.0.0" + description: "Description here" + owner: "Acme Inc" + requirements: [ + { + bom_ref: "requirement-1" + identifier: "v1" + title: "Title here" + }, + { + bom_ref: "requirement-1.1" + identifier: "v1.1" + title: "Title here" + parent: "requirement-1" + }, + { + bom_ref: "requirement-1.1.1" + identifier: "v1.1.1" + text: "Text of the requirement here" + descriptions: [ + "Supplemental text here" + ] + openCre: [ + "CRE:616-305" + ], + parent: "requirement-1.1" + } + ] + levels: [ + { + bom_ref: "level-1" + identifier: "Level 1" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + }, + { + bom_ref: "level-2" + identifier: "Level 2" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + }, + { + bom_ref: "level-3" + identifier: "Level 3" + description: "Description here" + requirements: [ + "requirement-1.1.1" + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml new file mode 100644 index 00000000..7a36430a --- /dev/null +++ b/tools/src/test/resources/1.6/valid-standard-1.6.xml @@ -0,0 +1,59 @@ + + + + + + Sample Standard + 1.0.0 + Description here + Acme Inc + + + v1 + Title here + + + v1.1 + Title here + requirement-1 + + + v1.1.1 + Text of the requirement here + + Supplemental text here + + CRE:616-305 + requirement-1.1 + + + + + Level 1 + Description here + + requirement-1.1.1 + + + + Level 2 + Description here + + requirement-1.1.1 + + + + Level 3 + Description here + + requirement-1.1.1 + + + + + + + + + + \ No newline at end of file From ad68d991994a0da28c87b3d2fa7de31069bad5d7 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 15 Jan 2024 21:30:43 -0600 Subject: [PATCH 067/217] Revert "# Conflicts:" This reverts commit 13026283c68dca39da755bb6c2fcda370077fd97. --- .github/workflows/build_docs.yml | 4 +- docgen/ecma/gen.sh | 15 - docgen/json/gen.sh | 2 +- docgen/json/templates/cyclonedx/content.html | 138 ++- docgen/json/templates/cyclonedx/schema_doc.js | 4 +- .../templates/cyclonedx/schema_doc.min.js | 2 +- .../templates/cyclonedx/section_array.html | 11 - schema/bom-1.6.proto | 199 ---- schema/bom-1.6.schema.json | 793 +------------- schema/bom-1.6.xsd | 974 +----------------- tools/src/test/js/json-schema-lint-tests.js | 1 - .../resources/1.6/valid-attestation-1.6.json | 209 ---- .../1.6/valid-attestation-1.6.textproto | 179 ---- .../resources/1.6/valid-attestation-1.6.xml | 165 --- .../resources/1.6/valid-standard-1.6.json | 73 -- .../1.6/valid-standard-1.6.textproto | 65 -- .../test/resources/1.6/valid-standard-1.6.xml | 59 -- 17 files changed, 125 insertions(+), 2768 deletions(-) delete mode 100755 docgen/ecma/gen.sh delete mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.json delete mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.textproto delete mode 100644 tools/src/test/resources/1.6/valid-attestation-1.6.xml delete mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.json delete mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.textproto delete mode 100644 tools/src/test/resources/1.6/valid-standard-1.6.xml diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml index f59c0ec4..a1747b34 100644 --- a/.github/workflows/build_docs.yml +++ b/.github/workflows/build_docs.yml @@ -29,7 +29,7 @@ jobs: run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: XML-Schema-documentation path: docgen/xml/docs @@ -53,7 +53,7 @@ jobs: run: ./gen.sh - name: Archive Schema documentation # https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v3 with: name: JSON-Schema-documentation path: docgen/json/docs diff --git a/docgen/ecma/gen.sh b/docgen/ecma/gen.sh deleted file mode 100755 index 534f3cab..00000000 --- a/docgen/ecma/gen.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -rm -f -R docs temp out -mkdir -p docs temp -cp ../../schema/bom-1.6.schema.json temp -cp ../../schema/jsf-0.82.schema.json temp -cp ../../schema/spdx.schema.json temp - -# Check to see if jsonschema2md is executable and is in the path. If not, install jsonschema2md. -if ! [ -x "$(command -v jsonschema2md)" ]; then - npm install -g @adobe/jsonschema2md -fi - -echo Generating Ecma Documentation -jsonschema2md -d temp -o docs -rm -f -R temp out diff --git a/docgen/json/gen.sh b/docgen/json/gen.sh index a4e98d83..e92128bc 100755 --- a/docgen/json/gen.sh +++ b/docgen/json/gen.sh @@ -4,7 +4,7 @@ mkdir -p docs/{1.2,1.3,1.4,1.5,1.6} # Check to see if generate-schema-doc is executable and is in the path. If not, install JSON Schema for Humans. if ! [ -x "$(command -v generate-schema-doc)" ]; then - pip3 install json-schema-for-humans==0.47 + pip3 install json-schema-for-humans==0.44.3 fi generate () { diff --git a/docgen/json/templates/cyclonedx/content.html b/docgen/json/templates/cyclonedx/content.html index 3ad78b84..3e880425 100644 --- a/docgen/json/templates/cyclonedx/content.html +++ b/docgen/json/templates/cyclonedx/content.html @@ -17,17 +17,13 @@ {# Display type #} {%- if not schema is combining -%} - Type: {{ type_name }} - {%- endif -%} - - {%- if schema.format -%} - Format: {{ schema.format }} + Type: {{ type_name }} {%- endif -%} {# Display default #} {%- set default_value = schema.default_value -%} {%- if default_value -%} - {{ " " }}Default: {{ default_value }} + {{ " " }}Default: {{ default_value }} {%- endif -%}
@@ -41,78 +37,80 @@ {%- elif schema.refers_to -%} {{ content(schema.refers_to_merged, True) }} {%- else -%} - {%- if schema.explicit_no_additional_properties -%} - {{ " " }}No Additional Properties - {%- endif -%} - - {# Combining: allOf, anyOf, oneOf, not #} - {%- if schema.kw_all_of -%} -
{{ tabbed_section("allOf", schema.kw_all_of) }}
- {%- endif -%} - {%- if schema.kw_any_of -%} -
{{ tabbed_section("anyOf", schema.kw_any_of) }}
- {%- endif -%} - {%- if schema.kw_one_of -%} -
{{ tabbed_section("oneOf", schema.kw_one_of) }}
- {%- endif -%} - {%- if schema.kw_not -%} - {% include "section_not.html" %} - {%- endif -%} + {# Handle having oneOf or allOf with only one condition #} + {%- if schema.kw_all_of and (schema.kw_all_of.array_items | length) == 1 -%} + {{ content(schema.kw_all_of.array_items[0]) }} + {%- elif schema.kw_any_of and (schema.kw_any_of.array_items | length) == 1 -%} + {{ content(schema.kw_any_of.array_items[0]) }} + {%- else -%} + {%- if schema.explicit_no_additional_properties -%} + {{ " " }}No Additional Properties + {%- endif -%} - {# Enum and const #} - {%- if schema.kw_enum -%} -
-

Must be one of:

-
    - {%- for enum_choice in schema.kw_enum.array_items -%} -
  • - {%- if schema.kw_meta_enum -%}{%- endif -%} - {{ enum_choice.literal | python_to_json }} - {%- if schema.kw_meta_enum -%} - : {{ (schema.enum_description(enum_choice.literal) | get_description_literal) }} - {%- endif -%} -
    • - {%- endfor -%} -
-
- {%- endif -%} - {%- if schema.kw_const -%} - Specific value: {{ schema.kw_const.raw | python_to_json }} - {%- endif -%} + {# Combining: allOf, anyOf, oneOf, not #} + {%- if schema.kw_all_of -%} +
{{ tabbed_section("allOf", schema.kw_all_of) }}
+ {%- endif -%} + {%- if schema.kw_any_of -%} +
{{ tabbed_section("anyOf", schema.kw_any_of) }}
+ {%- endif -%} + {%- if schema.kw_one_of -%} +
{{ tabbed_section("oneOf", schema.kw_one_of) }}
+ {%- endif -%} + {%- if schema.kw_not -%} + {% include "section_not.html" %} + {%- endif -%} - {# Pattern (Regular Expression) #} - {%- if schema.kw_pattern -%} - Must match regular expression: {{ schema.kw_pattern.literal | escape }} - {%- endif -%} + {# Enum and const #} + {%- if schema.kw_enum -%} +
+

Must be one of:

+
    + {%- for enum_choice in schema.kw_enum.array_items -%} +
  • {{ enum_choice.literal | python_to_json }}
    • + {%- endfor -%} +
+
+ {%- endif -%} + {%- if schema.kw_const -%} + Specific value: {{ schema.kw_const.raw | python_to_json }} + {%- endif -%} - {# Conditional subschema, or if-then-else section #} - {%- if schema.has_conditional -%} - {% include "section_conditional_subschema.html" %} - {%- endif -%} + {# Pattern (Regular Expression) #} + {%- if schema.kw_pattern -%} + Must match regular expression: {{ schema.kw_pattern.literal | escape }} + {%- endif -%} - {# Required properties that are not defined under "properties". They will only be listed #} - {% include "section_undocumented_required_properties.html" %} + {# Conditional subschema, or if-then-else section #} + {%- if schema.has_conditional -%} + {% include "section_conditional_subschema.html" %} + {%- endif -%} - {# Show the requested type(s) #} - {% include "badge_type.html" %} + {# Required properties that are not defined under "properties". They will only be listed #} + {% include "section_undocumented_required_properties.html" %} - {# Show array restrictions #} - {%- if type_name.startswith("array") -%} - {% include "section_array.html" %} - {%- endif -%} + {# Show the requested type(s) #} + {% include "badge_type.html" %} - {# Display examples #} - {%- set examples = schema.examples -%} - {%- if examples -%} - {% include "section_examples.html" %} - {%- endif -%} + {# Show array restrictions #} + {%- if type_name.startswith("array") -%} + {% include "section_array.html" %} + {%- endif -%} - {# Properties, pattern properties, additional properties #} - {%- for sub_property in schema.iterate_properties -%} - {# Custom modification to remove $ properties from documentation #} - {%- if not sub_property.property_display_name.startswith("$") -%} - {% include "section_properties.html" %} + {# Display examples #} + {%- set examples = schema.examples -%} + {%- if examples -%} + {% include "section_examples.html" %} {%- endif -%} - {%- endfor -%} + + {# Properties, pattern properties, additional properties #} + {%- for sub_property in schema.iterate_properties -%} + {# Custom modification to remove $ properties from documentation #} + {%- if not sub_property.property_display_name.startswith("$") -%} + {% include "section_properties.html" %} + {%- endif -%} + {%- endfor -%} + + {%- endif -%} {%- endif -%} {%- endmacro -%} \ No newline at end of file diff --git a/docgen/json/templates/cyclonedx/schema_doc.js b/docgen/json/templates/cyclonedx/schema_doc.js index e03ce946..be02797f 100644 --- a/docgen/json/templates/cyclonedx/schema_doc.js +++ b/docgen/json/templates/cyclonedx/schema_doc.js @@ -19,7 +19,7 @@ function setAnchor(anchorLinkDestination) { function anchorOnLoad() { // Added to onload on body, checks if there is an anchor link and if so, expand - let linkTarget = decodeURIComponent(window.location.hash.split("?")[0].split("&")[0]); + let linkTarget = window.location.hash.split("?")[0].split("&")[0]; if (linkTarget[0] === "#") { linkTarget = linkTarget.substr(1); } @@ -37,7 +37,7 @@ function anchorLink(linkTarget) { if($( this ).hasClass("collapse")) { $( this ).collapse("show"); } else if ($( this ).hasClass("tab-pane")) { - // We have the pane and not the tab itself, find the tab + // We have the pane and not the the tab itself, find the tab const tabToShow = $( "a[href='#" + $( this ).attr("id") + "']" ); if (tabToShow) { tabToShow.tab("show"); diff --git a/docgen/json/templates/cyclonedx/schema_doc.min.js b/docgen/json/templates/cyclonedx/schema_doc.min.js index 0c58a70e..0d9c7882 100644 --- a/docgen/json/templates/cyclonedx/schema_doc.min.js +++ b/docgen/json/templates/cyclonedx/schema_doc.min.js @@ -1 +1 @@ -function flashElement(t){(myElement=document.getElementById(t)).classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=decodeURIComponent(window.location.hash.split("?")[0].split("&")[0]);"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){let e=$("#"+t);e.parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){let e=$("a[href='#"+$(this).attr("id")+"']");e&&e.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); \ No newline at end of file +function flashElement(t){myElement=document.getElementById(t),myElement.classList.add("jsfh-animated-property"),setTimeout(function(){myElement.classList.remove("jsfh-animated-property")},1e3)}function setAnchor(t){history.pushState({},"",t)}function anchorOnLoad(){let t=window.location.hash.split("?")[0].split("&")[0];"#"===t[0]&&(t=t.substr(1)),t.length>0&&anchorLink(t)}function anchorLink(t){$("#"+t).parents().addBack().filter(".collapse:not(.show), .tab-pane, [role='tab']").each(function(t){if($(this).hasClass("collapse"))$(this).collapse("show");else if($(this).hasClass("tab-pane")){const t=$("a[href='#"+$(this).attr("id")+"']");t&&t.tab("show")}else"tab"===$(this).attr("role")&&$(this).tab("show")}),setTimeout(function(){let e=document.getElementById(t);e&&(e.scrollIntoView({block:"center",behavior:"smooth"}),setTimeout(function(){flashElement(t)},500))},1e3)}$(document).on("click",'a[href^="#"]',function(t){t.preventDefault(),history.pushState({},"",this.href)}); \ No newline at end of file diff --git a/docgen/json/templates/cyclonedx/section_array.html b/docgen/json/templates/cyclonedx/section_array.html index 15489a4b..1aad2e0f 100644 --- a/docgen/json/templates/cyclonedx/section_array.html +++ b/docgen/json/templates/cyclonedx/section_array.html @@ -7,9 +7,6 @@ {%- if schema.kw_unique_items and schema.kw_unique_items.literal == True -%} {{ restriction("All items must be unique", "unique-items", schema.kw_unique_items.html_id) }} {%- endif -%} -{%- if not schema.array_additional_items -%} - {{ " " }}No Additional Items -{%- endif -%} {%- if schema.array_items_def -%}

Each item of this array must be:

@@ -37,12 +34,4 @@

At least one of the items must be:

{{ content(schema.kw_contains) }}
-{%- endif -%} -{%- if schema.array_additional_items_def -%} -

All other items must be:

-
-
- {{ content(schema.array_additional_items_def) }} -
-
{%- endif -%} \ No newline at end of file diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index f7c04a68..e6a6c4fe 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -39,10 +39,6 @@ message Bom { repeated Property properties = 12; // Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process. repeated Formula formulation = 13; - // The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence. - repeated Declarations declarations = 14; - // A collection of reusable objects that are defined and may be used elsewhere in the BOM. - repeated Definition definitions = 15; } enum Classification { @@ -267,12 +263,6 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_EVIDENCE = 36; // Describes how a component or service was manufactured or deployed. EXTERNAL_REFERENCE_TYPE_FORMULATION = 37; - // URL to a source archive. - EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION = 38; - // An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. - EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39; - // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. - EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40; } enum HashAlg { @@ -1496,192 +1486,3 @@ message EnvironmentVars { string value = 2; } } - -message Declarations { - message Assessor { - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. - optional bool thirdParty = 2; - // The entity issuing the assessment. - optional OrganizationalEntity organization = 3; - } - message Attestation { - message AttestationMap { - message AttestationConformance { - // The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. - optional double score = 1; - // The rationale for the conformance score. - optional string rationale = 2; - // The list of `bom-ref` to the evidence provided describing the mitigation strategies. - repeated string mitigationStrategies = 3; - } - message AttestationConfidence { - // The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. - optional double score = 1; - // The rationale for the confidence score. - optional string rationale = 2; - } - // The `bom-ref` to the requirement being attested to. - optional string requirement = 1; - // The list of `bom-ref` to the claims being attested to. - repeated string claims = 2; - // The list of `bom-ref` to the counter claims being attested to. - repeated string counterClaims = 3; - // The conformance of the claim meeting a requirement. - optional AttestationConformance conformance = 4; - // The confidence of the claim meeting the requirement. - optional AttestationConfidence confidence = 5; - } - // The short description explaining the main points of the attestation. - optional string summary = 1; - // The `bom-ref` to the assessor asserting the attestation. - optional string assessor = 2; - // The grouping of requirements to claims and the attestors declared conformance and confidence thereof. - repeated AttestationMap map = 3; - } - message Claim { - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to. - optional string target = 2; - // The specific statement or assertion about the target. - optional string predicate = 3; - // The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated. - repeated string mitigationStrategies = 4; - // The written explanation of why the evidence provided substantiates the claim. - optional string reasoning = 5; - // The list of `bom-ref` to evidence that supports this claim. - repeated string evidence = 6; - // The list of `bom-ref` to counterEvidence that supports this claim. - repeated string counterEvidence = 7; - // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. - repeated ExternalReference externalReferences = 8; - } - message Evidence { - message Data { - message Contents { - // An optional way to include textual or encoded data. - optional AttachedText attachment = 1; - // The URL to where the data can be retrieved. - optional string url = 2; - } - // The name of the data. - optional string name = 1; - // The contents or references to the contents of the data being described. - optional Contents contents = 2; - // Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. - optional string classification = 3; - // A description of any sensitive data included. - repeated string sensitiveData = 4; - // Data Governance - optional DataGovernance governance = 5; - } - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The reference to the property name as defined in the CycloneDX Property Taxonomy: https://github.com/CycloneDX/cyclonedx-property-taxonomy/. - optional string propertyName = 2; - // The written description of what this evidence is and how it was created. - optional string description = 3; - // The output or analysis that supports claims. - repeated Data data = 4; - // The date and time (timestamp) when the evidence was created. - optional google.protobuf.Timestamp created = 5; - // The optional date and time (timestamp) when the evidence is no longer valid. - optional google.protobuf.Timestamp expires = 6; - // The author of the evidence. - optional OrganizationalContact author = 7; - // The reviewer of the evidence. - optional OrganizationalContact reviewer = 8; - } - message Targets { - // The list of organizations which claims are made against. - repeated OrganizationalEntity organizations = 1; - // The list of components which claims are made against. - repeated Component components = 2; - // The list of services which claims are made against. - repeated Service services = 3; - } - message Affirmation { - message Signatory { - // The signatory's name. - optional string name = 1; - // The signatory's role within an organization. - optional string role = 2; - // The signatory's organization. - optional OrganizationalEntity organization = 3; - // An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. - optional ExternalReference externalReference = 4; - } - // The brief statement affirmed by an individual regarding all declarations. Notes: This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file. - optional string statement = 1; - // The list of signatories authorized on behalf of an organization to assert validity of this document. - repeated Signatory signatories = 2; - } - // The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. - repeated Assessor assessors = 1; - // The list of attestations asserted by an assessor that maps requirements to claims. - repeated Attestation attestations = 2; - // The list of claims. - repeated Claim claims = 3; - // The list of evidence - repeated Evidence evidence = 4; - // The list of targets which claims are made against. - optional Targets targets = 5; - // affirmation - optional Affirmation affirmation = 6; -} - -message Definition { - message Standard { - message Requirement { - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. - optional string identifier = 2; - // The title of the requirement. - optional string title = 3; - // The textual content of the requirement. - optional string text = 4; - // The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. - repeated string descriptions = 5; - // The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. - repeated string openCre = 6; - // The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. - optional string parent = 7; - // Specifies optional, custom, properties - repeated Property properties = 8; - // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. - repeated ExternalReference externalReferences = 9; - } - message Level { - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The identifier used in the standard to identify a specific level. - optional string identifier = 2; - // The title of the level. - optional string title = 3; - // The description of the level. - optional string description = 4; - // The list of requirement `bom-ref`s that comprise the level. - repeated string requirements = 5; - } - // An optional identifier which can be used to reference the component elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. - optional string bom_ref = 1; - // The name of the standard. This will often be a shortened, single name of the standard. - optional string name = 2; - // The version of the standard. - optional string version = 3; - // The description of the standard. - optional string description = 4; - // The owner of the standard, often the entity responsible for its release. - optional string owner = 5; - // The list of requirements comprising the standard. - repeated Requirement requirements = 6; - // The list of levels associated with the standard. Some standards have different levels of compliance. - repeated Level levels = 7; - // External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. - repeated ExternalReference externalReferences = 8; - } - repeated Standard standards = 1; -} diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index a25cf5d5..6b9149e9 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -105,412 +105,6 @@ "title": "Formulation", "description": "Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process." }, - "declarations": { - "type": "object", - "title": "Declarations", - "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", - "additionalProperties": false, - "properties": { - "assessors": { - "type": "array", - "title": "Assessors", - "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", - "items": { - "type": "object", - "title": "Assessor", - "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "thirdParty": { - "type": "boolean", - "title": "Third Party", - "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." - }, - "organization": { - "$ref": "#/definitions/organizationalEntity", - "title": "Organization", - "description": "The entity issuing the assessment." - } - } - } - }, - "attestations": { - "type": "array", - "title": "Attestations", - "description": "The list of attestations asserted by an assessor that maps requirements to claims.", - "items": { - "type": "object", - "additionalProperties": false, - "properties": { - "summary": { - "type": "string", - "title": "Summary", - "description": "The short description explaining the main points of the attestation." - }, - "assessor": { - "$ref": "#/definitions/refLinkType", - "title": "Assessor", - "description": "The `bom-ref` to the assessor asserting the attestation." - }, - "map": { - "type": "array", - "title": "Map", - "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", - "items": { - "type": "object", - "additionalProperties": false, - "properties": { - "requirement": { - "$ref": "#/definitions/refLinkType", - "title": "Requirement", - "description": "The `bom-ref` to the requirement being attested to." - }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of `bom-ref` to the claims being attested to.", - "items": { "$ref": "#/definitions/refLinkType" } - }, - "counterClaims": { - "type": "array", - "title": "Claims", - "description": "The list of `bom-ref` to the counter claims being attested to.", - "items": { "$ref": "#/definitions/refLinkType" } - }, - "conformance": { - "type": "object", - "title": "Conformance", - "description": "The conformance of the claim meeting a requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the conformance score." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", - "items": { "$ref": "#/definitions/refLinkType" } - } - } - }, - "confidence": { - "type": "object", - "title": "Confidence", - "description": "The confidence of the claim meeting the requirement.", - "additionalProperties": false, - "properties": { - "score": { - "type": "number", - "minimum": 0, - "maximum": 1, - "title": "Score", - "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." - }, - "rationale": { - "type": "string", - "title": "Rationale", - "description": "The rationale for the confidence score." - } - } - } - } - } - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - } - }, - "claims": { - "type": "array", - "title": "Claims", - "description": "The list of claims.", - "items": { - "type": "object", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "target": { - "$ref": "#/definitions/refLinkType", - "title": "Target", - "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." - }, - "predicate": { - "type": "string", - "title": "Predicate", - "description": "The specific statement or assertion about the target." - }, - "mitigationStrategies": { - "type": "array", - "title": "Mitigation Strategies", - "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", - "items": { "$ref": "#/definitions/refLinkType" } - }, - "reasoning": { - "type": "string", - "title": "Reasoning", - "description": "The written explanation of why the evidence provided substantiates the claim." - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of `bom-ref` to evidence that supports this claim.", - "items": { "$ref": "#/definitions/refLinkType" } - }, - "counterEvidence": { - "type": "array", - "title": "Counter Evidence", - "description": "The list of `bom-ref` to counterEvidence that supports this claim.", - "items": { "$ref": "#/definitions/refLinkType" } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - } - }, - "evidence": { - "type": "array", - "title": "Evidence", - "description": "The list of evidence", - "items": { - "type": "object", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "propertyName": { - "type": "string", - "title": "Type", - "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." - }, - "description": { - "type": "string", - "title": "Description", - "description": "The written description of what this evidence is and how it was created." - }, - "data": { - "type": "array", - "title": "Data", - "description": "The output or analysis that supports claims.", - "items": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "description": "The name of the data.", - "type": "string" - }, - "contents": { - "type": "object", - "title": "Data Contents", - "description": "The contents or references to the contents of the data being described.", - "additionalProperties": false, - "properties": { - "attachment": { - "title": "Data Attachment", - "description": "An optional way to include textual or encoded data.", - "$ref": "#/definitions/attachment" - }, - "url": { - "type": "string", - "title": "Data URL", - "description": "The URL to where the data can be retrieved.", - "format": "iri-reference" - } - } - }, - "classification": { - "$ref": "#/definitions/dataClassification" - }, - "sensitiveData": { - "type": "array", - "description": "A description of any sensitive data included.", - "items": { - "type": "string" - } - }, - "governance": { - "title": "Data Governance", - "$ref": "#/definitions/dataGovernance" - } - } - } - }, - "created": { - "type": "string", - "format": "date-time", - "title": "Created", - "description": "The date and time (timestamp) when the evidence was created." - }, - "expires": { - "type": "string", - "format": "date-time", - "title": "Expires", - "description": "The optional date and time (timestamp) when the evidence is no longer valid." - }, - "author": { - "$ref": "#/definitions/organizationalContact", - "title": "Author", - "description": "The author of the evidence." - }, - "reviewer": { - "$ref": "#/definitions/organizationalContact", - "title": "Reviewer", - "description": "The reviewer of the evidence." - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - } - }, - "targets": { - "type": "object", - "title": "Targets", - "description": "The list of targets which claims are made against.", - "additionalProperties": false, - "properties": { - "organizations": { - "type": "array", - "title": "Organizations", - "description": "The list of organizations which claims are made against.", - "items": {"$ref": "#/definitions/organizationalEntity"} - }, - "components": { - "type": "array", - "title": "Components", - "description": "The list of components which claims are made against.", - "items": {"$ref": "#/definitions/component"} - }, - "services": { - "type": "array", - "title": "Services", - "description": "The list of services which claims are made against.", - "items": {"$ref": "#/definitions/service"} - } - } - }, - "affirmation": { - "type": "object", - "title": "Affirmation", - "additionalProperties": false, - "properties": { - "statement": { - "type": "string", - "title": "Text", - "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", - "examples": [ "I certify, to the best of my knowledge, that all information is correct." ] - }, - "signatories": { - "type": "array", - "title": "Signatories", - "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", - "items": { - "type": "object", - "additionalProperties": false, - "oneOf": [ - { - "required": ["signature"] - }, - { - "required": ["externalReference", "organization"] - } - ], - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "The signatory's name." - }, - "role": { - "type": "string", - "title": "Role", - "description": "The signatory's role within an organization." - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - }, - "organization": { - "$ref": "#/definitions/organizationalEntity", - "title": "Organization", - "description": "The signatory's organization." - }, - "externalReference": { - "$ref": "#/definitions/externalReference", - "title": "External Reference", - "description": "An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - } - } - } - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - }, - "definitions": { - "type": "object", - "title": "Definitions", - "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", - "additionalProperties": false, - "properties": { - "standards": { - "type": "array", - "title": "Standards", - "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", - "items": { - "$ref": "#/definitions/standard" - } - } - } - }, "properties": { "type": "array", "title": "Properties", @@ -585,14 +179,13 @@ "description": "The product lifecycle(s) that this BOM represents.", "oneOf": [ { - "title": "Pre-Defined Phase", "required": ["phase"], "additionalProperties": false, "properties": { "phase": { "type": "string", "title": "Phase", - "description": "A pre-defined phase in the product lifecycle.", + "description": "A pre-defined phase in the product lifecycle.\n\n* __design__ = BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.\n* __pre-build__ = BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.\n* __build__ = BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.\n* __post-build__ = BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.\n* __operations__ = BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.\n* __discovery__ = BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.\n* __decommission__ = BOM containing inventory that will be, or has been retired from operations.", "enum": [ "design", "pre-build", @@ -601,21 +194,11 @@ "operations", "discovery", "decommission" - ], - "meta:enum": { - "design": "BOM produced early in the development lifecycle containing inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", - "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", - "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", - "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", - "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", - "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", - "decommission": "BOM containing inventory that will be, or has been retired from operations." - } + ] } } }, { - "title": "Custom Phase", "required": ["name"], "additionalProperties": false, "properties": { @@ -828,22 +411,8 @@ "machine-learning-model", "data" ], - "meta:enum": { - "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", - "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", - "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.", - "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", - "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.", - "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", - "device": "A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", - "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", - "firmware": "A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", - "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", - "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", - "data": "A collection of discrete values that convey information." - }, "title": "Component Type", - "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component. Types include:\n\n* __application__ = A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.\n* __framework__ = A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.\n* __library__ = A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing))\n for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.\n* __container__ = A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization)\n* __platform__ = A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.\n* __operating-system__ = A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system)\n* __device__ = A hardware device such as a processor, or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself, and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device.\n See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).\n* __device-driver__ = A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver)\n* __firmware__ = A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware)\n* __file__ = A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.\n* __machine-learning-model__ = A model based on training data that can make predictions or decisions without being explicitly programmed to do so.\n* __data__ = A collection of discrete values that convey information.", "examples": ["library"] }, "mime-type": { @@ -904,11 +473,6 @@ "optional", "excluded" ], - "meta:enum": { - "required": "The component is required for runtime", - "optional": "The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.", - "excluded": "Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime." - }, "title": "Component Scope", "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", "default": "required" @@ -1111,10 +675,7 @@ "description": "Specifies the optional encoding the text is represented in.", "enum": [ "base64" - ], - "meta:enum": { - "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." - } + ] }, "content": { "type": "string", @@ -1306,7 +867,7 @@ "licenseTypes": { "type": "array", "title": "License Type", - "description": "The type of license(s) that was granted to the licensee.", + "description": "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use of software solely for the purpose of education or research.\n* __appliance__ = A license covering use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access License (CAL) allows client computers to access services provided by server software.\n* __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.\n* __core-points__ = A license where the core of a computer's processor is assigned a specific number of points.\n* __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n* __device__ = A license that covers a defined number of installations on computers and other types of devices.\n* __evaluation__ = A license that grants permission to install and use software for trial purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n* __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.\n* __processor-points__ = A license where each installation consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use the software or service.\n* __user__ = A license that grants access to the software or service by a specified number of users.\n* __other__ = Another license type.\n", "items": { "type": "string", "enum": [ @@ -1326,25 +887,7 @@ "subscription", "user", "other" - ], - "meta:enum": { - "academic": "A license that grants use of software solely for the purpose of education or research.", - "appliance": "A license covering use of software embedded in a specific piece of hardware.", - "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", - "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", - "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", - "custom-metric": "A license for which consumption is measured by non-standard metrics.", - "device": "A license that covers a defined number of installations on computers and other types of devices.", - "evaluation": "A license that grants permission to install and use software for trial purposes.", - "named-user": "A license that grants access to the software to one or more pre-defined users.", - "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", - "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", - "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", - "processor-points": "A license where each installation consumes points per processor.", - "subscription": "A license where the licensee pays a fee to use the software or service.", - "user": "A license that grants access to the software or service by a specified number of users.", - "other": "Another license type." - } + ] } }, "lastRenewal": { @@ -1469,14 +1012,8 @@ "backport", "cherry-pick" ], - "meta:enum": { - "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", - "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", - "backport": "A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", - "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." - }, "title": "Type", - "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.