CycloneDX · madpah · Apr 9, 2024 · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024
@@ -48,6 +48,7 @@
     SchemaVersion1Dot3,
     SchemaVersion1Dot4,
     SchemaVersion1Dot5,
+    SchemaVersion1Dot6,
 )
 
 
@@ -508,10 +509,12 @@ class ExternalReferenceType(str, Enum):
     CODIFIED_INFRASTRUCTURE = 'codified-infrastructure'  # Only supported in >= 1.5
     COMPONENT_ANALYSIS_REPORT = 'component-analysis-report'  # Only supported in >= 1.5
     CONFIGURATION = 'configuration'  # Only supported in >= 1.5
+    DIGITAL_SIGNATURE = 'digital-signature'  # Only supported in >= 1.6
     DISTRIBUTION = 'distribution'
     DISTRIBUTION_INTAKE = 'distribution-intake'  # Only supported in >= 1.5
     DOCUMENTATION = 'documentation'
     DYNAMIC_ANALYSIS_REPORT = 'dynamic-analysis-report'  # Only supported in >= 1.5
+    ELECTRONIC_SIGNATURE = 'electronic-signature'  # Only supported in >= 1.6
     EVIDENCE = 'evidence'  # Only supported in >= 1.5
     EXPLOITABILITY_STATEMENT = 'exploitability-statement'  # Only supported in >= 1.5
     FORMULATION = 'formulation'  # Only supported in >= 1.5
@@ -525,11 +528,13 @@ class ExternalReferenceType(str, Enum):
     POAM = 'poam'  # Only supported in >= 1.5
     QUALITY_METRICS = 'quality-metrics'  # Only supported in >= 1.5
     RELEASE_NOTES = 'release-notes'  # Only supported in >= 1.4
+    RFC_9166 = 'rfc-9116'  # Only supported in >= 1.6
     RISK_ASSESSMENT = 'risk-assessment'  # Only supported in >= 1.5
     RUNTIME_ANALYSIS_REPORT = 'runtime-analysis-report'  # Only supported in >= 1.5
     SECURITY_CONTACT = 'security-contact'  # Only supported in >= 1.5
     STATIC_ANALYSIS_REPORT = 'static-analysis-report'  # Only supported in >= 1.5
     SOCIAL = 'social'
+    SOURCE_DISTRIBUTION = 'source-distribution'  # Only supported in >= 1.6
     SCM = 'vcs'
     SUPPORT = 'support'
     THREAT_MODEL = 'threat-model'  # Only supported in >= 1.5
@@ -591,6 +596,12 @@ class _ExternalReferenceSerializationHelper(serializable.helpers.BaseHelper):
         ExternalReferenceType.CODIFIED_INFRASTRUCTURE,
         ExternalReferenceType.POAM,
     }
+    __CASES[SchemaVersion1Dot6] = __CASES[SchemaVersion1Dot5] | {
+        ExternalReferenceType.SOURCE_DISTRIBUTION,
+        ExternalReferenceType.ELECTRONIC_SIGNATURE,
+        ExternalReferenceType.DIGITAL_SIGNATURE,
+        ExternalReferenceType.RFC_9166,
+    }
 
     @classmethod
     def __normalize(cls, extref: ExternalReferenceType, view: Type[serializable.ViewType]) -> str:

@@ -59,20 +59,28 @@ class BomMetaData:
 
     def __init__(self, *, tools: Optional[Iterable[Tool]] = None,
                  authors: Optional[Iterable[OrganizationalContact]] = None, component: Optional[Component] = None,
-                 manufacture: Optional[OrganizationalEntity] = None,
                  supplier: Optional[OrganizationalEntity] = None,
                  licenses: Optional[Iterable[License]] = None,
                  properties: Optional[Iterable[Property]] = None,
-                 timestamp: Optional[datetime] = None) -> None:
+                 timestamp: Optional[datetime] = None,
+                 # Deprecated as of v1.6
+                 manufacture: Optional[OrganizationalEntity] = None) -> None:
         self.timestamp = timestamp or _get_now_utc()
         self.tools = tools or []  # type:ignore[assignment]
         self.authors = authors or []  # type:ignore[assignment]
         self.component = component
-        self.manufacture = manufacture
         self.supplier = supplier
         self.licenses = licenses or []  # type:ignore[assignment]
         self.properties = properties or []  # type:ignore[assignment]
 
+        self.manufacture = manufacture
+        if manufacture:
+            warn(
+                "`bom.metadata.manufacture` is deprecated from CycloneDX v1.6 onwards. "
+                "Please use `bom.metadata.component.manufacturer` instead.",
+                DeprecationWarning)
+
+
         if not tools:
             self.tools.add(ThisTool)
 

