From 9c14ee606b5537e8f12f6925a8fca5475a331012 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sun, 20 Jul 2025 17:00:28 +0200 Subject: [PATCH 01/76] feat: use only nonGPL dependencies (#854) change optional dependency from `jsonschemap[format]>=4.18,<5` to `jsonschemap[format-nongpl]>=4.25,<5` - requires https://github.com/python-jsonschema/jsonschema/releases/tag/v4.25.0 - fixes #743 considered a non-breaking change, since all functionality and capabilities stay the same. Signed-off-by: Jan Kowalleck --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 4ef28e07c..d9505a66f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -72,7 +72,7 @@ packageurl-python = ">=0.11, <2" py-serializable = "^2.0.0" sortedcontainers = "^2.4.0" license-expression = "^30" -jsonschema = { version = "^4.18", extras=['format'], optional=true } +jsonschema = { version = "^4.25", extras=['format-nongpl'], optional=true } referencing = { version = ">=0.28.4", optional=true } # in sync with the transitive dependency of `jsonschema` lxml = { version=">=4,<7", optional=true } typing_extensions = { version="^4.6", python = "<3.13"} # for `@deprecated` - which was added in v4.5 but this version appesrs to be broken... From 2cfb3d6a6b39984cd33303b23fbe1a7aefe6730a Mon Sep 17 00:00:00 2001 From: semantic-release Date: Sun, 20 Jul 2025 15:47:29 +0000 Subject: [PATCH 02/76] chore(release): 10.5.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 8 ++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2da4dee35..e3e144de5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,14 @@ +## v10.5.0 (2025-07-20) + +### Features + +- Use only nonGPL dependencies ([#854](https://github.com/CycloneDX/cyclonedx-python-lib/pull/854), + [`9c14ee6`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/9c14ee606b5537e8f12f6925a8fca5475a331012)) + + ## v10.4.1 (2025-07-08) ### Bug Fixes diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index 5ab627b27..328e7324a 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "10.4.1" # noqa:Q000 +__version__ = "10.5.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index ab6f2a15d..45ec8f6f7 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '10.4.1' +release = '10.5.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index d9505a66f..33fe0bde1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "10.4.1" +version = "10.5.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From 4842828031771cf62b1e17abe0123a1d4c137bd1 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 21 Jul 2025 12:35:35 +0200 Subject: [PATCH 03/76] feat!: ignore unknown properties when deserializing (#853) when deserializing JSON: ignore unknown/unsupported properties when deserializing XML: ignore unknown/unsupported attributes and elements this is considered a **BREAKING Change**, as the old behavior was to throw an error when deserializing unknown/unsupported features - which no longer happens, instead, unknown/unsupported features are simply ignored. ----- - fixes #850 ----- --------- Signed-off-by: Jan Kowalleck --- cyclonedx/model/__init__.py | 14 ++++----- cyclonedx/model/bom.py | 4 +-- cyclonedx/model/bom_ref.py | 2 +- cyclonedx/model/component.py | 16 +++++----- cyclonedx/model/component_evidence.py | 12 ++++---- cyclonedx/model/contact.py | 6 ++-- cyclonedx/model/crypto.py | 16 +++++----- cyclonedx/model/definition.py | 13 ++++---- cyclonedx/model/dependency.py | 2 +- cyclonedx/model/issue.py | 4 +-- cyclonedx/model/license.py | 10 +++++-- cyclonedx/model/lifecycle.py | 4 +-- cyclonedx/model/release_note.py | 2 +- cyclonedx/model/service.py | 2 +- cyclonedx/model/tool.py | 2 +- cyclonedx/model/vulnerability.py | 18 +++++------ pyproject.toml | 2 +- .../_data/own/xml/1.6/regression_issue850.xml | 30 +++++++++++++++++++ tests/test_real_world_examples.py | 5 ++++ 19 files changed, 104 insertions(+), 60 deletions(-) create mode 100644 tests/_data/own/xml/1.6/regression_issue850.xml diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 19e2de369..ba3a79a33 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -676,7 +676,7 @@ def deserialize(cls, o: Any) -> ExternalReferenceType: return ExternalReferenceType(o) -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class XsUri(serializable.helpers.BaseHelper): """ Helper class that allows us to perform validation on data strings that are defined as xs:anyURI @@ -802,7 +802,7 @@ def is_bom_link(self) -> bool: return self._uri.startswith(_BOM_LINK_PREFIX) -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class ExternalReference: """ This is our internal representation of an ExternalReference complex type that can be used in multiple places within @@ -914,7 +914,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Property: """ This is our internal representation of `propertyType` complex type that can be used in multiple places within @@ -989,7 +989,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class NoteText: """ This is our internal representation of the Note.text complex type that can be used in multiple places within @@ -1081,7 +1081,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Note: """ This is our internal representation of the Note complex type that can be used in multiple places within @@ -1166,7 +1166,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class IdentifiableAction: """ This is our internal representation of the `identifiableActionType` complex type. @@ -1252,7 +1252,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Copyright: """ This is our internal representation of the `copyrightsType` complex type. diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 4d030169b..1719bcf54 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -55,7 +55,7 @@ from packageurl import PackageURL -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class BomMetaData: """ This is our internal representation of the metadata complex type within the CycloneDX standard. @@ -314,7 +314,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class(ignore_during_deserialization=['$schema', 'bom_format', 'spec_version']) +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Bom: """ This is our internal representation of a bill-of-materials (BOM). diff --git a/cyclonedx/model/bom_ref.py b/cyclonedx/model/bom_ref.py index a1895d3ef..edde98efe 100644 --- a/cyclonedx/model/bom_ref.py +++ b/cyclonedx/model/bom_ref.py @@ -28,7 +28,7 @@ _T_BR = TypeVar('_T_BR', bound='BomRef') -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class BomRef(serializable.helpers.BaseHelper): """ An identifier that can be used to reference objects elsewhere in the BOM. diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index 6737b39e7..2b350f7d7 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -66,7 +66,7 @@ from .release_note import ReleaseNotes -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Commit: """ Our internal representation of the `commitType` complex type. @@ -326,7 +326,7 @@ def deserialize(cls, o: Any) -> ComponentType: return ComponentType(o) -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Diff: """ Our internal representation of the `diffType` complex type. @@ -408,7 +408,7 @@ class PatchClassification(str, Enum): UNOFFICIAL = 'unofficial' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Patch: """ Our internal representation of the `patchType` complex type. @@ -498,7 +498,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Pedigree: """ Our internal representation of the `pedigreeType` complex type. @@ -661,7 +661,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Swid: """ Our internal representation of the `swidType` complex type. @@ -813,7 +813,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class OmniborId(serializable.helpers.BaseHelper): """ Helper class that allows us to perform validation on data strings that must conform to @@ -872,7 +872,7 @@ def __str__(self) -> str: return self._id -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Swhid(serializable.helpers.BaseHelper): """ Helper class that allows us to perform validation on data strings that must conform to @@ -931,7 +931,7 @@ def __str__(self) -> str: return self._id -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Component(Dependable): """ This is our internal representation of a Component within a Bom. diff --git a/cyclonedx/model/component_evidence.py b/cyclonedx/model/component_evidence.py index 2b5f12407..395f93e20 100644 --- a/cyclonedx/model/component_evidence.py +++ b/cyclonedx/model/component_evidence.py @@ -75,7 +75,7 @@ class AnalysisTechnique(str, Enum): OTHER = 'other' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Method: """ Represents a method used to extract and/or analyze evidence. @@ -181,7 +181,7 @@ def xml_denormalize(cls, o: 'XmlElement', *, return [BomRef(value=t.get('ref')) for t in o] -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Identity: """ Our internal representation of the `identityType` complex type. @@ -288,7 +288,7 @@ def __repr__(self) -> str: f' methods={self.methods}, tools={self.tools}>' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Occurrence: """ Our internal representation of the `occurrenceType` complex type. @@ -423,7 +423,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class CallStackFrame: """ Represents an individual frame in a call stack. @@ -567,7 +567,7 @@ def __repr__(self) -> str: f' line={self.line}, column={self.column}, full_filename={self.full_filename}>' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class CallStack: """ Our internal representation of the `callStackType` complex type. @@ -622,7 +622,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class ComponentEvidence: """ Our internal representation of the `componentEvidenceType` complex type. diff --git a/cyclonedx/model/contact.py b/cyclonedx/model/contact.py index 8bc19114d..8ee7898dd 100644 --- a/cyclonedx/model/contact.py +++ b/cyclonedx/model/contact.py @@ -29,7 +29,7 @@ from .bom_ref import BomRef -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class PostalAddress: """ This is our internal representation of the `postalAddressType` complex type that can be used in multiple places @@ -187,7 +187,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class OrganizationalContact: """ This is our internal representation of the `organizationalContact` complex type that can be used in multiple places @@ -277,7 +277,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class OrganizationalEntity: """ This is our internal representation of the `organizationalEntity` complex type that can be used in multiple places diff --git a/cyclonedx/model/crypto.py b/cyclonedx/model/crypto.py index 6bed02831..d2ccc6c29 100644 --- a/cyclonedx/model/crypto.py +++ b/cyclonedx/model/crypto.py @@ -263,7 +263,7 @@ class CryptoFunction(str, Enum): UNKNOWN = 'unknown' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class AlgorithmProperties: """ This is our internal representation of the cryptoPropertiesType.algorithmProperties ENUM type within the CycloneDX @@ -514,7 +514,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class CertificateProperties: """ This is our internal representation of the `cryptoPropertiesType.certificateProperties` complex type within @@ -746,7 +746,7 @@ class RelatedCryptoMaterialState(str, Enum): SUSPENDED = 'suspended' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class RelatedCryptoMaterialSecuredBy: """ This is our internal representation of the `cryptoPropertiesType.relatedCryptoMaterialProperties.securedBy` complex @@ -817,7 +817,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class RelatedCryptoMaterialProperties: """ This is our internal representation of the `cryptoPropertiesType.relatedCryptoMaterialProperties` complex type @@ -1086,7 +1086,7 @@ class ProtocolPropertiesType(str, Enum): UNKNOWN = 