|
73 | 73 | "items": {
|
74 | 74 | "type": "string",
|
75 | 75 | "enum": [
|
76 |
| - "SBOM", |
77 |
| - "SAASBOM", |
78 |
| - "CBOM", |
79 | 76 | "AI/ML-BOM",
|
| 77 | + "CBOM", |
| 78 | + "CDXA", |
80 | 79 | "HBOM",
|
81 | 80 | "MBOM",
|
82 | 81 | "OBOM",
|
83 |
| - "CDXA", |
84 | 82 | "RELEASE_NOTES",
|
| 83 | + "SAASBOM", |
| 84 | + "SBOM", |
85 | 85 | "VDR/VEX"
|
86 | 86 | ],
|
87 | 87 | "meta:enum": {
|
88 |
| - "SBOM": "Software Bill of Materials", |
89 |
| - "SAASBOM": "Software as-a Service Bill of Materials", |
90 |
| - "CBOM": "Cryptography Bill of Materials", |
91 | 88 | "AI/ML-BOM": "AI/ML Bill of Materials",
|
| 89 | + "CBOM": "Cryptography Bill of Materials", |
| 90 | + "CDXA": "CycloneDX Attestations", |
92 | 91 | "HBOM": "Hardware Bill of Materials",
|
93 | 92 | "MBOM": "Manufacturing Bill of Materials (Formulation)",
|
94 | 93 | "OBOM": "Operations Bill of Materials",
|
95 |
| - "CDXA": "CycloneDX Attestations", |
96 | 94 | "RELEASE_NOTES": "Standardized Release Notes Format",
|
| 95 | + "SAASBOM": "Software as-a Service Bill of Materials", |
| 96 | + "SBOM": "Software Bill of Materials", |
97 | 97 | "VDR/VEX": "Vulnerability Disclosure Report and Vulnerability eXploitability Exchange"
|
98 | 98 | }
|
99 | 99 | },
|
|
104 | 104 | "items": {
|
105 | 105 | "type": "string",
|
106 | 106 | "enum": [
|
107 |
| - "OPEN_SOURCE", |
108 |
| - "FREEMIUM", |
109 |
| - "SUBSCRIPTION", |
110 | 107 | "COMMERCIAL_LICENSE",
|
111 |
| - "OSI_APPROVED" |
| 108 | + "FREEMIUM", |
| 109 | + "OPEN_SOURCE", |
| 110 | + "OSI_APPROVED", |
| 111 | + "SUBSCRIPTION" |
112 | 112 | ],
|
113 | 113 | "meta:enum": {
|
114 |
| - "OPEN_SOURCE": "Freely available under an open-source license.", |
115 |
| - "FREEMIUM": "Core features are free to use, with optional paid features or upgrades.", |
116 |
| - "SUBSCRIPTION": "Access is provided through a recurring payment model, such as monthly or annually.", |
117 | 114 | "COMMERCIAL_LICENSE": "Requires a proprietary or paid license; not open source and typically restricts redistribution or modification.",
|
118 |
| - "OSI_APPROVED": "The tool is licensed under an OSI-approved open-source license." |
| 115 | + "FREEMIUM": "Core features are free to use, with optional paid features or upgrades.", |
| 116 | + "OPEN_SOURCE": "Freely available under an open-source license.", |
| 117 | + "OSI_APPROVED": "The tool is licensed under an OSI-approved open-source license.", |
| 118 | + "SUBSCRIPTION": "Access is provided through a recurring payment model, such as monthly or annually." |
119 | 119 | }
|
120 | 120 | },
|
121 | 121 | "description": "Indicates the availability or license model."
|
|
129 | 129 | "AUTHOR",
|
130 | 130 | "DISTRIBUTE",
|
131 | 131 | "PACKAGE_MANAGER_INTEGRATION",
|
132 |
| - "TRANSFORM", |
133 |
| - "SIGNING/NOTARY" |
| 132 | + "SIGNING/NOTARY", |
| 133 | + "TRANSFORM" |
134 | 134 | ],
|
135 | 135 | "meta:enum": {
|
136 | 136 | "ANALYSIS": "Tools that can analyze CycloneDX BOMs.",
|
137 | 137 | "AUTHOR": "Tools that human authors can use to create CycloneDX BOMs.",
|
138 | 138 | "DISTRIBUTE": "Tools used to capture and distribute CycloneDX BOMs.",
|
139 | 139 | "PACKAGE_MANAGER_INTEGRATION": "Tools that integrate with build systems and package managers.",
|
140 |
| - "TRANSFORM": "Tools that transform CycloneDX into other formats or transform other formats into CycloneDX.", |
141 |
| - "SIGNING/NOTARY": "Tools used to sign or notarize software and CycloneDX BOMs." |
| 140 | + "SIGNING/NOTARY": "Tools used to sign or notarize software and CycloneDX BOMs.", |
| 141 | + "TRANSFORM": "Tools that transform CycloneDX into other formats or transform other formats into CycloneDX." |
142 | 142 | }
|
143 | 143 | },
|
144 | 144 | "description": "Describes what the tool does."