\n\n* __unofficial__ = A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch)\n* __monkey__ = A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch)\n* __backport__ = A patch which takes code from a newer version of software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting)\n* __cherry-pick__ = A patch created by selectively applying commits from other versions or branches of the same software." }, "diff": { "title": "Diff", @@ -1526,11 +1063,6 @@ "enhancement", "security" ], - "meta:enum": { - "defect": "A fault, flaw, or bug in software.", - "enhancement": "A new feature or behavior in software.", - "security": "A special type of defect which impacts security." - }, "title": "Type", "description": "Specifies the type of issue" }, @@ -1638,7 +1170,7 @@ "type": { "type": "string", "title": "Type", - "description": "Specifies the type of external reference.", + "description": "Specifies the type of external reference.\n\n* __vcs__ = Version Control System\n* __issue-tracker__ = Issue or defect tracking system, or an Application Lifecycle Management (ALM) system\n* __website__ = Website\n* __advisories__ = Security advisories\n* __bom__ = Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)\n* __mailing-list__ = Mailing list or discussion group\n* __social__ = Social media account\n* __chat__ = Real-time chat platform\n* __documentation__ = Documentation, guides, or how-to instructions\n* __support__ = Community or commercial support\n* __distribution__ = Direct or repository download location\n* __distribution-intake__ = The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary\n* __license__ = The URL to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness\n* __build-meta__ = Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)\n* __build-system__ = URL to an automated build system\n* __release-notes__ = URL to release notes\n* __security-contact__ = Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT\n* __model-card__ = A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency\n* __log__ = A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations\n* __configuration__ = Parameters or settings that may be used by other components or services\n* __evidence__ = Information used to substantiate a claim\n* __formulation__ = Describes how a component or service was manufactured or deployed\n* __attestation__ = Human or machine-readable statements containing facts, evidence, or testimony\n* __threat-model__ = An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format\n* __adversary-model__ = The defined assumptions, goals, and capabilities of an adversary.\n* __risk-assessment__ = Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.\n* __vulnerability-assertion__ = A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.\n* __exploitability-statement__ = A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.\n* __pentest-report__ = Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test\n* __static-analysis-report__ = SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code\n* __dynamic-analysis-report__ = Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations\n* __runtime-analysis-report__ = Report generated by analyzing the call stack of a running application\n* __component-analysis-report__ = Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis\n* __maturity-report__ = Report containing a formal assessment of an organization, business unit, or team against a maturity model\n* __certification-report__ = Industry, regulatory, or other certification from an accredited (if applicable) certification body\n* __quality-metrics__ = Report or system in which quality metrics can be obtained\n* __codified-infrastructure__ = Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC)\n* __poam__ = Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".\n* __other__ = Use this if no other types accurately describe the purpose of the external reference", "enum": [ "vcs", "issue-tracker", @@ -1650,7 +1182,6 @@ "chat", "documentation", "support", - "source-distribution", "distribution", "distribution-intake", "license", @@ -1679,55 +1210,8 @@ "codified-infrastructure", "quality-metrics", "poam", - "electronic-signature", - "digital-signature", "other" - ], - "meta:enum": { - "vcs": "Version Control System", - "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", - "website": "Website", - "advisories": "Security advisories", - "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", - "mailing-list": "Mailing list or discussion group", - "social": "Social media account", - "chat": "Real-time chat platform", - "documentation": "Documentation, guides, or how-to instructions", - "support": "Community or commercial support", - "source-distribution": "URL to a source archive", - "distribution": "Direct or repository download location", - "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", - "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", - "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", - "build-system": "Reference to an automated build system", - "release-notes": "Reference to release notes", - "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", - "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", - "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", - "configuration": "Parameters or settings that may be used by other components or services.", - "evidence": "Information used to substantiate a claim.", - "formulation": "Describes how a component or service was manufactured or deployed.", - "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", - "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", - "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", - "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", - "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", - "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", - "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", - "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", - "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", - "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", - "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", - "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", - "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", - "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", - "quality-metrics": "Report or system in which quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", - "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.", - "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", - "other": "Use this if no other types accurately describe the purpose of the external reference." - } - + ] }, "hashes": { "type": "array", @@ -1902,6 +1386,7 @@ ] }, "governance": { + "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" }, @@ -1951,14 +1436,8 @@ "bi-directional", "unknown" ], - "meta:enum": { - "inbound": "Data that enters a service.", - "outbound": "Data that exits a service.", - "bi-directional": "Data flows in and out of the service.", - "unknown": "The directional flow of data is not known." - }, "title": "Data flow direction", - "description": "Specifies the flow direction of the data. Direction is relative to the service." + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways, and unknown states that the direction is not known." }, "copyright": { @@ -2104,7 +1583,7 @@ "aggregate": { "$ref": "#/definitions/aggregateType", "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is." + "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n" }, "assemblies": { "type": "array", @@ -2163,19 +1642,7 @@ "incomplete_third_party_opensource_only", "unknown", "not_specified" - ], - "meta:enum": { - "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", - "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", - "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", - "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", - "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", - "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", - "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", - "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", - "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", - "not_specified": "The relationship completeness is not specified." - } + ] }, "property": { "type": "object", @@ -2347,21 +1814,12 @@ "info", "none", "unknown" - ], - "meta:enum": { - "critical": "Critical severity", - "high": "High severity", - "medium": "Medium severity", - "low": "Low severity", - "info": "Informational warning.", - "none": "None", - "unknown": "The severity is not known" - } + ] }, "scoreMethod": { "type": "string", "title": "Method", - "description": "Specifies the severity or risk scoring methodology or standard used.", + "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)", "enum": [ "CVSSv2", "CVSSv3", @@ -2370,21 +1828,12 @@ "OWASP", "SSVC", "other" - ], - "meta:enum": { - "CVSSv2": "Common Vulnerability Scoring System v2.0", - "CVSSv3": "Common Vulnerability Scoring System v3.0", - "CVSSv31": "Common Vulnerability Scoring System v3.1", - "CVSSv4": "Common Vulnerability Scoring System v4.0", - "OWASP": "OWASP Risk Rating Methodology", - "SSVC": "Stakeholder Specific Vulnerability Categorization", - "other": "Another severity or risk scoring methodology" - } + ] }, "impactAnalysisState": { "type": "string", "title": "Impact Analysis State", - "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. \n\n* __resolved__ = the vulnerability has been remediated. \n* __resolved\\_with\\_pedigree__ = the vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s). \n* __exploitable__ = the vulnerability may be directly or indirectly exploitable. \n* __in\\_triage__ = the vulnerability is being investigated. \n* __false\\_positive__ = the vulnerability is not specific to the component or service and was falsely identified or associated. \n* __not\\_affected__ = the component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases.", "enum": [ "resolved", "resolved_with_pedigree", @@ -2392,20 +1841,12 @@ "in_triage", "false_positive", "not_affected" - ], - "meta:enum": { - "resolved": "The vulnerability has been remediated.", - "resolved_with_pedigree": "The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).", - "exploitable": "The vulnerability may be directly or indirectly exploitable.", - "in_triage": "The vulnerability is being investigated.", - "false_positive": "The vulnerability is not specific to the component or service and was falsely identified or associated.", - "not_affected": "The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases." - } + ] }, "impactAnalysisJustification": { "type": "string", "title": "Impact Analysis Justification", - "description": "The rationale of why the impact analysis state was asserted.", + "description": "The rationale of why the impact analysis state was asserted. \n\n* __code\\_not\\_present__ = the code has been removed or tree-shaked. \n* __code\\_not\\_reachable__ = the vulnerable code is not invoked at runtime. \n* __requires\\_configuration__ = exploitability requires a configurable option to be set/unset. \n* __requires\\_dependency__ = exploitability requires a dependency that is not present. \n* __requires\\_environment__ = exploitability requires a certain environment which is not present. \n* __protected\\_by\\_compiler__ = exploitability requires a compiler flag to be set/unset. \n* __protected\\_at\\_runtime__ = exploits are prevented at runtime. \n* __protected\\_at\\_perimeter__ = attacks are blocked at physical, logical, or network perimeter. \n* __protected\\_by\\_mitigating\\_control__ = preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability.", "enum": [ "code_not_present", "code_not_reachable", @@ -2416,18 +1857,7 @@ "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control" - ], - "meta:enum": { - "code_not_present": "The code has been removed or tree-shaked.", - "code_not_reachable": "The vulnerable code is not invoked at runtime.", - "requires_configuration": "Exploitability requires a configurable option to be set/unset.", - "requires_dependency": "Exploitability requires a dependency that is not present.", - "requires_environment": "Exploitability requires a certain environment which is not present.", - "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", - "protected_at_runtime": "Exploits are prevented at runtime.", - "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", - "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." - } + ] }, "rating": { "type": "object", @@ -2556,7 +1986,7 @@ "cwes": { "type": "array", "title": "CWEs", - "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399 (of https://cwe.mitre.org/data/definitions/399.html)", "examples": [399], "items": { "$ref": "#/definitions/cwe" @@ -2717,14 +2147,7 @@ "update", "rollback", "workaround_available" - ], - "meta:enum": { - "can_not_fix": "Can not fix", - "will_not_fix": "Will not fix", - "update": "Update to a different revision or release", - "rollback": "Revert to a previous revision or release", - "workaround_available": "There is a workaround available" - } + ] } }, "detail": { @@ -2824,12 +2247,7 @@ "affected", "unaffected", "unknown" - ], - "meta:enum": { - "affected": "The version is affected by the vulnerability.", - "unaffected": "The version is not affected by the vulnerability.", - "unknown": "It is unknown (or unspecified) whether the given version is affected." - } + ] }, "version": { "description": "A single disjunctive version identifier, for a component or service.", @@ -3022,12 +2440,12 @@ "items" : { "oneOf" : [ { - "title": "Inline Data Information", + "title": "Inline Component Data", "$ref": "#/definitions/componentData" }, { "type": "object", - "title": "Data Reference", + "title": "Data Component Reference", "additionalProperties": false, "properties": { "ref": { @@ -3166,21 +2584,14 @@ "type": { "type": "string", "title": "Type of Data", - "description": "The general theme or subject matter of the data being specified.", + "description": "The general theme or subject matter of the data being specified.\n\n* __source-code__ = Any type of code, code snippet, or data-as-code.\n* __configuration__ = Parameters or settings that may be used by other components.\n* __dataset__ = A collection of data.\n* __definition__ = Data that can be used to create new instances of what the definition defines.\n* __other__ = Any other type of data that does not fit into existing definitions.", "enum": [ "source-code", "configuration", "dataset", "definition", "other" - ], - "meta:enum": { - "source-code": "Any type of code, code snippet, or data-as-code.", - "configuration": "Parameters or settings that may be used by other components.", - "dataset": "A collection of data.", - "definition": "Data that can be used to create new instances of what the definition defines.", - "other": "Any other type of data that does not fit into existing definitions." - } + ] }, "name": { "description": "The name of the dataset.", @@ -3229,6 +2640,7 @@ "type": "string" }, "governance": { + "type": "object", "title": "Data Governance", "$ref": "#/definitions/dataGovernance" } @@ -4413,155 +3825,6 @@ } } }, - "standard": { - "type": "object", - "title": "Standard", - "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the standard. This will often be a shortened, single name of the standard." - }, - "version": { - "type": "string", - "title": "Version", - "description": "The version of the standard." - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the standard." - }, - "owner": { - "type": "string", - "title": "Owner", - "description": "The owner of the standard, often the entity responsible for its release." - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirements comprising the standard.", - "items": { - "type": "object", - "title": "Requirement", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the requirement." - }, - "text": { - "type": "string", - "title": "Text", - "description": "The textual content of the requirement." - }, - "descriptions": { - "type": "array", - "title": "Descriptions", - "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", - "items": { "type": "string" } - }, - "openCre": { - "type": "array", - "title": "OWASP OpenCRE Identifier(s)", - "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", - "items": { - "type": "string", - "pattern": "^CRE:[0-9]+-[0-9]+$", - "examples": [ "CRE:764-507" ] - } - }, - "parent": { - "$ref": "#/definitions/refLinkType", - "title": "Parent BOM Reference", - "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." - }, - "properties": { - "type": "array", - "title": "Properties", - "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", - "items": { - "$ref": "#/definitions/property" - } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - } - } - } - }, - "levels": { - "type": "array", - "title": "Levels", - "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", - "items": { - "type": "object", - "title": "Level", - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "#/definitions/refType", - "title": "BOM Reference", - "description": "An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref MUST be unique within the BOM." - }, - "identifier": { - "type": "string", - "title": "Identifier", - "description": "The identifier used in the standard to identify a specific level." - }, - "title": { - "type": "string", - "title": "Title", - "description": "The title of the level." - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of the level." - }, - "requirements": { - "type": "array", - "title": "Requirements", - "description": "The list of requirement `bom-ref`s that comprise the level.", - "items": { "$ref": "#/definitions/refLinkType" } - } - } - } - }, - "externalReferences": { - "type": "array", - "items": {"$ref": "#/definitions/externalReference"}, - "title": "External References", - "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." - }, - "signature": { - "$ref": "#/definitions/signature", - "title": "Signature", - "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." - } - } - }, "signature": { "$ref": "jsf-0.82.schema.json#/definitions/signature", "title": "Signature", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index e500f8e8..c67fc8da 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1259,11 +1259,6 @@ limitations under the License. Community or commercial support - - - URL to a source archive - - Direct or repository download location @@ -1407,16 +1402,6 @@ limitations under the License. Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". - - - An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. - - - - - A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. - - Use this if no other types accurately describe the purpose of the external reference @@ -2173,76 +2158,16 @@ limitations under the License. - - - - Examines the source code without executing it. - - - - - - - Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal. - - - - - - - Examines a package management system such as those used for building software or installing software. - - - - - - - Examines the Abstract Syntax Tree (AST) of source code or a compiled binary. - - - - - - - Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software. - - - - - - - Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application. - - - - - - - Evaluates a running application. - - - - - - - Evaluates file name of a component against a set of known file names of identified software. - - - - - - - A testimony to the accuracy of the identify of a component made by an individual or entity. - - - - - - - Any other technique. - - - + + + + + + + + + + @@ -4136,49 +4061,55 @@ limitations under the License. - Common Vulnerability Scoring System v2.0 standard as defined at https://www.first.org/cvss/v2/ + The rating is based on CVSS v2 standard + https://www.first.org/cvss/v2/ - Common Vulnerability Scoring System v3.0 standard as defined at https://www.first.org/cvss/v3-0/ + The rating is based on CVSS v3.0 standard + https://www.first.org/cvss/v3-0/ - Common Vulnerability Scoring System v3.1 standard as defined at https://www.first.org/cvss/v3-1/ + The rating is based on CVSS v3.1 standard + https://www.first.org/cvss/v3-1/ - Common Vulnerability Scoring System v4.0 standard as defined at https://www.first.org/cvss/v4-0/ + The rating is based on CVSS v4.0 standard + https://www.first.org/cvss/v4-0/ - OWASP Risk Rating as defined at https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + The rating is based on OWASP Risk Rating + https://owasp.org/www-community/OWASP_Risk_Rating_Methodology - Stakeholder Specific Vulnerability Categorization as defined at https://github.com/CERTCC/SSVC + The rating is based on Stakeholder Specific Vulnerability Categorization (all versions) + https://github.com/CERTCC/SSVC - Another severity or risk scoring methodology + Use this if the risk scoring methodology is not based on any of the options above @@ -5474,850 +5405,6 @@ limitations under the License. - - - - - - The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. - - - - - - - - The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. - - - - - - - - The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. - - - - - - - The entity issuing the assessment. - - - - - - - - An optional identifier which can be used to reference the object elsewhere in the BOM. - Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - - - The list of attestations asserted by an assessor that maps requirements to claims. - - - - - - - - An attestation asserted by an assessor that maps requirements to claims. - - - - - - - - The short description explaining the main points of the attestation. - - - - - - - The `bom-ref` to the assessor asserting the attestation. - - - - - - - The grouping of requirements to claims and the attestors declared conformance and confidence thereof. - - - - - - - - The `bom-ref` to the requirement being attested to. - - - - - - - The list of `bom-ref` to the claims being attested to. - - - - - - - - The `bom-ref` to the claim being attested to. - - - - - - - - - - The list of `bom-ref` to the counter claims being attested to. - - - - - - - - The `bom-ref` to the counter claim being attested to. - - - - - - - - - - The conformance of the claim meeting a requirement. - - - - - - - - The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. - - - - - - - - - - - - - The rationale for the score of conformance. - - - - - - - The list of `bom-ref` to the evidence provided describing the - mitigation strategies. Each mitigation strategy should include an - explanation of how any weaknesses in the evidence will be mitigated. - - - - - - - - - - - - - - - The confidence of the claim meeting the requirement. - - - - - - - - The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. - - - - - - - - - - - - - The rationale for the confidence score. - - - - - - - - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - - - - - - The list of claims. - - - - - - - - - - - The `bom-ref` to a target representing a specific system, application, - API, module, team, person, process, business unit, company, etc... - that this claim is being applied to. - - - - - - - The specific statement or assertion about the target. - - - - - - - The list of `bom-ref` to the evidence provided describing the - mitigation strategies. Each mitigation strategy should include an - explanation of how any weaknesses in the evidence will be mitigated. - - - - - - - - - - - - The written explanation of why the evidence provided substantiates the claim. - - - - - - - The list of `bom-ref` to evidence that supports this claim. - - - - - - - The list of `bom-ref` to counterEvidence that supports this claim. - - - - - - Provides the ability to document external references related to the claim the BOM describes. - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - - - The list of evidence - - - - - - - - The list of evidence - - - - - - - - The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). - - - - - - - The written description of what this evidence is and how it was created. - - - - - - - The output or analysis that supports claims. - - - - - - - - The name of the data. - - - - - - - The contents or references to the contents of the data being described. - - - - - - - An optional way to include textual or encoded data. - - - - - The URL to where the data can be retrieved. - - - - - - - - - Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. - - - - - - - A description of any sensitive data. - - - - - - - - - - The date and time (timestamp) when the evidence was created. - - - - - The optional date and time (timestamp) when the evidence is no longer valid. - - - - - The author of the evidence. - - - - - The reviewer of the evidence. - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - - - The list of targets which claims are made against. - - - - - - - - The list of organizations which claims are made against. - - - - - - - - - - - - The list of components which claims are made against. - - - - - - - - - - - - The list of services which claims are made against. - - - - - - - - - - - - - - - - - - The brief statement affirmed by an individual regarding all declarations. - This could be an affirmation of acceptance by a third-party auditor or receiving - individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." - - - - - - - The list of signatories authorized on behalf of an organization to assert validity of this document. - - - - - - - - - - - The signatory's name. - - - - - - - The signatory's role within an organization. - - - - - - - The signatory's organization. - - - - - - - An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. - - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - - - A collection of reusable objects that are defined and may be used elsewhere in the BOM. - - - - - - - - - - - The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. - - - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. - - - - - - - The name of the standard. This will often be a shortened, single name of the standard. - - - - - - - The version of the standard. - - - - - - - The description of the standard. - - - - - - - The owner of the standard, often the entity responsible for its release. - - - - - - - The list of requirements comprising the standard. - - - - - - - - - - - The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. - - - - - - - The title of the requirement. - - - - - - - The textual content of the requirement. - - - - - - - The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. - - - - - - - - - - - - The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. - - - - - - - - - - - - The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. - - - - - - Provides the ability to document properties in a name/value store. - This provides flexibility to include data not officially supported in the standard - without having to use additional namespaces or create extensions. Property names - of interest to the general public are encouraged to be registered in the - CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. - Formal registration is OPTIONAL. - - - - - Provides the ability to document external references related to the BOM or - to the project the BOM describes. - - - - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - - - The list of levels associated with the standard. Some standards have different levels of compliance. - - - - - - - - - - - The identifier used in the standard to identify a specific level. - - - - - - - The title of the level. - - - - - - - The description of the level. - - - - - - - The list of requirement `bom-ref`s that comprise the level. - - - - - - - - - - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - - - - - - - Provides the ability to document external references related to the BOM or - to the project the BOM describes. - - - - - - Allows any undeclared elements as long as the elements are placed in a different namespace. - - - - - - - - An optional identifier which can be used to reference the object elsewhere - in the BOM. Every bom-ref MUST be unique within the BOM. - - - - - - User-defined attributes may be used on this element as long as they - do not have the same name as an existing attribute used by the schema. - - - - @@ -6384,21 +5471,6 @@ limitations under the License. in the manufacturing process. - - - - The list of declarations which describe the conformance to standards. Each declaration may - include attestations, claims, and evidence. - - - - - - - A collection of reusable objects that are defined and may be used elsewhere in the BOM. - - - diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 5033ac6b..85a53554 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -50,7 +50,6 @@ function getAjv(strict) { allowMatchingProperties: true, addUsedSchema: false, allowUnionTypes: false, - keywords: ["meta:enum"], schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.json b/tools/src/test/resources/1.6/valid-attestation-1.6.json deleted file mode 100644 index c270d49b..00000000 --- a/tools/src/test/resources/1.6/valid-attestation-1.6.json +++ /dev/null @@ -1,209 +0,0 @@ -{ - "bomFormat": "CycloneDX", - "specVersion": "1.6", - "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", - "version": 1, - "declarations": { - "assessors": [ - { - "bom-ref": "assessor-1", - "thirdParty": true, - "organization": { - "name": "Assessors Inc" - } - } - ], - "attestations": [ - { - "summary": "Attestation summary here", - "assessor": "assessor-1", - "map": [ - { - "requirement": "requirement-1", - "claims": [ "claim-1" ], - "counterClaims": [ "counterClaim-1" ], - "conformance": { - "score": 0.8, - "rationale": "Conformance rationale here", - "mitigationStrategies": [ "mitigationStrategy-1" ] - }, - "confidence": { - "score": 1, - "rationale": "Confidence rationale here" - } - } - ], - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - } - ], - "claims": [ - { - "bom-ref": "claim-1", - "target": "acme-inc", - "predicate": "Predicate here", - "mitigationStrategies": [ "mitigationStrategy-1" ], - "reasoning": "Reasoning here", - "evidence": [ "evidence-1" ], - "counterEvidence": [ "counterEvidence-1" ], - "externalReferences": [ - { - "type": "issue-tracker", - "url": "https://alm.example.com" - } - ], - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - } - ], - "evidence": [ - { - "bom-ref": "evidence-1", - "propertyName": "internal.com.acme.someProperty", - "description": "Description here", - "data": [ - { - "name": "Name of the data", - "contents": { - "attachment": { - "content": "Evidence here", - "contentType": "text/plain" - } - }, - "classification": "PII", - "sensitiveData": [ "Describe sensitive data here" ] - } - ], - "created": "2023-04-25T00:00:00+00:00", - "expires": "2023-05-25T00:00:00+00:00", - "author": { - "name": "Mary" - }, - "reviewer": { - "name": "Jane" - }, - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - }, - { - "bom-ref": "counterEvidence-1", - "propertyName": "internal.com.acme.someProperty", - "description": "Description here", - "data": [ - { - "name": "Name of the data", - "contents": { - "attachment": { - "content": "Counter evidence here", - "contentType": "text/plain" - } - }, - "classification": "Pubic", - "sensitiveData": [ "Describe sensitive data here" ] - } - ], - "created": "2023-04-25T00:00:00+00:00", - "expires": "2023-05-25T00:00:00+00:00", - "author": { - "name": "Mary" - }, - "reviewer": { - "name": "Jane" - }, - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - }, - { - "bom-ref": "mitigationStrategy-1", - "propertyName": "internal.com.acme.someProperty", - "description": "Description here", - "data": [ - { - "name": "Name of the data", - "contents": { - "attachment": { - "content": "Mitigation strategy here", - "contentType": "text/plain" - } - }, - "classification": "Company Confidential", - "sensitiveData": [ "Describe sensitive data here" ] - } - ], - "created": "2023-04-25T00:00:00+00:00", - "expires": "2023-05-25T00:00:00+00:00", - "author": { - "name": "Mary" - }, - "reviewer": { - "name": "Jane" - }, - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - } - ], - "targets": { - "organizations": [ - { - "bom-ref": "acme-inc", - "name": "Acme Inc" - } - ] - }, - "affirmation": { - "statement": "I certify, to the best of my knowledge, that all information is correct...", - "signatories": [ - { - "name": "Tom", - "role": "CEO", - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - }, - { - "name": "Jerry", - "role": "COO", - "organization": { - "name": "Acme Inc" - }, - "externalReference": { - "type": "electronic-signature", - "url": "https://example.com/coo-sig.png" - } - } - ], - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - }, - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - }, - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } -} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.textproto b/tools/src/test/resources/1.6/valid-attestation-1.6.textproto deleted file mode 100644 index ca16cf57..00000000 --- a/tools/src/test/resources/1.6/valid-attestation-1.6.textproto +++ /dev/null @@ -1,179 +0,0 @@ -spec_version: "1.6" -version: 1 -serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -declarations: { - assessors: [ - { - bom_ref: "assessor-1" - thirdParty: true - organization: { - name: "Assessors Inc" - } - } - ] - attestations: [ - { - summary: "Attestation summary here" - assessor: "assessor-1" - map: [ - { - requirement: "requirement-1" - claims: [ "claim-1" ] - counterClaims: [ "counterClaim-1" ] - conformance: { - score: 0.8, - rationale: "Conformance rationale here", - mitigationStrategies: [ "mitigationStrategy-1" ] - } - confidence: { - score: 1, - rationale: "Confidence rationale here" - } - } - ] - } - ], - claims: [ - { - bom_ref: "claim-1" - target: "acme-inc" - predicate: "Predicate here" - mitigationStrategies: [ "mitigationStrategy-1" ] - reasoning: "Reasoning here" - evidence: [ "evidence-1" ] - counterEvidence: [ "counterEvidence-1" ] - externalReferences: [ - { - type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER, - url: "https://alm.example.com" - } - ] - } - ] - evidence: [ - { - bom_ref: "evidence-1" - propertyName: "internal.com.acme.someProperty" - description: "Description here" - data: [ - { - name: "Name of the data" - contents: { - attachment: { - content_type: "text/plain" - value: "Evidence here" - } - } - classification: "PII", - sensitiveData: [ "Describe sensitive data here" ] - } - ] - created { - seconds: 1714003200 - nanos: 0 - } - expires { - seconds: 1712102400 - nanos: 0 - } - author: { - name: "Mary" - } - reviewer: { - name: "Jane" - } - }, - { - bom_ref: "counterEvidence-1" - propertyName: "internal.com.acme.someProperty" - description: "Description here" - data: [ - { - name: "Name of the data" - contents: { - attachment: { - content_type: "text/plain" - value: "Counter evidence here" - } - } - classification: "Pubic" - sensitiveData: [ "Describe sensitive data here" ] - } - ] - created { - seconds: 1714003200 - nanos: 0 - } - expires { - seconds: 1712102400 - nanos: 0 - } - author: { - name: "Mary" - } - reviewer: { - name: "Jane" - } - }, - { - bom_ref: "mitigationStrategy-1" - propertyName: "internal.com.acme.someProperty" - description: "Description here" - data: [ - { - name: "Name of the data" - contents: { - attachment: { - content_type: "text/plain" - value: "Mitigation strategy here" - } - } - classification: "Company Confidential" - sensitiveData: [ "Describe sensitive data here" ] - } - ] - created { - seconds: 1714003200 - nanos: 0 - } - expires { - seconds: 1712102400 - nanos: 0 - } - author: { - name: "Mary" - } - reviewer: { - name: "Jane" - } - } - ], - targets: { - organizations: [ - { - bom_ref: "acme-inc" - name: "Acme Inc" - } - ] - } - affirmation: { - statement: "I certify, to the best of my knowledge, that all information is correct..." - signatories: [ - { - name: "Tom" - role: "CEO" - }, - { - name: "Jerry" - role: "COO" - organization: { - name: "Acme Inc" - } - externalReference: { - type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE - url: "https://example.com/coo-sig.png" - } - } - ] - } -} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-attestation-1.6.xml b/tools/src/test/resources/1.6/valid-attestation-1.6.xml deleted file mode 100644 index 1dce0ced..00000000 --- a/tools/src/test/resources/1.6/valid-attestation-1.6.xml +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - false - - Acme Inc - - - - - - Attestation summary here - assessor-1 - - requirement-1 - - claim-1 - - - counterClaim-1 - - - 0.8 - Conformance rationale here - - mitigations-1 - - - - 1 - Confidence rationale here - - - - - - - - - - acme-inc - Predicate here - - mitigationStrategy-1 - - Reasoning here - evidence-1 - counterEvidence-1 - - - https://alm.example.com - - - - - - - - - - internal.com.acme.someProperty - Description here - - Name of the data - - Evidence here - - PII - Describe sensitive data here - - 2023-04-25T00:00:00+00:00 - 2023-05-25T00:00:00+00:00 - - Mary - - - Jane - - - - - - - internal.com.acme.someProperty - Description here - - Name of the data - - Counter evidence here - - Public - Describe sensitive data here - - 2023-04-25T00:00:00+00:00 - 2023-05-25T00:00:00+00:00 - - Mary - - - Jane - - - - internal.com.acme.someProperty - Description here - - Name of the data - - Mitigation strategy here - - Public - Describe sensitive data here - - 2023-04-25T00:00:00+00:00 - 2023-05-25T00:00:00+00:00 - - Mary - - - Jane - - - - - - - Acme Inc - - - - - I certify, to the best of my knowledge, that all information is correct... - - - Tom - CEO - - - - - - Jerry - COO - - Acme Inc - - - https://example.com/coo-sig.png - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.json b/tools/src/test/resources/1.6/valid-standard-1.6.json deleted file mode 100644 index ad6b4bab..00000000 --- a/tools/src/test/resources/1.6/valid-standard-1.6.json +++ /dev/null @@ -1,73 +0,0 @@ -{ - "bomFormat": "CycloneDX", - "specVersion": "1.6", - "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", - "version": 1, - "definitions": { - "standards": [ - { - "bom-ref": "standard-1", - "name": "Sample Standard", - "version": "1.0.0", - "description": "Description here", - "owner": "Acme Inc", - "requirements": [ - { - "bom-ref": "requirement-1", - "identifier": "v1", - "title": "Title here" - }, - { - "bom-ref": "requirement-1.1", - "identifier": "v1.1", - "title": "Title here", - "parent": "requirement-1" - }, - { - "bom-ref": "requirement-1.1.1", - "identifier": "v1.1.1", - "text": "Text of the requirement here", - "descriptions": [ - "Supplemental text here" - ], - "openCre": [ - "CRE:616-305" - ], - "parent": "requirement-1.1" - } - ], - "levels": [ - { - "bom-ref": "level-1", - "identifier": "Level 1", - "description": "Description here", - "requirements": [ - "requirement-1.1.1" - ] - }, - { - "bom-ref": "level-2", - "identifier": "Level 2", - "description": "Description here", - "requirements": [ - "requirement-1.1.1" - ] - }, - { - "bom-ref": "level-3", - "identifier": "Level 3", - "description": "Description here", - "requirements": [ - "requirement-1.1.1" - ] - } - ], - "signature": { - "algorithm": "ES256", - "certificatePath": [ "MIIB...", "MIID..." ], - "value": "tqIT..." - } - } - ] - } -} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.textproto b/tools/src/test/resources/1.6/valid-standard-1.6.textproto deleted file mode 100644 index 65b90e2a..00000000 --- a/tools/src/test/resources/1.6/valid-standard-1.6.textproto +++ /dev/null @@ -1,65 +0,0 @@ -spec_version: "1.6", -version: 1 -serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -definitions { - standards: [ - { - bom_ref: "standard-1" - name: "Sample Standard" - version: "1.0.0" - description: "Description here" - owner: "Acme Inc" - requirements: [ - { - bom_ref: "requirement-1" - identifier: "v1" - title: "Title here" - }, - { - bom_ref: "requirement-1.1" - identifier: "v1.1" - title: "Title here" - parent: "requirement-1" - }, - { - bom_ref: "requirement-1.1.1" - identifier: "v1.1.1" - text: "Text of the requirement here" - descriptions: [ - "Supplemental text here" - ] - openCre: [ - "CRE:616-305" - ], - parent: "requirement-1.1" - } - ] - levels: [ - { - bom_ref: "level-1" - identifier: "Level 1" - description: "Description here" - requirements: [ - "requirement-1.1.1" - ] - }, - { - bom_ref: "level-2" - identifier: "Level 2" - description: "Description here" - requirements: [ - "requirement-1.1.1" - ] - }, - { - bom_ref: "level-3" - identifier: "Level 3" - description: "Description here" - requirements: [ - "requirement-1.1.1" - ] - } - ] - } - ] -} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-standard-1.6.xml b/tools/src/test/resources/1.6/valid-standard-1.6.xml deleted file mode 100644 index 7a36430a..00000000 --- a/tools/src/test/resources/1.6/valid-standard-1.6.xml +++ /dev/null @@ -1,59 +0,0 @@ - - - - - - Sample Standard - 1.0.0 - Description here - Acme Inc - - - v1 - Title here - - - v1.1 - Title here - requirement-1 - - - v1.1.1 - Text of the requirement here - - Supplemental text here - - CRE:616-305 - requirement-1.1 - - - - - Level 1 - Description here - - requirement-1.1.1 - - - - Level 2 - Description here - - requirement-1.1.1 - - - - Level 3 - Description here - - requirement-1.1.1 - - - - - - - - - - \ No newline at end of file From e151ee44d988a05ab35780c8cff2e44f9daa9f0a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 15 Jan 2024 21:30:50 -0600 Subject: [PATCH 068/217] Revert "Updating gitignore" This reverts commit 76bf8f923bce5a631557ff64a998dcfc72c96c53. --- .gitignore | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 32180a04..fd07c943 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ .idea/ -tools/target/ -.DS_Store \ No newline at end of file +tools/target/ \ No newline at end of file From 81858fec82a7af3211ad68adb9e7203ae875791a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 21 Jan 2024 20:34:31 -0600 Subject: [PATCH 069/217] Removing support for protected-by dependency type Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 1 - schema/bom-1.6.schema.json | 6 ++---- schema/bom-1.6.xsd | 9 --------- .../resources/1.6/valid-cryptography-1.6.json | 17 ----------------- .../1.6/valid-cryptography-1.6.textproto | 17 ----------------- .../resources/1.6/valid-cryptography-1.6.xml | 11 ----------- 6 files changed, 2 insertions(+), 59 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 87963505..c8aae923 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -170,7 +170,6 @@ message Dependency { enum DependencyType { DEPENDENCY_TYPE_IMPLEMENTS = 0; DEPENDENCY_TYPE_USES = 1; - DEPENDENCY_TYPE_PROTECTED_BY = 2; } // References a component or service by the its bom-ref attribute string ref = 1; diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index eae7430b..cfb3c026 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3850,13 +3850,11 @@ "title": "Dependency Type", "enum": [ "implements", - "uses", - "protected-by" + "uses" ], "meta:enum": { "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.", - "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time.", - "protected-by": "Refers to a component or service that safeguards another component or service. For example, a cryptographic component that protects a data component. A component or service which is protected by another component or service does not imply that either are in use." + "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time." }, "default": "uses", "description": "An optional field that describes the type of dependency." diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index a672e8d7..0ce2fb82 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1875,15 +1875,6 @@ limitations under the License. - - - - Refers to a component or service that safeguards another component or service. For example, - a cryptographic component that protects a data component. A component or service which is - protected by another component or service does not imply that either are in use. - - - diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-1.6.json index 1a9dfb5a..00f8f20d 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.json @@ -37,18 +37,6 @@ "bom-ref": "crypto-library", "name": "Crypto library", "version": "1.0.0" - }, - { - "type": "data", - "bom-ref": "some-data", - "name": "Some Data", - "data": [ - { - "type": "dataset", - "classification": "confidential", - "sensitiveData": [ "Highly sensitive data including all PII fields and some PHI" ] - } - ] } ], "dependencies": [ @@ -61,11 +49,6 @@ "ref": "crypto-library", "type": "implements", "dependsOn": ["aes128gcm"] - }, - { - "ref": "some-data", - "type": "protected-by", - "dependsOn": [ "crypto-library" ] } ] } diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto index 99ef7699..e3de29b1 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto @@ -40,16 +40,6 @@ components: [ bom_ref: "crypto-library" name: "Crypto library" version: "1.0.0" - }, - { - type: CLASSIFICATION_DATA - bom_ref: "some-data" - name: "Some Data" - data: { - type: COMPONENT_DATA_TYPE_DATASET - classification: "confidential" - sensitiveData: [ "Highly sensitive data including all PII fields and some PHI" ] - } } ], dependencies: [ @@ -66,12 +56,5 @@ dependencies: [ dependencies { ref: "aes128gcm" } - }, - { - ref: "some-data" - type: DEPENDENCY_TYPE_PROTECTED_BY - dependencies { - ref: "crypto-library" - } } ] diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml index 97baac72..4639eb5c 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.xml @@ -34,14 +34,6 @@ Crypto Library 1.0.0 - - Some Data - - dataset - confidential - Highly sensitive data including all PII fields and some PHI - - @@ -50,8 +42,5 @@ - - - From 82ddeb04a2563b7821841c9e2cd6c40802815491 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 21 Jan 2024 20:55:41 -0600 Subject: [PATCH 070/217] Updated signatureAlgorithm and subjectPublicKey to include 'Ref'. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 4 ++-- schema/bom-1.6.schema.json | 4 ++-- schema/bom-1.6.xsd | 4 ++-- tools/src/test/resources/1.6/valid-cryptography-full-1.6.json | 4 ++-- .../test/resources/1.6/valid-cryptography-full-1.6.textproto | 4 ++-- tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index c8aae923..1a89fb41 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1615,9 +1615,9 @@ message CryptoProperties { // The date and time according to ISO-8601 standard from which the certificate is not valid anymore optional google.protobuf.Timestamp notValidAfter = 4; // The bom-ref to signature algorithm used by the certificate - optional string signatureAlgorithm = 5; + optional string signatureAlgorithmRef = 5; // The bom-ref to the public key of the subject - optional string subjectPublicKey = 6; + optional string subjectPublicKeyRef = 6; // The format of the certificate. Examples include X.509, PEM, DER, and CVC. optional string certificateFormat = 7; // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index cfb3c026..ef8f18d3 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4162,12 +4162,12 @@ "title": "Not Valid After", "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" }, - "signatureAlgorithm": { + "signatureAlgorithmRef": { "$ref": "#/definitions/refType", "title": "Algorithm Reference", "description": "The bom-ref to signature algorithm used by the certificate" }, - "subjectPublicKey": { + "subjectPublicKeyRef": { "$ref": "#/definitions/refType", "title": "Key reference", "description": "The bom-ref to the public key of the subject" diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 0ce2fb82..baca0eda 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6205,14 +6205,14 @@ limitations under the License. - + The bom-ref to signature algorithm used by the certificate - + The bom-ref to the public key of the subject diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json index af88e859..bd12cbbd 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json @@ -37,8 +37,8 @@ "issuerName": "Issuer name here", "notValidBefore": "2022-01-01T00:00:00.000Z", "notValidAfter": "2024-01-01T00:00:00.000Z", - "signatureAlgorithm": "bom-ref-to-algorithm", - "subjectPublicKey": "bom-ref-to-public-key", + "signatureAlgorithmRef": "bom-ref-to-algorithm", + "subjectPublicKeyRef": "bom-ref-to-public-key", "certificateFormat": "X.509", "certificateExtension": "crt" }, diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto index fc985e0a..caf46df1 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto @@ -46,8 +46,8 @@ components: [ seconds: 3173618478 nanos: 3 } - signatureAlgorithm: "bom-ref-to-algorithm" - subjectPublicKey: "bom-ref-to-public-key" + signatureAlgorithmRef: "bom-ref-to-algorithm" + subjectPublicKeyRef: "bom-ref-to-public-key" certificateFormat: "X.509" certificateExtension: "crt" } diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml index 5fed9e98..0e151a34 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml @@ -35,8 +35,8 @@ Issuer name here 2022-01-01T00:00:00.000Z 2024-01-01T00:00:00.000Z - bom-ref-to-algorithm - bom-ref-to-public-key + bom-ref-to-algorithm + bom-ref-to-public-key X.509 crt From 9a9fab8377d218c4daa32406c7ee562136b3d1f8 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 22 Jan 2024 22:54:32 -0600 Subject: [PATCH 071/217] Added missing evidence in XSD and Protobuf originally missed when porting. Minor changes to JSON schema. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 8 ++++++++ schema/bom-1.6.schema.json | 2 ++ schema/bom-1.6.xsd | 23 ++++++++++++++++++++++- 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0b4df631..83c8dce6 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -726,6 +726,14 @@ message EvidenceOccurrences { optional string bom_ref = 1; // The location or path to where the component was found. string location = 2; + // The line number where the component was found. + optional int32 lineNumber = 3; + // The offset where the component was found. + optional int32 offset = 4; + // The symbol name that was found associated with the component. + optional string symbol = 5; + // Any additional context of the detected component (e.g. a code snippet). + optional string additionalContext = 6; } enum EvidenceFieldType { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index da1011b4..0243e2a4 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2030,11 +2030,13 @@ }, "lineNumber": { "type": "integer", + "minimum": 0, "title": "Line Number", "description": "The line number where the component was found." }, "offset": { "type": "integer", + "minimum": 0, "title": "Offset", "description": "The offset where the component was found." }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 7ed436b9..96ee9090 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2367,11 +2367,32 @@ limitations under the License. - + The location or path to where the component was found. + + + The line number where the component was found. + + + + + The offset where the component was found. + + + + + The symbol name that was found associated with the component. + + + + + Any additional context of the detected component (e.g. a code snippet). + + + From 3446cce296c6ceb899785e9c0d29693c195778d5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 23 Jan 2024 12:22:21 -0600 Subject: [PATCH 072/217] Made certificationLevel an array. Updated test cases. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 127 +++++++++--------- schema/bom-1.6.xsd | 2 +- .../resources/1.6/valid-cryptography-1.6.json | 2 +- .../1.6/valid-cryptography-1.6.textproto | 2 +- .../1.6/valid-cryptography-full-1.6.json | 2 +- .../1.6/valid-cryptography-full-1.6.textproto | 2 +- 7 files changed, 71 insertions(+), 68 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 83c8dce6..9bce71e7 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1800,7 +1800,7 @@ message CryptoProperties { // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform. optional CryptoImplementationPlatform implementationPlatform = 5; // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL). - optional string certificationLevel = 6; + repeated string certificationLevel = 6; // The mode of operation in which the cryptographic algorithm (block cipher) is used. optional CryptoAlgorithmMode mode = 7; // The padding scheme that is used for the cryptographic algorithm. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 0243e2a4..f33aaa71 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4736,70 +4736,73 @@ ] }, "certificationLevel": { - "type": "string", + "type": "array", "title": "Certification Level", "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", - "enum": [ - "none", - "fips140-1-l1", - "fips140-1-l2", - "fips140-1-l3", - "fips140-1-l4", - "fips140-2-l1", - "fips140-2-l2", - "fips140-2-l3", - "fips140-2-l4", - "fips140-3-l1", - "fips140-3-l2", - "fips140-3-l3", - "fips140-3-l4", - "cc-eal1", - "cc-eal1+", - "cc-eal2", - "cc-eal2+", - "cc-eal3", - "cc-eal3+", - "cc-eal4", - "cc-eal4+", - "cc-eal5", - "cc-eal5+", - "cc-eal6", - "cc-eal6+", - "cc-eal7", - "cc-eal7+", - "other", - "unknown" - ], - "meta:enum": { - "none": "No certification obtained", - "fips140-1-l1": "FIPS 140-1 Level 1", - "fips140-1-l2": "FIPS 140-1 Level 2", - "fips140-1-l3": "FIPS 140-1 Level 3", - "fips140-1-l4": "FIPS 140-1 Level 4", - "fips140-2-l1": "FIPS 140-2 Level 1", - "fips140-2-l2": "FIPS 140-2 Level 2", - "fips140-2-l3": "FIPS 140-2 Level 3", - "fips140-2-l4": "FIPS 140-2 Level 4", - "fips140-3-l1": "FIPS 140-3 Level 1", - "fips140-3-l2": "FIPS 140-3 Level 2", - "fips140-3-l3": "FIPS 140-3 Level 3", - "fips140-3-l4": "FIPS 140-3 Level 4", - "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", - "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", - "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", - "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", - "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", - "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", - "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", - "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", - "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", - "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", - "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", - "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", - "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", - "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", - "other": "Another certification", - "unknown": "The certification level is not known" + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } } }, "mode": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 96ee9090..ba5a7bb8 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -5852,7 +5852,7 @@ limitations under the License. - + The certification that the implementation of the cryptographic algorithm has diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-1.6.json index 00f8f20d..b498646a 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.json @@ -23,7 +23,7 @@ "parameterSetIdentifier": "128", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": "none", + "certificationLevel": [ "none" ], "mode": "gcm", "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], "classicalSecurityLevel": 128, diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto index e3de29b1..ccc3dbb0 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto @@ -21,7 +21,7 @@ components: [ parameterSetIdentifier: "128" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: "none", + certificationLevel: [ "none" ], mode: CRYPTO_ALGORITHM_MODE_GCM cryptoFunctions: [ CRYPTO_ALGORITHM_FUNCTION_KEYGEN, diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json index bd12cbbd..e25d4dd9 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json @@ -16,7 +16,7 @@ "curve": "brainpoolP160r1", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": "fips140-1-l4", + "certificationLevel": [ "fips140-1-l4" ], "mode": "gcm", "padding": "pkcs5", "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto index caf46df1..a135dc63 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto @@ -14,7 +14,7 @@ components: [ curve: "brainpoolP160r1" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: "fips140-1-l4" + certificationLevel: [ "fips140-1-l4" ] mode: CRYPTO_ALGORITHM_MODE_GCM padding: CRYPTO_ALGORITHM_PADDING_PKCS5 cryptoFunctions: [ From 29fc0a6e1470874ec7a26c63f23d894cceb11edd Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 23 Jan 2024 12:30:43 -0600 Subject: [PATCH 073/217] Renamed lineNumber to line to align properties with those in callstack/frames. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 9bce71e7..d8d3abd3 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -727,7 +727,7 @@ message EvidenceOccurrences { // The location or path to where the component was found. string location = 2; // The line number where the component was found. - optional int32 lineNumber = 3; + optional int32 line = 3; // The offset where the component was found. optional int32 offset = 4; // The symbol name that was found associated with the component. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f33aaa71..51013151 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2028,7 +2028,7 @@ "title": "Location", "description": "The location or path to where the component was found." }, - "lineNumber": { + "line": { "type": "integer", "minimum": 0, "title": "Line Number", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index ba5a7bb8..15a903b6 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2372,7 +2372,7 @@ limitations under the License. The location or path to where the component was found. - + The line number where the component was found. From d8ae85ecd1458c6d2951a3671bca955492b2d7f6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 26 Jan 2024 15:38:22 +0100 Subject: [PATCH 074/217] rework dependency type to `provides` Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 8 +--- schema/bom-1.6.schema.json | 27 ++++------- schema/bom-1.6.xsd | 48 ++++++++----------- ...alid-cryptography-implementation-1.6.json} | 11 +++-- ...cryptography-implementation-1.6.textproto} | 14 ++++-- ...valid-cryptography-implementation-1.6.xml} | 11 +++-- 6 files changed, 57 insertions(+), 62 deletions(-) rename tools/src/test/resources/1.6/{valid-cryptography-1.6.json => valid-cryptography-implementation-1.6.json} (86%) rename tools/src/test/resources/1.6/{valid-cryptography-1.6.textproto => valid-cryptography-implementation-1.6.textproto} (85%) rename tools/src/test/resources/1.6/{valid-cryptography-1.6.xml => valid-cryptography-implementation-1.6.xml} (85%) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d8d3abd3..511e7c34 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -171,16 +171,12 @@ enum DataFlowDirection { } message Dependency { - enum DependencyType { - DEPENDENCY_TYPE_IMPLEMENTS = 0; - DEPENDENCY_TYPE_USES = 1; - } // References a component or service by the its bom-ref attribute string ref = 1; // The bom-ref identifiers of the components or services that are dependencies of this dependency object. repeated Dependency dependencies = 2; - // Defines and characterizes the type of dependency - optional DependencyType type = 3; + // The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. + repeated string provides = 3; } message Diff { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 51013151..4ecc4ae5 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1766,11 +1766,14 @@ "title": "Depends On", "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." }, - "type": { - "type": "string", - "title": "Dependency Type", - "description": "Defines and characterizes the type of dependency", - "$ref": "#/definitions/dependencyType" + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." } } }, @@ -4601,20 +4604,6 @@ "title": "Signature", "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." }, - "dependencyType": { - "type": "string", - "title": "Dependency Type", - "enum": [ - "implements", - "uses" - ], - "meta:enum": { - "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.", - "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time." - }, - "default": "uses", - "description": "An optional field that describes the type of dependency." - }, "cryptoProperties": { "type": "object", "title": "Cryptographic Properties", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 15a903b6..12731aa6 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1851,18 +1851,32 @@ limitations under the License. - + + + The component or service that is a dependency of this dependency object. + + + + + + The component or service that define a given specification or standard, which is provided or implemented by this dependency object. + For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use. + + + + + + References a component or service by its bom-ref attribute + + + + References a component or service by its bom-ref attribute - - - An optional field that describes the type of dependency. - - User-defined attributes may be used on this element as long as they @@ -1871,28 +1885,6 @@ limitations under the License. - - - - - - Refers to a component or service that fulfills the requirements of a given specification or - standard. For example, a cryptographic library which implements a cryptographic algorithm. - A component which implements another component does not imply that the implementation is in use. - - - - - - - Refers to a component or service that relies on another component or service, either explicitly - via function calls or via configuration at run time. - - - - - - diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json similarity index 86% rename from tools/src/test/resources/1.6/valid-cryptography-1.6.json rename to tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json index b498646a..3bff0945 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json @@ -37,18 +37,23 @@ "bom-ref": "crypto-library", "name": "Crypto library", "version": "1.0.0" + }, + { + "type": "library", + "bom-ref": "some-library", + "name": "Some library", + "version": "1.0.0" } ], "dependencies": [ { "ref": "acme-application", - "type": "uses", "dependsOn": ["crypto-library"] }, { "ref": "crypto-library", - "type": "implements", - "dependsOn": ["aes128gcm"] + "provides": ["aes128gcm"], + "dependsOn": ["some-library"] } ] } diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto similarity index 85% rename from tools/src/test/resources/1.6/valid-cryptography-1.6.textproto rename to tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto index ccc3dbb0..a7b1a0be 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto @@ -1,3 +1,6 @@ +# proto-file: schema/bom-1.6.proto +# proto-message: + spec_version: "1.6" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" @@ -40,21 +43,26 @@ components: [ bom_ref: "crypto-library" name: "Crypto library" version: "1.0.0" + }, + { + type: CLASSIFICATION_LIBRARY + bom_ref: "some-library" + name: "Some library" + version: "1.0.0" } ], dependencies: [ { ref: "acme-application" - type: DEPENDENCY_TYPE_USES dependencies { ref: "crypto-library" } }, { ref: "crypto-library" - type: DEPENDENCY_TYPE_IMPLEMENTS + provides: [ "aes128gcm" ] dependencies { - ref: "aes128gcm" + ref: "some-library" } } ] diff --git a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml similarity index 85% rename from tools/src/test/resources/1.6/valid-cryptography-1.6.xml rename to tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml index 4639eb5c..d9c97fee 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml @@ -34,13 +34,18 @@ Crypto Library 1.0.0 + + Some Library + 1.0.0 + - + - - + + + From 4dd558844752f369bf2b686e3b38c94925beaaad Mon Sep 17 00:00:00 2001 From: Mark Symons Date: Sun, 4 Feb 2024 22:23:17 +0000 Subject: [PATCH 075/217] Tweak compliment to complement Signed-off-by: Mark Symons --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c692f064..7651e541 100644 --- a/README.md +++ b/README.md @@ -68,9 +68,9 @@ The officially supported media type for Protocol Buffer format is `application/x ## Related Work [SPDX (Software Package Data Exchange)][spdx-url] is a specification that provides low-level details of components, including all files, hashes, authors, and copyrights. SPDX also defines over 300 open source license IDs. CycloneDX builds on top of the work SPDX has accomplished with license IDs, but varies greatly in its approach towards building a software bill of material specification. -[SWID (ISO/IEC 19770-2:2015)][swid-url] is used primarily to identify installed software and is the preferred format of the NVD. SWID tags are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification compliments this work as CycloneDX documents can incorporate SWID tags and other high-level SWID metadata and optionally include entire SWID documents. Use of SWID tag ID's are useful in determining if a specific component has known vulnerabilities. +[SWID (ISO/IEC 19770-2:2015)][swid-url] is used primarily to identify installed software and is the preferred format of the NVD. SWID tags are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification complements this work as CycloneDX documents can incorporate SWID tags and other high-level SWID metadata and optionally include entire SWID documents. Use of SWID tag ID's are useful in determining if a specific component has known vulnerabilities. -[CPE (Common Platform Enumeration)][cpe-url] is a specification that describes the vendor, name, and version for an application, operating system, or hardware device. CPE identifiers are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification compliments this work as CycloneDX documents can easily be used to construct exact CPE identifiers that are useful in determining if a specific component has known vulnerabilities. +[CPE (Common Platform Enumeration)][cpe-url] is a specification that describes the vendor, name, and version for an application, operating system, or hardware device. CPE identifiers are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification complements this work as CycloneDX documents can easily be used to construct exact CPE identifiers that are useful in determining if a specific component has known vulnerabilities. ## Copyright & License From a7ee90746bf80ef6a74d5b72206e74530b739388 Mon Sep 17 00:00:00 2001 From: Mark Symons Date: Sun, 4 Feb 2024 22:43:28 +0000 Subject: [PATCH 076/217] Tweak compliment to complement Signed-off-by: Mark Symons --- schema/bom-1.6.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 511e7c34..89991875 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -264,7 +264,7 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE = 31; // A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency. EXTERNAL_REFERENCE_TYPE_MODEL_CARD = 32; - // Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + // Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". EXTERNAL_REFERENCE_TYPE_POAM = 33; // A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. EXTERNAL_REFERENCE_TYPE_LOG = 34; @@ -536,7 +536,7 @@ message Pedigree { repeated Component variants = 3; // A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant. repeated Commit commits = 4; - // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits. + // A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits. repeated Patch patches = 5; // Notes, observations, and other non-structured commentary describing the components pedigree. optional string notes = 6; From 2a9d676e88759aff91517ffa1cb67eec7cb70285 Mon Sep 17 00:00:00 2001 From: Mark Symons Date: Sun, 4 Feb 2024 22:45:14 +0000 Subject: [PATCH 077/217] Tweak compliment to complement Signed-off-by: Mark Symons --- schema/bom-1.6.schema.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 4ecc4ae5..695b1d2d 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -985,7 +985,7 @@ "patches": { "type": "array", "title": "Patches", - "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits or may be used in place of commits.", + "description": ">A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", "items": {"$ref": "#/definitions/patch"} }, "notes": { @@ -1728,7 +1728,7 @@ "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", "quality-metrics": "Report or system in which quality metrics can be obtained.", - "poam": "Plans of Action and Milestones (POAM) compliment an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "poam": "Plans of Action and Milestones (POAM) complement an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.", "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", "other": "Use this if no other types accurately describe the purpose of the external reference." From 52a4ee27b5c653c46ba5f8b8ce478f663f93cb43 Mon Sep 17 00:00:00 2001 From: Mark Symons Date: Sun, 4 Feb 2024 22:46:44 +0000 Subject: [PATCH 078/217] Tweak compliment to complement Signed-off-by: Mark Symons --- schema/bom-1.6.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 12731aa6..8d1ded1e 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1421,7 +1421,7 @@ limitations under the License. - Plans of Action and Milestones (POAM) compliment an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + Plans of Action and Milestones (POAM) complement an "attestation" external reference. POAM is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". @@ -1828,7 +1828,7 @@ limitations under the License. A list of zero or more patches describing how the component - deviates from an ancestor, descendant, or variant. Patches may be complimentary to commits + deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits. From 71b47545f7e8555d7e847ca90bd8d32e1df6f36b Mon Sep 17 00:00:00 2001 From: Ian Dunbar-Hall Date: Thu, 8 Feb 2024 07:48:09 -0800 Subject: [PATCH 079/217] fix: correcting title of counterClaim Signed-off-by: Ian Dunbar-Hall --- schema/bom-1.6.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 695b1d2d..13994c0e 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -178,7 +178,7 @@ }, "counterClaims": { "type": "array", - "title": "Claims", + "title": "Counter Claims", "description": "The list of `bom-ref` to the counter claims being attested to.", "items": { "$ref": "#/definitions/refLinkType" } }, From c418c2a27d1723de0b03766f90fff0466c293679 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 9 Feb 2024 13:18:55 +0100 Subject: [PATCH 080/217] tests: test data and examples for valid and invalid property Signed-off-by: Jan Kowalleck --- .../resources/1.6/valid-properties-1.6.json | 36 ++++++++++++++----- .../1.6/valid-properties-1.6.textproto | 36 ++++++++++++++----- .../resources/1.6/valid-properties-1.6.xml | 8 +++-- 3 files changed, 62 insertions(+), 18 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-properties-1.6.json b/tools/src/test/resources/1.6/valid-properties-1.6.json index 237f7fe2..68c47f86 100644 --- a/tools/src/test/resources/1.6/valid-properties-1.6.json +++ b/tools/src/test/resources/1.6/valid-properties-1.6.json @@ -9,10 +9,6 @@ "name": "Foo", "value": "Bar" }, - { - "name": "Foo", - "value": "You" - }, { "name": "Foo", "value": "Two" @@ -20,6 +16,9 @@ { "name": "Bar", "value": "Foo" + }, + { + "name": "value-is-optional" } ] }, @@ -37,10 +36,6 @@ "name": "Foo", "value": "Bar" }, - { - "name": "Foo", - "value": "You" - }, { "name": "Foo", "value": "Two" @@ -48,6 +43,9 @@ { "name": "Bar", "value": "Foo" + }, + { + "name": "value-is-optional" } ] } @@ -57,6 +55,17 @@ { "name": "Foo", "value": "Bar" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + }, + { + "name": "value-is-optional" } ] } @@ -73,6 +82,17 @@ { "name": "Foo", "value": "Bar" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + }, + { + "name": "value-is-optional" } ] } diff --git a/tools/src/test/resources/1.6/valid-properties-1.6.textproto b/tools/src/test/resources/1.6/valid-properties-1.6.textproto index 43779985..3f1c2ac6 100644 --- a/tools/src/test/resources/1.6/valid-properties-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-properties-1.6.textproto @@ -6,10 +6,6 @@ metadata { name: "Foo" value: "Bar" } - properties { - name: "Foo" - value: "You" - } properties { name: "Foo" value: "Two" @@ -18,6 +14,9 @@ metadata { name: "Bar" value: "Foo" } + properties { + name: "value-is-optional" + } } components { type: CLASSIFICATION_LIBRARY @@ -30,10 +29,6 @@ components { name: "Foo" value: "Bar" } - properties { - name: "Foo" - value: "You" - } properties { name: "Foo" value: "Two" @@ -42,12 +37,26 @@ components { name: "Bar" value: "Foo" } + properties { + name: "value-is-optional" + } } } properties { name: "Foo" value: "Bar" } + properties { + name: "Foo" + value: "Two" + } + properties { + name: "Bar" + value: "Foo" + } + properties { + name: "value-is-optional" + } } services { bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" @@ -58,4 +67,15 @@ services { name: "Foo" value: "Bar" } + properties { + name: "Foo" + value: "Two" + } + properties { + name: "Bar" + value: "Foo" + } + properties { + name: "value-is-optional" + } } diff --git a/tools/src/test/resources/1.6/valid-properties-1.6.xml b/tools/src/test/resources/1.6/valid-properties-1.6.xml index 32cd224c..ac03d4b8 100644 --- a/tools/src/test/resources/1.6/valid-properties-1.6.xml +++ b/tools/src/test/resources/1.6/valid-properties-1.6.xml @@ -3,9 +3,9 @@ Bar - You Two Foo + @@ -17,15 +17,17 @@ Apache-2.0 Bar - You Two Foo + Bar + Two Foo + @@ -38,7 +40,9 @@ Bar + Two Foo + From e6ea842ea49d7b9a50951220ce86a24a56c5971e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 9 Feb 2024 13:19:00 +0100 Subject: [PATCH 081/217] tests: test data and examples for valid and invalid property Signed-off-by: Jan Kowalleck --- .../resources/1.6/invalid-properties-1.6.json | 68 +++++++++++++++++++ .../1.6/invalid-properties-1.6.textproto | 45 ++++++++++++ .../resources/1.6/invalid-properties-1.6.xml | 41 +++++++++++ 3 files changed, 154 insertions(+) create mode 100644 tools/src/test/resources/1.6/invalid-properties-1.6.json create mode 100644 tools/src/test/resources/1.6/invalid-properties-1.6.textproto create mode 100644 tools/src/test/resources/1.6/invalid-properties-1.6.xml diff --git a/tools/src/test/resources/1.6/invalid-properties-1.6.json b/tools/src/test/resources/1.6/invalid-properties-1.6.json new file mode 100644 index 00000000..06985035 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-properties-1.6.json @@ -0,0 +1,68 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:bcb403ae-91fa-436e-bc93-84d1078cdeed", + "version": 1, + "metadata": { + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + }, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + } + } + ], + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "group": "org.partner", + "name": "Stock ticker service", + "endpoints": [ + "https://partner.org/api/v1/stock" + ], + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + } + ] +} diff --git a/tools/src/test/resources/1.6/invalid-properties-1.6.textproto b/tools/src/test/resources/1.6/invalid-properties-1.6.textproto new file mode 100644 index 00000000..9afebf51 --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-properties-1.6.textproto @@ -0,0 +1,45 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:bcb403ae-91fa-436e-bc93-84d1078cdeed" +metadata { + properties { + value: "missing a name" + } + properties { + # no name and no value + } +} +components { + type: CLASSIFICATION_LIBRARY + name: "acme-library" + version: "1.0.0" + licenses { + license { + id: "Apache-2.0" + properties { + value: "missing a name" + } + properties { + # no name and no value + } + } + } + properties { + value: "missing a name" + } + properties { + # no name and no value + } +} +services { + bom_ref: "b2a46a4b-8367-4bae-9820-95557cfe03a8" + group: "org.partner" + name: "Stock ticker service" + endpoints: "https://partner.org/api/v1/stock" + properties { + value: "missing a name" + } + properties { + # no name and no value + } +} diff --git a/tools/src/test/resources/1.6/invalid-properties-1.6.xml b/tools/src/test/resources/1.6/invalid-properties-1.6.xml new file mode 100644 index 00000000..9c54127f --- /dev/null +++ b/tools/src/test/resources/1.6/invalid-properties-1.6.xml @@ -0,0 +1,41 @@ + + + + + missing a name + + + + + + acme-library + 1.0.0 + + + Apache-2.0 + + missing a name + + + + + + missing a name + + + + + + + org.partner + Stock ticker service + + https://partner.org/api/v1/stock + + + missing a name + + + + + From 09819671005b06d8790b4a501737f7a7efcb38c2 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 9 Feb 2024 13:32:22 +0100 Subject: [PATCH 082/217] fix: in JSON, CycloneDX property has mandatory name and no additionalProperties Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 695b1d2d..3765d4da 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2218,6 +2218,9 @@ "type": "object", "title": "Lightweight name-value pair", "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", + "required": [ + "name" + ], "properties": { "name": { "type": "string", @@ -2229,7 +2232,8 @@ "title": "Value", "description": "The value of the property." } - } + }, + "additionalProperties": false }, "localeType": { "type": "string", From e0dc6107f2d189fc9bce1b414224c1a27f5b7179 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 9 Feb 2024 10:29:04 -0600 Subject: [PATCH 083/217] Add descriptions for task types Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 695b1d2d..dda439be 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4340,7 +4340,21 @@ "release", "clean", "other" - ] + ], + "meta:enum": { + "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", + "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", + "lint": "A task that checks source code for programmatic and stylistic errors.", + "scan": "A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.", + "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", + "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", + "test": "A task that verifies the functionality of a component or service.", + "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", + "deploy": "A task that deploys a built artifact for execution on one or more target systems.", + "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", + "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", + "other": "A workflow task that does not match current task type definitions." + } }, "parameter": { "title": "Parameter", From 07cd714bb9115b5ab2008c75d1023dbf0ed485f8 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 9 Feb 2024 12:08:46 -0600 Subject: [PATCH 084/217] Add descriptions for task types as comments in protobuf schema Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 89991875..f75677a8 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -370,7 +370,7 @@ message License { // Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata optional Licensing licensing = 6; // Specifies optional, custom, properties - repeated Property properties = 7; + repeated Property properties = 7; } message Licensing { @@ -1482,17 +1482,29 @@ message Condition { enum TaskType { TASK_TYPE_COPY = 0; + // A task that copies software or data used to accomplish other tasks in the workflow. TASK_TYPE_CLONE = 1; + // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. TASK_TYPE_LINT = 2; + // A task that checks source code for programmatic and stylistic errors. TASK_TYPE_SCAN = 3; + // A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance. TASK_TYPE_MERGE = 4; + // A task that merges changes or fixes into source code prior to a build step in the workflow. TASK_TYPE_BUILD = 5; + // A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems. TASK_TYPE_TEST = 6; + // A task that verifies the functionality of a component or service. TASK_TYPE_DELIVER = 7; + // A task that delivers a built artifact to one or more target repositories or storage systems. TASK_TYPE_DEPLOY = 8; + // A task that deploys a built artifact for execution on one or more target systems. TASK_TYPE_RELEASE = 9; + // A task that releases a built, versioned artifact to a target repository or distribution system. TASK_TYPE_CLEAN = 10; + // A task that cleans unnecessary tools, build artifacts and/or data from workflow storage. TASK_TYPE_OTHER = 11; + // A workflow task that does not match current task type definitions. } // A representation of a functional parameter. From 1c293d84304954aa2c3e12ce218d0412fe48126f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 9 Feb 2024 12:32:34 -0600 Subject: [PATCH 085/217] Add descriptions for task types as comments in v1.6 XSD schema Signed-off-by: Matt Rutkowski --- schema/bom-1.6.xsd | 80 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 64 insertions(+), 16 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index c3c9b230..2254dad6 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -845,8 +845,8 @@ limitations under the License. of interest to the general public are encouraged to be registered in the CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. Formal registration is OPTIONAL. - - + + @@ -2158,7 +2158,7 @@ limitations under the License. A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements - + Example values: - Apache-2.0 AND (MIT OR GPL-2.0-only) - GPL-3.0-only WITH Classpath-exception-2.0 @@ -3976,7 +3976,7 @@ limitations under the License. - + @@ -4745,18 +4745,66 @@ limitations under the License. - - - - - - - - - - - - + + + A task that copies software or data used to accomplish other tasks in the workflow. + + + + + A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. + + + + + A task that checks source code for programmatic and stylistic errors. + + + + + A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance. + + + + + A task that merges changes or fixes into source code prior to a build step in the workflow. + + + + + A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems. + + + + + A task that verifies the functionality of a component or service. + + + + + A task that delivers a built artifact to one or more target repositories or storage systems. + + + + + A task that deploys a built artifact for execution on one or more target systems. + + + + + A task that releases a built, versioned artifact to a target repository or distribution system. + + + + + A task that cleans unnecessary tools, build artifacts and/or data from workflow storage. + + + + + A workflow task that does not match current task type definitions. + + From 233bcc5bb120652c0c2e92a897fe219198d101da Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 9 Feb 2024 14:02:28 -0600 Subject: [PATCH 086/217] Add descriptions for task types as comments in protobuf schema Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index f75677a8..d39a06bc 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1481,30 +1481,30 @@ message Condition { } enum TaskType { + // A task that copies software or data used to accomplish other tasks in the workflow. TASK_TYPE_COPY = 0; - // A task that copies software or data used to accomplish other tasks in the workflow. + // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. TASK_TYPE_CLONE = 1; - // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. - TASK_TYPE_LINT = 2; // A task that checks source code for programmatic and stylistic errors. - TASK_TYPE_SCAN = 3; + TASK_TYPE_LINT = 2; // A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance. - TASK_TYPE_MERGE = 4; + TASK_TYPE_SCAN = 3; // A task that merges changes or fixes into source code prior to a build step in the workflow. - TASK_TYPE_BUILD = 5; + TASK_TYPE_MERGE = 4; // A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems. - TASK_TYPE_TEST = 6; + TASK_TYPE_BUILD = 5; // A task that verifies the functionality of a component or service. - TASK_TYPE_DELIVER = 7; + TASK_TYPE_TEST = 6; // A task that delivers a built artifact to one or more target repositories or storage systems. - TASK_TYPE_DEPLOY = 8; + TASK_TYPE_DELIVER = 7; // A task that deploys a built artifact for execution on one or more target systems. - TASK_TYPE_RELEASE = 9; + TASK_TYPE_DEPLOY = 8; // A task that releases a built, versioned artifact to a target repository or distribution system. - TASK_TYPE_CLEAN = 10; + TASK_TYPE_RELEASE = 9; // A task that cleans unnecessary tools, build artifacts and/or data from workflow storage. - TASK_TYPE_OTHER = 11; + TASK_TYPE_CLEAN = 10; // A workflow task that does not match current task type definitions. + TASK_TYPE_OTHER = 11; } // A representation of a functional parameter. From 7224f3e1a93f2dae624396c7e62323415a606913 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 9 Feb 2024 14:04:22 -0600 Subject: [PATCH 087/217] Add descriptions for task types as comments in protobuf schema Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d39a06bc..1c6f842c 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1481,9 +1481,9 @@ message Condition { } enum TaskType { - // A task that copies software or data used to accomplish other tasks in the workflow. + // A task that copies software or data used to accomplish other tasks in the workflow. TASK_TYPE_COPY = 0; - // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. + // A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. TASK_TYPE_CLONE = 1; // A task that checks source code for programmatic and stylistic errors. TASK_TYPE_LINT = 2; From e5a8713c21f2b6579c4916780adaded1aa6700f3 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 12 Feb 2024 10:41:59 -0600 Subject: [PATCH 088/217] Added enum descriptions provided by Cryptography FWG Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 4ecc4ae5..07680cff 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4975,7 +4975,28 @@ "token", "other", "unknown" - ] + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", + "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "digest": "The output of the hash function.", + "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", + "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", + "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.", + "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", + "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", + "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", + "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", + "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", + "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", + "token": "An object encapsulating a security identity.", + "other": "Another type of cryptographic asset.", + "unknown": "The type of cryptographic asset is not known." + } }, "id": { "type": "string", From 6c3f3e370b90064d3a7de0628dec3d9d795e136c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 14 Feb 2024 18:38:55 +0100 Subject: [PATCH 089/217] docs: describe `$.metadata.licenses` Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 1 + schema/bom-1.6.xsd | 9 ++++++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 1c6f842c..f19815d8 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -448,7 +448,7 @@ message Metadata { optional OrganizationalEntity manufacture = 5; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; - // The license information for the BOM document + // The license information for the BOM document. This may be different from the license(s) of the component that the BOM describes. optional LicenseChoice licenses = 7; // Specifies optional, custom, properties repeated Property properties = 8; diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f607294d..f6604e76 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -689,6 +689,7 @@ }, "licenses": { "title": "BOM License(s)", + "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component that the BOM describes.", "$ref": "#/definitions/licenseChoice" }, "properties": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 2254dad6..1087e23b 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -223,7 +223,14 @@ limitations under the License. supplier may often be the manufacturer, but may also be a distributor or repackager. - + + + + The license information for the BOM document. + This may be different from the license(s) of the component that the BOM describes. + + + Provides the ability to document properties in a name/value store. From 4ca69c9cdf81356d7f114ceaa9fca15a7872c97c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 8 Feb 2024 13:05:09 +0100 Subject: [PATCH 090/217] feat: devide metadata from its component - add `component.manufacturer` - add `component.authors` - deprecate `component.author` in favour of `component.authors` and `component.manufacturer` - deprecate `metatada.manufature` in favour of `metadata.component.manufacturer` - deprecate `metadata.supplier` in favour of `metadata.component.supplier` Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f607294d..3d5a6870 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -666,10 +666,16 @@ } ] }, + "manufacturer" :{ + "type": "array", + "title": "BOM Manufacturer", + "description": "The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, "authors" :{ "type": "array", - "title": "Authors", - "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors.", + "title": "BOM Authors", + "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", "items": {"$ref": "#/definitions/organizationalContact"} }, "component": { @@ -678,13 +684,15 @@ "$ref": "#/definitions/component" }, "manufacture": { - "title": "Manufacture", - "description": "The organization that manufactured the component that the BOM describes.", + "deprecated": true, + "title": "Component Manufacture (legacy)", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use the `@.component.manufacturer` instead.\nThe organization that manufactured the component that the BOM describes.", "$ref": "#/definitions/organizationalEntity" }, "supplier": { - "title": "Supplier", - "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "deprecated": true, + "title": "Component Supplier (legacy)", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use `@.component.supplier` instead.\n The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", "$ref": "#/definitions/organizationalEntity" }, "licenses": { @@ -865,10 +873,22 @@ "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", "$ref": "#/definitions/organizationalEntity" }, + "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors" :{ + "type": "array", + "title": "Component Authors", + "description": "The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, "author": { + "deprecated": true, "type": "string", - "title": "Component Author", - "description": "The person(s) or organization(s) that authored the component", + "title": "Component Author (legacy)", + "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use `@.authors` or `@.manufacturer` instead.\nThe person(s) or organization(s) that authored the component", "examples": ["Acme Inc"] }, "publisher": { From cbd6265ee5ee7b9f5f79a5fc7908e47c0965e8b1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 15 Feb 2024 09:10:59 +0100 Subject: [PATCH 091/217] revert proposed changes on `metadata.supplier` Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3d5a6870..6d0ec757 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -690,9 +690,8 @@ "$ref": "#/definitions/organizationalEntity" }, "supplier": { - "deprecated": true, - "title": "Component Supplier (legacy)", - "description": "[Deprecated] - DO NOT USE. This will be removed in a future version. Use `@.component.supplier` instead.\n The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", "$ref": "#/definitions/organizationalEntity" }, "licenses": { From 138e2496a27025ad4ee100aa704d68157cc70836 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 16 Feb 2024 16:14:09 +0100 Subject: [PATCH 092/217] feat: external reference type for RFC9116 Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 ++ schema/bom-1.6.schema.json | 2 ++ schema/bom-1.6.xsd | 5 +++++ 3 files changed, 9 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 1c6f842c..047a7f79 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -280,6 +280,8 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE = 39; // A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40; + // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) + EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41; } enum HashAlg { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f607294d..3d19af00 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1687,6 +1687,7 @@ "poam", "electronic-signature", "digital-signature", + "rfc-9116", "other" ], "meta:enum": { @@ -1731,6 +1732,7 @@ "poam": "Plans of Action and Milestones (POAM) complement an \"attestation\" external reference. POAM is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name.", "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", + "rfc-9116": "Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)", "other": "Use this if no other types accurately describe the purpose of the external reference." } diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 2254dad6..ba755b2b 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1434,6 +1434,11 @@ limitations under the License. A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + + + Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) + + Use this if no other types accurately describe the purpose of the external reference From a9573183d7d237a87c288b8ed6eedbd5f25f6fa8 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 16 Feb 2024 16:41:24 +0100 Subject: [PATCH 093/217] docs: fix malform/typo Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.xsd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 1c6f842c..1b93ee5c 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -228,7 +228,7 @@ enum ExternalReferenceType { EXTERNAL_REFERENCE_TYPE_BUILD_META = 13; // URL to an automated build system EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM = 14; - // Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT. + // Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT. EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT = 15; // Human or machine-readable statements containing facts, evidence, or testimony EXTERNAL_REFERENCE_TYPE_ATTESTATION = 16; diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 2254dad6..8fc52396 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1314,7 +1314,7 @@ limitations under the License. - Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501]) that specifies the records containing DNS Security TXT. + Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT. From 702653c10db93e92cc0c0827d53cefce20575b74 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 22:08:41 +0100 Subject: [PATCH 094/217] sam fix indended JSON data structures Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index dde75787..ecde89aa 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -666,13 +666,12 @@ } ] }, - "manufacturer" :{ - "type": "array", + "manufacturer": { "title": "BOM Manufacturer", "description": "The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", - "items": {"$ref": "#/definitions/organizationalEntity"} + "$ref": "#/definitions/organizationalEntity" }, - "authors" :{ + "authors": { "type": "array", "title": "BOM Authors", "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", From 4cc4e14d92a0f3caaf465b9059024fdb679f7283 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 22:09:00 +0100 Subject: [PATCH 095/217] add JSON test data Signed-off-by: Jan Kowalleck --- .../src/test/resources/1.6/valid-bom-1.6.json | 26 +++++++++++++++++-- .../1.6/valid-metadata-manufacture-1.6.json | 2 +- .../1.6/valid-metadata-manufacturer-1.6.json | 23 ++++++++++++++++ 3 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json index 994f726f..23482e78 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.json +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -45,7 +45,7 @@ } } }, - "manufacture": { + "manufacturer": { "name": "Acme, Inc.", "url": [ "https://example.com" @@ -74,6 +74,7 @@ { "bom-ref": "pkg:npm/acme/component@1.0.0", "type": "library", + "author": "Joane DOe et al.", "publisher": "Acme Inc", "group": "com.acme", "name": "tomcat-catalina", @@ -160,7 +161,28 @@ } ] }, - "author": "Example Super Heros", + "manufacturer": { + "name": "Example-2, Inc.", + "url": [ + "https://example.org" + ], + "contact": [ + { + "email": "support@example.org" + } + ] + }, + "authors": [ + { + "name": "Anthony Edward Stark", + "phone": "555-212-970-4133", + "email": "ironman@example.org" + }, + { + "name": "Peter Benjamin Parker", + "email": "spiderman@example.org" + } + ], "group": "org.example", "name": "mylibrary", "version": "1.0.0" diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json index 26b1c8b4..bee88561 100644 --- a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.json @@ -6,7 +6,7 @@ "metadata": { "manufacture": { "bom-ref": "manufacturer-1", - "name": "Acme, Inc.", + "name": "Acme, Inc. // deprecated", "url": [ "https://example.com" ], diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json new file mode 100644 index 00000000..7fc82b90 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.json @@ -0,0 +1,23 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "manufacturer-1", + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "components": [] +} From 5639eef48b2284f756d6d729f18cc8a6bee6497f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 22:09:55 +0100 Subject: [PATCH 096/217] fix typo Signed-off-by: Jan Kowalleck --- tools/src/test/resources/1.6/valid-bom-1.6.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.json b/tools/src/test/resources/1.6/valid-bom-1.6.json index 23482e78..f077c793 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.json +++ b/tools/src/test/resources/1.6/valid-bom-1.6.json @@ -74,7 +74,7 @@ { "bom-ref": "pkg:npm/acme/component@1.0.0", "type": "library", - "author": "Joane DOe et al.", + "author": "Joane Doe et al.", "publisher": "Acme Inc", "group": "com.acme", "name": "tomcat-catalina", From cd1fbe9f29873616ec0acc7a491f62ea06a50654 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 23:21:07 +0100 Subject: [PATCH 097/217] xml Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 8 ++-- schema/bom-1.6.xsd | 45 +++++++++++++++++-- .../src/test/resources/1.6/valid-bom-1.6.xml | 25 +++++++++-- .../1.6/valid-metadata-manufacture-1.6.xml | 2 +- .../1.6/valid-metadata-manufacturer-1.6.xml | 14 ++++++ 5 files changed, 81 insertions(+), 13 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index ecde89aa..ae5d0083 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -668,13 +668,13 @@ }, "manufacturer": { "title": "BOM Manufacturer", - "description": "The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '@.authors' instead.", "$ref": "#/definitions/organizationalEntity" }, "authors": { "type": "array", "title": "BOM Authors", - "description": "The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have '@.manufacturer' instead.", "items": {"$ref": "#/definitions/organizationalContact"} }, "component": { @@ -874,13 +874,13 @@ }, "manufacturer": { "title": "Component Manufacturer", - "description": "The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", "$ref": "#/definitions/organizationalEntity" }, "authors" :{ "type": "array", "title": "Component Authors", - "description": "The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", "items": {"$ref": "#/definitions/organizationalContact"} }, "author": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 1df0505c..ba049e36 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -198,8 +198,10 @@ limitations under the License. - The person(s) who created the BOM. Authors are common in BOMs created through - manual processes. BOMs created through automated means may not have authors. + + The person(s) who created the BOM. + Authors are common in BOMs created through manual processes. BOMs created through automated means may have './manufacturer' instead. + @@ -212,9 +214,20 @@ limitations under the License. The component that the BOM describes. + + + + The organization that created the BOM. + Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have './authors' instead. + + + - The organization that manufactured the component that the BOM describes. + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `./component/manufacturer` instead. + The organization that manufactured the component that the BOM describes. + @@ -483,9 +496,33 @@ limitations under the License. be the manufacturer, but may also be a distributor or repackager. + + + + The organization that created the component. + Manufacturer is common in components created through automated processes. Components created through manual means may have './authors' instead. + + + + + + + The person(s) who created the component. + Authors are common in components created through manual processes. Components created through automated means may have `./manufacturer` instead. + + + + + + + + - The person(s) or organization(s) that authored the component + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./authors` or `./manufacturer` instead. + The person(s) or organization(s) that authored the component. + diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.xml b/tools/src/test/resources/1.6/valid-bom-1.6.xml index fc1904d3..6760b9da 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.xml +++ b/tools/src/test/resources/1.6/valid-bom-1.6.xml @@ -28,14 +28,14 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== - + Acme, Inc. https://example.com Acme Professional Services professional.services@example.com - + Acme, Inc. https://example.com @@ -47,7 +47,7 @@ - Acme Super Heros + Joane Doe et al. Acme Inc com.acme tomcat-catalina @@ -120,7 +120,24 @@ support@apac.example.com - Example Super Heros + + Example-2, Inc.Example-2, Inc. + https://example.org + + support@example.org + + + + + Anthony Edward Stark + ironman@example.org + 555-212-970-4133 + + + Peter Benjamin Parker + spiderman@example.org + + org.example mylibrary 1.0.0 diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml index d7559699..78ea7e22 100644 --- a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.xml @@ -2,7 +2,7 @@ - Acme, Inc. + Acme, Inc. // deprecated https://example.com Acme Professional Services diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml new file mode 100644 index 00000000..94a536cc --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.xml @@ -0,0 +1,14 @@ + + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + + From c8f97ce1df3c6494680fcd82c6b54339d099fcba Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 23:34:28 +0100 Subject: [PATCH 098/217] protobuf Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 16 +++++++++++----- .../test/resources/1.6/valid-bom-1.6.textproto | 12 ++++++------ .../1.6/valid-metadata-manufacture-1.6.textproto | 2 +- .../valid-metadata-manufacturer-1.6.textproto | 15 +++++++++++++++ 4 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d1a02573..8e802f4a 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -97,8 +97,8 @@ message Component { optional string bom_ref = 3; // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 4; - // The person(s) or organization(s) that authored the component - optional string author = 5; + // This will be removed in a future version. Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component + optional string author = 5 [deprecated = true]; // The person(s) or organization(s) that published the component optional string publisher = 6; // The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org. @@ -141,6 +141,10 @@ message Component { optional ComponentData data = 26; // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. optional CryptoProperties cryptoProperties = 27; + // The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `.authors` instead. + optional OrganizationalEntity manufacturer = 28; + // The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `.manufacturer` instead. + repeated OrganizationalContact authors = 29; } // Specifies the data flow. @@ -440,12 +444,12 @@ message Metadata { optional google.protobuf.Timestamp timestamp = 1; // The tool(s) used in the creation of the BOM. optional Tool tools = 2; - // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may not have authors. + // The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have '.manufacturer' instead. repeated OrganizationalContact authors = 3; // The component that the BOM describes. optional Component component = 4; - // The organization that manufactured the component that the BOM describes. - optional OrganizationalEntity manufacture = 5; + // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. + optional OrganizationalEntity manufacture = 5 [deprecated = true]; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; // The license information for the BOM document. This may be different from the license(s) of the component that the BOM describes. @@ -454,6 +458,8 @@ message Metadata { repeated Property properties = 8; // The product lifecycle(s) that this BOM represents. repeated Lifecycles lifecycles = 9; + // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead. + optional OrganizationalEntity manufacturer = 10; } message Lifecycles { diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto index 3e81e348..97903a05 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -40,20 +40,20 @@ metadata { } } } - manufacture { + supplier { name: "Acme, Inc." url: "https://example.com" contact { - name: "Acme Professional Services" - email: "professional.services@example.com" + name: "Acme Distribution" + email: "distribution@example.com" } } - supplier { + manufacturer { name: "Acme, Inc." url: "https://example.com" contact { - name: "Acme Distribution" - email: "distribution@example.com" + name: "Acme Professional Services" + email: "professional.services@example.com" } } } diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto index 0ad3c0b8..d5bc8f1b 100644 --- a/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-metadata-manufacture-1.6.textproto @@ -3,7 +3,7 @@ version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" metadata { manufacture { - name: "Acme, Inc." + name: "Acme, Inc. // deprecated" url: "https://example.com" contact { name: "Acme Professional Services" diff --git a/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto new file mode 100644 index 00000000..00b1fcd7 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-metadata-manufacturer-1.6.textproto @@ -0,0 +1,15 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +metadata { + manufacturer { + name: "Acme, Inc." + url: "https://example.com" + contact { + name: "Acme Professional Services" + email: "professional.services@example.com" + bom_ref: "contact-1" + } + bom_ref: "manufacturer-1" + } +} From 8b0f6e66f15966694e7878e22762e4f46aa58b87 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 20 Feb 2024 23:38:07 +0100 Subject: [PATCH 099/217] typo Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 8e802f4a..32b5bfc3 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -97,7 +97,7 @@ message Component { optional string bom_ref = 3; // The organization that supplied the component. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 4; - // This will be removed in a future version. Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.authors` or `.manufacturer` instead. The person(s) or organization(s) that authored the component optional string author = 5 [deprecated = true]; // The person(s) or organization(s) that published the component optional string publisher = 6; @@ -448,7 +448,7 @@ message Metadata { repeated OrganizationalContact authors = 3; // The component that the BOM describes. optional Component component = 4; - // DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use the `.component.manufacturer` instead. The organization that manufactured the component that the BOM describes. optional OrganizationalEntity manufacture = 5 [deprecated = true]; // The organization that supplied the component that the BOM describes. The supplier may often be the manufacture, but may also be a distributor or repackager. optional OrganizationalEntity supplier = 6; From b31cdb1b5c6477073959686517ffe2f6eb0f1d33 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 21 Feb 2024 00:15:25 +0100 Subject: [PATCH 100/217] protobuff test case Signed-off-by: Jan Kowalleck --- .../test/resources/1.6/valid-bom-1.6.textproto | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/src/test/resources/1.6/valid-bom-1.6.textproto b/tools/src/test/resources/1.6/valid-bom-1.6.textproto index 97903a05..b1009915 100644 --- a/tools/src/test/resources/1.6/valid-bom-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-bom-1.6.textproto @@ -60,6 +60,7 @@ metadata { components { type: CLASSIFICATION_LIBRARY bom_ref: "pkg:npm/acme/component@1.0.0" + author: "Joane Doe et al." publisher: "Acme Inc" group: "com.acme" name: "tomcat-catalina" @@ -141,6 +142,22 @@ components { group: "org.example" name: "mylibrary" version: "1.0.0" + manufacturer { + name: "Example-2, Inc." + url: "https://example.org" + contact { + email: "support@example.org" + } + } + authors { + name: "Anthony Edward Stark" + email: "ironman@example.org" + phone: "555-212-970-4133" + } + authors { + name: "Peter Benjamin Parker" + email: "spiderman@example.org" + } } dependencies { ref: "pkg:npm/acme/component@1.0.0" From 23066d558956861b6cd79e7ff3f1cb3495be0d24 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 21 Feb 2024 17:26:33 -0600 Subject: [PATCH 101/217] Added missing titles Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f607294d..ad9b1169 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/bom-1.6.schema.json", "type": "object", - "title": "CycloneDX Software Bill of Materials Standard", + "title": "CycloneDX Bill of Materials Standard", "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", "required": [ "bomFormat", @@ -635,6 +635,8 @@ } }, "tools": { + "title": "Tools", + "description": "The tool(s) used in the creation of the BOM.", "oneOf": [ { "type": "object", From 0a983f3aa3d8c4f91a5de02d1e52b2c26b7c2937 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 21 Feb 2024 21:37:52 -0600 Subject: [PATCH 102/217] Added support for tags along with unit tests. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 6 +++- schema/bom-1.6.schema.json | 31 +++++++++++++++---- schema/bom-1.6.xsd | 30 +++++++++++------- .../test/resources/1.6/valid-tags-1.6.json | 21 +++++++++++++ .../resources/1.6/valid-tags-1.6.textproto | 14 +++++++++ .../src/test/resources/1.6/valid-tags-1.6.xml | 28 +++++++++++++++++ 6 files changed, 112 insertions(+), 18 deletions(-) create mode 100644 tools/src/test/resources/1.6/valid-tags-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-tags-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-tags-1.6.xml diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d1a02573..6509067d 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -141,6 +141,8 @@ message Component { optional ComponentData data = 26; // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. optional CryptoProperties cryptoProperties = 27; + // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 28; } // Specifies the data flow. @@ -583,6 +585,8 @@ message Service { optional ReleaseNotes releaseNotes = 15; // The name of the trust zone the service resides in. optional string trustZone = 16; + // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". + repeated string tags = 17; } message Swid { @@ -778,7 +782,7 @@ message ReleaseNotes { optional google.protobuf.Timestamp timestamp = 6; // Optional alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names). repeated string aliases = 7; - // Optional tags that may aid in search or retrieval of the release note. + // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". repeated string tags = 8; // A collection of issues that have been resolved. repeated Issue resolves = 9; diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index f570e4a3..4f0f9c04 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1041,6 +1041,10 @@ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", "items": {"$ref": "#/definitions/property"} }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, "signature": { "$ref": "#/definitions/signature", "title": "Signature", @@ -1879,6 +1883,10 @@ "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL.", "items": {"$ref": "#/definitions/property"} }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, "signature": { "$ref": "#/definitions/signature", "title": "Signature", @@ -2326,12 +2334,8 @@ "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." }, "tags": { - "type": "array", - "items": { - "type": "string" - }, - "title": "Tags", - "description": "One or more tags that may aid in search or retrieval of the release note." + "$ref": "#/definitions/tags", + "title": "Tags" }, "resolves": { "type": "array", @@ -5254,6 +5258,21 @@ "description": "The bom-ref to the algorithm." } } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] } } } diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 1df0505c..9a81e717 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -653,6 +653,7 @@ limitations under the License. + @@ -2103,6 +2104,7 @@ limitations under the License. Specifies optional release notes. + @@ -2722,17 +2724,7 @@ limitations under the License. - - - - - - One or more tags that may aid in search or retrieval of the release note. - - - - - + A collection of issues that have been resolved. @@ -7576,6 +7568,22 @@ limitations under the License. + + + + + Textual strings that aid in discovery, search, and retrieval of the associated + object. Tags often serve as a way to group or categorize similar or related objects by various + attributes. + + Examples include: + "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection" + + + + + + diff --git a/tools/src/test/resources/1.6/valid-tags-1.6.json b/tools/src/test/resources/1.6/valid-tags-1.6.json new file mode 100644 index 00000000..0a4b286c --- /dev/null +++ b/tools/src/test/resources/1.6/valid-tags-1.6.json @@ -0,0 +1,21 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "my-json-parser", + "version": "1.0", + "tags": [ "json-parser", "javascript", "node.js" ] + } + ], + "services": [ + { + "name": "my service", + "endpoints": [ "https://example.com/myservice" ], + "tags": [ "microservice", "golang", "aws", "us-east-1" ] + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-tags-1.6.textproto b/tools/src/test/resources/1.6/valid-tags-1.6.textproto new file mode 100644 index 00000000..0540a111 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-tags-1.6.textproto @@ -0,0 +1,14 @@ +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + name: "my-json-parser" + version: "1.0" + tags: [ "json-parser", "javascript", "node.js" ] +} +services { + name: "my service" + endpoints: [ "https://example.com/myservice" ] + tags: [ "microservice", "golang", "aws", "us-east-1" ] +} diff --git a/tools/src/test/resources/1.6/valid-tags-1.6.xml b/tools/src/test/resources/1.6/valid-tags-1.6.xml new file mode 100644 index 00000000..49497a1c --- /dev/null +++ b/tools/src/test/resources/1.6/valid-tags-1.6.xml @@ -0,0 +1,28 @@ + + + + + my-json-parser + 1.0 + + json-parser + javascript + node.js + + + + + + my service + + https://example.com/myservice + + + microservice + golang + aws + us-east-1 + + + + From 7122df4554930982216defc32b35f43cc8e66428 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 22 Feb 2024 15:47:07 -0600 Subject: [PATCH 103/217] Removed ecma doc generation. Signed-off-by: Steve Springett --- docgen/ecma/gen.sh | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100755 docgen/ecma/gen.sh diff --git a/docgen/ecma/gen.sh b/docgen/ecma/gen.sh deleted file mode 100755 index 534f3cab..00000000 --- a/docgen/ecma/gen.