'unknown' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class ProtocolPropertiesCipherSuite: """ This is our internal representation of the `cryptoPropertiesType.protocolProperties.cipherSuites.cipherSuite` @@ -1179,7 +1179,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Ikev2TransformTypes: """ This is our internal representation of the `cryptoPropertiesType.protocolProperties.ikev2TransformTypes` @@ -1321,7 +1321,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class ProtocolProperties: """ This is our internal representation of the `cryptoPropertiesType.protocolProperties` complex type within @@ -1447,7 +1447,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class CryptoProperties: """ This is our internal representation of the `cryptoPropertiesType` complex type within CycloneDX standard. diff --git a/cyclonedx/model/definition.py b/cyclonedx/model/definition.py index 1665cbf8f..e773b5dbd 100644 --- a/cyclonedx/model/definition.py +++ b/cyclonedx/model/definition.py @@ -35,7 +35,7 @@ _T_CreId = TypeVar('_T_CreId', bound='CreId') -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class CreId(serializable.helpers.BaseHelper): """ Helper class that allows us to perform validation on data strings that must conform to @@ -89,7 +89,7 @@ def __str__(self) -> str: return self._id -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Requirement: """ A requirement comprising a standard. @@ -282,7 +282,7 @@ def __repr__(self) -> str: f'title={self.title}, text={self.text}, parent={self.parent}>' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Level: """ Level of compliance for a standard. @@ -397,7 +397,7 @@ def __repr__(self) -> str: f'title={self.title}, description={self.description}>' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Standard: """ A standard of regulations, industry or organizational-specific standards, maturity models, best practices, @@ -574,7 +574,10 @@ def __repr__(self) -> str: f'description={self.description}, owner={self.owner}>' -@serializable.serializable_class(name='definitions') +@serializable.serializable_class( + name='definitions', + ignore_unknown_during_deserialization=True +) class Definitions: """ The repository for definitions diff --git a/cyclonedx/model/dependency.py b/cyclonedx/model/dependency.py index eea799556..b9220570d 100644 --- a/cyclonedx/model/dependency.py +++ b/cyclonedx/model/dependency.py @@ -47,7 +47,7 @@ def deserialize(cls, o: Any) -> set['Dependency']: return dependencies -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Dependency: """ Models a Dependency within a BOM. diff --git a/cyclonedx/model/issue.py b/cyclonedx/model/issue.py index 3d9f30ded..762dcfa43 100644 --- a/cyclonedx/model/issue.py +++ b/cyclonedx/model/issue.py @@ -39,7 +39,7 @@ class IssueClassification(str, Enum): SECURITY = 'security' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class IssueTypeSource: """ This is our internal representation ofa source within the IssueType complex type that can be used in multiple @@ -108,7 +108,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class IssueType: """ This is our internal representation of an IssueType complex type that can be used in multiple places within diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index 86f08dbec..123de5524 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -60,7 +60,10 @@ class LicenseAcknowledgement(str, Enum): """Deprecated alias for :class:`LicenseAcknowledgement`""" -@serializable.serializable_class(name='license') +@serializable.serializable_class( + name='license', + ignore_unknown_during_deserialization=True +) class DisjunctiveLicense: """ This is our internal representation of `licenseType` complex type that can be used in multiple places within @@ -245,7 +248,10 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class(name='expression') +@serializable.serializable_class( + name='expression', + ignore_unknown_during_deserialization=True +) class LicenseExpression: """ This is our internal representation of `licenseType`'s expression type that can be used in multiple places within diff --git a/cyclonedx/model/lifecycle.py b/cyclonedx/model/lifecycle.py index d8f1db521..c64e3b37e 100644 --- a/cyclonedx/model/lifecycle.py +++ b/cyclonedx/model/lifecycle.py @@ -58,7 +58,7 @@ class LifecyclePhase(str, Enum): DECOMMISSION = 'decommission' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class PredefinedLifecycle: """ Object that defines pre-defined phases in the product lifecycle. @@ -97,7 +97,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class NamedLifecycle: """ Object that defines custom state in the product lifecycle. diff --git a/cyclonedx/model/release_note.py b/cyclonedx/model/release_note.py index 51b704d60..77745edfc 100644 --- a/cyclonedx/model/release_note.py +++ b/cyclonedx/model/release_note.py @@ -27,7 +27,7 @@ from ..model.issue import IssueType -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class ReleaseNotes: """ This is our internal representation of a `releaseNotesType` for a Component in a BOM. diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index c50bcb25d..443db05b6 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -41,7 +41,7 @@ from .release_note import ReleaseNotes -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Service(Dependable): """ Class that models the `service` complex type in the CycloneDX schema. diff --git a/cyclonedx/model/tool.py b/cyclonedx/model/tool.py index 904cd78b7..c8cfeab0f 100644 --- a/cyclonedx/model/tool.py +++ b/cyclonedx/model/tool.py @@ -37,7 +37,7 @@ from py_serializable import ObjectMetadataLibrary, ViewType -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Tool: """ This is our internal representation of the `toolType` complex type within the CycloneDX standard. diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py index b217583a8..4ce767b35 100644 --- a/cyclonedx/model/vulnerability.py +++ b/cyclonedx/model/vulnerability.py @@ -55,7 +55,7 @@ from .tool import Tool, ToolRepository, _ToolRepositoryHelper -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class BomTargetVersionRange: """ Class that represents either a version or version range and its affected status. @@ -148,7 +148,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class BomTarget: """ Class that represents referencing a Component or Service in a BOM. @@ -221,7 +221,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class VulnerabilityAnalysis: """ Class that models the `analysis` sub-element of the `vulnerabilityType` complex type. @@ -361,7 +361,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class VulnerabilityAdvisory: """ Class that models the `advisoryType` complex type. @@ -425,7 +425,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class VulnerabilitySource: """ Class that models the `vulnerabilitySourceType` complex type. @@ -491,7 +491,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class VulnerabilityReference: """ Class that models the nested `reference` within the `vulnerabilityType` complex type. @@ -753,7 +753,7 @@ def get_from_cvss_scores(scores: Union[tuple[float, ...], float, None]) -> 'Vuln return VulnerabilitySeverity.NONE -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class VulnerabilityRating: """ Class that models the `ratingType` complex element CycloneDX core schema. @@ -891,7 +891,7 @@ def __repr__(self) -> str: f'justification={self.justification}>' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class VulnerabilityCredits: """ Class that models the `credits` of `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). @@ -966,7 +966,7 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class +@serializable.serializable_class(ignore_unknown_during_deserialization=True) class Vulnerability: """ Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). diff --git a/pyproject.toml b/pyproject.toml index 33fe0bde1..2d4eb6796 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -69,7 +69,7 @@ keywords = [ [tool.poetry.dependencies] python = "^3.9" packageurl-python = ">=0.11, <2" -py-serializable = "^2.0.0" +py-serializable = "^2.1.0" sortedcontainers = "^2.4.0" license-expression = "^30" jsonschema = { version = "^4.25", extras=['format-nongpl'], optional=true } diff --git a/tests/_data/own/xml/1.6/regression_issue850.xml b/tests/_data/own/xml/1.6/regression_issue850.xml new file mode 100644 index 000000000..04bfab07e --- /dev/null +++ b/tests/_data/own/xml/1.6/regression_issue850.xml @@ -0,0 +1,30 @@ + + + + + example + 15.8.0 + + + + + + + + + + + + + tSHVo7UgCxvvmFusf+2UzjhxXa2PyvLHaIvyNlB/yp8= + + + + gep3n58O7GLUk/jwmOda8HlwkiqA40CRhJYgoJbMJ6xZphfn7s/JHDByeptXvbolB6nVw5qAQ/mKCAkh0x7NGzWwSWypmpysK3zuUZuMihTSizd+kclwCJYamQ0l4Lqqp13Ii/6C8N56vlbci9P3NwOVC910Jj6GAFj2Ci4zCNz0tstpu7cDE2/okRR4jBzisOpr2FCaHWUfkZUiGm7ueCg/T+v2Z0HM8qcG//+iMlvHcb5yXKUObDvW8CYsMzNW0Zdhs/qf6WkPpp6QBeWxVB+5QUfMZ+F0fP3fRaerjwh6mGkOVl7QODHcIcp153yX8JxU+c0ndRacNywPBGmxTQ== + + + diff --git a/tests/test_real_world_examples.py b/tests/test_real_world_examples.py index 0fe3e4808..3170e7308 100644 --- a/tests/test_real_world_examples.py +++ b/tests/test_real_world_examples.py @@ -53,3 +53,8 @@ def test_regression_issue753(self, *_: Any, **__: Any) -> None: bom = Bom.from_json(json) self.assertEqual(2, len(bom.components)) bom.validate() + + def test_regression_issue_850(self, *_: Any, **__: Any) -> None: + # tests https://github.com/CycloneDX/cyclonedx-python-lib/issues/850 + with open(join(OWN_DATA_DIRECTORY, 'xml', '1.6', 'regression_issue850.xml')) as input_xml: + Bom.from_xml(input_xml) From 6b91494148333aa343350c33722da65068bb6b3a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 21 Jul 2025 12:39:30 +0200 Subject: [PATCH 04/76] refactor: explicitely ignore json-implementation's format hints Signed-off-by: Jan Kowalleck --- cyclonedx/model/bom.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 1719bcf54..b9bf521e7 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -314,7 +314,12 @@ def __repr__(self) -> str: return f'' -@serializable.serializable_class(ignore_unknown_during_deserialization=True) +@serializable.serializable_class( + ignore_during_deserialization={ + '$schema', 'bom_format', 'spec_version', # JSON-implementation's format hints + }, + ignore_unknown_during_deserialization=True +) class Bom: """ This is our internal representation of a bill-of-materials (BOM). From 17046d47649ca8260e635387914b8a3e9c750c50 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Mon, 21 Jul 2025 10:53:24 +0000 Subject: [PATCH 05/76] chore(release): 11.0.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 9 +++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e3e144de5..afc604044 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ +## v11.0.0 (2025-07-21) + +### Features + +- Ignore unknown properties when deserializing + ([#853](https://github.com/CycloneDX/cyclonedx-python-lib/pull/853), + [`4842828`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/4842828031771cf62b1e17abe0123a1d4c137bd1)) + + ## v10.5.0 (2025-07-20) ### Features diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index 328e7324a..bcb6c496a 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "10.5.0" # noqa:Q000 +__version__ = "11.0.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 45ec8f6f7..6a2f394d8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '10.5.0' +release = '11.0.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 2d4eb6796..51a5eaa83 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "10.5.0" +version = "11.0.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From d801c2c62d6a55bb8846503239bae8dbceab2fa1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 19:52:49 +0200 Subject: [PATCH 06/76] chore(deps-dev): update mypy requirement from 1.16.1 to 1.17.0 (#855) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.17