@@ -36,6 +36,7 @@
     SchemaVersion1Dot3,
     SchemaVersion1Dot4,
     SchemaVersion1Dot5,
+    SchemaVersion1Dot6,
 )
 from ..serialization import BomRefHelper, LicenseRepositoryHelper, PackageUrl
 from . import (
@@ -341,6 +342,7 @@ class ComponentType(str, Enum):
     # see `_ComponentTypeSerializationHelper.__CASES` for view/case map
     APPLICATION = 'application'
     CONTAINER = 'container'  # Only supported in >= 1.2
+    CRYPTOGRAPHIC_ASSET = 'cryptographic-asset'  # Only supported in >= 1.6
     DATA = 'data'  # Only supported in >= 1.5
     DEVICE = 'device'
     DEVICE_DRIVER = 'device-driver'  # Only supported in >= 1.5
@@ -379,6 +381,9 @@ class _ComponentTypeSerializationHelper(serializable.helpers.BaseHelper):
         ComponentType.MACHINE_LEARNING_MODEL,
         ComponentType.PLATFORM,
     }
+    __CASES[SchemaVersion1Dot6] = __CASES[SchemaVersion1Dot5] | {
+        ComponentType.CRYPTOGRAPHIC_ASSET,
+    }
 
     @classmethod
     def __normalize(cls, ct: ComponentType, view: Type[serializable.ViewType]) -> Optional[str]:

@@ -30,6 +30,7 @@
     SchemaVersion1Dot3,
     SchemaVersion1Dot4,
     SchemaVersion1Dot5,
+    SchemaVersion1Dot6,
 )
 from . import BaseOutput, BomRefDiscriminator
 
@@ -124,7 +125,14 @@ def _get_schema_uri(self) -> str:
         return 'http://cyclonedx.org/schema/bom-1.5.schema.json'
 
 
+class JsonV1Dot6(Json, SchemaVersion1Dot6):
+
+    def _get_schema_uri(self) -> str:
+        return 'http://cyclonedx.org/schema/bom-1.6.schema.json'
+
+
 BY_SCHEMA_VERSION: Dict[SchemaVersion, Type[Json]] = {
+    SchemaVersion.V1_6: JsonV1Dot6,
     SchemaVersion.V1_5: JsonV1Dot5,
     SchemaVersion.V1_4: JsonV1Dot4,
     SchemaVersion.V1_3: JsonV1Dot3,

@@ -30,6 +30,7 @@
     SchemaVersion1Dot3,
     SchemaVersion1Dot4,
     SchemaVersion1Dot5,
+    SchemaVersion1Dot6,
 )
 from . import BaseOutput, BomRefDiscriminator
 
@@ -119,7 +120,12 @@ class XmlV1Dot5(Xml, SchemaVersion1Dot5):
     pass
 
 
+class XmlV1Dot6(Xml, SchemaVersion1Dot6):
+    pass
+
+
 BY_SCHEMA_VERSION: Dict[SchemaVersion, Type[Xml]] = {
+    SchemaVersion.V1_6: XmlV1Dot6,
     SchemaVersion.V1_5: XmlV1Dot5,
     SchemaVersion.V1_4: XmlV1Dot4,
     SchemaVersion.V1_3: XmlV1Dot3,

@@ -49,6 +49,7 @@
 }
 
 BOM_JSON_STRICT: Dict[SchemaVersion, Optional[str]] = {
+    SchemaVersion.V1_6: BOM_JSON[SchemaVersion.V1_6],
     # >= v1.4 is already strict - no special file here
     SchemaVersion.V1_5: BOM_JSON[SchemaVersion.V1_5],
     SchemaVersion.V1_4: BOM_JSON[SchemaVersion.V1_4],

@@ -24,7 +24,7 @@ limitations under the License.
            vc:maxVersion="1.1"
            version="1.6.0">
 
-    <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="http://cyclonedx.org/schema/spdx"/>
+    <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.SNAPSHOT.xsd"/>
 