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -rm -f -R docs temp out -mkdir -p docs temp -cp ../../schema/bom-1.6.schema.json temp -cp ../../schema/jsf-0.82.schema.json temp -cp ../../schema/spdx.schema.json temp - -# Check to see if jsonschema2md is executable and is in the path. If not, install jsonschema2md. -if ! [ -x "$(command -v jsonschema2md)" ]; then - npm install -g @adobe/jsonschema2md -fi - -echo Generating Ecma Documentation -jsonschema2md -d temp -o docs -rm -f -R temp out From 751cc178e0f765ad343b037c984914576cd648a5 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 22 Feb 2024 15:50:56 -0600 Subject: [PATCH 104/217] Minor doc change Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0eee2c15..c182a815 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -71,7 +71,7 @@ enum Classification { CLASSIFICATION_MACHINE_LEARNING_MODEL = 11; // A collection of discrete values that convey information. CLASSIFICATION_DATA = 12; - // Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + // A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. CLASSIFICATION_CRYPTOGRAPHIC_ASSET = 13; } diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 1052b670..b0b5bede 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -851,7 +851,7 @@ "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", "data": "A collection of discrete values that convey information.", - "cryptographic-asset": "Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." }, "title": "Component Type", "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 28367171..84a942a5 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1056,7 +1056,7 @@ limitations under the License. - Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. From 2873c49989725d08faa6b2d14c332bc9da174348 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 22 Feb 2024 16:29:07 -0600 Subject: [PATCH 105/217] Alignment of spec name with JSON schema Signed-off-by: Steve Springett --- schema/bom-1.6.xsd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 84a942a5..6f727602 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -1,6 +1,6 @@ + + + + Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle. + + + + + + + Describes energy consumption information incurred for specified model lifecycle activities. + + + + + + + + + + + Describes energy consumption information incurred for the specified model lifecycle activity. + + + + + + + TBD + + + + + + + + + + A measure of energy. + + + + + + + Quantity of energy. + + + + + + + "Unit of energy. + + + + + + + + + + + + From 1d47a9b64e029bef5e06a0fddf49db464c0022de Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 Mar 2024 15:04:24 -0500 Subject: [PATCH 127/217] Add XML schema for co2MeasureType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.xsd | 45 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 7728044c..d429f2bc 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3297,12 +3297,53 @@ limitations under the License. - "Unit of energy. + Unit of energy. - + + + + kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). + + + + + + + + + + + + + A measure of carbon dioxide (CO2). + + + + + + + Quantity of carbon dioxide (CO2). + + + + + + + Unit of carbon dioxide (CO2). + + + + + + + + Tonnes (t) of carbon dioxide (CO2) equivalent (eq). + + + From ce19f62e2ec1050424eebd93fadb305dff73262c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 Mar 2024 15:34:00 -0500 Subject: [PATCH 128/217] Add energyProviderType and postalAddressType to XML schema Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 28 ++++++++-- schema/bom-1.6.xsd | 112 +++++++++++++++++++++++++++++++++++++ 2 files changed, 136 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 0d7dee86..b756ceb3 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3496,6 +3496,11 @@ "type": "array", "items": { "type": "object", + "required": [ + "activity", + "energySources" + ], + "additionalProperties": false, "properties": { "activity": { "type": "string", @@ -3512,7 +3517,6 @@ "deployment": "explicit model deployment to a target hosting infrastructure.", "inference": "generating an output response from a hosted model from a set of inputs." } - }, "energySources": { "title": "Energy Sources", @@ -3542,6 +3546,11 @@ "type": "object", "title": "Energy Measure", "description": "A measure of energy.", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, "properties": { "value": { "type": "string", @@ -3563,6 +3572,11 @@ "type": "object", "title": "CO2 Measure", "description": "A measure of carbon dioxide (CO2).", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, "properties": { "value": { "type": "number", @@ -3584,6 +3598,12 @@ "type": "object", "title": "Energy Provider", "description": "Describes the physical provider of energy used for model development or operations.", + "required": [ + "name", + "energySource", + "energyProvided" + ], + "additionalProperties": false, "properties": { "name": { "type": "string", @@ -3602,14 +3622,14 @@ }, "energySource": { "type": "string", - "enum": [ "coal", "oil", "natural-gas", "propane", "nuclear", "wind", "solar", "geothermal", "hydropower", "other" ], + "enum": [ "coal", "oil", "natural-gas", "propane", "nuclear", "wind", "solar", "geothermal", "hydropower", "unknown", "other" ], "title": "Energy Source", "description": "The energy source for the energy provider." }, "energyProvided": { "$ref": "#/definitions/energyMeasure", "title": "Energy Provided", - "description": "The energy provided by the energy source for the activity." + "description": "The energy provided by the energy source for an associated activity." } } }, @@ -3621,7 +3641,7 @@ "country": { "type": "string", "title": "Country", - "description": "The country name or the two-letter ISO 3166-1 alpha-2 country code." + "description": "The country name or the two-letter ISO 3166-1 country code." }, "region": { "type": "string", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index d429f2bc..98ba9c99 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3350,6 +3350,118 @@ limitations under the License. + + + + Describes the physical provider of energy used for model development or operations. + + + + + + + The name of the energy provider. + + + + + + + A description of the energy provider. + + + + + + + The physical address (location) of the energy provider. + + + + + + + The energy source for the energy provider. + + + + + + + + + + + + + + + + + + + + + + The energy provided by the energy source for an associated activity. + + + + + + + + + + An address used to identify a contactable location. + + + + + + + The country name or the two-letter ISO 3166-1 country code. + + + + + + + The region or state in the country. For example, Texas. + + + + + + + The locality or city within the country. For example, Austin. + + + + + + + The post office box number. For example, 901. + + + + + + + The postal code. For example, 78758. + + + + + + + The street address. For example, 100 Main Street. + + + + + + From 97500b30f4599c69f4f80c34503efe5483b8ccde Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 Mar 2024 21:47:44 -0500 Subject: [PATCH 129/217] Add energyConsumptionType to XML schema Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 7 +-- schema/bom-1.6.xsd | 95 ++++++++++++++++++++++++++++++++++++-- 2 files changed, 94 insertions(+), 8 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index b756ceb3..71988a9b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3498,7 +3498,8 @@ "type": "object", "required": [ "activity", - "energySources" + "energySources", + "energyCost" ], "additionalProperties": false, "properties": { @@ -3529,12 +3530,12 @@ "description": "The total energy cost associated with the model lifecycle activity.", "$ref": "#/definitions/energyMeasure" }, - "CO2CostEquivalent": { + "co2CostEquivalent": { "title": "CO2 Equivalent Cost", "description": "The CO2 cost (debit) equivalent to the total energy cost.", "$ref": "#/definitions/co2Measure" }, - "CO2CostOffset": { + "co2CostOffset": { "title": "CO2 Cost Offset", "description": "The CO2 offset (credit) for the CO2 equivalent cost.", "$ref": "#/definitions/co2Measure" diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 98ba9c99..b95776ef 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3244,7 +3244,6 @@ limitations under the License. - @@ -3259,7 +3258,6 @@ limitations under the License. - @@ -3270,10 +3268,98 @@ limitations under the License. - + + + + An activity that is part of a machine learning model development or operational lifecycle. + + + + + + + + model design including problem framing, goal definition and algorithm selection. + + + + + + + model data acquisition including search, selection and transfer. + + + + + + + model data preparation including data cleaning, labeling and conversion. + + + + + + + model building, training and generalized tuning. + + + + + + + refining a trained model to produce desired outputs for a given problem space. + + + + + + + model validation including model output evaluation and testing. + + + + + + + explicit model deployment to a target hosting infrastructure. + + + + + + + generating an output response from a hosted model from a set of inputs. + + + + + + + + + + The provider(s) of the energy consumed by the associated model development lifecycle activity. + + + + + + + Quantity of carbon dioxide (CO2). + + + + + + + The CO2 cost (debit) equivalent to the total energy cost. + + + + - TBD + The CO2 offset (credit) for the CO2 equivalent cost. @@ -3462,7 +3548,6 @@ limitations under the License. - From ac530ca196e92c2917804c880e37b689814c89b2 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Thu, 21 Mar 2024 22:03:31 -0500 Subject: [PATCH 130/217] Assure json schema types do not allow additional props. Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 34 ++++++++++++++++++---------------- schema/bom-1.6.xsd | 2 +- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 71988a9b..5dbdbd75 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3479,6 +3479,7 @@ "type": "object", "title": "Environmental Considerations", "description": "Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle.", + "additionalProperties": false, "properties": { "energyConsumptions": { "title": "Energy Consumptions", @@ -3524,22 +3525,22 @@ "description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.", "type": "array", "items": { "$ref": "#/definitions/energyProvider" } - }, - "energyCost": { - "title": "Energy Cost", - "description": "The total energy cost associated with the model lifecycle activity.", - "$ref": "#/definitions/energyMeasure" - }, - "co2CostEquivalent": { - "title": "CO2 Equivalent Cost", - "description": "The CO2 cost (debit) equivalent to the total energy cost.", - "$ref": "#/definitions/co2Measure" - }, - "co2CostOffset": { - "title": "CO2 Cost Offset", - "description": "The CO2 offset (credit) for the CO2 equivalent cost.", - "$ref": "#/definitions/co2Measure" - } + }, + "energyCost": { + "title": "Energy Cost", + "description": "The total energy cost associated with the model lifecycle activity.", + "$ref": "#/definitions/energyMeasure" + }, + "co2CostEquivalent": { + "title": "CO2 Equivalent Cost", + "description": "The CO2 cost (debit) equivalent to the total energy cost.", + "$ref": "#/definitions/co2Measure" + }, + "co2CostOffset": { + "title": "CO2 Cost Offset", + "description": "The CO2 offset (credit) for the CO2 equivalent cost.", + "$ref": "#/definitions/co2Measure" + } } } }, @@ -3638,6 +3639,7 @@ "type": "object", "title": "Postal address", "description": "An address used to identify a contactable location.", + "additionalProperties": false, "properties": { "country": { "type": "string", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b95776ef..fec5aac6 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3503,7 +3503,7 @@ limitations under the License. - + The country name or the two-letter ISO 3166-1 country code. From 248f4e06fa62a5c5a40201749008a08fbe572163 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 11:36:19 -0500 Subject: [PATCH 131/217] Correct data type for energyMeasureType's element named value Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 5dbdbd75..8a2c3ba8 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3205,7 +3205,7 @@ }, "environmentalConsiderations":{ "$ref": "#/definitions/environmentalConsiderations", - "title": "Environmental", + "title": "Environmental Considerations", "description": "Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle." }, "fairnessAssessments": { @@ -3555,7 +3555,7 @@ "additionalProperties": false, "properties": { "value": { - "type": "string", + "type": "number", "title": "Value", "description": "Quantity of energy." }, From 649367ae89ee64f8c57996d2087be3c720c8b33e Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 11:48:58 -0500 Subject: [PATCH 132/217] Correct data type within environmentalConsiderations to be an array of energyConsumptionType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 44 ++------------------------------------ 2 files changed, 3 insertions(+), 43 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 8a2c3ba8..35e48bee 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3483,7 +3483,7 @@ "properties": { "energyConsumptions": { "title": "Energy Consumptions", - "description": "Describes energy consumption information incurred for specified model lifecycle activities.", + "description": "Describes energy consumption information incurred for one or more specified model lifecycle activities.", "type": "array", "items": { "$ref": "#/definitions/energyConsumption" diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index fec5aac6..376e5cab 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3183,52 +3183,12 @@ limitations under the License. - + - How does the model affect groups at risk of being systematically disadvantaged? - What are the harms and benefits to the various affected groups? + Describes energy consumption information incurred for one or more specified model lifecycle activities. - - - - - - - - - The groups or individuals at risk of being systematically disadvantaged by the model. - - - - - - - Expected benefits to the identified groups. - - - - - - - Expected harms to the identified groups. - - - - - - - With respect to the benefits and harms outlined, please - describe any mitigation strategy implemented. - - - - - - - - From 48ea7f9a2374f98afbe4681eff873b4206c9993c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 11:50:51 -0500 Subject: [PATCH 133/217] Correct data type within environmentalConsiderations to be an array of energyConsumptionType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.xsd | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 376e5cab..fec5aac6 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3183,12 +3183,52 @@ limitations under the License. - + - Describes energy consumption information incurred for one or more specified model lifecycle activities. + How does the model affect groups at risk of being systematically disadvantaged? + What are the harms and benefits to the various affected groups? + + + + + + + + + The groups or individuals at risk of being systematically disadvantaged by the model. + + + + + + + Expected benefits to the identified groups. + + + + + + + Expected harms to the identified groups. + + + + + + + With respect to the benefits and harms outlined, please + describe any mitigation strategy implemented. + + + + + + + + From ed2304bd72550844b155f74be3351a05c25fabe7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 11:59:13 -0500 Subject: [PATCH 134/217] Correct data type within environmentalConsiderations to be an array of energyConsumptionType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.xsd | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index fec5aac6..4f8e4f18 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3176,12 +3176,23 @@ limitations under the License. - + Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle. + + + + + + Describes energy consumption information incurred for one or more specified model lifecycle activities. + + + + + @@ -3244,23 +3255,6 @@ limitations under the License. - - - - Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle. - - - - - - - Describes energy consumption information incurred for specified model lifecycle activities. - - - - - - From 915481bc9e8413bcbd67c3024fde060c4523a1f7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 12:09:33 -0500 Subject: [PATCH 135/217] Correct data type within environmentalConsiderations to be an array of energyConsumptionType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 6 +++--- schema/bom-1.6.xsd | 32 +++++++++++++++++++------------- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 35e48bee..527ff551 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3478,12 +3478,12 @@ "environmentalConsiderations": { "type": "object", "title": "Environmental Considerations", - "description": "Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle.", + "description": "Describes various environmental impact metrics.", "additionalProperties": false, "properties": { "energyConsumptions": { "title": "Energy Consumptions", - "description": "Describes energy consumption information incurred for one or more specified model lifecycle activities.", + "description": "Describes energy consumption information incurred for one or more component lifecycle activities.", "type": "array", "items": { "$ref": "#/definitions/energyConsumption" @@ -3493,7 +3493,7 @@ }, "energyConsumption": { "title": "Energy consumption", - "description": "Describes energy consumption information incurred for the specified model lifecycle activity.", + "description": "Describes energy consumption information incurred for the specified lifecycle activity.", "type": "array", "items": { "type": "object", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 4f8e4f18..5cc215f9 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3176,23 +3176,12 @@ limitations under the License. - + Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle. - - - - - - Describes energy consumption information incurred for one or more specified model lifecycle activities. - - - - - @@ -3255,10 +3244,27 @@ limitations under the License. + + + + Describes various environmental impact metrics. + + + + + + + Describes energy consumption information incurred for one or more component lifecycle activities. + + + + + + - Describes energy consumption information incurred for the specified model lifecycle activity. + Describes energy consumption information incurred for the specified lifecycle activity. From c04e4cad52dec3075611980f3e50723bdc8386b5 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 12:10:45 -0500 Subject: [PATCH 136/217] Correct data type within environmentalConsiderations to be an array of energyConsumptionType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 527ff551..add7edc5 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3206,7 +3206,7 @@ "environmentalConsiderations":{ "$ref": "#/definitions/environmentalConsiderations", "title": "Environmental Considerations", - "description": "Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle." + "description": "Describes various environmental impact metrics the corresponding machine learning model has exhibited across its lifecycle." }, "fairnessAssessments": { "type": "array", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5cc215f9..ac813d5b 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3179,7 +3179,7 @@ limitations under the License. - Describes various environmental impact metrics the corresponding model has exhibited across its lifecycle. + Describes various environmental impact metrics the corresponding machine learning model has exhibited across its lifecycle. From 535e72e563d9cad5d161b490fca18e0f175cb9c0 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 12:15:31 -0500 Subject: [PATCH 137/217] Fix description for energyCost element Signed-off-by: Matt Rutkowski --- schema/bom-1.6.xsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index ac813d5b..55e7e0ac 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3345,7 +3345,7 @@ limitations under the License. - Quantity of carbon dioxide (CO2). + The total energy cost associated with the model lifecycle activity. From 964173bf486d93029aa963d9cda7da15f9c3e8f8 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 12:28:49 -0500 Subject: [PATCH 138/217] add bom-ref to postal address type Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 5 +++++ schema/bom-1.6.xsd | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index add7edc5..2ac0518b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3641,6 +3641,11 @@ "description": "An address used to identify a contactable location.", "additionalProperties": false, "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, "country": { "type": "string", "title": "Country", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 55e7e0ac..b6949325 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3546,6 +3546,14 @@ limitations under the License. + + + + An optional identifier which can be used to reference the address elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + From a5867280da6f662e6245cff5784660f2776d0d8f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 13:19:40 -0500 Subject: [PATCH 139/217] Add missing descs. to formulation related types Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 2 ++ 1 file changed, 2 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 7312e33f..1dbcd51c 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1476,6 +1476,7 @@ message InputType { repeated Property properties = 7; } +// Type that represents various output data types and formats. message OutputType { // Describes the type of data output. optional OutputTypeType type = 1; @@ -1504,6 +1505,7 @@ message OutputType { } } +// Type that permits a choice to reference a resource using an iternal bom-ref identifier or an external reference. message ResourceReferenceChoice { oneof choice { string ref = 1; From 44034448a72a1aab1a2f01ef2559ace4a09b4d99 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 14:20:12 -0500 Subject: [PATCH 140/217] Add EnergyConsumptionType to protobuf sceham Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 32 +++++++++++++++++++++++++++++++- schema/bom-1.6.schema.json | 9 +++++++-- schema/bom-1.6.xsd | 12 ++++++++++-- 3 files changed, 48 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 1dbcd51c..8305ee63 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1129,10 +1129,12 @@ message ModelCard { repeated string technicalLimitations = 3; // What are the known tradeoffs in accuracy/performance of the model? repeated string performanceTradeoffs = 4; - // What are the ethical (or environmental) risks involved in the application of this model? + // What are the ethical risks involved in the application of this model? repeated EthicalConsiderations ethicalConsiderations = 5; // How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups? repeated FairnessAssessments fairnessAssessments = 6; + // What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? + optional EnvironmentalConsiderations environmentalConsiderations = 7; message EthicalConsiderations { // The name of the risk. @@ -1150,9 +1152,37 @@ message ModelCard { // With respect to the benefits and harms outlined, please describe any mitigation strategy implemented. optional string mitigationStrategy = 4; } + message EnvironmentalConsiderations { + // Describes energy consumption information incurred for one or more component lifecycle activities. + repeated EnergyConsumption energyConsumptions = 1; + } + message EnergyConsumption { + // Describes energy consumption information incurred for the specified lifecycle activity. + ActivityType activity = 1 + } } } +enum ActivityType { + // An activity that is part of a machine learning model development or operational lifecycle. + // model design including problem framing, goal definition and algorithm selection. + ACTIVITY_TYPE_DESIGN = 0; + // model data acquisition including search, selection and transfer. + ACTIVITY_TYPE_DATA_COLLECTION = 1; + // model data preparation including data cleaning, labeling and conversion. + ACTIVITY_TYPE_DATA_PREPARATION = 2; + // model building, training and generalized tuning. + ACTIVITY_TYPE_TRAINING = 3; + // refining a trained model to produce desired outputs for a given problem space. + ACTIVITY_TYPE_FINE_TUNING = 4; + // model validation including model output evaluation and testing. + ACTIVITY_TYPE_VALIDATION = 5; + // explicit model deployment to a target hosting infrastructure. + ACTIVITY_TYPE_DEPLOYMENT = 6; + // generating an output response from a hosted model from a set of inputs. + ACTIVITY_TYPE_INFERENCE = 7; +} + enum ModelParameterApproachType { // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 2ac0518b..8263d48b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3200,13 +3200,13 @@ "ethicalConsiderations": { "type": "array", "title": "Ethical Considerations", - "description": "What are the ethical (or environmental) risks involved in the application of this model?", + "description": "What are the ethical risks involved in the application of this model?", "items": { "$ref": "#/definitions/risk" } }, "environmentalConsiderations":{ "$ref": "#/definitions/environmentalConsiderations", "title": "Environmental Considerations", - "description": "Describes various environmental impact metrics the corresponding machine learning model has exhibited across its lifecycle." + "description": "What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?" }, "fairnessAssessments": { "type": "array", @@ -3607,6 +3607,11 @@ ], "additionalProperties": false, "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, "name": { "type": "string", "title": "Name", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b6949325..c60c309e 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3148,7 +3148,7 @@ limitations under the License. - What are the ethical (or environmental) risks involved in the application of this model? + What are the ethical risks involved in the application of this model? @@ -3179,7 +3179,7 @@ limitations under the License. - Describes various environmental impact metrics the corresponding machine learning model has exhibited across its lifecycle. + What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? @@ -3494,6 +3494,14 @@ limitations under the License. + + + + An optional identifier which can be used to reference the energy provider elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + From d10662eeb42691c479d8351ffa77800f08e21573 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:08:13 -0500 Subject: [PATCH 141/217] Add EnergyConsumption, EnergyProvider and their ref. subtypes Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 114 +++++++++++++++++++++++++++++++++---- schema/bom-1.6.schema.json | 3 +- schema/bom-1.6.xsd | 7 +++ 3 files changed, 113 insertions(+), 11 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 8305ee63..76b089a7 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1158,29 +1158,123 @@ message ModelCard { } message EnergyConsumption { // Describes energy consumption information incurred for the specified lifecycle activity. - ActivityType activity = 1 + ActivityType activity = 1; + // The providers of the energy consumed by the associated model development lifecycle activity. + repeated EnergyProviderType energySources = 2; + // The total energy cost associated with the model lifecycle activity. + EnergyMeasureType energyCost = 3; + // The CO2 cost or debit equivalent to the total energy cost. + optional CO2MeasureType co2CostEquivalent = 4; + // The CO2 offset or credit for the CO2 equivalent cost. + optional CO2MeasureType co2CostOffset = 5; } } } +// An activity that is part of a machine learning model development or operational lifecycle. enum ActivityType { - // An activity that is part of a machine learning model development or operational lifecycle. + // a lifecycle activity type whose description does not match currently defined values. + ACTIVITY_TYPE_OTHER = 0; // model design including problem framing, goal definition and algorithm selection. - ACTIVITY_TYPE_DESIGN = 0; + ACTIVITY_TYPE_DESIGN = 1; // model data acquisition including search, selection and transfer. - ACTIVITY_TYPE_DATA_COLLECTION = 1; + ACTIVITY_TYPE_DATA_COLLECTION = 2; // model data preparation including data cleaning, labeling and conversion. - ACTIVITY_TYPE_DATA_PREPARATION = 2; + ACTIVITY_TYPE_DATA_PREPARATION = 3; // model building, training and generalized tuning. - ACTIVITY_TYPE_TRAINING = 3; + ACTIVITY_TYPE_TRAINING = 4; // refining a trained model to produce desired outputs for a given problem space. - ACTIVITY_TYPE_FINE_TUNING = 4; + ACTIVITY_TYPE_FINE_TUNING = 5; // model validation including model output evaluation and testing. - ACTIVITY_TYPE_VALIDATION = 5; + ACTIVITY_TYPE_VALIDATION = 6; // explicit model deployment to a target hosting infrastructure. - ACTIVITY_TYPE_DEPLOYMENT = 6; + ACTIVITY_TYPE_DEPLOYMENT = 7; // generating an output response from a hosted model from a set of inputs. - ACTIVITY_TYPE_INFERENCE = 7; + ACTIVITY_TYPE_INFERENCE = 8; +} + +// Describes the physical provider of energy used for model development or operations. +message EnergyProviderType { + // BOM unique reference to the energy provider. + optional string bom_ref = 1; + // The name of the energy provider. + string name 1; + // A description of the energy provider. + optional string description = 2; + // TThe physical address (location) of the energy provider.BD + optional PostalAddressType address = 3; + // The energy source for the energy provider. + EnerySourceType energySource = 4; + // The energy provided by the energy source for an associated activity. + EnergyMeasureType energyProvided = 5; +} + +enum EnerySourceType { + // energy source: unknown + ENERGY_SOURCE_TYPE_UNKNOWN = 0; + // energy source: coal + ENERGY_SOURCE_TYPE_COAL = 1; + // energy source: oil + ENERGY_SOURCE_TYPE_OIL = 2; + // energy source: natural gas + ENERGY_SOURCE_TYPE_NATURAL_GAS = 3; + // energy source: propane + ENERGY_SOURCE_TYPE_PROPANE = 4; + // energy source: nuclear + ENERGY_SOURCE_TYPE_NUCLEAR = 5; + // energy source: wind + ENERGY_SOURCE_TYPE_WIND = 6; + // energy source: solar + ENERGY_SOURCE_TYPE_SOLAR = 7; + // energy source: geothermal + ENERGY_SOURCE_TYPE_GEOTHERMAL = 8; + // energy source: hydropower + ENERGY_SOURCE_TYPE_HYDROPOWER = 9; + // energy source: other; not yet defined + ENERGY_SOURCE_TYPE_OTHER = 10; +} + + +// A measure of energy. +message EnergyMeasureType { + // Quantity of energy. + float value = 1; + // Unit of energy. + EnergyMeasureUnitType unit = 2; +} + +enum EnergyMeasureUnitType { + // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). + ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 0; +} + +// A measure of carbon dioxide (CO2). +message CO2MeasureType { + // Quantity of carbon dioxide (CO2). + float value = 1; + // Unit of carbon dioxide (CO2). + CO2MeasureUnitType unit = 2; +} + +enum CO2MeasureUnitType { + // Tonnes (t) of carbon dioxide (CO2) equivalent (eq). + C02_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 0; +} + +// A measure of carbon dioxide (CO2). +message PostalAddressType { + // TBD. + optional string value = 1; + // TBD + optional string value = 2; + // TBD + optional string value = 3; + // TBD + optional string value = 4; + // TBD + optional string value = 5; + // TBD + optional string value = 6; } enum ModelParameterApproachType { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 8263d48b..538545ca 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3517,7 +3517,8 @@ "fine-tuning": "refining a trained model to produce desired outputs for a given problem space.", "validation": "model validation including model output evaluation and testing.", "deployment": "explicit model deployment to a target hosting infrastructure.", - "inference": "generating an output response from a hosted model from a set of inputs." + "inference": "generating an output response from a hosted model from a set of inputs.", + "other": "a lifecycle activity type whose description does not match currently defined values." } }, "energySources": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index c60c309e..bb82463c 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3332,6 +3332,13 @@ limitations under the License. + + + + a lifecycle activity type whose description does not match currently defined values. + + + From 8ced6e83bfa80c2da64c5ab2b33b296ef7566c33 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:22:00 -0500 Subject: [PATCH 142/217] Add PostalAddressType to protobuf Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 76b089a7..91d7cf54 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1234,7 +1234,6 @@ enum EnerySourceType { ENERGY_SOURCE_TYPE_OTHER = 10; } - // A measure of energy. message EnergyMeasureType { // Quantity of energy. @@ -1261,20 +1260,22 @@ enum CO2MeasureUnitType { C02_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 0; } -// A measure of carbon dioxide (CO2). +// An address used to identify a contactable location. message PostalAddressType { - // TBD. - optional string value = 1; - // TBD - optional string value = 2; - // TBD - optional string value = 3; - // TBD - optional string value = 4; - // TBD - optional string value = 5; - // TBD - optional string value = 6; + // An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + optional string bom_ref = 1; + // The country name or the two-letter ISO 3166-1 country code. + optional string country = 2; + // The region or state in the country. For example, Texas. + optional string region = 3; + // The locality or city within the country. For example, Austin. + optional string locality = 4; + // The post office box number. For example, 901. + optional string postOfficeBoxNumber = 5; + // The postal code. For example, 78758. + optional string postalCodeue = 6; + // The street address. For example, 100 Main Street. + optional string streetAddress = 7; } enum ModelParameterApproachType { From 6ea561d142e08c3b146af877c9ddbbae5e4f4b6a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:27:07 -0500 Subject: [PATCH 143/217] Fix syntaax error in EnergyProviderType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 91d7cf54..87c1289c 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1198,15 +1198,15 @@ message EnergyProviderType { // BOM unique reference to the energy provider. optional string bom_ref = 1; // The name of the energy provider. - string name 1; + string name = 2; // A description of the energy provider. - optional string description = 2; + optional string description = 3; // TThe physical address (location) of the energy provider.BD - optional PostalAddressType address = 3; + optional PostalAddressType address = 4; // The energy source for the energy provider. - EnerySourceType energySource = 4; + EnerySourceType energySource = 5; // The energy provided by the energy source for an associated activity. - EnergyMeasureType energyProvided = 5; + EnergyMeasureType energyProvided = 6; } enum EnerySourceType { From 72f36e0093d89c7ecfce612a63a5e516291fdecc Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:43:50 -0500 Subject: [PATCH 144/217] Fix zero value enums errors (i.e., should be suffixed with _UNSPECIFIED) Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 3 +++ 1 file changed, 3 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 87c1289c..8484fe09 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1174,6 +1174,7 @@ message ModelCard { // An activity that is part of a machine learning model development or operational lifecycle. enum ActivityType { // a lifecycle activity type whose description does not match currently defined values. + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `other` is our fallback ACTIVITY_TYPE_OTHER = 0; // model design including problem framing, goal definition and algorithm selection. ACTIVITY_TYPE_DESIGN = 1; @@ -1244,6 +1245,7 @@ message EnergyMeasureType { enum EnergyMeasureUnitType { // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `kWh` is our fallback ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 0; } @@ -1257,6 +1259,7 @@ message CO2MeasureType { enum CO2MeasureUnitType { // Tonnes (t) of carbon dioxide (CO2) equivalent (eq). + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `tCO2eq` is our fallback C02_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 0; } From 7c701a2b7838081c56bd847e46638d31b1d03d79 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:44:24 -0500 Subject: [PATCH 145/217] Fix zero value enums errors (i.e., should be suffixed with _UNSPECIFIED) Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 8484fe09..540acde1 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1212,6 +1212,7 @@ message EnergyProviderType { enum EnerySourceType { // energy source: unknown + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback ENERGY_SOURCE_TYPE_UNKNOWN = 0; // energy source: coal ENERGY_SOURCE_TYPE_COAL = 1; From 7237bc3229b50ede4fe2d947d9b111d7a89370cc Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:52:09 -0500 Subject: [PATCH 146/217] Fix zero value enums errors (i.e., should be suffixed with _UNSPECIFIED) Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 540acde1..72635b85 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1210,7 +1210,7 @@ message EnergyProviderType { EnergyMeasureType energyProvided = 6; } -enum EnerySourceType { +enum EnergySourceType { // energy source: unknown // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback ENERGY_SOURCE_TYPE_UNKNOWN = 0; From 1b8b8862e2afdef590591be214500ee9c98d3552 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:55:03 -0500 Subject: [PATCH 147/217] Fix typo in EnergySourceType Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 72635b85..fa8b77d5 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1205,7 +1205,7 @@ message EnergyProviderType { // TThe physical address (location) of the energy provider.BD optional PostalAddressType address = 4; // The energy source for the energy provider. - EnerySourceType energySource = 5; + EnergySourceType energySource = 5; // The energy provided by the energy source for an associated activity. EnergyMeasureType energyProvided = 6; } From 488489da0580e4d3300227f32e7b390e6adf21bb Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Fri, 22 Mar 2024 16:59:31 -0500 Subject: [PATCH 148/217] Fix typo in CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT enum defn. Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index fa8b77d5..c3680a06 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1261,7 +1261,7 @@ message CO2MeasureType { enum CO2MeasureUnitType { // Tonnes (t) of carbon dioxide (CO2) equivalent (eq). // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `tCO2eq` is our fallback - C02_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 0; + CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 0; } // An address used to identify a contactable location. From b870a937d68a8ca3231bacb153e88c8cf01302af Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 22 Mar 2024 17:54:32 -0500 Subject: [PATCH 149/217] Added support for license acknowledgements Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 14 +++++ schema/bom-1.6.schema.json | 19 +++++++ schema/bom-1.6.xsd | 54 +++++++++++++++++++ .../1.6/valid-license-expression-1.6.json | 1 + .../valid-license-expression-1.6.textproto | 1 + .../1.6/valid-license-expression-1.6.xml | 2 +- .../resources/1.6/valid-license-id-1.6.json | 1 + .../1.6/valid-license-id-1.6.textproto | 3 +- .../resources/1.6/valid-license-id-1.6.xml | 2 +- 9 files changed, 94 insertions(+), 3 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 7312e33f..0cdae20c 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -366,6 +366,8 @@ message LicenseChoice { // A valid SPDX license expression. Refer to https://spdx.org/specifications for syntax requirements string expression = 2; } + // This field must only be used when "expression" is chosen as the License object has its own acknowledgement. + optional LicenseAcknowledgementEnumeration acknowledgement = 3; } message License { @@ -385,6 +387,18 @@ message License { optional Licensing licensing = 6; // Specifies optional, custom, properties repeated Property properties = 7; + // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. + optional LicenseAcknowledgementEnumeration acknowledgement = 8; +} + +// Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. +enum LicenseAcknowledgementEnumeration { + // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + LICENSING_ACK_UNSPECIFIED = 0; + // Declared licenses represent the initial intentions of authors regarding the licensing terms of their code. + LICENSING_ACK_DECLARED = 1; + // Concluded licenses are verified and confirmed. + LICENSING_ACK_CONCLUDED = 2; } message Licensing { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 8e96ebda..d1aa8938 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1234,6 +1234,9 @@ "description": "If SPDX does not define the license used, this field may be used to provide the license name", "examples": ["Acme Software License"] }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, "text": { "title": "License text", "description": "An optional way to include the textual content of a license.", @@ -1409,6 +1412,19 @@ } } }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." + } + }, "licenseChoice": { "title": "License Choice", "description": "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)", @@ -1449,6 +1465,9 @@ "GPL-3.0-only WITH Classpath-exception-2.0" ] }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, "bom-ref": { "$ref": "#/definitions/refType", "title": "BOM Reference", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b904975e..d27cdb8c 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -908,6 +908,23 @@ limitations under the License. + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. + + + @@ -2226,6 +2243,23 @@ limitations under the License. + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. + + + @@ -2233,6 +2267,26 @@ limitations under the License. + + + + + + Declared licenses represent the initial intentions of authors regarding + the licensing terms of their code. + + + + + + + Concluded licenses are verified and confirmed. + + + + + + diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.json b/tools/src/test/resources/1.6/valid-license-expression-1.6.json index 140b5a78..057ad915 100644 --- a/tools/src/test/resources/1.6/valid-license-expression-1.6.json +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.json @@ -13,6 +13,7 @@ "licenses": [ { "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", + "acknowledgement": "declared", "bom-ref": "my-license" } ] diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto index 20c77469..87644d22 100644 --- a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto @@ -12,5 +12,6 @@ components { version: "9.0.14" licenses { expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" + acknowledgement: LICENSING_ACK_DECLARED } } diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.xml b/tools/src/test/resources/1.6/valid-license-expression-1.6.xml index 23b3ac3b..4eb0a6f7 100644 --- a/tools/src/test/resources/1.6/valid-license-expression-1.6.xml +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.xml @@ -15,7 +15,7 @@ e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 - + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.json b/tools/src/test/resources/1.6/valid-license-id-1.6.json index 1b80e90e..07ec492d 100644 --- a/tools/src/test/resources/1.6/valid-license-id-1.6.json +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.json @@ -14,6 +14,7 @@ { "license": { "id": "Apache-2.0", + "acknowledgement": "declared", "bom-ref": "my-license" } } diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.textproto b/tools/src/test/resources/1.6/valid-license-id-1.6.textproto index e6b9a084..3c051d63 100644 --- a/tools/src/test/resources/1.6/valid-license-id-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.textproto @@ -12,7 +12,8 @@ components { version: "9.0.14" licenses { license { - id: "Apache-2.0" + id: "Apache-2.0", + acknowledgement: LICENSING_ACK_DECLARED } } } diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.xml b/tools/src/test/resources/1.6/valid-license-id-1.6.xml index 09da31cd..1ab6b94f 100644 --- a/tools/src/test/resources/1.6/valid-license-id-1.6.xml +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.xml @@ -15,7 +15,7 @@ e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 - + Apache-2.0 From 74803ecf358978dfd47c928dc9626de7497d6374 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 22 Mar 2024 18:02:35 -0500 Subject: [PATCH 150/217] Fixed unit tests Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 6 +++--- .../resources/1.6/valid-license-expression-1.6.textproto | 2 +- tools/src/test/resources/1.6/valid-license-id-1.6.textproto | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0cdae20c..7e592a1d 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -394,11 +394,11 @@ message License { // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. enum LicenseAcknowledgementEnumeration { // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` - LICENSING_ACK_UNSPECIFIED = 0; + LICENSE_ACKNOWLEDGEMENT_ENUMERATION_UNSPECIFIED = 0; // Declared licenses represent the initial intentions of authors regarding the licensing terms of their code. - LICENSING_ACK_DECLARED = 1; + LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED = 1; // Concluded licenses are verified and confirmed. - LICENSING_ACK_CONCLUDED = 2; + LICENSE_ACKNOWLEDGEMENT_ENUMERATION_CONCLUDED = 2; } message Licensing { diff --git a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto index 87644d22..8ecb3253 100644 --- a/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-license-expression-1.6.textproto @@ -12,6 +12,6 @@ components { version: "9.0.14" licenses { expression: "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" - acknowledgement: LICENSING_ACK_DECLARED + acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED } } diff --git a/tools/src/test/resources/1.6/valid-license-id-1.6.textproto b/tools/src/test/resources/1.6/valid-license-id-1.6.textproto index 3c051d63..228ff80b 100644 --- a/tools/src/test/resources/1.6/valid-license-id-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-license-id-1.6.textproto @@ -12,8 +12,8 @@ components { version: "9.0.14" licenses { license { - id: "Apache-2.0", - acknowledgement: LICENSING_ACK_DECLARED + id: "Apache-2.0" + acknowledgement: LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED } } } From 83691a6669753385b5186c98aa6e2ddaff65cb79 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 23 Mar 2024 14:42:23 -0500 Subject: [PATCH 151/217] Updated comment Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 7e592a1d..760d078d 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -393,7 +393,7 @@ message License { // Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license. enum LicenseAcknowledgementEnumeration { - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `null` is our fallback, doubling `unspecified` + // The license acknowledgement is not specified. LICENSE_ACKNOWLEDGEMENT_ENUMERATION_UNSPECIFIED = 0; // Declared licenses represent the initial intentions of authors regarding the licensing terms of their code. LICENSE_ACKNOWLEDGEMENT_ENUMERATION_DECLARED = 1; From 45db721ae0b2f730d33f35b7429e342a1d77edc0 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 23 Mar 2024 20:36:09 -0500 Subject: [PATCH 152/217] Added support for concluded value. Updated test cases. Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 ++ schema/bom-1.6.schema.json | 5 +++++ schema/bom-1.6.xsd | 5 +++++ tools/src/test/resources/1.6/valid-evidence-1.6.json | 3 +++ tools/src/test/resources/1.6/valid-evidence-1.6.textproto | 3 +++ tools/src/test/resources/1.6/valid-evidence-1.6.xml | 3 +++ 6 files changed, 21 insertions(+) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 3e6ee48c..d469b069 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -729,6 +729,8 @@ message EvidenceIdentity { repeated EvidenceMethods methods = 3; // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation. repeated string tools = 4; + // The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + optional string concludedValue = 5; } message EvidenceMethods { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 6e959ac9..6c97e88e 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -4441,6 +4441,11 @@ "title": "Confidence", "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." + }, "methods": { "type": "array", "title": "Methods", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b904975e..6b4212ab 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2354,6 +2354,11 @@ limitations under the License. The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + + The methods used to extract and/or analyze the evidence. diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json index b4e0e71f..b80656bb 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.json +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.json @@ -117,6 +117,7 @@ { "field": "group", "confidence": 0.1, + "concludedValue": "com.example", "methods": [ { "technique": "filename", @@ -128,6 +129,7 @@ { "field": "name", "confidence": 0.1, + "concludedValue": "example-project", "methods": [ { "technique": "filename", @@ -139,6 +141,7 @@ { "field": "version", "confidence": 0.1, + "concludedValue": "1.0.0", "methods": [ { "technique": "filename", diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto index ca1a4289..216e9bb5 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto @@ -122,6 +122,7 @@ components [ value: "example-project-1.0.0.jar" } ] + concludedValue: "com.example" }, { field: EVIDENCE_FIELD_NAME @@ -133,6 +134,7 @@ components [ value: "example-project-1.0.0.jar" } ] + concludedValue: "example-project" }, { field: EVIDENCE_FIELD_VERSION @@ -144,6 +146,7 @@ components [ value: "example-project-1.0.0.jar" } ] + concludedValue: "1.0.0" } ] } diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml index 336d96c3..32d96983 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.xml +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.xml @@ -97,6 +97,7 @@ group 0.1 + com.example filename @@ -108,6 +109,7 @@ name 0.1 + example-project filename @@ -119,6 +121,7 @@ version 0.1 + 1.0.0 filename From c71f22b19e2d8f8f26c10096572c17f57747a097 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 24 Mar 2024 16:04:53 -0500 Subject: [PATCH 153/217] Add support for OmniBOR and Software Heritage persistent IDs Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 6 ++++++ schema/bom-1.6.schema.json | 14 +++++++++++++- schema/bom-1.6.xsd | 19 +++++++++++++++++++ .../1.6/valid-component-identifiers-1.6.json | 18 ++++++++++++++++++ .../valid-component-identifiers-1.6.textproto | 16 ++++++++++++++++ .../1.6/valid-component-identifiers-1.6.xml | 14 ++++++++++++++ 6 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 tools/src/test/resources/1.6/valid-component-identifiers-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto create mode 100644 tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 3e6ee48c..5f71962d 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -148,6 +148,10 @@ message Component { repeated OrganizationalContact authors = 29; // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". repeated string tags = 30; + // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid + optional string omnibor = 31; + // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + optional string swhid = 32; } // Specifies the data flow. @@ -766,6 +770,8 @@ enum EvidenceFieldType { EVIDENCE_FIELD_CPE = 5; EVIDENCE_FIELD_SWID = 6; EVIDENCE_FIELD_HASH = 7; + EVIDENCE_FIELD_OMNIBOR = 8; + EVIDENCE_FIELD_SWHID = 9; } enum EvidenceTechnique { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 6e959ac9..7a4c8b4b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -969,6 +969,18 @@ "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)", "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] }, + "omnibor": { + "type": "string", + "title": "OmniBOR Artifact Identifier (gitoid)", + "description": "Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid)", + "examples": ["gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64"] + }, + "swhid": { + "type": "string", + "title": "SoftWare Heritage Identifier", + "description": "Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)", + "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"] + }, "swid": { "$ref": "#/definitions/swid", "title": "SWID Tag", @@ -4429,7 +4441,7 @@ "field": { "type": "string", "enum": [ - "group", "name", "version", "purl", "cpe", "swid", "hash" + "group", "name", "version", "purl", "cpe", "omnibor", "swhid", "swid", "hash" ], "title": "Field", "description": "The identity field of the component which the evidence describes." diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b904975e..b5b4fa1f 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -590,6 +590,23 @@ limitations under the License. + + + + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform + to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid + + + + + + + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST + be valid and conform to the specification defined at: + https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + + + @@ -2246,6 +2263,8 @@ limitations under the License. + + diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json new file mode 100644 index 00000000..c084ba08 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json @@ -0,0 +1,18 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.example", + "name": "acme-library", + "version": "1.0.0", + "cpe": "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*", + "purl": "pkg:maven/com.example/acme-library@1.0.0", + "omnibor": "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", + "swhid": "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" + } + ] +} diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto new file mode 100644 index 00000000..33499ddf --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto @@ -0,0 +1,16 @@ +# proto-file: schema/bom-1.6.proto +# proto-message: Bom + +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" +components { + type: CLASSIFICATION_LIBRARY + group: "com.example" + name: "acme-example" + version: "1.0.0" + cpe: "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*" + purl: "pkg:maven/com.example/acme-library@1.0.0" + omnibor: "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64" + swhid: "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" +} diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml new file mode 100644 index 00000000..c3e99b7d --- /dev/null +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml @@ -0,0 +1,14 @@ + + + + + com.example + acme-library + 1.0.0 + cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:* + pkg:maven/com.example/acme-library@1.0.0 + gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 + + + From 7325eb17d0305912350f86b7baf14912b6e3c3c0 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 25 Mar 2024 13:03:42 +0100 Subject: [PATCH 154/217] docs: fix examples for `versionRange` according to VERS spec Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 10 +++++----- schema/bom-1.6.xsd | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 6e959ac9..28c9899b 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2929,11 +2929,11 @@ "minLength": 1, "maxLength": 1024, "examples": [ - "9.0.14", - "1.2.3|>=2.0.0|<5.0.0", - "0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", - ">=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", - ">=2.2.0|!= 2.2.1|<2.3.0" + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" ] }, "range": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b904975e..276d8af9 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -77,11 +77,11 @@ limitations under the License. A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst Example values: - - "9.0.14" - - "1.2.3|>=2.0.0|<5.0.0" - - "0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" - - ">=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1" - - ">=2.2.0|!= 2.2.1|<2.3.0" + - "vers:cargo/9.0.14" + - "vers:npm/1.2.3|>=2.0.0|<5.0.0" + - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1" + - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" ]]> From 628ed726087dbb4cdebd54fc2b2569a000cc51c3 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 10:21:03 -0500 Subject: [PATCH 155/217] Use the best practice of using an unspecified value of 0 for enums Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 60 ++++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index c3680a06..e9499643 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1173,25 +1173,25 @@ message ModelCard { // An activity that is part of a machine learning model development or operational lifecycle. enum ActivityType { - // a lifecycle activity type whose description does not match currently defined values. - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `other` is our fallback - ACTIVITY_TYPE_OTHER = 0; + ACTIVITY_TYPE_UNSPECIFIED = 0; + // a lifecycle activity type whose description does not match currently defined values (the default type). + ACTIVITY_TYPE_OTHER = 1; // model design including problem framing, goal definition and algorithm selection. - ACTIVITY_TYPE_DESIGN = 1; + ACTIVITY_TYPE_DESIGN = 2; // model data acquisition including search, selection and transfer. - ACTIVITY_TYPE_DATA_COLLECTION = 2; + ACTIVITY_TYPE_DATA_COLLECTION = 3; // model data preparation including data cleaning, labeling and conversion. - ACTIVITY_TYPE_DATA_PREPARATION = 3; + ACTIVITY_TYPE_DATA_PREPARATION = 4; // model building, training and generalized tuning. - ACTIVITY_TYPE_TRAINING = 4; + ACTIVITY_TYPE_TRAINING = 5; // refining a trained model to produce desired outputs for a given problem space. - ACTIVITY_TYPE_FINE_TUNING = 5; + ACTIVITY_TYPE_FINE_TUNING = 6; // model validation including model output evaluation and testing. - ACTIVITY_TYPE_VALIDATION = 6; + ACTIVITY_TYPE_VALIDATION = 7; // explicit model deployment to a target hosting infrastructure. - ACTIVITY_TYPE_DEPLOYMENT = 7; + ACTIVITY_TYPE_DEPLOYMENT = 8; // generating an output response from a hosted model from a set of inputs. - ACTIVITY_TYPE_INFERENCE = 8; + ACTIVITY_TYPE_INFERENCE = 9; } // Describes the physical provider of energy used for model development or operations. @@ -1211,29 +1211,29 @@ message EnergyProviderType { } enum EnergySourceType { - // energy source: unknown - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `unknown` is our fallback + ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; + // energy source: unknown (default) ENERGY_SOURCE_TYPE_UNKNOWN = 0; + // energy source: other (not yet defined) + ENERGY_SOURCE_TYPE_OTHER = 1; // energy source: coal - ENERGY_SOURCE_TYPE_COAL = 1; + ENERGY_SOURCE_TYPE_COAL = 2; // energy source: oil - ENERGY_SOURCE_TYPE_OIL = 2; + ENERGY_SOURCE_TYPE_OIL = 3; // energy source: natural gas - ENERGY_SOURCE_TYPE_NATURAL_GAS = 3; + ENERGY_SOURCE_TYPE_NATURAL_GAS = 4; // energy source: propane - ENERGY_SOURCE_TYPE_PROPANE = 4; + ENERGY_SOURCE_TYPE_PROPANE = 5; // energy source: nuclear - ENERGY_SOURCE_TYPE_NUCLEAR = 5; + ENERGY_SOURCE_TYPE_NUCLEAR = 6; // energy source: wind - ENERGY_SOURCE_TYPE_WIND = 6; + ENERGY_SOURCE_TYPE_WIND = 7; // energy source: solar - ENERGY_SOURCE_TYPE_SOLAR = 7; + ENERGY_SOURCE_TYPE_SOLAR = 8; // energy source: geothermal - ENERGY_SOURCE_TYPE_GEOTHERMAL = 8; + ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; // energy source: hydropower - ENERGY_SOURCE_TYPE_HYDROPOWER = 9; - // energy source: other; not yet defined - ENERGY_SOURCE_TYPE_OTHER = 10; + ENERGY_SOURCE_TYPE_HYDROPOWER = 10; } // A measure of energy. @@ -1245,9 +1245,9 @@ message EnergyMeasureType { } enum EnergyMeasureUnitType { - // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `kWh` is our fallback - ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 0; + ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit). + ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1; } // A measure of carbon dioxide (CO2). @@ -1259,9 +1259,9 @@ message CO2MeasureType { } enum CO2MeasureUnitType { - // Tonnes (t) of carbon dioxide (CO2) equivalent (eq). - // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `tCO2eq` is our fallback - CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 0; + CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit). + CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1; } // An address used to identify a contactable location. From 3e545a3d1dae5ebffc3c4d8acb5a9936708c6fa1 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 10:23:45 -0500 Subject: [PATCH 156/217] Use the best practice of using an unspecified value of 0 for enums Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index e9499643..959f18b0 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1213,27 +1213,27 @@ message EnergyProviderType { enum EnergySourceType { ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; // energy source: unknown (default) - ENERGY_SOURCE_TYPE_UNKNOWN = 0; + ENERGY_SOURCE_TYPE_UNKNOWN = 1; // energy source: other (not yet defined) - ENERGY_SOURCE_TYPE_OTHER = 1; + ENERGY_SOURCE_TYPE_OTHER = 2; // energy source: coal - ENERGY_SOURCE_TYPE_COAL = 2; + ENERGY_SOURCE_TYPE_COAL = 3; // energy source: oil - ENERGY_SOURCE_TYPE_OIL = 3; + ENERGY_SOURCE_TYPE_OIL = 4; // energy source: natural gas - ENERGY_SOURCE_TYPE_NATURAL_GAS = 4; + ENERGY_SOURCE_TYPE_NATURAL_GAS = 5; // energy source: propane - ENERGY_SOURCE_TYPE_PROPANE = 5; + ENERGY_SOURCE_TYPE_PROPANE = 6; // energy source: nuclear - ENERGY_SOURCE_TYPE_NUCLEAR = 6; + ENERGY_SOURCE_TYPE_NUCLEAR = 7; // energy source: wind - ENERGY_SOURCE_TYPE_WIND = 7; + ENERGY_SOURCE_TYPE_WIND = 8; // energy source: solar - ENERGY_SOURCE_TYPE_SOLAR = 8; + ENERGY_SOURCE_TYPE_SOLAR = 9; // energy source: geothermal - ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; + ENERGY_SOURCE_TYPE_GEOTHERMAL = 10; // energy source: hydropower - ENERGY_SOURCE_TYPE_HYDROPOWER = 10; + ENERGY_SOURCE_TYPE_HYDROPOWER = 11; } // A measure of energy. From a3db74a72c4d0d82483f5d8d5cf4581e46455c7a Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 12:08:53 -0500 Subject: [PATCH 157/217] Adjust energy source types and add enum. definitions for values Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 32 +++++++------- schema/bom-1.6.schema.json | 15 ++++++- schema/bom-1.6.xsd | 88 +++++++++++++++++++++++++++++++++----- 3 files changed, 107 insertions(+), 28 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 959f18b0..567f09b2 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1212,27 +1212,27 @@ message EnergyProviderType { enum EnergySourceType { ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; - // energy source: unknown (default) + // energy source: unknown. The energy source is unknown. ENERGY_SOURCE_TYPE_UNKNOWN = 1; - // energy source: other (not yet defined) + // energy source: other (default). An energy source that is not listed. ENERGY_SOURCE_TYPE_OTHER = 2; - // energy source: coal + // energy source: coal. Energy produced by types of coal. ENERGY_SOURCE_TYPE_COAL = 3; - // energy source: oil + // energy source: oil. Petroleum products (primarily crude oil and its derivative fuel oils). ENERGY_SOURCE_TYPE_OIL = 4; - // energy source: natural gas + // energy source: natural-gas. Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. ENERGY_SOURCE_TYPE_NATURAL_GAS = 5; - // energy source: propane - ENERGY_SOURCE_TYPE_PROPANE = 6; - // energy source: nuclear - ENERGY_SOURCE_TYPE_NUCLEAR = 7; - // energy source: wind - ENERGY_SOURCE_TYPE_WIND = 8; - // energy source: solar - ENERGY_SOURCE_TYPE_SOLAR = 9; - // energy source: geothermal - ENERGY_SOURCE_TYPE_GEOTHERMAL = 10; - // energy source: hydropower + // energy source: nuclear. Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + ENERGY_SOURCE_TYPE_NUCLEAR = 6; + // energy source: wind. Energy produced from moving air. + ENERGY_SOURCE_TYPE_WIND = 7; + // energy source: solar. Energy produced from the sun (i.e., solar radiation). + ENERGY_SOURCE_TYPE_SOLAR = 8; + // energy source: geothermal. Energy produced from heat within the earth. + ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; + // energy source: hydropower. Energy produced from flowing water. + ENERGY_SOURCE_TYPE_HYDROPOWER = 10; + // energy source: biofuel. Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). ENERGY_SOURCE_TYPE_HYDROPOWER = 11; } diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 538545ca..7a5c8f60 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3630,7 +3630,20 @@ }, "energySource": { "type": "string", - "enum": [ "coal", "oil", "natural-gas", "propane", "nuclear", "wind", "solar", "geothermal", "hydropower", "unknown", "other" ], + "enum": [ "coal", "oil", "hydrocarbon", "nuclear", "wind", "solar", "geothermal", "hydropower", "biofuel", "unknown", "other" ], + "meta:enum": { + "coal": "Energy produced by types of coal.", + "oil": "Petroleum products (primarily crude oil and its derivative fuel oils).", + "natural-gas": "Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.", + "nuclear": "Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).", + "wind": "Energy produced from moving air.", + "solar": "Energy produced from the sun (i.e., solar radiation).", + "geothermal": "Energy produced from heat within the earth.", + "hydropower": "Energy produced from flowing water.", + "biofuel": "Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).", + "unknown": "The energy source is unknown.", + "other": "An energy source that is not listed." + }, "title": "Energy Source", "description": "The energy source for the energy provider." }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index bb82463c..33a6baaa 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3479,17 +3479,83 @@ limitations under the License. - - - - - - - - - - - + + + + Energy produced by types of coal. + + + + + + + Petroleum products (primarily crude oil and its derivative fuel oils). + + + + + + + Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + + + + + + + Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + + + + + + + Energy produced from moving air. + + + + + + + Energy produced from the sun (i.e., solar radiation). + + + + + + + Energy produced from heat within the earth. + + + + + + + Energy produced from flowing water. + + + + + + + Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). + + + + + + + The energy source is unknown. + + + + + + + An energy source that is not listed. + + + From 2c3e1c80a68e99e54c1e06d359d5c6717f548016 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 12:25:14 -0500 Subject: [PATCH 158/217] Adjust energy source types and add enum. definitions for values Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 567f09b2..d2295bb6 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1233,7 +1233,7 @@ enum EnergySourceType { // energy source: hydropower. Energy produced from flowing water. ENERGY_SOURCE_TYPE_HYDROPOWER = 10; // energy source: biofuel. Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). - ENERGY_SOURCE_TYPE_HYDROPOWER = 11; + ENERGY_SOURCE_TYPE_BIOFUEL = 11; } // A measure of energy. From 076ba714abf6ea81dae10ac5ceb6b69c4442b339 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 14:11:49 -0500 Subject: [PATCH 159/217] Adjust energy source types and add enum. definitions for values Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index d2295bb6..52ef3074 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1214,7 +1214,7 @@ enum EnergySourceType { ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; // energy source: unknown. The energy source is unknown. ENERGY_SOURCE_TYPE_UNKNOWN = 1; - // energy source: other (default). An energy source that is not listed. + // energy source: other. An energy source that is not listed. ENERGY_SOURCE_TYPE_OTHER = 2; // energy source: coal. Energy produced by types of coal. ENERGY_SOURCE_TYPE_COAL = 3; From 3e01ce62a1c75e732538fe7e591dabb57a601983 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 25 Mar 2024 16:30:23 -0500 Subject: [PATCH 160/217] Increasing version range character limit per @prabhu request Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 6e959ac9..ee61af71 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2927,7 +2927,7 @@ "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", "type": "string", "minLength": 1, - "maxLength": 1024, + "maxLength": 4096, "examples": [ "9.0.14", "1.2.3|>=2.0.0|<5.0.0", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b904975e..57f0b839 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -87,7 +87,7 @@ limitations under the License. - + From f3815581494af0eaac392d2c77c8bc1052bfdc8c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 18:31:02 -0500 Subject: [PATCH 161/217] Correct double type defn. for energyConsumption Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 7 +-- schema/bom-1.6.schema.json | 91 ++++++++++++++++++-------------------- schema/bom-1.6.xsd | 6 +-- 3 files changed, 51 insertions(+), 53 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 52ef3074..f041b187 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1156,13 +1156,14 @@ message ModelCard { // Describes energy consumption information incurred for one or more component lifecycle activities. repeated EnergyConsumption energyConsumptions = 1; } + // Describes energy consumption information incurred for the specified lifecycle activity. message EnergyConsumption { - // Describes energy consumption information incurred for the specified lifecycle activity. + // An activity that is part of a machine learning model development or operational lifecycle. ActivityType activity = 1; // The providers of the energy consumed by the associated model development lifecycle activity. - repeated EnergyProviderType energySources = 2; + repeated EnergyProviderType energyProviders = 2; // The total energy cost associated with the model lifecycle activity. - EnergyMeasureType energyCost = 3; + EnergyMeasureType activityEnergyCost = 3; // The CO2 cost or debit equivalent to the total energy cost. optional CO2MeasureType co2CostEquivalent = 4; // The CO2 offset or credit for the CO2 equivalent cost. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 7a5c8f60..3ec706cb 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3494,54 +3494,51 @@ "energyConsumption": { "title": "Energy consumption", "description": "Describes energy consumption information incurred for the specified lifecycle activity.", - "type": "array", - "items": { - "type": "object", - "required": [ - "activity", - "energySources", - "energyCost" - ], - "additionalProperties": false, - "properties": { - "activity": { - "type": "string", - "title": "Activity", - "description": "An activity that is part of a machine learning model development or operational lifecycle.", - "enum": [ "design", "data-collection", "data-preparation", "training", "fine-tuning", "validation", "deployment", "inference" ], - "meta:enum": { - "design": "model design including problem framing, goal definition and algorithm selection.", - "data-collection": "model data acquisition including search, selection and transfer.", - "data-preparation": "model data preparation including data cleaning, labeling and conversion.", - "training": "model building, training and generalized tuning.", - "fine-tuning": "refining a trained model to produce desired outputs for a given problem space.", - "validation": "model validation including model output evaluation and testing.", - "deployment": "explicit model deployment to a target hosting infrastructure.", - "inference": "generating an output response from a hosted model from a set of inputs.", - "other": "a lifecycle activity type whose description does not match currently defined values." - } - }, - "energySources": { - "title": "Energy Sources", - "description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.", - "type": "array", - "items": { "$ref": "#/definitions/energyProvider" } - }, - "energyCost": { - "title": "Energy Cost", - "description": "The total energy cost associated with the model lifecycle activity.", - "$ref": "#/definitions/energyMeasure" - }, - "co2CostEquivalent": { - "title": "CO2 Equivalent Cost", - "description": "The CO2 cost (debit) equivalent to the total energy cost.", - "$ref": "#/definitions/co2Measure" - }, - "co2CostOffset": { - "title": "CO2 Cost Offset", - "description": "The CO2 offset (credit) for the CO2 equivalent cost.", - "$ref": "#/definitions/co2Measure" + "type": "object", + "required": [ + "activity", + "energyProviders", + "activityEnergyCost" + ], + "additionalProperties": false, + "properties": { + "activity": { + "type": "string", + "title": "Activity", + "description": "The type of activity that is part of a machine learning model development or operational lifecycle.", + "enum": [ "design", "data-collection", "data-preparation", "training", "fine-tuning", "validation", "deployment", "inference" ], + "meta:enum": { + "design": "model design including problem framing, goal definition and algorithm selection.", + "data-collection": "model data acquisition including search, selection and transfer.", + "data-preparation": "model data preparation including data cleaning, labeling and conversion.", + "training": "model building, training and generalized tuning.", + "fine-tuning": "refining a trained model to produce desired outputs for a given problem space.", + "validation": "model validation including model output evaluation and testing.", + "deployment": "explicit model deployment to a target hosting infrastructure.", + "inference": "generating an output response from a hosted model from a set of inputs.", + "other": "a lifecycle activity type whose description does not match currently defined values." } + }, + "energyProviders": { + "title": "Energy Providers", + "description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.", + "type": "array", + "items": { "$ref": "#/definitions/energyProvider" } + }, + "activityEnergyCost": { + "title": "Activity Energy Cost", + "description": "The total energy cost associated with the model lifecycle activity.", + "$ref": "#/definitions/energyMeasure" + }, + "co2CostEquivalent": { + "title": "CO2 Equivalent Cost", + "description": "The CO2 cost (debit) equivalent to the total energy cost.", + "$ref": "#/definitions/co2Measure" + }, + "co2CostOffset": { + "title": "CO2 Cost Offset", + "description": "The CO2 offset (credit) for the CO2 equivalent cost.", + "$ref": "#/definitions/co2Measure" } } }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 33a6baaa..d9b562f7 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3271,7 +3271,7 @@ limitations under the License. - An activity that is part of a machine learning model development or operational lifecycle. + The type of activity that is part of a machine learning model development or operational lifecycle. @@ -3342,14 +3342,14 @@ limitations under the License. - + The provider(s) of the energy consumed by the associated model development lifecycle activity. - + The total energy cost associated with the model lifecycle activity. From 597b956188099c81a50cb5262218776c30bf15c4 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 18:36:29 -0500 Subject: [PATCH 162/217] Restore natural-gas as one of the energy sources Signed-off-by: Matt Rutkowski --- schema/bom-1.6.schema.json | 2 +- schema/bom-1.6.xsd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 3ec706cb..76c7c398 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3627,7 +3627,7 @@ }, "energySource": { "type": "string", - "enum": [ "coal", "oil", "hydrocarbon", "nuclear", "wind", "solar", "geothermal", "hydropower", "biofuel", "unknown", "other" ], + "enum": [ "coal", "oil", "natural-gas", "nuclear", "wind", "solar", "geothermal", "hydropower", "biofuel", "unknown", "other" ], "meta:enum": { "coal": "Energy produced by types of coal.", "oil": "Petroleum products (primarily crude oil and its derivative fuel oils).", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index d9b562f7..43eb5d03 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3493,7 +3493,7 @@ limitations under the License. - + Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. From 3daf1087a784402c025e4d949abe2c01b0a1a79b Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Mon, 25 Mar 2024 18:55:04 -0500 Subject: [PATCH 163/217] Add VSCode settings path to git ignore Signed-off-by: Matt Rutkowski --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index fd07c943..cf27b685 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .idea/ +.vscode/ tools/target/ \ No newline at end of file From ac3e662621a2812bdd02d25f53e9514ce1777e8a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 25 Mar 2024 22:38:06 -0500 Subject: [PATCH 164/217] Added descriptions for ML learning types Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 5 +++++ schema/bom-1.6.schema.json | 9 ++++++++- schema/bom-1.6.xsd | 31 ++++++++++++++++++++++++++----- 3 files changed, 39 insertions(+), 6 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 3e6ee48c..a6206997 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1155,10 +1155,15 @@ message ModelCard { enum ModelParameterApproachType { // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- value `0` is a fallback(meaning "unspecified") in protobuf3. this usage here is an error, it shall be fixed with v2.0 of this very schema + // Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples. MODEL_PARAMETER_APPROACH_TYPE_SUPERVISED = 0; + // Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data. MODEL_PARAMETER_APPROACH_TYPE_UNSUPERVISED = 1; + // Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error. MODEL_PARAMETER_APPROACH_TYPE_REINFORCED_LEARNING = 2; + // Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques. MODEL_PARAMETER_APPROACH_TYPE_SEMI_SUPERVISED = 3; + // Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data. MODEL_PARAMETER_APPROACH_TYPE_SELF_SUPERVISED = 4; } diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 046bf715..7cde088e 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3074,7 +3074,14 @@ "reinforcement-learning", "semi-supervised", "self-supervised" - ] + ], + "meta:enum": { + "supervised": "Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.", + "unsupervised": "Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.", + "reinforcement-learning": "Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.", + "semi-supervised": "Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.", + "self-supervised": "Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data." + } } } }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index fe69c835..d55c183c 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3241,27 +3241,48 @@ limitations under the License. - TODO + + Supervised machine learning involves training an algorithm on labeled + data to predict or classify new data based on the patterns learned from + the labeled examples. + - TODO + + Unsupervised machine learning involves training algorithms on unlabeled + data to discover patterns, structures, or relationships without explicit + guidance, allowing the model to identify inherent structures or clusters + within the data. + - TODO + + Reinforcement learning is a type of machine learning where an agent learns + to make decisions by interacting with an environment to maximize cumulative + rewards, through trial and error. + - TODO + + Semi-supervised machine learning utilizes a combination of labeled and + unlabeled data during training to improve model performance, leveraging + the benefits of both supervised and unsupervised learning techniques. + - TODO + + Self-supervised machine learning involves training models to predict parts + of the input data from other parts of the same data, without requiring + external labels, enabling learning from large amounts of unlabeled data. + From 4a76e571e3b1d8b1dd935732be450e404c250de7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 09:08:45 -0500 Subject: [PATCH 165/217] Add first example of env. consideration info. Signed-off-by: Matt Rutkowski --- .../md/mlbom-1.6-env-considerations-1.json | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 docgen/examples/md/mlbom-1.6-env-considerations-1.json diff --git a/docgen/examples/md/mlbom-1.6-env-considerations-1.json b/docgen/examples/md/mlbom-1.6-env-considerations-1.json new file mode 100644 index 00000000..fa095acd --- /dev/null +++ b/docgen/examples/md/mlbom-1.6-env-considerations-1.json @@ -0,0 +1,47 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "metadata": { + "component": { + "name": "meta-llama/Llama-2-7b", + "type": "machine-learning-model", + "manufacturer": { "name": "meta" }, + "publisher": { "name": "meta" }, + "supplier": { "name": "Hugging Face", "url": "https://huggingface.co/meta-llama" }, + "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], + "modelCard": { + "considerations": { + "environmentalConsiderations": { + "energyConsumptions": [ + { + "activity": "training", + "energyProviders": [ + { + "name": "Meta data-center, US-East", + "energySource": "natural-gas", + "energyProvided": { + "value": 0.4, + "unit": "kWh" + } + } + ], + "activityEnergyCost": { + "value": 0.4, + "unit": "kWh" + }, + "co2CostEquivalent": { + "value": 31.22, + "unit": "tCO2eq" + }, + "co2CostOffset": { + "value": 31.22, + "unit": "tCO2eq" + } + } + ] + } + } + } + } + } +} \ No newline at end of file From 68757cc0c7081e2bc3d0709ac5c2d6901679a455 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 12:08:42 -0500 Subject: [PATCH 166/217] Add LF at end of example JSON file and git ignore for linting warnings Signed-off-by: Matt Rutkowski --- .gitignore | 2 +- docgen/examples/md/mlbom-1.6-env-considerations-1.