|
|
148 | 148 | "items": {
|
149 | 149 | "type": "string",
|
150 | 150 | "enum": [
|
151 |
| - "SECURITY_VULNERABILITIES", |
| 151 | + "LICENSE_REPORTING", |
| 152 | + "OUTDATED_COMPONENTS", |
152 | 153 | "POLICY_EVALUATION",
|
153 | 154 | "RESOURCE_REPORTING",
|
154 |
| - "LICENSE_REPORTING", |
155 |
| - "OUTDATED_COMPONENTS" |
| 155 | + "SECURITY_VULNERABILITIES" |
156 | 156 | ],
|
157 | 157 | "meta:enum": {
|
158 |
| - "SECURITY_VULNERABILITIES": "Performs security vulnerability analysis based on the contents of a BOM. For SBOMs, this typically involves identifying known vulnerabilities in software components (e.g., via CVEs). For SaaSBOMs or other service-inclusive BOMs, the analysis may expand to include service exposure, data handling practices, or configuration weaknesses.", |
| 158 | + "LICENSE_REPORTING": "Extracts and reports license data associated with BOM components to support legal compliance, attribution, and license compatibility analysis. May vary depending on whether components are libraries, containers, or services.", |
| 159 | + "OUTDATED_COMPONENTS": "Identifies components or services in the BOM that are outdated, deprecated, or no longer supported. This may include checking for newer versions of libraries, services, or platforms.", |
159 | 160 | "POLICY_EVALUATION": "Evaluates BOM contents against defined policies, such as allowed licenses, approved component lists, or internal security/compliance rules. Policies may differ based on BOM type (e.g., stricter rules for embedded systems vs. cloud services).",
|
160 | 161 | "RESOURCE_REPORTING": "Analyzes and reports on the resource characteristics of components or services defined in the BOM, such as CPU usage, storage, memory footprint, or cloud infrastructure details.",
|
161 |
| - "LICENSE_REPORTING": "Extracts and reports license data associated with BOM components to support legal compliance, attribution, and license compatibility analysis. May vary depending on whether components are libraries, containers, or services.", |
162 |
| - "OUTDATED_COMPONENTS": "Identifies components or services in the BOM that are outdated, deprecated, or no longer supported. This may include checking for newer versions of libraries, services, or platforms." |
| 162 | + "SECURITY_VULNERABILITIES": "Performs security vulnerability analysis based on the contents of a BOM. For SBOMs, this typically involves identifying known vulnerabilities in software components (e.g., via CVEs). For SaaSBOMs or other service-inclusive BOMs, the analysis may expand to include service exposure, data handling practices, or configuration weaknesses." |
163 | 163 | }
|
164 | 164 | },
|
165 | 165 | "description": "Specifies the types of analysis the tool support.s"
|
|
169 | 169 | "items": {
|
170 | 170 | "type": "string",
|
171 | 171 | "enum": [
|
172 |
| - "BOM_STANDARD", |
173 | 172 | "BOM_SERIALIZATION_FORMAT",
|
| 173 | + "BOM_STANDARD", |
174 | 174 | "BOM_VERSION"
|
175 | 175 | ],
|
176 | 176 | "meta:enum": {
|
177 |
| - "BOM_STANDARD": "Supports conversion between different BOM standards (e.g., CycloneDX, SPDX).", |
178 | 177 | "BOM_SERIALIZATION_FORMAT": "Transforms the BOM between supported serialization formats such as XML and JSON.",
|
| 178 | + "BOM_STANDARD": "Supports conversion between different BOM standards (e.g., CycloneDX, SPDX).", |
179 | 179 | "BOM_VERSION": "Upgrades or downgrades a BOM to a different version of the same standard."