     <xs:annotation>
         <xs:documentation>

@@ -0,0 +1,20 @@
+{
+  "components": [
+    {
+      "name": "dummy-EXCLUDED",
+      "type": "library"
+    },
+    {
+      "name": "dummy-OPTIONAL",
+      "type": "library"
+    },
+    {
+      "name": "dummy-REQUIRED",
+      "type": "library"
+    }
+  ],
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6"
+}
@@ -0,0 +1,14 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
+  <components>
+    <component type="library">
+      <name>dummy-EXCLUDED</name>
+    </component>
+    <component type="library">
+      <name>dummy-OPTIONAL</name>
+    </component>
+    <component type="library">
+      <name>dummy-REQUIRED</name>
+    </component>
+  </components>
+</bom>
@@ -0,0 +1,60 @@
+{
+  "components": [
+    {
+      "name": "dummy APPLICATION",
+      "type": "application"
+    },
+    {
+      "name": "dummy CONTAINER",
+      "type": "container"
+    },
+    {
+      "name": "dummy CRYPTOGRAPHIC_ASSET",
+      "type": "cryptographic-asset"
+    },
+    {
+      "name": "dummy DATA",
+      "type": "data"
+    },
+    {
+      "name": "dummy DEVICE",
+      "type": "device"
+    },
+    {
+      "name": "dummy DEVICE_DRIVER",
+      "type": "device-driver"
+    },
+    {
+      "name": "dummy FILE",
+      "type": "file"
+    },
+    {
+      "name": "dummy FIRMWARE",
+      "type": "firmware"
+    },
+    {
+      "name": "dummy FRAMEWORK",
+      "type": "framework"
+    },
+    {
+      "name": "dummy LIBRARY",
+      "type": "library"
+    },
+    {
+      "name": "dummy MACHINE_LEARNING_MODEL",
+      "type": "machine-learning-model"
+    },
+    {
+      "name": "dummy OPERATING_SYSTEM",
+      "type": "operating-system"
+    },
+    {
+      "name": "dummy PLATFORM",
+      "type": "platform"
+    }
+  ],
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6"
+}
@@ -0,0 +1,44 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
+  <components>
+    <component type="application">
+      <name>dummy APPLICATION</name>
+    </component>
+    <component type="container">
+      <name>dummy CONTAINER</name>
+    </component>
+    <component type="cryptographic-asset">
+      <name>dummy CRYPTOGRAPHIC_ASSET</name>
+    </component>
+    <component type="data">
+      <name>dummy DATA</name>
+    </component>
+    <component type="device">
+      <name>dummy DEVICE</name>
+    </component>
+    <component type="device-driver">
+      <name>dummy DEVICE_DRIVER</name>
+    </component>
+    <component type="file">
+      <name>dummy FILE</name>
+    </component>
+    <component type="firmware">
+      <name>dummy FIRMWARE</name>
+    </component>
+    <component type="framework">
+      <name>dummy FRAMEWORK</name>
+    </component>
+    <component type="library">
+      <name>dummy LIBRARY</name>
+    </component>
+    <component type="machine-learning-model">
+      <name>dummy MACHINE_LEARNING_MODEL</name>
+    </component>
+    <component type="operating-system">
+      <name>dummy OPERATING_SYSTEM</name>
+    </component>
+    <component type="platform">
+      <name>dummy PLATFORM</name>
+    </component>
+  </components>
+</bom>
@@ -0,0 +1,6 @@
+{
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6"
+}
@@ -0,0 +1,2 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1"/>
@@ -0,0 +1,12 @@
+{
+  "components": [
+    {
+      "name": "dummy",
+      "type": "library"
+    }
+  ],
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6"
+}
@@ -0,0 +1,8 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
+  <components>
+    <component type="library">
+      <name>dummy</name>
+    </component>
+  </components>
+</bom>
@@ -38,6 +38,9 @@
         <reference type="other">
           <url>tests/CONFIGURATION</url>
         </reference>
+        <reference type="other">
+          <url>tests/DIGITAL_SIGNATURE</url>
+        </reference>
         <reference type="distribution">
           <url>tests/DISTRIBUTION</url>
         </reference>
@@ -50,6 +53,9 @@
         <reference type="other">
           <url>tests/DYNAMIC_ANALYSIS_REPORT</url>
         </reference>
+        <reference type="other">
+          <url>tests/ELECTRONIC_SIGNATURE</url>
+        </reference>
         <reference type="other">
           <url>tests/EVIDENCE</url>
         </reference>
@@ -92,6 +98,9 @@
         <reference type="other">
           <url>tests/RELEASE_NOTES</url>
         </reference>
+        <reference type="other">
+          <url>tests/RFC_9166</url>
+        </reference>
         <reference type="other">
           <url>tests/RISK_ASSESSMENT</url>
         </reference>
@@ -104,6 +113,9 @@
         <reference type="social">
           <url>tests/SOCIAL</url>
         </reference>
+        <reference type="other">
+          <url>tests/SOURCE_DISTRIBUTION</url>
+        </reference>
         <reference type="other">
           <url>tests/STATIC_ANALYSIS_REPORT</url>
         </reference>