We’ve just uploaded mypy 1.17 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Optionally Check That Match Is Exhaustive

Mypy can now optionally generate an error if a match statement does not match exhaustively, without having to use assert_never(...). Enable this by using --enable-error-code exhaustive-match.

Example:

# mypy: enable-error-code=exhaustive-match

import enum


class Color(enum.Enum):
RED = 1
BLUE = 2


def show_color(val: Color) -> None:
# error: Unhandled case for values of type
"Literal[Color.BLUE]"
match val:
case Color.RED:
print("red")

This feature was contributed by Donal Burns (PR 19144).

Further Improvements to Attribute Resolution

This release includes additional improvements to how attribute types and kinds are resolved. These fix many bugs and overall improve consistency.

  • Handle corner case: protocol/class variable/descriptor (Ivan Levkivskyi, PR 19277)
  • Fix a few inconsistencies in protocol/type object interactions (Ivan Levkivskyi, PR 19267)
  • Refactor/unify access to static attributes (Ivan Levkivskyi, PR 19254)
  • Remove inconsistencies in operator handling (Ivan Levkivskyi, PR 19250)
  • Make protocol subtyping more consistent (Ivan Levkivskyi, PR 18943)

... (truncated)

Commits
  • 0260991 Update version string
  • 3901aa2 Updates to 1.17 changelog (#19436)
  • 7d13396 Initial changelog for 1.17 release (#19427)
  • a182dec Combine the revealed types of multiple iteration steps in a more robust manne...
  • ab4fd57 Improve the handling of "iteration dependent" errors and notes in finally cla...
  • 09ba1f6 [mypyc] Fix exception swallowing in async try/finally blocks with await (#19353)
  • 5c65e33 [mypyc] Fix AttributeError in async try/finally with mixed return paths (#19361)
  • 934ec50 Lessen dmypy suggest path limitations for Windows machines (#19337)
  • a4801f9 Type ignore comments erroneously marked as unused by dmypy (#15043)
  • c3bfa0d Handle corner case: protocol vs classvar vs descriptor (#19277)
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | mypy | [>= 0.971.a, < 0.972] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 51a5eaa83..64f0ce8a0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -95,7 +95,7 @@ flake8-use-fstring = "1.4" pep8-naming = "0.15.1" isort = "6.0.1" autopep8 = "2.3.2" -mypy = "1.16.1" +mypy = "1.17.0" tomli = { version = "2.2.1", python = "<3.11" } tox = "4.27.0" xmldiff = "2.7.0" From ea627ec8fa3e8e19a2a8f4a618c9b084922e025f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 22 Jul 2025 10:33:30 +0200 Subject: [PATCH 07/76] docs: update linked XML spec (#857) Signed-off-by: Jan Kowalleck --- cyclonedx/model/__init__.py | 12 ++++----- cyclonedx/model/bom.py | 4 +-- cyclonedx/model/component.py | 6 ++--- cyclonedx/model/crypto.py | 40 +++++++++++++++--------------- cyclonedx/model/impact_analysis.py | 8 +++--- cyclonedx/model/license.py | 2 +- cyclonedx/model/lifecycle.py | 8 +++--- cyclonedx/model/release_note.py | 2 +- cyclonedx/model/tool.py | 2 +- cyclonedx/model/vulnerability.py | 12 ++++----- 10 files changed, 48 insertions(+), 48 deletions(-) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index ba3a79a33..69c98d705 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -157,7 +157,7 @@ class Encoding(str, Enum): This is our internal representation of the encoding simple type within the CycloneDX standard. .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/#type_encoding + See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/xml/#type_encoding """ BASE_64 = 'base64' @@ -168,7 +168,7 @@ class AttachedText: This is our internal representation of the `attachedTextType` complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_attachedTextType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_attachedTextType """ DEFAULT_CONTENT_TYPE = 'text/plain' @@ -261,7 +261,7 @@ class HashAlgorithm(str, Enum): This is our internal representation of the hashAlg simple type within the CycloneDX standard. .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/#type_hashAlg + See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/xml/#type_hashAlg """ # see `_HashTypeRepositorySerializationHelper.__CASES` for view/case map BLAKE2B_256 = 'BLAKE2b-256' # Only supported in >= 1.2 @@ -384,7 +384,7 @@ class HashType: This is our internal representation of the hashType complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_hashType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_hashType """ @staticmethod @@ -541,7 +541,7 @@ class ExternalReferenceType(str, Enum): Enum object that defines the permissible 'types' for an External Reference according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_externalReferenceType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_externalReferenceType """ # see `_ExternalReferenceSerializationHelper.__CASES` for view/case map ADVERSARY_MODEL = 'adversary-model' # Only supported in >= 1.5 @@ -809,7 +809,7 @@ class ExternalReference: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_externalReference + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_externalReference """ def __init__( diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index b9bf521e7..5ebb2f952 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -61,7 +61,7 @@ class BomMetaData: This is our internal representation of the metadata complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.6/#type_metadata + See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.6/xml/#type_metadata """ def __init__( @@ -405,7 +405,7 @@ def metadata(self) -> BomMetaData: Metadata object instance for this Bom. .. note:: - See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.6/#type_metadata + See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.6/xml/#type_metadata """ return self._metadata diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index 2b350f7d7..65d2eecf3 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -197,7 +197,7 @@ class ComponentScope(str, Enum): Enum object that defines the permissable 'scopes' for a Component according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_scope + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_scope """ # see `_ComponentScopeSerializationHelper.__CASES` for view/case map REQUIRED = 'required' @@ -253,7 +253,7 @@ class ComponentType(str, Enum): Enum object that defines the permissible 'types' for a Component according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_classification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_classification """ # see `_ComponentTypeSerializationHelper.__CASES` for view/case map APPLICATION = 'application' @@ -937,7 +937,7 @@ class Component(Dependable): This is our internal representation of a Component within a Bom. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_component + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_component """ @staticmethod diff --git a/cyclonedx/model/crypto.py b/cyclonedx/model/crypto.py index d2ccc6c29..4a7d1f1a8 100644 --- a/cyclonedx/model/crypto.py +++ b/cyclonedx/model/crypto.py @@ -22,7 +22,7 @@ Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ from collections.abc import Iterable @@ -48,7 +48,7 @@ class CryptoAssetType(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ ALGORITHM = 'algorithm' @@ -67,7 +67,7 @@ class CryptoPrimitive(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ AE = 'ae' @@ -98,7 +98,7 @@ class CryptoExecutionEnvironment(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ HARDWARE = 'hardware' @@ -120,7 +120,7 @@ class CryptoImplementationPlatform(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ ARMV7_A = 'armv7-a' @@ -150,7 +150,7 @@ class CryptoCertificationLevel(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ NONE = 'none' @@ -196,7 +196,7 @@ class CryptoMode(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ CBC = 'cbc' @@ -221,7 +221,7 @@ class CryptoPadding(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ PKCS5 = 'pkcs5' @@ -244,7 +244,7 @@ class CryptoFunction(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ DECAPSULATE = 'decapsulate' @@ -273,7 +273,7 @@ class AlgorithmProperties: Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -525,7 +525,7 @@ class CertificateProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -700,7 +700,7 @@ class RelatedCryptoMaterialType(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ ADDITIONAL_DATA = 'additional-data' @@ -735,7 +735,7 @@ class RelatedCryptoMaterialState(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ ACTIVE = 'active' @@ -757,7 +757,7 @@ class RelatedCryptoMaterialSecuredBy: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -828,7 +828,7 @@ class RelatedCryptoMaterialProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -1072,7 +1072,7 @@ class ProtocolPropertiesType(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ IKE = 'ike' @@ -1097,7 +1097,7 @@ class ProtocolPropertiesCipherSuite: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -1190,7 +1190,7 @@ class Ikev2TransformTypes: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -1332,7 +1332,7 @@ class ProtocolProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( @@ -1457,7 +1457,7 @@ class CryptoProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType """ def __init__( diff --git a/cyclonedx/model/impact_analysis.py b/cyclonedx/model/impact_analysis.py index a289daf2d..d82ed7365 100644 --- a/cyclonedx/model/impact_analysis.py +++ b/cyclonedx/model/impact_analysis.py @@ -45,7 +45,7 @@ class ImpactAnalysisAffectedStatus(str, Enum): has not disclosed the status. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_impactAnalysisAffectedStatusType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisAffectedStatusType """ AFFECTED = 'affected' @@ -59,7 +59,7 @@ class ImpactAnalysisJustification(str, Enum): Enum object that defines the rationale of why the impact analysis state was asserted. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_impactAnalysisJustificationType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisJustificationType """ CODE_NOT_PRESENT = 'code_not_present' @@ -79,7 +79,7 @@ class ImpactAnalysisResponse(str, Enum): Enum object that defines the valid rationales as to why the impact analysis state was asserted. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_impactAnalysisResponsesType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisResponsesType """ CAN_NOT_FIX = 'can_not_fix' @@ -95,7 +95,7 @@ class ImpactAnalysisState(str, Enum): Enum object that defines the permissible impact analysis states. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_impactAnalysisStateType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisStateType """ RESOLVED = 'resolved' diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index 123de5524..c7a34eb14 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -47,7 +47,7 @@ class LicenseAcknowledgement(str, Enum): .. note:: See the CycloneDX Schema for hashType: - https://cyclonedx.org/docs/1.6/#type_licenseAcknowledgementEnumerationType + https://cyclonedx.org/docs/1.6/xml/#type_licenseAcknowledgementEnumerationType """ CONCLUDED = 'concluded' diff --git a/cyclonedx/model/lifecycle.py b/cyclonedx/model/lifecycle.py index c64e3b37e..e6aed27b9 100644 --- a/cyclonedx/model/lifecycle.py +++ b/cyclonedx/model/lifecycle.py @@ -22,7 +22,7 @@ Introduced in CycloneDX v1.5 .. note:: - See the CycloneDX Schema for lifecycles: https://cyclonedx.org/docs/1.6/#metadata_lifecycles + See the CycloneDX Schema for lifecycles: https://cyclonedx.org/docs/1.6/xml/#metadata_lifecycles """ from enum import Enum @@ -47,7 +47,7 @@ class LifecyclePhase(str, Enum): Enum object that defines the permissible 'phase' for a Lifecycle according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_classification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_classification """ DESIGN = 'design' PRE_BUILD = 'pre-build' @@ -64,7 +64,7 @@ class PredefinedLifecycle: Object that defines pre-defined phases in the product lifecycle. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#metadata_lifecycles + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#metadata_lifecycles """ def __init__(self, phase: LifecyclePhase) -> None: @@ -103,7 +103,7 @@ class NamedLifecycle: Object that defines custom state in the product lifecycle. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#metadata_lifecycles + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#metadata_lifecycles """ def __init__(self, name: str, *, description: Optional[str] = None) -> None: diff --git a/cyclonedx/model/release_note.py b/cyclonedx/model/release_note.py index 77745edfc..9f1ff82c3 100644 --- a/cyclonedx/model/release_note.py +++ b/cyclonedx/model/release_note.py @@ -33,7 +33,7 @@ class ReleaseNotes: This is our internal representation of a `releaseNotesType` for a Component in a BOM. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_releaseNotesType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_releaseNotesType """ def __init__( diff --git a/cyclonedx/model/tool.py b/cyclonedx/model/tool.py index c8cfeab0f..c547ab921 100644 --- a/cyclonedx/model/tool.py +++ b/cyclonedx/model/tool.py @@ -48,7 +48,7 @@ class Tool: In fact, this library will try to provide a compatibility layer if needed. .. note:: - See the CycloneDX Schema for toolType: https://cyclonedx.org/docs/1.6/#type_toolType + See the CycloneDX Schema for toolType: https://cyclonedx.org/docs/1.6/xml/#type_toolType """ def __init__( diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py index 4ce767b35..744de15d0 100644 --- a/cyclonedx/model/vulnerability.py +++ b/cyclonedx/model/vulnerability.py @@ -25,7 +25,7 @@ Since CycloneDX schema version 1.4, this has become part of the core schema. .. note:: - See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.6/#type_vulnerabilitiesType + See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilitiesType """ @@ -159,7 +159,7 @@ class BomTarget: from a `cyclonedx.parser.BaseParser` implementation. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType """ def __init__( @@ -367,7 +367,7 @@ class VulnerabilityAdvisory: Class that models the `advisoryType` complex type. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/#type_advisoryType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_advisoryType """ def __init__( @@ -582,7 +582,7 @@ class VulnerabilityScoreSource(str, Enum): Enum object that defines the permissible source types for a Vulnerability's score. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_scoreSourceType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_scoreSourceType .. note:: No explicit carry-over from the former schema extension: @@ -708,7 +708,7 @@ class VulnerabilitySeverity(str, Enum): Class that defines the permissible severities for a Vulnerability. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/#type_severityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_severityType """ NONE = 'none' INFO = 'info' # Only >= 1.4 @@ -975,7 +975,7 @@ class Vulnerability: extension (in XML only). .