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index cf27b685..2628a539 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ .idea/ .vscode/ -tools/target/ \ No newline at end of file +tools/target/ diff --git a/docgen/examples/md/mlbom-1.6-env-considerations-1.json b/docgen/examples/md/mlbom-1.6-env-considerations-1.json index fa095acd..0c7fc840 100644 --- a/docgen/examples/md/mlbom-1.6-env-considerations-1.json +++ b/docgen/examples/md/mlbom-1.6-env-considerations-1.json @@ -44,4 +44,4 @@ } } } -} \ No newline at end of file +} From a20e98209993621d1c61abcbe5ff3449ca7790bb Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 13:29:13 -0500 Subject: [PATCH 167/217] Add ExternalReferences and Properties where they are needed for extension Signed-off-by: Matt Rutkowski --- schema/bom-1.6.proto | 8 +++++++- schema/bom-1.6.schema.json | 20 ++++++++++++++++++++ schema/bom-1.6.xsd | 27 +++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index f041b187..80500457 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1155,10 +1155,12 @@ message ModelCard { message EnvironmentalConsiderations { // Describes energy consumption information incurred for one or more component lifecycle activities. repeated EnergyConsumption energyConsumptions = 1; + // Specifies optional, custom properties for environment considerations + repeated Property properties = 2; } // Describes energy consumption information incurred for the specified lifecycle activity. message EnergyConsumption { - // An activity that is part of a machine learning model development or operational lifecycle. + // The type of activity that is part of a machine learning model development or operational lifecycle. ActivityType activity = 1; // The providers of the energy consumed by the associated model development lifecycle activity. repeated EnergyProviderType energyProviders = 2; @@ -1168,6 +1170,8 @@ message ModelCard { optional CO2MeasureType co2CostEquivalent = 4; // The CO2 offset or credit for the CO2 equivalent cost. optional CO2MeasureType co2CostOffset = 5; + // Specifies optional, custom properties for environment considerations + repeated Property properties = 6; } } } @@ -1209,6 +1213,8 @@ message EnergyProviderType { EnergySourceType energySource = 5; // The energy provided by the energy source for an associated activity. EnergyMeasureType energyProvided = 6; + // Provides the ability to document external references related to the BOM or to the project the BOM describes. + repeated ExternalReference external_references = 7; } enum EnergySourceType { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 76c7c398..8223ffb7 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3488,6 +3488,13 @@ "items": { "$ref": "#/definitions/energyConsumption" } + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } } } }, @@ -3539,6 +3546,13 @@ "title": "CO2 Cost Offset", "description": "The CO2 offset (credit) for the CO2 equivalent cost.", "$ref": "#/definitions/co2Measure" + }, + "properties": { + "type": "array", + "title": "Properties", + "items": { + "$ref": "#/definitions/property" + } } } }, @@ -3648,6 +3662,12 @@ "$ref": "#/definitions/energyMeasure", "title": "Energy Provided", "description": "The energy provided by the energy source for an associated activity." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." } } }, diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 43eb5d03..d13c4e34 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3258,6 +3258,17 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + @@ -3370,6 +3381,17 @@ limitations under the License. + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL. + + + @@ -3566,6 +3588,11 @@ limitations under the License. + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + From 1c15d63d82de799f6fda42673dd01104e0aa8390 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 14:33:21 -0500 Subject: [PATCH 168/217] Add valid tests to resources Signed-off-by: Matt Rutkowski --- ...chine-learning-considerations-env-1.6.json | 49 +++++++++++++++++ ...achine-learning-considerations-env-1.6.xml | 54 +++++++++++++++++++ ...e-learning-consideratons-env-1.6.textproto | 52 ++++++++++++++++++ 3 files changed, 155 insertions(+) create mode 100644 tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json create mode 100644 tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml create mode 100644 tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json new file mode 100644 index 00000000..db37f702 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json @@ -0,0 +1,49 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:ed5c5ba0-2be6-4b58-ac29-01a7fd375123", + "version": 1, + "components": [ + { + "bom-ref": "huggingface.co-meta-llama-Llama-2-7b", + "name": "meta-llama/Llama-2-7b", + "type": "machine-learning-model", + "supplier": { "name": "Hugging Face" }, + "publisher": { "name": "meta" }, + "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], + "modelCard": { + "considerations": { + "environmentalConsiderations": { + "energyConsumptions": [ + { + "activity": "training", + "energyProviders": [ + { + "name": "Meta data-center, US-East", + "energySource": "natural-gas", + "energyProvided": { + "value": 0.4, + "unit": "kWh" + } + } + ], + "activityEnergyCost": { + "value": 0.4, + "unit": "kWh" + }, + "co2CostEquivalent": { + "value": 31.22, + "unit": "tCO2eq" + }, + "co2CostOffset": { + "value": 31.22, + "unit": "tCO2eq" + } + } + ] + } + } + } + } + ] +} \ No newline at end of file diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml new file mode 100644 index 00000000..40837996 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -0,0 +1,54 @@ + + + + + meta-llama/Llama-2-7b + + Hugging Face + + + meta + + + + https://huggingface.co/meta-llama/Llama-2-7b + + + + + + + + + training + + + 0.4 + kWh + + + + Meta data-center, US-East + natural-gas + + 0.4 + kWh + + + + + 31.22 + tCO2eq + + + 31.22 + tCO2eq + + + + + + + + + diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto new file mode 100644 index 00000000..5ab576c0 --- /dev/null +++ b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto @@ -0,0 +1,52 @@ +# proto-file: schema/bom-1.6.proto +# proto-message: Bom + +spec_version: "1.6" +version: 1 +serial_number: "urn:uuid:ed5c5ba0-2be6-4b58-ac29-01a7fd375123" +components { + component { + type: CLASSIFICATION_MACHINE_LEARNING_MODEL + bom_ref: "huggingface.co-meta-llama-Llama-2-7b" + name: "meta-llama/Llama-2-7b" + supplier { + name: "Hugging Face" + } + supplier { + name: "meta" + } + modelCard: { + considerations: { + environmentalConsiderations: { + energyConsumptions: { + energyConsumption: { + activity: "training" + activityEnergyCost: { + value: 0.4 + unit: "kWh" + } + energyProviders: { + energyProvider: { + name: "Meta data-center, US-East" + energySource: "natural-gas" + energyProvided: { + value: 0.4 + unit: "kWh" + } + } + } + co2CostEquivalent: { + value: 31.22 + unit: "tCO2eq" + } + co2CostOffset: { + value: 31.22 + unit: "tCO2eq" + } + } + } + } + } + } + } +} \ No newline at end of file From df4b5362ed92e83a1ef8711d97f30ca1b80d0831 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 26 Mar 2024 21:35:42 +0100 Subject: [PATCH 169/217] foo Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 133 ++++++++++++++++++------------------- schema/bom-1.6.schema.json | 25 +++---- schema/bom-1.6.xsd | 23 ++----- 3 files changed, 83 insertions(+), 98 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 80500457..0bd82552 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1160,6 +1160,29 @@ message ModelCard { } // Describes energy consumption information incurred for the specified lifecycle activity. message EnergyConsumption { + // An activity that is part of a machine learning model development or operational lifecycle. + enum ActivityType { + ACTIVITY_TYPE_UNSPECIFIED = 0; + // a lifecycle activity type whose description does not match currently defined values (the default type). + ACTIVITY_TYPE_OTHER = 1; + // model design including problem framing, goal definition and algorithm selection. + ACTIVITY_TYPE_DESIGN = 2; + // model data acquisition including search, selection and transfer. + ACTIVITY_TYPE_DATA_COLLECTION = 3; + // model data preparation including data cleaning, labeling and conversion. + ACTIVITY_TYPE_DATA_PREPARATION = 4; + // model building, training and generalized tuning. + ACTIVITY_TYPE_TRAINING = 5; + // refining a trained model to produce desired outputs for a given problem space. + ACTIVITY_TYPE_FINE_TUNING = 6; + // model validation including model output evaluation and testing. + ACTIVITY_TYPE_VALIDATION = 7; + // explicit model deployment to a target hosting infrastructure. + ACTIVITY_TYPE_DEPLOYMENT = 8; + // generating an output response from a hosted model from a set of inputs. + ACTIVITY_TYPE_INFERENCE = 9; + } + // The type of activity that is part of a machine learning model development or operational lifecycle. ActivityType activity = 1; // The providers of the energy consumed by the associated model development lifecycle activity. @@ -1176,100 +1199,76 @@ message ModelCard { } } -// An activity that is part of a machine learning model development or operational lifecycle. -enum ActivityType { - ACTIVITY_TYPE_UNSPECIFIED = 0; - // a lifecycle activity type whose description does not match currently defined values (the default type). - ACTIVITY_TYPE_OTHER = 1; - // model design including problem framing, goal definition and algorithm selection. - ACTIVITY_TYPE_DESIGN = 2; - // model data acquisition including search, selection and transfer. - ACTIVITY_TYPE_DATA_COLLECTION = 3; - // model data preparation including data cleaning, labeling and conversion. - ACTIVITY_TYPE_DATA_PREPARATION = 4; - // model building, training and generalized tuning. - ACTIVITY_TYPE_TRAINING = 5; - // refining a trained model to produce desired outputs for a given problem space. - ACTIVITY_TYPE_FINE_TUNING = 6; - // model validation including model output evaluation and testing. - ACTIVITY_TYPE_VALIDATION = 7; - // explicit model deployment to a target hosting infrastructure. - ACTIVITY_TYPE_DEPLOYMENT = 8; - // generating an output response from a hosted model from a set of inputs. - ACTIVITY_TYPE_INFERENCE = 9; -} // Describes the physical provider of energy used for model development or operations. message EnergyProviderType { + enum EnergySourceType { + ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; + // energy source: unknown. The energy source is unknown. + ENERGY_SOURCE_TYPE_UNKNOWN = 1; + // energy source: other. An energy source that is not listed. + ENERGY_SOURCE_TYPE_OTHER = 2; + // energy source: coal. Energy produced by types of coal. + ENERGY_SOURCE_TYPE_COAL = 3; + // energy source: oil. Petroleum products (primarily crude oil and its derivative fuel oils). + ENERGY_SOURCE_TYPE_OIL = 4; + // energy source: natural-gas. Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + ENERGY_SOURCE_TYPE_NATURAL_GAS = 5; + // energy source: nuclear. Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + ENERGY_SOURCE_TYPE_NUCLEAR = 6; + // energy source: wind. Energy produced from moving air. + ENERGY_SOURCE_TYPE_WIND = 7; + // energy source: solar. Energy produced from the sun (i.e., solar radiation). + ENERGY_SOURCE_TYPE_SOLAR = 8; + // energy source: geothermal. Energy produced from heat within the earth. + ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; + // energy source: hydropower. Energy produced from flowing water. + ENERGY_SOURCE_TYPE_HYDROPOWER = 10; + // energy source: biofuel. Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). + ENERGY_SOURCE_TYPE_BIOFUEL = 11; + } + // BOM unique reference to the energy provider. optional string bom_ref = 1; - // The name of the energy provider. - string name = 2; - // A description of the energy provider. - optional string description = 3; - // TThe physical address (location) of the energy provider.BD - optional PostalAddressType address = 4; + // The organization of the energy provider. + OrganizationalEntity organization = 2; // The energy source for the energy provider. - EnergySourceType energySource = 5; + EnergySourceType energySource = 3; // The energy provided by the energy source for an associated activity. - EnergyMeasureType energyProvided = 6; + EnergyMeasureType energyProvided = 4; // Provides the ability to document external references related to the BOM or to the project the BOM describes. - repeated ExternalReference external_references = 7; -} - -enum EnergySourceType { - ENERGY_SOURCE_TYPE_UNSPECIFIED = 0; - // energy source: unknown. The energy source is unknown. - ENERGY_SOURCE_TYPE_UNKNOWN = 1; - // energy source: other. An energy source that is not listed. - ENERGY_SOURCE_TYPE_OTHER = 2; - // energy source: coal. Energy produced by types of coal. - ENERGY_SOURCE_TYPE_COAL = 3; - // energy source: oil. Petroleum products (primarily crude oil and its derivative fuel oils). - ENERGY_SOURCE_TYPE_OIL = 4; - // energy source: natural-gas. Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. - ENERGY_SOURCE_TYPE_NATURAL_GAS = 5; - // energy source: nuclear. Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). - ENERGY_SOURCE_TYPE_NUCLEAR = 6; - // energy source: wind. Energy produced from moving air. - ENERGY_SOURCE_TYPE_WIND = 7; - // energy source: solar. Energy produced from the sun (i.e., solar radiation). - ENERGY_SOURCE_TYPE_SOLAR = 8; - // energy source: geothermal. Energy produced from heat within the earth. - ENERGY_SOURCE_TYPE_GEOTHERMAL = 9; - // energy source: hydropower. Energy produced from flowing water. - ENERGY_SOURCE_TYPE_HYDROPOWER = 10; - // energy source: biofuel. Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). - ENERGY_SOURCE_TYPE_BIOFUEL = 11; + repeated ExternalReference external_references = 5; } // A measure of energy. message EnergyMeasureType { + enum EnergyMeasureUnitType { + ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit). + ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1; + } + // Quantity of energy. float value = 1; // Unit of energy. EnergyMeasureUnitType unit = 2; } -enum EnergyMeasureUnitType { - ENERGY_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; - // kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h) (the default unit). - ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS = 1; -} // A measure of carbon dioxide (CO2). message CO2MeasureType { + enum CO2MeasureUnitType { + CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; + // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit). + CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1; + } + // Quantity of carbon dioxide (CO2). float value = 1; // Unit of carbon dioxide (CO2). CO2MeasureUnitType unit = 2; } -enum CO2MeasureUnitType { - CO2_MEASURE_UNIT_TYPE_UNSPECIFIED = 0; - // Tonnes (t) of carbon dioxide (CO2) equivalent (eq) (the default unit). - CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT = 1; -} // An address used to identify a contactable location. message PostalAddressType { diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 8223ffb7..393c4938 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -771,6 +771,11 @@ "Example Inc." ] }, + "address": { + "$ref": "#/definitions/postalAddress", + "title": "Address", + "description": "The physical address (location) of the organization" + }, "url": { "type": "array", "items": { @@ -3613,7 +3618,7 @@ "title": "Energy Provider", "description": "Describes the physical provider of energy used for model development or operations.", "required": [ - "name", + "organization", "energySource", "energyProvided" ], @@ -3624,20 +3629,10 @@ "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, - "name": { - "type": "string", - "title": "Name", - "description": "The name of the energy provider." - }, - "description": { - "type": "string", - "title": "Description", - "description": "A description of the energy provider." - }, - "address": { - "$ref": "#/definitions/postalAddress", - "title": "Address", - "description": "The physical address (location) of the energy provider." + "organization": { + "type": "object", + "title": "Organization", + "$ref": "#/definitions/organizationalEntity" }, "energySource": { "type": "string", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index d13c4e34..1ccf81f4 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -346,6 +346,11 @@ limitations under the License. The name of the organization + + + The physical address (location) of the organization. + + The URL of the organization. Multiple URLs are allowed. @@ -3472,24 +3477,10 @@ limitations under the License. - - - - The name of the energy provider. - - - - - - - A description of the energy provider. - - - - + - The physical address (location) of the energy provider. + The organization of the energy provider. From 921e4daf0fd1150bf30a90b19ad07d5daa357fd1 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 15:46:14 -0500 Subject: [PATCH 170/217] Fix wrong type for publisher on json and xml schema tests Signed-off-by: Matt Rutkowski --- docgen/examples/md/mlbom-1.6-env-considerations-1.json | 2 +- .../1.6/valid-machine-learning-considerations-env-1.6.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docgen/examples/md/mlbom-1.6-env-considerations-1.json b/docgen/examples/md/mlbom-1.6-env-considerations-1.json index 0c7fc840..41486e69 100644 --- a/docgen/examples/md/mlbom-1.6-env-considerations-1.json +++ b/docgen/examples/md/mlbom-1.6-env-considerations-1.json @@ -6,7 +6,7 @@ "name": "meta-llama/Llama-2-7b", "type": "machine-learning-model", "manufacturer": { "name": "meta" }, - "publisher": { "name": "meta" }, + "publisher": "meta", "supplier": { "name": "Hugging Face", "url": "https://huggingface.co/meta-llama" }, "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], "modelCard": { diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json index db37f702..cd9a34b0 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json @@ -9,7 +9,7 @@ "name": "meta-llama/Llama-2-7b", "type": "machine-learning-model", "supplier": { "name": "Hugging Face" }, - "publisher": { "name": "meta" }, + "publisher": "meta", "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], "modelCard": { "considerations": { From 1cdd16fdd8f6e875a6b27b35d5c522e317965562 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 15:48:59 -0500 Subject: [PATCH 171/217] Fix wrong type for publisher on json and xml schema tests Signed-off-by: Matt Rutkowski --- ...e-learning-consideratons-env-1.6.textproto | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto index 5ab576c0..a7bafd36 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto @@ -15,31 +15,31 @@ components { supplier { name: "meta" } - modelCard: { - considerations: { - environmentalConsiderations: { - energyConsumptions: { - energyConsumption: { + modelCard { + considerations { + environmentalConsiderations { + energyConsumptions { + energyConsumption { activity: "training" - activityEnergyCost: { + activityEnergyCost { value: 0.4 unit: "kWh" } - energyProviders: { - energyProvider: { + energyProviders { + energyProvider { name: "Meta data-center, US-East" energySource: "natural-gas" - energyProvided: { + energyProvided { value: 0.4 unit: "kWh" } } } - co2CostEquivalent: { + co2CostEquivalent { value: 31.22 unit: "tCO2eq" } - co2CostOffset: { + co2CostOffset { value: 31.22 unit: "tCO2eq" } From b8dfe000f483c19ce696cd6ec34240b05ffe8bdf Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 16:02:28 -0500 Subject: [PATCH 172/217] Fix wrong type for publisher on json and xml schema tests Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.json | 2 +- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 4 +--- .../valid-machine-learning-consideratons-env-1.6.textproto | 4 +--- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json index cd9a34b0..efdddaa7 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json @@ -9,7 +9,7 @@ "name": "meta-llama/Llama-2-7b", "type": "machine-learning-model", "supplier": { "name": "Hugging Face" }, - "publisher": "meta", + "publisher": "meta", "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], "modelCard": { "considerations": { diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 40837996..f6ee837b 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -6,9 +6,7 @@ Hugging Face - - meta - + meta https://huggingface.co/meta-llama/Llama-2-7b diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto index a7bafd36..22c6f4b2 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto @@ -9,12 +9,10 @@ components { type: CLASSIFICATION_MACHINE_LEARNING_MODEL bom_ref: "huggingface.co-meta-llama-Llama-2-7b" name: "meta-llama/Llama-2-7b" + publisher: "meta" supplier { name: "Hugging Face" } - supplier { - name: "meta" - } modelCard { considerations { environmentalConsiderations { From 6084dea2184ba8b8f42f12f1a8ef538e038fc807 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 26 Mar 2024 22:41:45 +0100 Subject: [PATCH 173/217] add description back in Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 10 ++++++---- schema/bom-1.6.schema.json | 5 +++++ schema/bom-1.6.xsd | 7 +++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0bd82552..b6c49f5b 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -1230,14 +1230,16 @@ message EnergyProviderType { // BOM unique reference to the energy provider. optional string bom_ref = 1; + // A description of the energy provider. + string description = 2; // The organization of the energy provider. - OrganizationalEntity organization = 2; + OrganizationalEntity organization = 3; // The energy source for the energy provider. - EnergySourceType energySource = 3; + EnergySourceType energySource = 4; // The energy provided by the energy source for an associated activity. - EnergyMeasureType energyProvided = 4; + EnergyMeasureType energyProvided = 5; // Provides the ability to document external references related to the BOM or to the project the BOM describes. - repeated ExternalReference external_references = 5; + repeated ExternalReference external_references = 6; } // A measure of energy. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 393c4938..85a10f46 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3629,6 +3629,11 @@ "description": "An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", "$ref": "#/definitions/refType" }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the energy provider." + }, "organization": { "type": "object", "title": "Organization", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 1ccf81f4..4eeee2fa 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3477,6 +3477,13 @@ limitations under the License. + + + + A description of the energy provider. + + + From e467a33fee9dc07a1605d4e7267e7c044870d07c Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 21:19:57 -0500 Subject: [PATCH 174/217] Updated tests to account for new organization element Signed-off-by: Matt Rutkowski --- ...-machine-learning-considerations-env-1.6.json | 16 ++++++++++++++-- ...d-machine-learning-considerations-env-1.6.xml | 9 +++++++++ ...hine-learning-consideratons-env-1.6.textproto | 13 ++++++++++++- 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json index efdddaa7..7fa6b73d 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json @@ -10,7 +10,12 @@ "type": "machine-learning-model", "supplier": { "name": "Hugging Face" }, "publisher": "meta", - "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], + "externalReferences": [ + { + "type": "distribution", + "url": "https://huggingface.co/meta-llama/Llama-2-7b" + } + ], "modelCard": { "considerations": { "environmentalConsiderations": { @@ -19,7 +24,14 @@ "activity": "training", "energyProviders": [ { - "name": "Meta data-center, US-East", + "organization": { + "name": "Meta data-center, US-East", + "address": { + "country": "United States", + "region": "New Jersey", + "locality": "Newark" + } + }, "energySource": "natural-gas", "energyProvided": { "value": 0.4, diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index f6ee837b..9cdf9dae 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -9,6 +9,7 @@ meta + distribution https://huggingface.co/meta-llama/Llama-2-7b @@ -28,6 +29,14 @@ Meta data-center, US-East natural-gas + + Meta data-center, US-East +
+ United States + New Jersey + Newark +
+ 0.4 kWh diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto index 22c6f4b2..a691fd91 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto @@ -13,6 +13,10 @@ components { supplier { name: "Hugging Face" } + externalReferences { + type: "distribution" + url: "https://huggingface.co/meta-llama/Llama-2-7b" + } modelCard { considerations { environmentalConsiderations { @@ -25,7 +29,14 @@ components { } energyProviders { energyProvider { - name: "Meta data-center, US-East" + organization { + name: "Meta data-center, US-East" + address { + country: "United States" + region: "New Jersey" + locality: "Newark" + } + } energySource: "natural-gas" energyProvided { value: 0.4 From 57d401f2ceda81235f4da8d7c929dd3d74e5eead Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 22:15:10 -0500 Subject: [PATCH 175/217] Add type element to xml example Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 9cdf9dae..66a9fd47 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -2,6 +2,7 @@ + machine-learning-model meta-llama/Llama-2-7b Hugging Face From 347cc3e99905c57cc22c45923679f03ede085420 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 22:29:50 -0500 Subject: [PATCH 176/217] Try a full supplier in XML example Signed-off-by: Matt Rutkowski --- ...id-machine-learning-considerations-env-1.6.xml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 66a9fd47..78647d19 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -1,16 +1,19 @@ - - machine-learning-model + meta-llama/Llama-2-7b - - Hugging Face + + Acme, Inc. + https://example.com + + Acme Distribution + distribution@example.com + meta - - distribution + https://huggingface.co/meta-llama/Llama-2-7b From bb6d189f928cf68f9af75a444f837f0269a57387 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 22:36:46 -0500 Subject: [PATCH 177/217] Try a full supplier in XML example Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 78647d19..70ffa1b9 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -3,14 +3,6 @@ meta-llama/Llama-2-7b - - Acme, Inc. - https://example.com - - Acme Distribution - distribution@example.com - - meta From 00c8338f24b5e0c519c5e3d16828ef7206d2ebe6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 22:43:50 -0500 Subject: [PATCH 178/217] Try a full supplier in XML example Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 70ffa1b9..7e8ca52a 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -1,8 +1,11 @@ - + meta-llama/Llama-2-7b + + Hugging Face + meta From f3cbda569882a3f76eab5bcd19b3120ccd796454 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 22:52:40 -0500 Subject: [PATCH 179/217] XML example attempt tp fix test error Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 7e8ca52a..1dc0c0ca 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -1,7 +1,7 @@ - + meta-llama/Llama-2-7b Hugging Face From a88f91b4553f0c15844fa6c42f59afb0f056c2e0 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:00:35 -0500 Subject: [PATCH 180/217] remove all but required fields from component Signed-off-by: Matt Rutkowski --- .../valid-machine-learning-considerations-env-1.6.xml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 1dc0c0ca..bb39d2b1 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -3,15 +3,6 @@ meta-llama/Llama-2-7b - - Hugging Face - - meta - - - https://huggingface.co/meta-llama/Llama-2-7b - - From ae5a631e06afc67b708d8bb73b2aa776487a2c32 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:08:51 -0500 Subject: [PATCH 181/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- ...achine-learning-considerations-env-1.6.xml | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index bb39d2b1..33ea1ded 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -1,8 +1,36 @@ + + + + stable-diffusion + + + + + The name of the risk + Strategy used to address this risk + + + + + + + + + From 838a7bead71ebdbea212f4c77731a9aba22dac61 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:10:59 -0500 Subject: [PATCH 182/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 33ea1ded..f0ce985c 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -2,7 +2,11 @@ - stable-diffusion + meta-llama/Llama-2-7b + + Hugging Face + + meta From f9784ee80193e1b0ac94a36faed7bfd29b200076 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:18:05 -0500 Subject: [PATCH 183/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index f0ce985c..adbdd0cf 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -2,7 +2,7 @@ - meta-llama/Llama-2-7b + llama-2-7b Hugging Face From f55385c12d966e2f707bfc5afd2ac7bbb0f06d89 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:22:28 -0500 Subject: [PATCH 184/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- ...alid-machine-learning-considerations-env-1.6.xml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index adbdd0cf..b2c9b086 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -4,7 +4,18 @@ llama-2-7b - Hugging Face + Example Inc. + https://example.com + https://example.net + + Example Support AMER + support@example.com + 800-555-1212 + + + Example Support APAC + support@apac.example.com + meta From b04b6823d2f895698cfc32f5a708c4c473a8e604 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:25:53 -0500 Subject: [PATCH 185/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- ...lid-machine-learning-considerations-env-1.6.xml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index b2c9b086..536c9385 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -3,20 +3,6 @@ llama-2-7b - - Example Inc. - https://example.com - https://example.net - - Example Support AMER - support@example.com - 800-555-1212 - - - Example Support APAC - support@apac.example.com - - meta From c8e9d1c673faf9ac28c196aa1bfc1646b721ffa6 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:28:51 -0500 Subject: [PATCH 186/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 536c9385..7dfb1958 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -3,7 +3,6 @@ llama-2-7b - meta From bbcfd93c1aac112e61400ce4d39876092715bd57 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:32:28 -0500 Subject: [PATCH 187/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 7dfb1958..83c5fb6c 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -2,6 +2,7 @@ + Acme Inc llama-2-7b From fdfe19f7d3cc7af6c5bee7d05c91207ab08caffe Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:34:20 -0500 Subject: [PATCH 188/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 83c5fb6c..a8c8ac48 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -2,7 +2,7 @@ - Acme Inc + meta llama-2-7b From 825a866bef5cf3cd92bde947030b297356cfc6f8 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Tue, 26 Mar 2024 23:37:55 -0500 Subject: [PATCH 189/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- ...lid-machine-learning-considerations-env-1.6.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index a8c8ac48..f6c4d573 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -4,6 +4,20 @@ meta llama-2-7b + + Example Inc. + https://example.com + https://example.net + + Example Support AMER + support@example.com + 800-555-1212 + + + Example Support APAC + support@apac.example.com + + From c7793d199937c15c0d1ee2a078439e85ad6607a1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 27 Mar 2024 09:43:18 +0100 Subject: [PATCH 190/217] fix examples Signed-off-by: Jan Kowalleck --- schema/bom-1.6.proto | 2 + ...chine-learning-considerations-env-1.6.json | 9 +- ...achine-learning-considerations-env-1.6.xml | 106 ++++++------------ ...e-learning-consideratons-env-1.6.textproto | 90 +++++++-------- 4 files changed, 86 insertions(+), 121 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0bd82552..90542bce 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -523,6 +523,8 @@ message OrganizationalEntity { repeated OrganizationalContact contact = 3; // An optional identifier which can be used to reference the object elsewhere in the BOM. Uniqueness is enforced within all elements and children of the root-level bom element. optional string bom_ref = 4; + // The physical address (location) of the organization + optional PostalAddressType address = 5; } enum PatchClassification { diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json index 7fa6b73d..d1249644 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json @@ -6,9 +6,12 @@ "components": [ { "bom-ref": "huggingface.co-meta-llama-Llama-2-7b", - "name": "meta-llama/Llama-2-7b", + "group": "meta-llama", + "name": "Llama-2-7b", "type": "machine-learning-model", - "supplier": { "name": "Hugging Face" }, + "supplier": { + "name": "Hugging Face" + }, "publisher": "meta", "externalReferences": [ { @@ -58,4 +61,4 @@ } } ] -} \ No newline at end of file +} diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index f6c4d573..f25db7b2 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -1,46 +1,17 @@ - + - - meta - llama-2-7b - - Example Inc. - https://example.com - https://example.net - - Example Support AMER - support@example.com - 800-555-1212 - - - Example Support APAC - support@apac.example.com - - - - - - - The name of the risk - Strategy used to address this risk - - - - - - - - - + diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto index a691fd91..637e0880 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto @@ -5,57 +5,53 @@ spec_version: "1.6" version: 1 serial_number: "urn:uuid:ed5c5ba0-2be6-4b58-ac29-01a7fd375123" components { - component { - type: CLASSIFICATION_MACHINE_LEARNING_MODEL - bom_ref: "huggingface.co-meta-llama-Llama-2-7b" - name: "meta-llama/Llama-2-7b" - publisher: "meta" - supplier { - name: "Hugging Face" - } - externalReferences { - type: "distribution" - url: "https://huggingface.co/meta-llama/Llama-2-7b" - } - modelCard { - considerations { - environmentalConsiderations { - energyConsumptions { - energyConsumption { - activity: "training" - activityEnergyCost { - value: 0.4 - unit: "kWh" - } - energyProviders { - energyProvider { - organization { - name: "Meta data-center, US-East" - address { - country: "United States" - region: "New Jersey" - locality: "Newark" - } - } - energySource: "natural-gas" - energyProvided { - value: 0.4 - unit: "kWh" - } - } - } - co2CostEquivalent { - value: 31.22 - unit: "tCO2eq" - } - co2CostOffset { - value: 31.22 - unit: "tCO2eq" + type: CLASSIFICATION_MACHINE_LEARNING_MODEL + bom_ref: "huggingface.co-meta-llama-Llama-2-7b" + group: "meta-llama" + name: "Llama-2-7b" + publisher: "meta" + supplier { + name: "Hugging Face" + } + external_references { + type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION + url: "https://huggingface.co/meta-llama/Llama-2-7b" + } + modelCard { + considerations { + environmentalConsiderations { + energyConsumptions { + activity: ACTIVITY_TYPE_TRAINING + activityEnergyCost { + value: 0.4 + unit: ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS + } + energyProviders { + organization { + name: "Meta data-center, US-East" + address { + country: "United States" + region: "New Jersey" + locality: "Newark" } } + energySource: ENERGY_SOURCE_TYPE_NATURAL_GAS + energyProvided { + value: 0.4 + unit: ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS + } + } + + co2CostEquivalent { + value: 31.22 + unit: CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT + } + co2CostOffset { + value: 31.22 + unit: CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT } } } } } -} \ No newline at end of file +} From 60af7d84052dcfbe68ccb90fd4c80b063ffe8411 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 27 Mar 2024 09:51:05 +0100 Subject: [PATCH 191/217] fix examples Signed-off-by: Jan Kowalleck --- .../1.6/valid-machine-learning-considerations-env-1.6.json | 3 ++- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 3 ++- .../valid-machine-learning-consideratons-env-1.6.textproto | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json index d1249644..a7a0dbf5 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.json @@ -27,8 +27,9 @@ "activity": "training", "energyProviders": [ { + "description": "Meta data-center, US-East", "organization": { - "name": "Meta data-center, US-East", + "name": "Meta", "address": { "country": "United States", "region": "New Jersey", diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index f25db7b2..8e46a6f4 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -23,8 +23,9 @@ training + Meta data-center, US-East - Meta data-center, US-East + Meta
United States New Jersey diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto index 637e0880..c045c9e6 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto @@ -27,8 +27,9 @@ components { unit: ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS } energyProviders { + description: "Meta data-center, US-East" organization { - name: "Meta data-center, US-East" + name: "Meta" address { country: "United States" region: "New Jersey" @@ -41,7 +42,6 @@ components { unit: ENERGY_MEASURE_UNIT_TYPE_KILOWATT_HOURS } } - co2CostEquivalent { value: 31.22 unit: CO2_MEASURE_UNIT_TYPE_TONNES_CO2_EQUIVALENT From 394d6986a48109f8ce86bb24ef178c7a4477358f Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 04:40:16 -0500 Subject: [PATCH 192/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index f6c4d573..ac24387c 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -5,18 +5,13 @@ meta llama-2-7b - Example Inc. + Hugging Face https://example.com - https://example.net Example Support AMER support@example.com 800-555-1212 - - Example Support APAC - support@apac.example.com - From 6779610028cd3540e56ec6183690275f4bc2ec0d Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 04:44:09 -0500 Subject: [PATCH 193/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../1.6/valid-machine-learning-considerations-env-1.6.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index ac24387c..52823b54 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -5,8 +5,9 @@ meta llama-2-7b - Hugging Face + Example Inc. https://example.com + https://example.net Example Support AMER support@example.com From 44c8ba3654c443753456a5ddd7c95547407870c1 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 04:49:08 -0500 Subject: [PATCH 194/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- .../valid-machine-learning-considerations-env-1.6.xml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 52823b54..a8c8ac48 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -4,16 +4,6 @@ meta llama-2-7b - - Example Inc. - https://example.com - https://example.net - - Example Support AMER - support@example.com - 800-555-1212 - - From 4e2bff0eed1b781fbf78b99dc8a359e1e0f7fcb7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 04:52:34 -0500 Subject: [PATCH 195/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- ...achine-learning-considerations-env-1.6.xml | 43 ++++++++++++++++++- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index a8c8ac48..2b3ba9d0 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -7,10 +7,49 @@ - + The name of the risk Strategy used to address this risk - + + + + + + training + + + 0.4 + kWh + + + + Meta data-center, US-East + natural-gas + + Meta data-center, US-East +