|
180 | 180 | }
|
181 | 181 | },
|
|
219 | 219 | "enum": [
|
220 | 220 | "C/C++",
|
221 | 221 | "C#",
|
| 222 | + ".NET", |
| 223 | + "ERLANG_ELIXIR", |
| 224 | + "FORTRAN", |
222 | 225 | "GO",
|
| 226 | + "GROOVY", |
223 | 227 | "JAVA",
|
224 | 228 | "JAVASCRIPT_TYPESCRIPT",
|
| 229 | + "KOTLIN", |
225 | 230 | "NODE.JS",
|
| 231 | + "OCAML", |
226 | 232 | "PERL",
|
227 | 233 | "PHP",
|
228 | 234 | "PYTHON",
|
229 | 235 | "RUBY",
|
230 | 236 | "RUST",
|
231 |
| - "SWIFT", |
232 |
| - "SHELL", |
233 | 237 | "SCALA",
|
234 |
| - "ERLANG_ELIXIR", |
235 |
| - ".NET", |
236 |
| - "KOTLIN", |
237 |
| - "GROOVY", |
238 |
| - "FORTRAN", |
239 |
| - "OCAML" |
| 238 | + "SHELL", |
| 239 | + "SWIFT" |
240 | 240 | ],
|
241 | 241 | "description": "Languages or ecosystems in which the tool is implemented or provides libraries."
|
242 | 242 | }
|
|
283 | 283 | "items": {
|
284 | 284 | "type": "string",
|
285 | 285 | "enum": [
|
286 |
| - "CYCLONEDX", |
287 |
| - "PACKAGE_URL", |
288 | 286 | "CPE",
|
| 287 | + "CYCLONEDX", |
289 | 288 | "OMNIBOR",
|
290 |
| - "SWID", |
| 289 | + "PACKAGE_URL", |
| 290 | + "SLSA", |
291 | 291 | "SPDX",
|
292 |
| - "VDR/VEX", |
293 |
| - "SLSA" |
| 292 | + "SWID", |
| 293 | + "VDR/VEX" |
294 | 294 | ],
|
295 | 295 | "meta:enum": {
|
296 |
| - "CYCLONEDX": "CycloneDX – A Bill of Materials (BOM) standard and transparency expression language.", |
297 |
| - "PACKAGE_URL": "Package-URL (PURL) – A standard format for identifying and locating software packages across ecosystems.", |
298 | 296 | "CPE": "Common Platform Enumeration (CPE) – A naming scheme for classifying operating systems, applications, and hardware.",
|
| 297 | + "CYCLONEDX": "CycloneDX – A Bill of Materials (BOM) standard and transparency expression language.", |
299 | 298 | "OMNIBOR": "OmniBOR – A standard for embedding object references to improve traceability and attribution in software artifacts.",
|
300 |
| - "SWID": "Software Identification (SWID) – An XML-based tag format for uniquely identifying software products and their versions.", |
| 299 | + "PACKAGE_URL": "Package-URL (PURL) – A standard format for identifying and locating software packages across ecosystems.", |
| 300 | + "SLSA": "Supply chain Levels for Software Artifacts (SLSA) – A framework for securing software supply chains.", |
301 | 301 | "SPDX": "Software Package Data Exchange (SPDX) – A standard format for communicating software bill of materials (SBOM) information.",
|
| 302 | + "SWID": "Software Identification (SWID) – An XML-based tag format for uniquely identifying software products and their versions.", |
302 | 303 | "VDR/VEX": "Vulnerability Disclosure Report (VDR) and Vulnerability eXploitability eXchange (VEX) – Standards for communicating vulnerability information and exploitability status.",
|
303 |
| - "SLSA": "Supply chain Levels for Software Artifacts (SLSA) – A framework for securing software supply chains." |
304 |
| - |
305 | 304 | }
|
306 | 305 | },
|
307 | 306 | "description": "Software supply chain standards that the tool supports."
|
|
333 | 332 | "type": "string",
|
334 | 333 | "enum": [
|
335 | 334 | "C/C++",
|
| 335 | + ".NET", |
| 336 | + "ERLANG_ELIXIR", |
| 337 | + "FORTRAN", |
336 | 338 | "GO",
|
| 339 | + "GROOVY", |
337 | 340 | "JAVA",
|
338 | 341 | "JAVASCRIPT/TYPESCRIPT",
|
339 |
| - ".NET", |
| 342 | + "KOTLIN", |
| 343 | + "NIM", |
340 | 344 | "NODE.JS",
|
341 | 345 | "PERL",
|
342 | 346 | "PHP",
|
343 | 347 | "PYTHON",
|
344 | 348 | "RUBY",
|
345 | 349 | "RUST",
|
346 |
| - "SWIFT", |
347 |
| - "ERLANG_ELIXIR", |
348 | 350 | "SCALA",
|
349 |
| - "KOTLIN", |
350 |
| - "GROOVY", |
351 |
| - "FORTRAN", |
352 |
| - "NIM" |
| 351 | + "SWIFT" |
353 | 352 | ],
|
354 | 353 | "description": "Indicates the programming languages or ecosystems of the artifacts that the tool can analyse, scan, or generate metadata for — not the language the tool itself is written in."
|
355 | 354 | }
|
|