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType """ def __init__( From ba0b5c092cd4c5761e3b00e808506e7ba71de3a8 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 22 Jul 2025 12:50:04 +0200 Subject: [PATCH 08/76] docs: update CDX spec links (#858) Signed-off-by: Jan Kowalleck --- cyclonedx/model/component_evidence.py | 4 ++++ cyclonedx/model/definition.py | 3 +++ cyclonedx/model/issue.py | 3 ++- cyclonedx/model/license.py | 2 +- cyclonedx/model/vulnerability.py | 18 ++++++++++-------- 5 files changed, 20 insertions(+), 10 deletions(-) diff --git a/cyclonedx/model/component_evidence.py b/cyclonedx/model/component_evidence.py index 395f93e20..c23acac9d 100644 --- a/cyclonedx/model/component_evidence.py +++ b/cyclonedx/model/component_evidence.py @@ -79,6 +79,10 @@ class AnalysisTechnique(str, Enum): class Method: """ Represents a method used to extract and/or analyze evidence. + + .. note:: + See the CycloneDX Schema definition: + https://cyclonedx.org/docs/1.6/json/#components_items_evidence_identity_oneOf_i0_items_methods """ def __init__( diff --git a/cyclonedx/model/definition.py b/cyclonedx/model/definition.py index e773b5dbd..cb01568ef 100644 --- a/cyclonedx/model/definition.py +++ b/cyclonedx/model/definition.py @@ -581,6 +581,9 @@ def __repr__(self) -> str: class Definitions: """ The repository for definitions + + .. note:: + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_definitionsType """ def __init__( diff --git a/cyclonedx/model/issue.py b/cyclonedx/model/issue.py index 762dcfa43..8c5ca0c1a 100644 --- a/cyclonedx/model/issue.py +++ b/cyclonedx/model/issue.py @@ -46,7 +46,8 @@ class IssueTypeSource: places within a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_issueType + See the CycloneDX Schema definition: + https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves_items_source """ def __init__( diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index c7a34eb14..dddf70fb3 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -70,7 +70,7 @@ class DisjunctiveLicense: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/json/#components_items_licenses + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_licenseType """ def __init__( diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py index 744de15d0..5999f64c9 100644 --- a/cyclonedx/model/vulnerability.py +++ b/cyclonedx/model/vulnerability.py @@ -63,7 +63,8 @@ class BomTargetVersionRange: `version` and `version_range` are mutually exclusive. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType + See the CycloneDX schema: + https://cyclonedx.org/docs/1.6/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0 """ def __init__( @@ -159,7 +160,7 @@ class BomTarget: from a `cyclonedx.parser.BaseParser` implementation. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects """ def __init__( @@ -227,7 +228,7 @@ class VulnerabilityAnalysis: Class that models the `analysis` sub-element of the `vulnerabilityType` complex type. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis """ def __init__( @@ -367,7 +368,7 @@ class VulnerabilityAdvisory: Class that models the `advisoryType` complex type. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_advisoryType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_advisories """ def __init__( @@ -433,7 +434,7 @@ class VulnerabilitySource: This type is used for multiple purposes in the CycloneDX schema. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilitySourceType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_source """ def __init__( @@ -502,7 +503,7 @@ class VulnerabilityReference: intelligence. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_references .. note:: Properties ``id`` and ``source`` are mandatory. @@ -588,6 +589,7 @@ class VulnerabilityScoreSource(str, Enum): No explicit carry-over from the former schema extension: https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd """ + # see `_VulnerabilityScoreSourceSerializationHelper.__CASES` for view/case map CVSS_V2 = 'CVSSv2' CVSS_V3 = 'CVSSv3' @@ -762,7 +764,7 @@ class VulnerabilityRating: 1.4 - see https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd. .. note:: - See `ratingType` in https://cyclonedx.org/docs/1.6/xml/#ratingType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_ratingType .. warning:: As part of implementing support for CycloneDX schema version 1.4, the three score types defined in the schema @@ -900,7 +902,7 @@ class VulnerabilityCredits: extension (in XML only). .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_credits """ def __init__( From 0ecdaa8eff200dce74e1fee8202807ab273b6971 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 22 Jul 2025 13:06:51 +0200 Subject: [PATCH 09/76] docs: update linked CDX spec (#860) Signed-off-by: Jan Kowalleck --- cyclonedx/model/definition.py | 9 +++++++++ cyclonedx/model/lifecycle.py | 6 ++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/cyclonedx/model/definition.py b/cyclonedx/model/definition.py index cb01568ef..9d9562e83 100644 --- a/cyclonedx/model/definition.py +++ b/cyclonedx/model/definition.py @@ -93,6 +93,9 @@ def __str__(self) -> str: class Requirement: """ A requirement comprising a standard. + + .. note:: + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/json/#definitions_standards_items_requirements """ def __init__( @@ -286,6 +289,9 @@ def __repr__(self) -> str: class Level: """ Level of compliance for a standard. + + .. note:: + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/json/#definitions_standards_items_levels """ def __init__( @@ -402,6 +408,9 @@ class Standard: """ A standard of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements. + + .. note:: + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_standard """ def __init__( diff --git a/cyclonedx/model/lifecycle.py b/cyclonedx/model/lifecycle.py index e6aed27b9..081aeb3af 100644 --- a/cyclonedx/model/lifecycle.py +++ b/cyclonedx/model/lifecycle.py @@ -64,7 +64,8 @@ class PredefinedLifecycle: Object that defines pre-defined phases in the product lifecycle. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#metadata_lifecycles + See the CycloneDX Schema definition: + https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_lifecycles_items_oneOf_i0 """ def __init__(self, phase: LifecyclePhase) -> None: @@ -103,7 +104,8 @@ class NamedLifecycle: Object that defines custom state in the product lifecycle. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#metadata_lifecycles + See the CycloneDX Schema definition: + https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_lifecycles_items_oneOf_i1 """ def __init__(self, name: str, *, description: Optional[str] = None) -> None: From 5621705fef98e0d5a510af22f8ece16c8f2f1e76 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 22 Jul 2025 13:08:20 +0200 Subject: [PATCH 10/76] docs: shorten lines Signed-off-by: Jan Kowalleck --- cyclonedx/model/definition.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cyclonedx/model/definition.py b/cyclonedx/model/definition.py index 9d9562e83..4eaa93e66 100644 --- a/cyclonedx/model/definition.py +++ b/cyclonedx/model/definition.py @@ -95,7 +95,8 @@ class Requirement: A requirement comprising a standard. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/json/#definitions_standards_items_requirements + See the CycloneDX Schema for hashType: + https://cyclonedx.org/docs/1.6/json/#definitions_standards_items_requirements """ def __init__( From 0898cf76f1ad97a49cb438fe2130a86a59f8c150 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 23 Jul 2025 11:26:42 +0200 Subject: [PATCH 11/76] feat: add BomRefs for known models according to CycloneDX 1.5 (#859) ## Changed - getter `model.contact.PostalAddress.bom_ref` may no longer return `None` ## Added - Class `model.contact.OrganizationalContact` supports `bom_ref` - Class `model.contact.OrganizationalEntity` supports `bom_ref` - Class `model.license.DisjunctiveLicense` supports `bom_ref` - Class `model.license.LicenseExpression` supports `bom_ref` Signed-off-by: Jan Kowalleck --- cyclonedx/model/contact.py | 54 +++++++++++++++++++++++++++----- cyclonedx/model/license.py | 64 +++++++++++++++++++++++++------------- 2 files changed, 90 insertions(+), 28 deletions(-) diff --git a/cyclonedx/model/contact.py b/cyclonedx/model/contact.py index 8ee7898dd..83c5b9d2c 100644 --- a/cyclonedx/model/contact.py +++ b/cyclonedx/model/contact.py @@ -24,7 +24,7 @@ from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparableTuple as _ComparableTuple -from ..schema.schema import SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6 from . import XsUri from .bom_ref import BomRef @@ -49,7 +49,7 @@ def __init__( postal_code: Optional[str] = None, street_address: Optional[str] = None, ) -> None: - self._bom_ref = _bom_ref_from_str(bom_ref, optional=True) + self._bom_ref = _bom_ref_from_str(bom_ref) self.country = country self.region = region self.locality = locality @@ -58,11 +58,11 @@ def __init__( self.street_address = street_address @property - @serializable.json_name('bom-ref') @serializable.type_mapping(BomRef) @serializable.xml_attribute() @serializable.xml_name('bom-ref') - def bom_ref(self) -> Optional[BomRef]: + @serializable.json_name('bom-ref') + def bom_ref(self) -> BomRef: """ An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. @@ -167,7 +167,7 @@ def __comparable_tuple(self) -> _ComparableTuple: self.country, self.region, self.locality, self.postal_code, self.post_office_box_number, self.street_address, - None if self.bom_ref is None else self.bom_ref.value, + self._bom_ref.value, )) def __eq__(self, other: object) -> bool: @@ -199,14 +199,33 @@ class OrganizationalContact: def __init__( self, *, + bom_ref: Optional[Union[str, BomRef]] = None, name: Optional[str] = None, phone: Optional[str] = None, email: Optional[str] = None, ) -> None: + self._bom_ref = _bom_ref_from_str(bom_ref) self.name = name self.email = email self.phone = phone + @property + @serializable.view(SchemaVersion1Dot5) + @serializable.view(SchemaVersion1Dot6) + @serializable.type_mapping(BomRef) + @serializable.xml_attribute() + @serializable.xml_name('bom-ref') + @serializable.json_name('bom-ref') + def bom_ref(self) -> BomRef: + """ + An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be + unique within the BOM. + + Returns: + `BomRef` + """ + return self._bom_ref + @property @serializable.xml_sequence(1) @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING) @@ -257,7 +276,8 @@ def phone(self, phone: Optional[str]) -> None: def __comparable_tuple(self) -> _ComparableTuple: return _ComparableTuple(( - self.name, self.email, self.phone + self.name, self.email, self.phone, + self._bom_ref.value, )) def __eq__(self, other: object) -> bool: @@ -289,16 +309,35 @@ class OrganizationalEntity: def __init__( self, *, + bom_ref: Optional[Union[str, BomRef]] = None, name: Optional[str] = None, urls: Optional[Iterable[XsUri]] = None, contacts: Optional[Iterable[OrganizationalContact]] = None, address: Optional[PostalAddress] = None, ) -> None: + self._bom_ref = _bom_ref_from_str(bom_ref) self.name = name self.address = address self.urls = urls or [] self.contacts = contacts or [] + @property + @serializable.view(SchemaVersion1Dot5) + @serializable.view(SchemaVersion1Dot6) + @serializable.type_mapping(BomRef) + @serializable.xml_attribute() + @serializable.xml_name('bom-ref') + @serializable.json_name('bom-ref') + def bom_ref(self) -> BomRef: + """ + An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be + unique within the BOM. + + Returns: + `BomRef` + """ + return self._bom_ref + @property @serializable.xml_sequence(10) @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING) @@ -367,7 +406,8 @@ def contacts(self, contacts: Iterable[OrganizationalContact]) -> None: def __comparable_tuple(self) -> _ComparableTuple: return _ComparableTuple(( - self.name, _ComparableTuple(self.urls), _ComparableTuple(self.contacts) + self.name, _ComparableTuple(self.urls), _ComparableTuple(self.contacts), + self._bom_ref.value, )) def __eq__(self, other: object) -> bool: diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index dddf70fb3..49b9fd3df 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -29,11 +29,13 @@ import py_serializable as serializable from sortedcontainers import SortedSet +from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparableTuple as _ComparableTuple from ..exception.model import MutuallyExclusivePropertiesException from ..exception.serialization import CycloneDxDeserializationException -from ..schema.schema import SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6 from . import AttachedText, XsUri +from .bom_ref import BomRef @serializable.serializable_enum @@ -75,6 +77,7 @@ class DisjunctiveLicense: def __init__( self, *, + bom_ref: Optional[Union[str, BomRef]] = None, id: Optional[str] = None, name: Optional[str] = None, text: Optional[AttachedText] = None, url: Optional[XsUri] = None, acknowledgement: Optional[LicenseAcknowledgement] = None, @@ -86,12 +89,30 @@ def __init__( 'Both `id` and `name` have been supplied - `name` will be ignored!', category=RuntimeWarning, stacklevel=1 ) + self._bom_ref = _bom_ref_from_str(bom_ref) self._id = id self._name = name if not id else None self._text = text self._url = url self._acknowledgement = acknowledgement + @property + @serializable.view(SchemaVersion1Dot5) + @serializable.view(SchemaVersion1Dot6) + @serializable.type_mapping(BomRef) + @serializable.xml_attribute() + @serializable.xml_name('bom-ref') + @serializable.json_name('bom-ref') + def bom_ref(self) -> BomRef: + """ + An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be + unique within the BOM. + + Returns: + `BomRef` + """ + return self._bom_ref + @property @serializable.xml_sequence(1) def id(self) -> Optional[str]: @@ -186,16 +207,6 @@ def url(self, url: Optional[XsUri]) -> None: # def properties(self, ...) -> None: # ... # TODO since CDX1.5 - # @property - # @serializable.json_name('bom-ref') - # @serializable.type_mapping(BomRefHelper) - # @serializable.view(SchemaVersion1Dot5) - # @serializable.view(SchemaVersion1Dot6) - # @serializable.xml_attribute() - # @serializable.xml_name('bom-ref') - # def bom_ref(self) -> BomRef: - # ... # TODO since CDX1.5 - @property @serializable.view(SchemaVersion1Dot6) @serializable.xml_attribute() @@ -227,6 +238,7 @@ def __comparable_tuple(self) -> _ComparableTuple: self._id, self._name, self._url, self._text, + self._bom_ref.value, )) def __eq__(self, other: object) -> bool: @@ -264,11 +276,30 @@ class LicenseExpression: def __init__( self, value: str, *, + bom_ref: Optional[Union[str, BomRef]] = None, acknowledgement: Optional[LicenseAcknowledgement] = None, ) -> None: + self._bom_ref = _bom_ref_from_str(bom_ref) self._value = value self._acknowledgement = acknowledgement + @property + @serializable.view(SchemaVersion1Dot5) + @serializable.view(SchemaVersion1Dot6) + @serializable.type_mapping(BomRef) + @serializable.xml_attribute() + @serializable.xml_name('bom-ref') + @serializable.json_name('bom-ref') + def bom_ref(self) -> BomRef: + """ + An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be + unique within the BOM. + + Returns: + `BomRef` + """ + return self._bom_ref + @property @serializable.xml_name('.') @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING) @@ -286,16 +317,6 @@ def value(self) -> str: def value(self, value: str) -> None: self._value = value - # @property - # @serializable.json_name('bom-ref') - # @serializable.type_mapping(BomRefHelper) - # @serializable.view(SchemaVersion1Dot5) - # @serializable.view(SchemaVersion1Dot6) - # @serializable.xml_attribute() - # @serializable.xml_name('bom-ref') - # def bom_ref(self) -> BomRef: - # ... # TODO since CDX1.5 - @property @serializable.view(SchemaVersion1Dot6) @serializable.xml_attribute() @@ -325,6 +346,7 @@ def __comparable_tuple(self) -> _ComparableTuple: return _ComparableTuple(( self._acknowledgement, self._value, + self._bom_ref.value, )) def __hash__(self) -> int: From 6b3f52653960cbb8da3a91b3596c863b33b6c6cd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 12:55:40 +0200 Subject: [PATCH 12/76] chore(deps-dev): update coverage requirement from 7.9.2 to 7.10.1 (#865) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [coverage](https://github.com/nedbat/coveragepy) to permit the latest version.
Changelog