+ United States + New Jersey + Newark +
+ + + 0.4 + kWh + + + + + 31.22 + tCO2eq + + + 31.22 + tCO2eq + + + + From 8fca4458880c7d7aafce953f6584388f3f25eedb Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 04:56:53 -0500 Subject: [PATCH 196/217] build up xml test from scratch Signed-off-by: Matt Rutkowski --- ...achine-learning-considerations-env-1.6.xml | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 2b3ba9d0..ab091ecc 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -7,50 +7,50 @@ - + The name of the risk - Strategy used to address this risk - - - - - - training - - - 0.4 - kWh - - - - Meta data-center, US-East - natural-gas - - Meta data-center, US-East -
- United States - New Jersey - Newark -
- - - 0.4 - kWh - - - - - 31.22 - tCO2eq - - - 31.22 - tCO2eq - - - - + Strategy + + + + + + training + + + 0.4 + kWh + + + + Meta data-center, US-East + natural-gas + + Meta data-center, US-East +
+ United States + New Jersey + Newark +
+ + + 0.4 + kWh + + + + + 31.22 + tCO2eq + + + 31.22 + tCO2eq + + + + From 352546268c1c0317fc61536b7519661d84757c11 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 06:06:26 -0500 Subject: [PATCH 197/217] insert energyConsumptionsType (plural) into XSD to account for anon. type in JSON Signed-off-by: Matt Rutkowski --- schema/bom-1.6.xsd | 21 ++++++- ...achine-learning-considerations-env-1.6.xml | 56 ++++++++++--------- 2 files changed, 49 insertions(+), 28 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 4eeee2fa..afbf659a 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -3256,7 +3256,7 @@ limitations under the License. - + Describes energy consumption information incurred for one or more component lifecycle activities. @@ -3277,6 +3277,25 @@ limitations under the License. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index 7ba77baa..d12bb7db 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -22,35 +22,37 @@ - training - - Meta data-center, US-East - - Meta -
- United States - New Jersey - Newark -
- - natural-gas - + + training + + Meta data-center, US-East + + Meta +
+ United States + New Jersey + Newark +
+ + natural-gas + + 0.4 + kWh + + + 0.4 kWh - - - - 0.4 - kWh - - - 31.22 - tCO2eq - - - 31.22 - tCO2eq - + + + 31.22 + tCO2eq + + + 31.22 + tCO2eq + + From 5d85af3af2e383c69ae6bb1213da68ce5ab6aac7 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 06:15:01 -0500 Subject: [PATCH 198/217] fix line-wrap in top of xml example Signed-off-by: Matt Rutkowski --- .../valid-machine-learning-considerations-env-1.6.xml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml index d12bb7db..2b4938c1 100644 --- a/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml +++ b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.xml @@ -1,12 +1,7 @@ - + - - + Hugging Face From 6cd03027543bdc31b874691cfba864e310b6b198 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 27 Mar 2024 16:20:40 +0100 Subject: [PATCH 199/217] fix/harmonize version length Signed-off-by: Jan Kowalleck --- schema/bom-1.6.schema.json | 1 - schema/bom-1.6.xsd | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 7cde088e..59ebd48a 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2912,7 +2912,6 @@ "version": { "description": "A single disjunctive version identifier, for a component or service.", "type": "string", - "minLength": 1, "maxLength": 1024, "examples": [ "9.0.14", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index d55c183c..12e24e26 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -69,7 +69,9 @@ limitations under the License. ]]> - + + + From 641bd14e7c2046ce1b68d9f8e9e4314b2197359e Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 10:41:46 -0500 Subject: [PATCH 200/217] remove old example Signed-off-by: Matt Rutkowski --- .../md/mlbom-1.6-env-considerations-1.json | 47 ------------------- 1 file changed, 47 deletions(-) delete mode 100644 docgen/examples/md/mlbom-1.6-env-considerations-1.json diff --git a/docgen/examples/md/mlbom-1.6-env-considerations-1.json b/docgen/examples/md/mlbom-1.6-env-considerations-1.json deleted file mode 100644 index 41486e69..00000000 --- a/docgen/examples/md/mlbom-1.6-env-considerations-1.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "bomFormat": "CycloneDX", - "specVersion": "1.6", - "metadata": { - "component": { - "name": "meta-llama/Llama-2-7b", - "type": "machine-learning-model", - "manufacturer": { "name": "meta" }, - "publisher": "meta", - "supplier": { "name": "Hugging Face", "url": "https://huggingface.co/meta-llama" }, - "externalReferences": [ { "url": "https://huggingface.co/meta-llama/Llama-2-7b" } ], - "modelCard": { - "considerations": { - "environmentalConsiderations": { - "energyConsumptions": [ - { - "activity": "training", - "energyProviders": [ - { - "name": "Meta data-center, US-East", - "energySource": "natural-gas", - "energyProvided": { - "value": 0.4, - "unit": "kWh" - } - } - ], - "activityEnergyCost": { - "value": 0.4, - "unit": "kWh" - }, - "co2CostEquivalent": { - "value": 31.22, - "unit": "tCO2eq" - }, - "co2CostOffset": { - "value": 31.22, - "unit": "tCO2eq" - } - } - ] - } - } - } - } - } -} From 2a83cf9b87d876b984d3b6076aa21e0bd8a88c21 Mon Sep 17 00:00:00 2001 From: Matt Rutkowski Date: Wed, 27 Mar 2024 10:49:49 -0500 Subject: [PATCH 201/217] Fix typo in name of test file Signed-off-by: Matt Rutkowski --- ...to => valid-machine-learning-considerations-env-1.6.textproto} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tools/src/test/resources/1.6/{valid-machine-learning-consideratons-env-1.6.textproto => valid-machine-learning-considerations-env-1.6.textproto} (100%) diff --git a/tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto b/tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.textproto similarity index 100% rename from tools/src/test/resources/1.6/valid-machine-learning-consideratons-env-1.6.textproto rename to tools/src/test/resources/1.6/valid-machine-learning-considerations-env-1.6.textproto From f156ca506317350a17c47d9abe08e150f897e942 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 27 Mar 2024 22:03:29 +0100 Subject: [PATCH 202/217] 1.6 bump bufbuild buf 1.30.0 (#418) Signed-off-by: Jan Kowalleck --- tools/src/test/proto/test.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tools/src/test/proto/test.sh b/tools/src/test/proto/test.sh index a09b4dc7..d1d39406 100755 --- a/tools/src/test/proto/test.sh +++ b/tools/src/test/proto/test.sh @@ -28,7 +28,7 @@ function schema-lint () { --volume "${ROOT_PATH}/${SCHEMA_DIR}:/workspace/${SCHEMA_DIR}:ro" \ --volume "${THIS_PATH}/buf_lint.yaml:/workspace/buf.yaml:ro" \ --workdir '/workspace' \ - bufbuild/buf:1.29.0 \ + bufbuild/buf:1.30.0 \ lint --path "$SCHEMA_DIR" \ --config 'buf.yaml' \ --error-format "$LOG_FORMAT" @@ -59,7 +59,7 @@ function schema-breaking-version () { --volume "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}:/workspace/${SCHEMA_DIR_OLD}/${NEW}:ro" \ --volume "${THIS_PATH}/buf_breaking-version.yaml:/workspace/buf.yaml:ro" \ --workdir '/workspace' \ - bufbuild/buf:1.29.0 \ + bufbuild/buf:1.30.0 \ breaking "$SCHEMA_DIR" \ --against "$SCHEMA_DIR_OLD" \ --config 'buf.yaml' \ @@ -87,7 +87,7 @@ function schema-breaking-remote () { --volume "${ROOT_PATH}/${SCHEMA_DIR}:/workspace/${SCHEMA_DIR}:ro" \ --volume "${THIS_PATH}/buf_breaking-remote.yaml:/workspace/buf.yaml:ro" \ --workdir '/workspace' \ - bufbuild/buf:1.29.0 \ + bufbuild/buf:1.30.0 \ breaking "$SCHEMA_DIR" \ --against "${REMOTE}#subdir=${SCHEMA_DIR}" \ --config 'buf.yaml' \ @@ -107,11 +107,13 @@ function schema-functional () { echo ">> validate $(realpath --relative-to="$PWD" "$FILE") as ${MESSAGE} of ${SCHEMA_FILE}" >&2 + # this test method is a bare minimum, and it might not detect all kinds of malformed input. + # could be improved by utilizing protoc -- see https://github.com/CycloneDX/specification/pull/385/commits/8db0967c11cb913ac3c7a9a037159338df3f3bd9 docker run --rm \ --volume "${ROOT_PATH}/${SCHEMA_DIR}:/workspace/${SCHEMA_DIR}:ro" \ --volume "${FILE}:/workspace/test_res:ro" \ --workdir '/workspace' \ - bufbuild/buf:1.29.0 \ + bufbuild/buf:1.30.0 \ convert "${SCHEMA_DIR}/${SCHEMA_FILE}" \ --type "$MESSAGE" \ --from 'test_res#format=txtpb' \ @@ -162,4 +164,4 @@ case "${1:-all}" in >&2 exit 1 ;; -esac \ No newline at end of file +esac From 6fcbd0275aef86ef5b6ddac4c581aadbe864756f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 28 Mar 2024 22:24:39 -0500 Subject: [PATCH 203/217] Changed to array. Updated examples Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 4 ++-- schema/bom-1.6.schema.json | 11 ++++++++--- schema/bom-1.6.xsd | 4 ++-- .../1.6/valid-component-identifiers-1.6.json | 7 +++++-- .../1.6/valid-component-identifiers-1.6.textproto | 7 +++++-- .../resources/1.6/valid-component-identifiers-1.6.xml | 3 ++- 6 files changed, 24 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 5f71962d..46e108a3 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -149,9 +149,9 @@ message Component { // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". repeated string tags = 30; // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid - optional string omnibor = 31; + repeated string omnibor = 31; // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html - optional string swhid = 32; + repeated string swhid = 32; } // Specifies the data flow. diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 7a4c8b4b..02c427ec 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -970,15 +970,20 @@ "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] }, "omnibor": { - "type": "string", + "type": "array", "title": "OmniBOR Artifact Identifier (gitoid)", "description": "Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid)", - "examples": ["gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64"] + "items": { "type": "string" }, + "examples": [ + "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] }, "swhid": { - "type": "string", + "type": "array", "title": "SoftWare Heritage Identifier", "description": "Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)", + "items": { "type": "string" }, "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"] }, "swid": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b5b4fa1f..b97594ec 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -590,7 +590,7 @@ limitations under the License. - + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform @@ -598,7 +598,7 @@ limitations under the License. - + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json index c084ba08..3bb2f44a 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json @@ -11,8 +11,11 @@ "version": "1.0.0", "cpe": "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*", "purl": "pkg:maven/com.example/acme-library@1.0.0", - "omnibor": "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", - "swhid": "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" + "omnibor": [ + "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", + "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ], + "swhid": [ "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" ] } ] } diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto index 33499ddf..4f048f7d 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto @@ -11,6 +11,9 @@ components { version: "1.0.0" cpe: "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*" purl: "pkg:maven/com.example/acme-library@1.0.0" - omnibor: "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64" - swhid: "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" + omnibor: [ + "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", + "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + swhid: [ "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" ] } diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml index c3e99b7d..d97aed21 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml @@ -7,7 +7,8 @@ 1.0.0 cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:* pkg:maven/com.example/acme-library@1.0.0 - gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 From f3e98d41e504adacb178c5d187cc9cce14fd5361 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 28 Mar 2024 22:29:15 -0500 Subject: [PATCH 204/217] Changed omnibor to omniborId Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 4 ++-- schema/bom-1.6.schema.json | 4 ++-- schema/bom-1.6.xsd | 4 ++-- .../test/resources/1.6/valid-component-identifiers-1.6.json | 2 +- .../resources/1.6/valid-component-identifiers-1.6.textproto | 2 +- .../test/resources/1.6/valid-component-identifiers-1.6.xml | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 46e108a3..4f69a9e3 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -149,7 +149,7 @@ message Component { // Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes. Examples include "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection". repeated string tags = 30; // Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid - repeated string omnibor = 31; + repeated string omniborId = 31; // Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html repeated string swhid = 32; } @@ -770,7 +770,7 @@ enum EvidenceFieldType { EVIDENCE_FIELD_CPE = 5; EVIDENCE_FIELD_SWID = 6; EVIDENCE_FIELD_HASH = 7; - EVIDENCE_FIELD_OMNIBOR = 8; + EVIDENCE_FIELD_OMNIBOR_ID = 8; EVIDENCE_FIELD_SWHID = 9; } diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 02c427ec..ef78f863 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -969,7 +969,7 @@ "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)", "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] }, - "omnibor": { + "omniborId": { "type": "array", "title": "OmniBOR Artifact Identifier (gitoid)", "description": "Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid)", @@ -4446,7 +4446,7 @@ "field": { "type": "string", "enum": [ - "group", "name", "version", "purl", "cpe", "omnibor", "swhid", "swid", "hash" + "group", "name", "version", "purl", "cpe", "omniborId", "swhid", "swid", "hash" ], "title": "Field", "description": "The identity field of the component which the evidence describes." diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index b97594ec..daa73b20 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -590,7 +590,7 @@ limitations under the License. - + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform @@ -2263,7 +2263,7 @@ limitations under the License. - + diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json index 3bb2f44a..ca44eebc 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json @@ -11,7 +11,7 @@ "version": "1.0.0", "cpe": "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*", "purl": "pkg:maven/com.example/acme-library@1.0.0", - "omnibor": [ + "omniborId": [ "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" ], diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto index 4f048f7d..52a05dae 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto @@ -11,7 +11,7 @@ components { version: "1.0.0" cpe: "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*" purl: "pkg:maven/com.example/acme-library@1.0.0" - omnibor: [ + omniborId: [ "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" ] diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml index d97aed21..9fc7b85c 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml @@ -7,8 +7,8 @@ 1.0.0 cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:* pkg:maven/com.example/acme-library@1.0.0 - gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 - gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 From 197d1065426b666178683ff194700a40b28581e1 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 28 Mar 2024 22:38:19 -0500 Subject: [PATCH 205/217] Minor doc corrections Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 46 ++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 22a19ae7..4f3bdab5 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -3557,17 +3557,27 @@ "type": "string", "title": "Activity", "description": "The type of activity that is part of a machine learning model development or operational lifecycle.", - "enum": [ "design", "data-collection", "data-preparation", "training", "fine-tuning", "validation", "deployment", "inference" ], + "enum": [ + "design", + "data-collection", + "data-preparation", + "training", + "fine-tuning", + "validation", + "deployment", + "inference", + "other" + ], "meta:enum": { - "design": "model design including problem framing, goal definition and algorithm selection.", - "data-collection": "model data acquisition including search, selection and transfer.", - "data-preparation": "model data preparation including data cleaning, labeling and conversion.", - "training": "model building, training and generalized tuning.", - "fine-tuning": "refining a trained model to produce desired outputs for a given problem space.", - "validation": "model validation including model output evaluation and testing.", - "deployment": "explicit model deployment to a target hosting infrastructure.", - "inference": "generating an output response from a hosted model from a set of inputs.", - "other": "a lifecycle activity type whose description does not match currently defined values." + "design": "A model design including problem framing, goal definition and algorithm selection.", + "data-collection": "Model data acquisition including search, selection and transfer.", + "data-preparation": "Model data preparation including data cleaning, labeling and conversion.", + "training": "Model building, training and generalized tuning.", + "fine-tuning": "Refining a trained model to produce desired outputs for a given problem space.", + "validation": "Model validation including model output evaluation and testing.", + "deployment": "Explicit model deployment to a target hosting infrastructure.", + "inference": "Generating an output response from a hosted model from a set of inputs.", + "other": "A lifecycle activity type whose description does not match currently defined values." } }, "energyProviders": { @@ -3621,7 +3631,7 @@ "title": "Unit", "description": "Unit of energy.", "meta:enum": { - "kWh": "kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)." + "kWh": "Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)." } } } @@ -3680,7 +3690,19 @@ }, "energySource": { "type": "string", - "enum": [ "coal", "oil", "natural-gas", "nuclear", "wind", "solar", "geothermal", "hydropower", "biofuel", "unknown", "other" ], + "enum": [ + "coal", + "oil", + "natural-gas", + "nuclear", + "wind", + "solar", + "geothermal", + "hydropower", + "biofuel", + "unknown", + "other" + ], "meta:enum": { "coal": "Energy produced by types of coal.", "oil": "Petroleum products (primarily crude oil and its derivative fuel oils).", From 7c96e727c1ea38ac78a9216f04b2777c1b3b1ecd Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 29 Mar 2024 11:13:42 +0100 Subject: [PATCH 206/217] revisit new component identifiers Signed-off-by: Jan Kowalleck --- schema/bom-1.6.xsd | 4 ++-- .../resources/1.6/valid-component-identifiers-1.6.json | 5 ++++- .../1.6/valid-component-identifiers-1.6.textproto | 9 ++++----- .../resources/1.6/valid-component-identifiers-1.6.xml | 3 ++- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index fd0b977c..c388813b 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -597,7 +597,7 @@ limitations under the License. - + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform @@ -605,7 +605,7 @@ limitations under the License. - + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json index ca44eebc..37175a6e 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.json @@ -15,7 +15,10 @@ "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" ], - "swhid": [ "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" ] + "swhid": [ + "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2", + "swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505" + ] } ] } diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto index 52a05dae..26ffb8e2 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.textproto @@ -11,9 +11,8 @@ components { version: "1.0.0" cpe: "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*" purl: "pkg:maven/com.example/acme-library@1.0.0" - omniborId: [ - "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", - "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - ] - swhid: [ "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" ] + omniborId: "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64" + omniborId: "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + swhid: "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" + swhid: "swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505" } diff --git a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml index 9fc7b85c..bf74b7df 100644 --- a/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml +++ b/tools/src/test/resources/1.6/valid-component-identifiers-1.6.xml @@ -7,9 +7,10 @@ 1.0.0 cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:* pkg:maven/com.example/acme-library@1.0.0 - gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 + swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505 From 60b0e4600c1c95f982d13ad29bc207faac831fdb Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 30 Mar 2024 11:29:49 -0500 Subject: [PATCH 207/217] Minor doc updates Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 65 +++++++++++++++++++++++++++++++------- 1 file changed, 54 insertions(+), 11 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 4f3bdab5..9d691c74 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1184,7 +1184,7 @@ }, "hash": { "type": "object", - "title": "Hash Objects", + "title": "Hash", "required": [ "alg", "content" @@ -1637,7 +1637,12 @@ "name": { "type": "string", "title": "Name", - "description": "The name of the source. For example 'National Vulnerability Database', 'NVD', and 'Apache'" + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] }, "url": { "type": "string", @@ -2074,6 +2079,7 @@ "additionalProperties": false, "properties": { "identity": { + "title": "Identity Evidence", "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", "oneOf" : [ { @@ -2135,6 +2141,7 @@ }, "callstack": { "type": "object", + "title": "Call Stack", "description": "Evidence of the components use through the callstack.", "additionalProperties": false, "properties": { @@ -2193,12 +2200,12 @@ }, "licenses": { "$ref": "#/definitions/licenseChoice", - "title": "Component License(s)" + "title": "License Evidence" }, "copyright": { "type": "array", "items": {"$ref": "#/definitions/copyright"}, - "title": "Copyright" + "title": "Copyright Evidence" } } }, @@ -3276,8 +3283,10 @@ "additionalProperties": false, "properties": { "format": { - "description": "The data format for input/output to the model. Example formats include string, image, time-series", - "type": "string" + "title": "Input/Output Format", + "description": "The data format for input/output to the model.", + "type": "string", + "examples": [ "string", "image", "time-series"] } } }, @@ -3313,6 +3322,7 @@ } }, "name": { + "title": "Dataset Name", "description": "The name of the dataset.", "type": "string" }, @@ -3348,6 +3358,7 @@ }, "sensitiveData": { "type": "array", + "title": "Sensitive Data", "description": "A description of any sensitive data in a dataset.", "items": { "type": "string" @@ -3355,6 +3366,7 @@ }, "graphics": { "$ref": "#/definitions/graphicsCollection" }, "description": { + "title": "Dataset Description", "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", "type": "string" }, @@ -3418,10 +3430,12 @@ "additionalProperties": false, "properties": { "description": { + "title": "Description", "description": "A description of this collection of graphics.", "type": "string" }, "collection": { + "title": "Collection", "description": "A collection of graphics.", "type": "array", "items": { "$ref": "#/definitions/graphic" } @@ -3430,9 +3444,11 @@ }, "graphic": { "type": "object", + "title": "Graphic", "additionalProperties": false, "properties": { "name": { + "title": "Name", "description": "The name of the graphic.", "type": "string" }, @@ -3445,30 +3461,37 @@ }, "performanceMetric": { "type": "object", + "title": "Performance Metric", "additionalProperties": false, "properties": { "type": { + "title": "Type", "description": "The type of performance metric.", "type": "string" }, "value": { + "title": "Value", "description": "The value of the performance metric.", "type": "string" }, "slice": { + "title": "Slice", "description": "The name of the slice this metric was computed on. By default, assume this metric is not sliced.", "type": "string" }, "confidenceInterval": { + "title": "Confidence Interval", "description": "The confidence interval of the metric.", "type": "object", "additionalProperties": false, "properties": { "lowerBound": { + "title": "Lower Bound", "description": "The lower bound of the confidence interval.", "type": "string" }, "upperBound": { + "title": "Upper Bound", "description": "The upper bound of the confidence interval.", "type": "string" } @@ -3478,13 +3501,16 @@ }, "risk": { "type": "object", + "title": "Risk", "additionalProperties": false, "properties": { "name": { + "title": "Name", "description": "The name of the risk.", "type": "string" }, "mitigationStrategy": { + "title": "Mitigation Strategy", "description": "Strategy used to address this risk.", "type": "string" } @@ -3498,18 +3524,22 @@ "properties": { "groupAtRisk": { "type": "string", + "title": "Group at Risk", "description": "The groups or individuals at risk of being systematically disadvantaged by the model." }, "benefits": { "type": "string", + "title": "Benefits", "description": "Expected benefits to the identified groups." }, "harms": { "type": "string", + "title": "Harms", "description": "Expected harms to the identified groups." }, "mitigationStrategy": { "type": "string", + "title": "Mitigation Strategy", "description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." } } @@ -3751,27 +3781,32 @@ "region": { "type": "string", "title": "Region", - "description": "The region or state in the country. For example, Texas." + "description": "The region or state in the country.", + "examples": [ "Texas" ] }, "locality": { "type": "string", "title": "Locality", - "description": "The locality or city within the country. For example, Austin." + "description": "The locality or city within the country.", + "examples": [ "Austin" ] }, "postOfficeBoxNumber ": { "type": "string", "title": "Post Office Box Number", - "description": "The post office box number. For example, 901." + "description": "The post office box number.", + "examples": [ "901" ] }, "postalCode": { "type": "string", "title": "Postal Code", - "description": "The postal code. For example, 78758." + "description": "The postal code.", + "examples": [ "78758" ] }, "streetAddress": { "type": "string", "title": "Street Address", - "description": "The street address. For example, 100 Main Street." + "description": "The street address.", + "examples": [ "100 Main Street" ] } } }, @@ -4344,6 +4379,7 @@ }, "conditions": { "type": "array", + "title": "Conditions", "uniqueItems": true, "items": { "$ref": "#/definitions/condition" @@ -4730,6 +4766,7 @@ }, "componentIdentityEvidence": { "type": "object", + "title": "Identity Evidence", "description": "Evidence that substantiates the identity of a component.", "required": [ "field" ], "additionalProperties": false, @@ -5493,26 +5530,32 @@ "properties": { "encr": { "$ref": "#/definitions/cryptoRefArray", + "title": "Encryption Algorithm (ENCR)", "description": "Transform Type 1: encryption algorithms" }, "prf": { "$ref": "#/definitions/cryptoRefArray", + "title": "Pseudorandom Function (PRF)", "description": "Transform Type 2: pseudorandom functions" }, "integ": { "$ref": "#/definitions/cryptoRefArray", + "title": "Integrity Algorithm (INTEG)", "description": "Transform Type 3: integrity algorithms" }, "ke": { "$ref": "#/definitions/cryptoRefArray", + "title": "Key Exchange Method (KE)", "description": "Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)" }, "esn": { "type": "boolean", + "title": "Extended Sequence Numbers (ESN)", "description": "Specifies if an Extended Sequence Number (ESN) is used." }, "auth": { "$ref": "#/definitions/cryptoRefArray", + "title": "IKEv2 Authentication method", "description": "IKEv2 Authentication method" } } From c8d57a41ffd1a8f094d558b9a9ee96c931861a3b Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 1 Apr 2024 20:54:36 -0500 Subject: [PATCH 208/217] Minor doc updates - titles, descriptions, etc Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 9d691c74..772e7eed 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -762,7 +762,7 @@ }, "name": { "type": "string", - "title": "Name", + "title": "Organization Name", "description": "The name of the organization", "examples": [ "Example Inc." @@ -770,7 +770,7 @@ }, "address": { "$ref": "#/definitions/postalAddress", - "title": "Address", + "title": "Organization Address", "description": "The physical address (location) of the organization" }, "url": { @@ -779,13 +779,13 @@ "type": "string", "format": "iri-reference" }, - "title": "URL", + "title": "Organization URL(s)", "description": "The URL of the organization. Multiple URLs are allowed.", "examples": ["https://example.com"] }, "contact": { "type": "array", - "title": "Contact", + "title": "Organizational Contact", "description": "A contact at the organization. Multiple contacts are allowed.", "items": {"$ref": "#/definitions/organizationalContact"} } @@ -950,6 +950,7 @@ "hashes": { "type": "array", "title": "Component Hashes", + "description": "The hashes of the component.", "items": {"$ref": "#/definitions/hash"} }, "licenses": { @@ -1201,6 +1202,8 @@ }, "hash-alg": { "type": "string", + "title": "Hash Algorithm", + "description": "The algorithm that generated the hash value.", "enum": [ "MD5", "SHA-1", @@ -1214,12 +1217,12 @@ "BLAKE2b-384", "BLAKE2b-512", "BLAKE3" - ], - "title": "Hash Algorithm" + ] }, "hash-content": { "type": "string", "title": "Hash Value", + "description": "The value of the hash.", "examples": ["3942447fac867ae5cdb3229b658f4d48"], "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" }, From 176f1e4b5b97db30a6617d71f0d5c95ce38ad5b9 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 1 Apr 2024 21:43:21 -0500 Subject: [PATCH 209/217] Minor doc updates Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 772e7eed..62ea9310 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2150,7 +2150,8 @@ "properties": { "frames": { "type": "array", - "title": "Methods", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", "items": { "type": "object", "required": [ @@ -2208,7 +2209,8 @@ "copyright": { "type": "array", "items": {"$ref": "#/definitions/copyright"}, - "title": "Copyright Evidence" + "title": "Copyright Evidence", + "description": "An array of copyright statements." } } }, From 494661a37e8e3c5d45c32564e9167fc2ea16c0bb Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Tue, 2 Apr 2024 19:52:21 -0500 Subject: [PATCH 210/217] Correct property that included space Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 62ea9310..ad8db3f0 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -2210,7 +2210,7 @@ "type": "array", "items": {"$ref": "#/definitions/copyright"}, "title": "Copyright Evidence", - "description": "An array of copyright statements." + "description": "Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection." } } }, @@ -3384,6 +3384,7 @@ "dataGovernance": { "type": "object", "title": "Data Governance", + "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", "additionalProperties": false, "properties": { "custodians": { @@ -3795,7 +3796,7 @@ "description": "The locality or city within the country.", "examples": [ "Austin" ] }, - "postOfficeBoxNumber ": { + "postOfficeBoxNumber": { "type": "string", "title": "Post Office Box Number", "description": "The post office box number.", From f34a8320f33f9a653cb0f13e31e8561a0ede03f7 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 3 Apr 2024 10:57:38 -0500 Subject: [PATCH 211/217] Clarification of descriptions Signed-off-by: Steve Springett --- schema/bom-1.6.schema.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index ad8db3f0..e5fafe3c 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -966,19 +966,19 @@ "cpe": { "type": "string", "title": "Common Platform Enumeration (CPE)", - "description": "Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe)", + "description": "Asserts the identity of the component using CPE. The CPE must conform to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] }, "purl": { "type": "string", "title": "Package URL (purl)", - "description": "Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec)", + "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, MUST be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] }, "omniborId": { "type": "array", "title": "OmniBOR Artifact Identifier (gitoid)", - "description": "Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid)", + "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", "items": { "type": "string" }, "examples": [ "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", @@ -988,14 +988,14 @@ "swhid": { "type": "array", "title": "SoftWare Heritage Identifier", - "description": "Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html)", + "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, MUST be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", "items": { "type": "string" }, "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"] }, "swid": { "$ref": "#/definitions/swid", "title": "SWID Tag", - "description": "Specifies metadata and content for [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html)." + "description": "Asserts the identity of the component using [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity." }, "modified": { "type": "boolean", From 2bb8bae596044654ce703c1d4c630f8daac5c2e8 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Apr 2024 21:37:20 -0400 Subject: [PATCH 212/217] Correcting optional state for crypto assetType Signed-off-by: Steve Springett --- schema/bom-1.6.proto | 2 +- schema/bom-1.6.schema.json | 3 +++ schema/bom-1.6.xsd | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto index 0fab23b1..573b4435 100644 --- a/schema/bom-1.6.proto +++ b/schema/bom-1.6.proto @@ -2188,7 +2188,7 @@ message CryptoProperties { optional Ikev2TransformTypes ikev2TransformTypes = 4; } // end of ProtocolProperties // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled. - optional CryptoAssetType assetType = 1; + CryptoAssetType assetType = 1; // Additional properties specific to a cryptographic algorithm. optional AlgorithmProperties algorithmProperties = 2; // Properties for cryptographic assets of asset type 'certificate' diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index e5fafe3c..fac711fb 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -5020,6 +5020,9 @@ "title": "Cryptographic Properties", "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", "additionalProperties": false, + "required": [ + "assetType" + ], "properties": { "assetType": { "type": "string", diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index c388813b..793ecdc1 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -6176,7 +6176,7 @@ limitations under the License. - + Cryptographic assets occur in several forms. Algorithms and protocols are most commonly From f5d959b91a4def6832a9f93bd012ac5054af0c7f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Apr 2024 21:40:19 -0400 Subject: [PATCH 213/217] Explicit string type correction Signed-off-by: Steve Springett --- schema/bom-1.6.xsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 793ecdc1..f2685c70 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -7177,7 +7177,7 @@ limitations under the License. - + The version of the protocol. Examples include 1.0, 1.2, and 1.99. From d278e706772a63e8e68894036a6ecacd14ec09de Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 5 Apr 2024 21:45:15 -0400 Subject: [PATCH 214/217] Corrected maxOccurs with esn Signed-off-by: Steve Springett --- schema/bom-1.6.xsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index f2685c70..51190564 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -7281,7 +7281,7 @@ limitations under the License. - + Specifies if an Extended Sequence Number (ESN) is used. From 6c88ab9e01f44649f404f2bcd49aa95a09ac15d6 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Sat, 6 Apr 2024 21:54:18 +0100 Subject: [PATCH 215/217] Updated dependency attribute docs Signed-off-by: Prabhu Subramanian --- schema/bom-1.6.schema.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index fac711fb..d52d4631 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -72,7 +72,7 @@ "items": {"$ref": "#/definitions/dependency"}, "uniqueItems": true, "title": "Dependencies", - "description": "Provides the ability to document dependency relationships." + "description": "Provides the ability to document dependency relationships including provided & implemented components." }, "compositions": { "type": "array", @@ -1828,7 +1828,7 @@ "dependency": { "type": "object", "title": "Dependency", - "description": "Defines the direct dependencies of a component or service. Components or services that do not have their own dependencies MUST be declared as empty elements within the graph. Components or services that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies MUST be declared as empty elements within the graph. Components or services that are not represented in the dependency graph MAY have unknown dependencies. It is RECOMMENDED that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.", "required": [ "ref" ], From b3ea018a65ab361718dea825e2fc9a14f205e342 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 8 Apr 2024 21:09:13 -0500 Subject: [PATCH 216/217] Updates to online docs Signed-off-by: Steve Springett --- docgen/json/templates/cyclonedx/base.html | 10 ++++++---- docgen/xml/xs3p.xsl | 4 +++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docgen/json/templates/cyclonedx/base.html b/docgen/json/templates/cyclonedx/base.html index d047ca7b..6f89d18b 100644 --- a/docgen/json/templates/cyclonedx/base.html +++ b/docgen/json/templates/cyclonedx/base.html @@ -18,12 +18,12 @@ - + - - - + + + @@ -40,11 +40,13 @@ v${version} (JSON)