Sourced from coverage's changelog.

Version 7.10.1 — 2025-07-27

  • Fix: the exclusion for if TYPE_CHECKING: was wrong: it marked the branch as partial, but it should have been a line exclusion so the entire clause would be excluded. Improves issue 831_.

  • Fix: changed where .pth files are written for patch = subprocess, closing issue 2006_.

.. _issue 2006: nedbat/coveragepy#2006

.. _changes_7-10-0:

Version 7.10.0 — 2025-07-24

  • A new configuration option: ":ref:config_run_patch" specifies named patches to work around some limitations in coverage measurement. These patches are available:

    • patch = _exit lets coverage save its data even when :func:os._exit() <python:os._exit> is used to abruptly end the process. This closes long-standing issue 310_ as well as its duplicates: issue 312, issue 1673, issue 1845, and issue 1941.

    • patch = subprocess measures coverage in Python subprocesses created with :mod:subprocess, :func:os.system, or one of the :func:execv <python:os.execl> or :func:spawnv <python:os.spawnl> family of functions. Closes old issue 367_ and duplicate issue 378_.

    • patch = execv adjusts the :func:execv <python:os.execl> family of functions to save coverage data before ending the current program and starting the next. Not available on Windows. Closes issue 43_ after 15 years!

  • The HTML report now dimly colors subsequent lines in multi-line statements. They used to have no color. This gives a better indication of the amount of code missing in the report. Closes issue 1308_.

  • Two new exclusion patterns are part of the defaults: ... is automatically excluded as a line and if TYPE_CHECKING: is excluded as a branch. Closes issue 831_.

  • A new command-line option: --save-signal=USR1 specifies a signal that coverage.py will listen for. When the signal is sent, the coverage data will be saved. This makes it possible to save data from within long-running processes. Thanks, Arkady Gilinsky <pull 1998_>_.

... (truncated)

Commits
  • 7fdcbeb docs: sample HTML for 7.10.1
  • c9e9625 docs: prep for 7.10.1
  • e8193ff chore: make upgrade
  • 9aad22a test: improve the if TYPE_CHECKING: exclusion test
  • 1e2f41a fix: excluding TYPE_CHECKING should have been the line not the branch
  • 2134e57 fix: use getsitepackages for writing .pth files. #2006
  • a4300a7 test: signal statuses are mysterious. #2008
  • 2fd4961 docs: update the man page, for once
  • a13607f build: comment_on_fixes should show html urls
  • 0f00d49 build: bump version to 7.10.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 64f0ce8a0..e10126d85 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -84,7 +84,7 @@ xml-validation = ["lxml"] [tool.poetry.group.dev.dependencies] ddt = "1.7.2" -coverage = "7.9.2" +coverage = "7.10.1" flake8 = "7.3.0" flake8-annotations = "3.1.1" flake8-bugbear = "24.12.12" From 2e300a6a9c8f7ec24f2cc5fcca46373f2901172d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 12:57:17 +0200 Subject: [PATCH 13/76] chore(deps-dev): update mypy requirement from 1.17.0 to 1.17.1 (#868) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
Changelog

Sourced from mypy's changelog.

Mypy 1.17.1

  • Retain None as constraints bottom if no bottoms were provided (Stanislav Terliakov, PR 19485)
  • Fix "ignored exception in hasattr" in dmypy (Stanislav Terliakov, PR 19428)
  • Prevent a crash when InitVar is redefined with a method in a subclass (Stanislav Terliakov, PR 19453)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

  • Alexey Makridenko
  • Brian Schubert
  • Chad Dombrova
  • Chainfire
  • Charlie Denton
  • Charulata
  • Christoph Tyralla
  • CoolCat467
  • Donal Burns
  • Guy Wilson
  • Ivan Levkivskyi
  • johnthagen
  • Jukka Lehtosalo
  • Łukasz Kwieciński
  • Marc Mueller
  • Michael J. Sullivan
  • Mikhail Golubev
  • Sebastian Rittau
  • Shantanu
  • Stanislav Terliakov
  • wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.16

We’ve just uploaded mypy 1.16 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Different Property Getter and Setter Types

Mypy now supports using different types for a property getter and setter:

class A:
    _value: int
</tr></table>

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | mypy | [>= 0.971.a, < 0.972] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index e10126d85..d7dcba418 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -95,7 +95,7 @@ flake8-use-fstring = "1.4" pep8-naming = "0.15.1" isort = "6.0.1" autopep8 = "2.3.2" -mypy = "1.17.0" +mypy = "1.17.1" tomli = { version = "2.2.1", python = "<3.11" } tox = "4.27.0" xmldiff = "2.7.0" From a6e157f2da006728855cd9bdd9469e12b992e143 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 13:24:39 +0200 Subject: [PATCH 14/76] chore(deps-dev): update tox requirement from 4.27.0 to 4.28.4 (#867) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [tox](https://github.com/tox-dev/tox) to permit the latest version.
Release notes

Sourced from tox's releases.

4.28.4

What's Changed

New Contributors

Full Changelog: https://github.com/tox-dev/tox/compare/4.28.3...4.28.4

Changelog

Sourced from tox's changelog.

v4.28.4 (2025-07-31)

Features - 4.28.4

- Pass ssh-agent variables ``SSH_AGENT_PID`` and
``SSH_AUTH_SOCK`` in ``pass_env`` by default.
  - by :user:`daniilgankov` (:issue:`3572`)

v4.28.3 (2025-07-25)


No significant changes.


v4.28.2 (2025-07-25)


Bugfixes - 4.28.2

  • Don't pass in the filter argument to tar.extractall on old Python versions - by :user:gaborbernat. (:issue:3568)

v4.28.1 (2025-07-22)

Bugfixes - 4.28.1

- Use `tarfile.data_filter
<https://docs.python.org/3/library/tarfile.html#tarfile.data_filter>`_
with ``extractall``
  only on supported Python versions:

    

  • &gt;= 3.11.4
    • 

  • &gt;= 3.10.12 and &lt; 3.11
    • 

  • &gt;= 3.9.17 and &lt; 3.10
    • 



by :user:gaborbernat. (:issue:3565)


v4.28.0 (2025-07-20)


Features - 4.28.0

  • Added constraints to allow specifying constraints files for all dependencies. (:issue:3550)
  • Allow disabling tox plugins via the TOX_DISABLED_EXTERNAL_PLUGINS environment variable - by :user:gaborbernat. (:issue:3468)

Improved Documentation - 4.28.0

- The ``min_version``/``minversion`` config option is
deprecated in favor of the ``requires`` option. (:issue:`3553`)

v4.27.0 (2025-06-17)


</tr></table>

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index d7dcba418..46ea0fa59 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -97,7 +97,7 @@ isort = "6.0.1" autopep8 = "2.3.2" mypy = "1.17.1" tomli = { version = "2.2.1", python = "<3.11" } -tox = "4.27.0" +tox = "4.28.4" xmldiff = "2.7.0" bandit = "1.8.6" pyupgrade = "3.20.0" From 10f6d322a39ed1a3f7272c55cef2d021963d9bc3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Aug 2025 13:24:53 +0200 Subject: [PATCH 15/76] chore(deps-dev): update deptry requirement from 0.23.0 to 0.23.1 (#866) Updates the requirements on [deptry](https://github.com/fpgmaas/deptry) to permit the latest version.
Release notes

Sourced from deptry's releases.

0.23.1

What's Changed

Bug Fixes

  • Improve handling of TYPE_CHECKING blocks by supporting import typing as t and checking t.TYPE_CHECKING (#1218)
  • Fix missing hyperlink in report output (#1162)

Full Changelog

https://github.com/fpgmaas/deptry/compare/0.23.0...0.23.1

Changelog

Sourced from deptry's changelog.

0.23.1 - 2025-07-30

Bug Fixes

  • Improve handling of TYPE_CHECKING blocks by supporting import typing as t and checking t.TYPE_CHECKING (#1218)
  • Fix missing hyperlink in report output (#1162)

Full Changelog

https://github.com/fpgmaas/deptry/compare/0.23.0...0.23.1

0.23.0 - 2025-01-25

Features

  • Correctly detect transitive dependencies with different module names (#1033)

Full Changelog

https://github.com/fpgmaas/deptry/compare/0.22.0...0.23.0

0.22.0 - 2025-01-10

Poetry 2.0 introduced support for defining project metadata in PEP 621. This is now supported by deptry. Documentation has been updated to detail deptry's behavior.

Features

  • Support PEP 621 in Poetry 2.0+ (#1003)

Full Changelog

https://github.com/fpgmaas/deptry/compare/0.21.2...0.22.0

0.21.2 - 2024-12-19

Miscellaneous

  • Provide wheels for musllinux (#979)

Full Changelog

https://github.com/fpgmaas/deptry/compare/0.21.1...0.21.2

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 46ea0fa59..2734a2f9f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -101,7 +101,7 @@ tox = "4.28.4" xmldiff = "2.7.0" bandit = "1.8.6" pyupgrade = "3.20.0" -deptry = "0.23.0" +deptry = "0.23.1" [tool.semantic_release] # see https://python-semantic-release.readthedocs.io/en/latest/configuration.html From 03567aee51c8b14a4bda05c3eb5dd43a0a899b06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 16:38:41 +0200 Subject: [PATCH 16/76] chore(deps-dev): update coverage requirement from 7.10.1 to 7.10.2 (#871) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [coverage](https://github.com/nedbat/coveragepy) to permit the latest version.
Changelog

Sourced from coverage's changelog.

Version 7.10.2 — 2025-08-03

  • Fix: some code with NOP bytecodes could report missing branches that are actually executed. This is now fixed, closing issue 1999_. Python 3.9 still shows the problem.

.. _issue 1999: nedbat/coveragepy#1999

.. _changes_7-10-1:

Version 7.10.1 — 2025-07-27

  • Fix: the exclusion for if TYPE_CHECKING: was wrong: it marked the branch as partial, but it should have been a line exclusion so the entire clause would be excluded. Improves issue 831_.

  • Fix: changed where .pth files are written for patch = subprocess, closing issue 2006_.

.. _issue 2006: nedbat/coveragepy#2006

.. _changes_7-10-0:

Version 7.10.0 — 2025-07-24

  • A new configuration option: ":ref:config_run_patch" specifies named patches to work around some limitations in coverage measurement. These patches are available:

    • patch = _exit lets coverage save its data even when :func:os._exit() <python:os._exit> is used to abruptly end the process. This closes long-standing issue 310_ as well as its duplicates: issue 312, issue 1673, issue 1845, and issue 1941.

    • patch = subprocess measures coverage in Python subprocesses created with :mod:subprocess, :func:os.system, or one of the :func:execv <python:os.execl> or :func:spawnv <python:os.spawnl> family of functions. Closes old issue 367, its duplicate issue 378 and old issue 689_.

    • patch = execv adjusts the :func:execv <python:os.execl> family of functions to save coverage data before ending the current program and starting the next. Not available on Windows. Closes issue 43_ after 15 years!

... (truncated)

Commits
  • a867852 docs: sample HTML for 7.10.2
  • e7bfabe docs: prep for 7.10.2
  • 5dbd736 test: this test often borks metacov, retry it
  • b7430fa debug: more convenient run_trace.py
  • e2039d0 refactor: less redundancy in branch_trails
  • c177731 fix: see through nop bytecodes to get the right arcs. #1999
  • 7a83ab0 test: don't try to make pth files when invoked from pth #2011
  • 6d8b091 refactor: remove a commented-out line
  • fc507ad test: add a case for an extension-less Python file parse error
  • 05a6e8d test: no need for skip, we already skip windows
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 2734a2f9f..834122e09 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -84,7 +84,7 @@ xml-validation = ["lxml"] [tool.poetry.group.dev.dependencies] ddt = "1.7.2" -coverage = "7.10.1" +coverage = "7.10.2" flake8 = "7.3.0" flake8-annotations = "3.1.1" flake8-bugbear = "24.12.12" From e51a8c99e4e00c2d3720410b3fc40a70fc65a547 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Aug 2025 11:42:20 +0200 Subject: [PATCH 17/76] chore(deps): bump actions/download-artifact from 4 to 5 (#873) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5.
Release notes

Sourced from actions/download-artifact's releases.

v5.0.0

What's Changed

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

  • By name: name: my-artifact → extracted to path/ (direct)
  • By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

  • By name: name: my-artifact → extracted to path/ (unchanged)
  • By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:
  • You download artifacts by name
  • You download multiple artifacts by ID
  • You already use merge-multiple: true as a workaround
⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

</tr></table>

... (truncated)

Commits
  • 634f93c Merge pull request #416 from actions/single-artifact-id-download-path
  • b19ff43 refactor: resolve download path correctly in artifact download tests (mainly ...
  • e262cbe bundle dist
  • bff23f9 update docs
  • fff8c14 fix download path logic when downloading a single artifact by id
  • 448e3f8 Merge pull request #407 from actions/nebuk89-patch-1
  • 47225c4 Update README.md
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 5d77350ac..ef316566c 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -252,7 +252,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* From eedfe08e83076caecf0945db16e789f629de0119 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Aug 2025 14:00:29 +0200 Subject: [PATCH 18/76] chore(deps): bump actions/checkout from 4 to 5 (#875) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: https://github.com/actions/checkout/compare/v4...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: https://github.com/actions/checkout/compare/v4...v4.3.0

v4.2.2

What's Changed

Full Changelog: https://github.com/actions/checkout/compare/v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: https://github.com/actions/checkout/compare/v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

... (truncated)

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 14 +++++++------- .github/workflows/release.yml | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index ef316566c..8f5347e41 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -57,7 +57,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -81,7 +81,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -105,7 +105,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -141,7 +141,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -203,7 +203,7 @@ jobs: git config --global core.eol lf - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment @@ -281,7 +281,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1091da4ed..7e10bf5de 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -70,7 +70,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v5 @@ -105,7 +105,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 From bbd31ffc85d8581e380b7b1e93b06cb3dd12b670 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 2 Sep 2025 17:45:09 +0200 Subject: [PATCH 19/76] test: fix slow tests and add timing reports (#880) Signed-off-by: Jan Kowalleck --- pyproject.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pyproject.toml b/pyproject.toml index 834122e09..535d7fe39 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -102,6 +102,8 @@ xmldiff = "2.7.0" bandit = "1.8.6" pyupgrade = "3.20.0" deptry = "0.23.1" +# for tests, use the GPL-version of jsonschema format validators - they are faster +jsonschema = { version = "*", extras = ["format"], optional=true } [tool.semantic_release] # see https://python-semantic-release.readthedocs.io/en/latest/configuration.html From 6d35f692f40a492a70d6d761dec4f410ecd81738 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 18:05:21 +0200 Subject: [PATCH 20/76] chore(deps-dev): update tox requirement from 4.28.4 to 4.29.0 (#879) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [tox](https://github.com/tox-dev/tox) to permit the latest version.
Release notes

Sourced from tox's releases.

4.29.0

What's Changed

Full Changelog: https://github.com/tox-dev/tox/compare/4.28.4...4.29.0

Changelog

Sourced from tox's changelog.

v4.29.0 (2025-08-29)

Features - 4.29.0

- A new tox life cycle event is now exposed for use via
:doc:`Plugins
  API </plugins>` -- by :user:`webknjaz`.

The corresponding hook point is :func:tox_extend_envs
&lt;tox.plugin.spec.tox_extend_envs&gt;. It allows plugin
authors to
declare ephemeral environments that they can then populate through
the in-memory configuration loader interface.


This patch was made possible thanks to pair programming with
:user:gaborbernat at PyCon US 2025.
(:issue:3510, :issue:3591)


v4.28.4 (2025-07-31)


Features - 4.28.4

  • Pass ssh-agent variables SSH_AGENT_PID and SSH_AUTH_SOCK in pass_env by default.
    • by :user:daniilgankov (:issue:3572)

v4.28.3 (2025-07-25)

No significant changes.

v4.28.2 (2025-07-25)

Bugfixes - 4.28.2

- Don't pass in the filter argument to tar.extractall on old
Python versions - by :user:`gaborbernat`. (:issue:`3568`)

v4.28.1 (2025-07-22)


Bugfixes - 4.28.1

  • Use tarfile.data_filter <https://docs.python.org/3/library/tarfile.html#tarfile.data_filter>_ with extractall only on supported Python versions:

    • >= 3.11.4
    • >= 3.10.12 and < 3.11
    • >= 3.9.17 and < 3.10

    by :user:gaborbernat. (:issue:3565)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 535d7fe39..bfc6c6fb8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -97,7 +97,7 @@ isort = "6.0.1" autopep8 = "2.3.2" mypy = "1.17.1" tomli = { version = "2.2.1", python = "<3.11" } -tox = "4.28.4" +tox = "4.29.0" xmldiff = "2.7.0" bandit = "1.8.6" pyupgrade = "3.20.0" From 98c9a6395e867959dc1973d446e9bb3600d1b311 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 18:05:32 +0200 Subject: [PATCH 21/76] chore(deps-dev): update coverage requirement from 7.10.2 to 7.10.6 (#878) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [coverage](https://github.com/nedbat/coveragepy) to permit the latest version.
Changelog

Sourced from coverage's changelog.

Version 7.10.6 — 2025-08-29

  • Fix: source directories were not properly communicated to subprocesses that ran in different directories, as reported in issue 1499_. This is now fixed.

  • Performance: Alex Gaynor continues fine-tuning <pull 2038_>_ the speed of combination, especially with many contexts.

.. _issue 1499: nedbat/coveragepy#1499 .. _pull 2038: nedbat/coveragepy#2038

.. _changes_7-10-5:

Version 7.10.5 — 2025-08-23

  • Big speed improvements for coverage combine: it's now about twice as fast! Huge thanks to Alex Gaynor for pull requests 2032 <pull 2032_>, 2033 <pull 2033_>, and 2034 <pull 2034_>_.

.. _pull 2032: nedbat/coveragepy#2032 .. _pull 2033: nedbat/coveragepy#2033 .. _pull 2034: nedbat/coveragepy#2034

.. _changes_7-10-4:

Version 7.10.4 — 2025-08-16

  • Added patch = fork for times when the built-in forking support is insufficient.

  • Fix: patch = execv also inherits the entire coverage configuration now.

.. _changes_7-10-3:

Version 7.10.3 — 2025-08-10

  • Fixes for patch = subprocess:

    • If subprocesses spawned yet more subprocesses simultaneously, some coverage could be missed. This is now fixed, closing issue 2024_.

    • If subprocesses were created in other directories, their data files were

... (truncated)

Commits
  • 88c55ff docs: sample HTML for 7.10.6
  • 01d8995 docs: prep for 7.10.6
  • 9b0c24f docs: thanks Alex #2038
  • 66d6910 fix: make source paths absolute where they exist. #1499
  • bb3382f build: no need for the combine/html times now
  • 9ea349a lab: warn_executed.py
  • 808c9b4 build: changing metacov.ini should trigger metacov
  • 384f5f2 build: oops, some 'if's are really line pragmas
  • a7224af perf: pre-compute the mapping between other_db.context and main.context (#2038)
  • 5c00c5b chore: bump the action-dependencies group with 3 updates (#2039)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index bfc6c6fb8..212bdd0ee 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -84,7 +84,7 @@ xml-validation = ["lxml"] [tool.poetry.group.dev.dependencies] ddt = "1.7.2" -coverage = "7.10.2" +coverage = "7.10.6" flake8 = "7.3.0" flake8-annotations = "3.1.1" flake8-bugbear = "24.12.12" From 631fbf3e3c85c89e7e7496605bf0208d4b280c2c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Sep 2025 18:44:01 +0200 Subject: [PATCH 22/76] chore(deps): bump actions/setup-python from 5 to 6 (#882) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6.
Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

Full Changelog: https://github.com/actions/setup-python/compare/v5...v6.0.0

v5.6.0

What's Changed

Full Changelog: https://github.com/actions/setup-python/compare/v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

Bug fixes:

... (truncated)

Commits
  • e797f83 Upgrade to node 24 (#1164)
  • 3d1e2d2 Revert "Enhance cache-dependency-path handling to support files outside the w...
  • 65b0712 Clarify pythonLocation behavior for PyPy and GraalPy in environment variables...
  • 5b668cf Bump actions/checkout from 4 to 5 (#1181)
  • f62a0e2 Change missing cache directory error to warning (#1182)
  • 9322b3c Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIn...
  • fbeb884 Bump form-data to fix critical vulnerabilities #182 & #183 (#1163)
  • 03bb615 Bump idna from 2.9 to 3.7 in /tests/data (#843)
  • 36da51d Add version parsing from Pipfile (#1067)
  • 3c6f142 update documentation (#1156)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-python&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 14 +++++++------- .github/workflows/release.yml | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 8f5347e41..d5f57463d 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -36,7 +36,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -60,7 +60,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -84,7 +84,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -108,7 +108,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -144,7 +144,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} architecture: 'x64' @@ -208,7 +208,7 @@ jobs: run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} architecture: 'x64' @@ -284,7 +284,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '>=3.9 <=3.13' # supported version range - name: Validate Python Environment diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7e10bf5de..81b306bfa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -73,7 +73,7 @@ jobs: uses: actions/checkout@v5 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' @@ -111,7 +111,7 @@ jobs: - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' From 505a85d6a8e397e16ea9b6acb3c4807f5070de8f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 13:27:44 +0200 Subject: [PATCH 23/76] chore(deps-dev): update tox requirement from 4.29.0 to 4.30.2 (#884) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [tox](https://github.com/tox-dev/tox) to permit the latest version.
Release notes

Sourced from tox's releases.

4.30.2

What's Changed

Full Changelog: https://github.com/tox-dev/tox/compare/4.30.1...4.30.2

Changelog

Sourced from tox's changelog.

v4.30.2 (2025-09-04)

Bugfixes - 4.30.2

- Previously, when tox ran in an automatically provisioned
environment, it could hang waiting for a PEP 517 build backend
if used in conjunction with the ``--installpkg`` option. This has been
fixed by properly tearing down the automatically
  provisioned environment after the tests.
  - by :user:`vytas7` (:issue:`3600`)

v4.30.1 (2025-09-03)


Bugfixes - 4.30.1

  • Prevent tox from hanging upon exit due to orphaned build threads and subprocesses when the --installpkg option is used with sdist.
    • by :user:vytas7 (:issue:3530)

v4.30.0 (2025-09-03)

Features - 4.30.0

- Add ``__TOX_ENVIRONMENT_VARIABLE_ORIGINAL_CI``, which
passes through the ``CI`` variable if present. This is intended for use
by other libraries to detect if tox is running under CI. (:issue:`3442`)

Bugfixes - 4.30.0

  • Makes the error message more clear when pyproject.toml file cannot be loaded or is missing expected keys. (:issue:3578)

  • The :func:tox_extend_envs() hook <tox.plugin.spec.tox_extend_envs> recently added in :pull:3591 turned out to not work well with tox run. It was fixed internally, not to exhaust the underlying iterator on the first use.

    -- by :user:webknjaz (:issue:3598)

v4.29.0 (2025-08-29)

Features - 4.29.0

- A new tox life cycle event is now exposed for use via
:doc:`Plugins
  API </plugins>` -- by :user:`webknjaz`.

The corresponding hook point is :func:tox_extend_envs
&lt;tox.plugin.spec.tox_extend_envs&gt;. It allows plugin
authors to
declare ephemeral environments that they can then populate through
the in-memory configuration loader interface.


</tr></table>

... (truncated)

Commits
  • 5e0784a release 4.30.2
  • 64e8a34 Bump pypa/gh-action-pypi-publish in /.github/workflows (#3604)
  • 7230088 Ensure automatically provisioned environment is torn down (#3601)
  • 2c31dbc Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 (#3603)
  • b33a43c release 4.30.1
  • 9ea1c32 Prevent Tox from hanging with --installpkg sdist due to orphaned build back...
  • aa90652 release 4.30.0
  • 48fecab Ensure tox_extend_envs list can be read twice (#3598)
  • 0b8f66f fix: provide clear messaging about config file loading (#3578)
  • adf0997 Add a "version added" note for tox_extend_envs (#3595)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 212bdd0ee..e9c12e879 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -97,7 +97,7 @@ isort = "6.0.1" autopep8 = "2.3.2" mypy = "1.17.1" tomli = { version = "2.2.1", python = "<3.11" } -tox = "4.29.0" +tox = "4.30.2" xmldiff = "2.7.0" bandit = "1.8.6" pyupgrade = "3.20.0" From 876a36416d4ea82ec493893c89d9ac0bb6e0d95f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 9 Sep 2025 11:30:29 +0200 Subject: [PATCH 24/76] feat: Updating SPDX license list to 3.27.0 (#885) Signed-off-by: Jan Kowalleck --- .../schema/_res/spdx.SNAPSHOT.schema.json | 23 +++- cyclonedx/schema/_res/spdx.SNAPSHOT.xsd | 107 +++++++++++++++++- 2 files changed, 128 insertions(+), 2 deletions(-) diff --git a/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json b/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json index 552c631f2..1e49a6d9e 100644 --- a/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/spdx.SNAPSHOT.schema.json @@ -1,7 +1,7 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/spdx.schema.json", - "$comment": "v1.0-3.26.0", + "$comment": "v1.0-3.27.0", "type": "string", "enum": [ "0BSD", @@ -51,6 +51,8 @@ "Artistic-1.0-cl8", "Artistic-1.0-Perl", "Artistic-2.0", + "Artistic-dist", + "Aspell-RU", "ASWF-Digital-Assets-1.0", "ASWF-Digital-Assets-1.1", "Baekmuk", @@ -76,6 +78,7 @@ "BSD-2-Clause-FreeBSD", "BSD-2-Clause-NetBSD", "BSD-2-Clause-Patent", + "BSD-2-Clause-pkgconf-disclaimer", "BSD-2-Clause-Views", "BSD-3-Clause", "BSD-3-Clause-acpica", @@ -208,6 +211,7 @@ "CPOL-1.02", "Cronyx", "Crossword", + "CryptoSwift", "CrystalStacker", "CUA-OPL-1.0", "Cube", @@ -219,6 +223,7 @@ "DL-DE-BY-2.0", "DL-DE-ZERO-2.0", "DOC", + "DocBook-DTD", "DocBook-Schema", "DocBook-Stylesheet", "DocBook-XML", @@ -257,10 +262,14 @@ "FSFAP-no-warranty-disclaimer", "FSFUL", "FSFULLR", + "FSFULLRSD", "FSFULLRWD", + "FSL-1.1-ALv2", + "FSL-1.1-MIT", "FTL", "Furuseth", "fwlw", + "Game-Programming-Gems", "GCR-docs", "GD", "generic-xts", @@ -315,6 +324,7 @@ "gtkbook", "Gutmann", "HaskellReport", + "HDF5", "hdparm", "HIDAPI", "Hippocratic-2.1", @@ -365,6 +375,7 @@ "ISC-Veillard", "Jam", "JasPer-2.0", + "jove", "JPL-image", "JPNIC", "JSON", @@ -390,6 +401,7 @@ "LGPL-3.0-or-later", "LGPLLR", "Libpng", + "libpng-1.6.35", "libpng-2.0", "libselinux-1.0", "libtiff", @@ -420,6 +432,7 @@ "magaz", "mailprio", "MakeIndex", + "man2html", "Martin-Birgmeier", "McPhee-slideshow", "metamail", @@ -470,6 +483,7 @@ "NetCDF", "Newsletr", "NGPL", + "ngrep", "NICTA-1.0", "NIST-PD", "NIST-PD-fallback", @@ -484,6 +498,7 @@ "NPL-1.1", "NPOSL-3.0", "NRL", + "NTIA-PD", "NTP", "NTP-0", "Nunit", @@ -596,6 +611,7 @@ "SMPPL", "SNIA", "snprintf", + "SOFA", "softSurfer", "Soundex", "Spencer-86", @@ -609,6 +625,7 @@ "SSPL-1.0", "StandardML-NJ", "SugarCRM-1.1.3", + "SUL-1.0", "Sun-PPP", "Sun-PPP-2000", "SunPro", @@ -643,6 +660,8 @@ "Unicode-TOU", "UnixCrypt", "Unlicense", + "Unlicense-libtelnet", + "Unlicense-libwhirlpool", "UPL-1.0", "URT-RLE", "Vim", @@ -699,6 +718,7 @@ "Classpath-exception-2.0", "CLISP-exception-2.0", "cryptsetup-OpenSSL-exception", + "Digia-Qt-LGPL-exception-1.1", "DigiRule-FOSS-exception", "eCos-exception-2.0", "erlang-otp-linking-exception", @@ -741,6 +761,7 @@ "OpenJDK-assembly-exception-1.0", "openvpn-openssl-exception", "PCRE2-exception", + "polyparse-exception", "PS-or-PDF-font-exception-20170817", "QPL-1.0-INRIA-2004-exception", "Qt-GPL-exception-1.0", diff --git a/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd b/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd index 6e90a9e43..41a27b02d 100644 --- a/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/spdx.SNAPSHOT.xsd @@ -2,7 +2,7 @@ + version="1.0-3.27.0"> @@ -242,6 +242,16 @@ Artistic License 2.0 + + + Artistic License 1.0 (dist) + + + + + Aspell Russian License + + ASWF Digital Assets License version 1.0 @@ -367,6 +377,11 @@ BSD-2-Clause Plus Patent License + + + BSD 2-Clause pkgconf disclaimer variant + + BSD 2-Clause with views sentence @@ -1027,6 +1042,11 @@ Crossword License + + + CryptoSwift License + + CrystalStacker License @@ -1082,6 +1102,11 @@ DOC License + + + DocBook DTD License + + DocBook Schema License @@ -1272,11 +1297,26 @@ FSF Unlimited License (with License Retention) + + + FSF Unlimited License (with License Retention and Short Disclaimer) + + FSF Unlimited License (With License Retention and Warranty Disclaimer) + + + Functional Source License, Version 1.1, ALv2 Future License + + + + + Functional Source License, Version 1.1, MIT Future License + + Freetype Project License @@ -1292,6 +1332,11 @@ fwlw License + + + Game Programming Gems License + + Gnome GCR Documentation License @@ -1562,6 +1607,11 @@ Haskell Language Report License + + + HDF5 License + + hdparm License @@ -1812,6 +1862,11 @@ JasPer License + + + Jove License + + JPL Image Use Policy @@ -1937,6 +1992,11 @@ libpng License + + + PNG Reference Library License v1 (for libpng 0.5 through 1.6.35) + + PNG Reference Library version 2 @@ -2087,6 +2147,11 @@ MakeIndex License + + + man2html License + + Martin Birgmeier License @@ -2337,6 +2402,11 @@ Nethack General Public License + + + ngrep License + + NICTA Public Software License, Version 1.0 @@ -2407,6 +2477,11 @@ NRL License + + + NTIA Public Domain Notice + + NTP License @@ -2967,6 +3042,11 @@ snprintf License + + + SOFA Software License + + softSurfer License @@ -3032,6 +3112,11 @@ SugarCRM Public License v1.1.3 + + + Sustainable Use License v1.0 + + Sun PPP License @@ -3202,6 +3287,16 @@ The Unlicense + + + Unlicense - libtelnet variant + + + + + Unlicense - libwhirlpool variant + + Universal Permissive License v1.0 @@ -3483,6 +3578,11 @@ cryptsetup OpenSSL exception + + + Digia Qt LGPL Exception version 1.1 + + DigiRule FOSS License Exception @@ -3693,6 +3793,11 @@ PCRE2 exception + + + Polyparse Exception + + PS/PDF font exception (2017-08-17) From 6e77bf7b7657e01c6c0c167860b2fe2d605c9920 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Tue, 9 Sep 2025 09:37:04 +0000 Subject: [PATCH 25/76] chore(release): 11.1.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 27 +++++++++++++++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 30 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index afc604044..ef3966f0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,33 @@ +## v11.1.0 (2025-09-09) + +### Documentation + +- Shorten lines + ([`5621705`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/5621705fef98e0d5a510af22f8ece16c8f2f1e76)) + +- Update CDX spec links ([#858](https://github.com/CycloneDX/cyclonedx-python-lib/pull/858), + [`ba0b5c0`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/ba0b5c092cd4c5761e3b00e808506e7ba71de3a8)) + +- Update linked CDX spec ([#860](https://github.com/CycloneDX/cyclonedx-python-lib/pull/860), + [`0ecdaa8`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0ecdaa8eff200dce74e1fee8202807ab273b6971)) + +- Update linked XML spec ([#857](https://github.com/CycloneDX/cyclonedx-python-lib/pull/857), + [`ea627ec`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/ea627ec8fa3e8e19a2a8f4a618c9b084922e025f)) + +### Features + +- Add BomRefs for known models according to CycloneDX 1.5 + ([#859](https://github.com/CycloneDX/cyclonedx-python-lib/pull/859), + [`0898cf7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0898cf76f1ad97a49cb438fe2130a86a59f8c150)) + +- Updating SPDX license list to 3.27.0 + ([#885](https://github.com/CycloneDX/cyclonedx-python-lib/pull/885), + [`876a364`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/876a36416d4ea82ec493893c89d9ac0bb6e0d95f)) + + ## v11.0.0 (2025-07-21) ### Features diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index bcb6c496a..fb942ee65 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.0.0" # noqa:Q000 +__version__ = "11.1.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 6a2f394d8..8092493f0 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.0.0' +release = '11.1.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index e9c12e879..ec15e39bc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.0.0" +version = "11.1.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From ac063616c4025be336c3cc3a1d9d7432b2ab7ea3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Sep 2025 08:58:05 +0200 Subject: [PATCH 26/76] chore(deps-dev): update mypy requirement from 1.17.1 to 1.18.1 (#889) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.18

We’ve just uploaded mypy 1.18 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Mypy Performance Improvements

Mypy 1.18 includes numerous performance improvements, resulting in about 40% speedup compared to 1.17 when type checking mypy itself. In extreme cases, the improvement can be 10x or higher. The list below is an overview of the various mypy optimizations. Many mypyc improvements (discussed in a separate section below) also improve performance.

Type caching optimizations have a small risk of causing regressions. When reporting issues with unexpected inferred types, please also check if --disable-expression-cache will work around the issue, as it turns off some of these optimizations.

  • Improve self check performance by 1.8% (Jukka Lehtosalo, PR 19768, 19769, 19770)
  • Optimize fixed-format deserialization (Ivan Levkivskyi, PR 19765)
  • Use macros to optimize fixed-format deserialization (Ivan Levkivskyi, PR 19757)
  • Two additional micro‑optimizations (Ivan Levkivskyi, PR 19627)
  • Another set of micro‑optimizations (Ivan Levkivskyi, PR 19633)
  • Cache common types (Ivan Levkivskyi, PR 19621)
  • Skip more method bodies in third‑party libraries for speed (Ivan Levkivskyi, PR 19586)
  • Simplify the representation of callable types (Ivan Levkivskyi, PR 19580)
  • Add cache for types of some expressions (Ivan Levkivskyi, PR 19505)
  • Use cache for dictionary expressions (Ivan Levkivskyi, PR 19536)
  • Use cache for binary operations (Ivan Levkivskyi, PR 19523)
  • Cache types of type objects (Ivan Levkivskyi, PR 19514)
  • Avoid duplicate work when checking boolean operations (Ivan Levkivskyi, PR 19515)
  • Optimize generic inference passes (Ivan Levkivskyi, PR 19501)
  • Speed up the default plugin (Jukka Lehtosalo, PRs 19385 and 19462)
  • Remove nested imports from the default plugin (Ivan Levkivskyi, PR 19388)
  • Micro‑optimize type expansion (Jukka Lehtosalo, PR 19461)
  • Micro‑optimize type indirection (Jukka Lehtosalo, PR 19460)
  • Micro‑optimize the plugin framework (Jukka Lehtosalo, PR 19464)
  • Avoid temporary set creation in subtype checking (Jukka Lehtosalo, PR 19463)
  • Subtype checking micro‑optimization (Jukka Lehtosalo, PR 19384)
  • Return early where possible in subtype check (Stanislav Terliakov, PR 19400)
  • Deduplicate some types before joining (Stanislav Terliakov, PR 19409)
  • Speed up type checking by caching argument inference context (Jukka Lehtosalo, PR 19323)

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | mypy | [>= 0.971.a, < 0.972] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index ec15e39bc..450816bb1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -95,7 +95,7 @@ flake8-use-fstring = "1.4" pep8-naming = "0.15.1" isort = "6.0.1" autopep8 = "2.3.2" -mypy = "1.17.1" +mypy = "1.18.1" tomli = { version = "2.2.1", python = "<3.11" } tox = "4.30.2" xmldiff = "2.7.0" From 72a3e75850432a0eeb0806a5332107fb689ceb28 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 10:04:22 +0200 Subject: [PATCH 27/76] chore(deps-dev): update mypy requirement from 1.18.1 to 1.18.2 (#890) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
Changelog

Sourced from mypy's changelog.

Mypy 1.18.2

  • Fix crash on recursive alias (Ivan Levkivskyi, PR 19845)
  • Add additional guidance for stubtest errors when runtime is object.__init__ (Stephen Morton, PR 19733)
  • Fix handling of None values in f-string expressions in mypyc (BobTheBuidler, PR 19846)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

  • Ali Hamdan
  • Anthony Sottile
  • BobTheBuidler
  • Brian Schubert
  • Chainfire
  • Charlie Denton
  • Christoph Tyralla
  • CoolCat467
  • Daniel Hnyk
  • Emily
  • Emma Smith
  • Ethan Sarp
  • Ivan Levkivskyi
  • Jahongir Qurbonov
  • Jelle Zijlstra
  • Joren Hammudoglu
  • Jukka Lehtosalo
  • Marc Mueller
  • Omer Hadari
  • Piotr Sawicki
  • PrinceNaroliya
  • Randolf Scholz
  • Robsdedude
  • Saul Shanabrook
  • Shantanu
  • Stanislav Terliakov
  • Stephen Morton
  • wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.17

We’ve just uploaded mypy 1.17 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

... (truncated)

Commits
  • df05f05 remove +dev from version
  • 01a7a12 Update changelog for 1.18.2 (#19873)
  • ca5abf0 Typeshed cherry-pick: Make type of unitest.mock.Any a subclass of Any (#1...
  • 9d794b5 [mypyc] fix: inappropriate Nones in f-strings (#19846)
  • 2c0510c stubtest: additional guidance on errors when runtime is object.init (#19733)
  • 2f3f03c Bump version to 1.18.2+dev for point release
  • 7669841 Fix crash on recursive alias in indirection.py (#19845)
  • See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | mypy | [>= 0.971.a, < 0.972] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 450816bb1..a16605fea 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -95,7 +95,7 @@ flake8-use-fstring = "1.4" pep8-naming = "0.15.1" isort = "6.0.1" autopep8 = "2.3.2" -mypy = "1.18.1" +mypy = "1.18.2" tomli = { version = "2.2.1", python = "<3.11" } tox = "4.30.2" xmldiff = "2.7.0" From 92398a2fa06374f5dd29a5f76466270ba38c4503 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 16:14:24 +0200 Subject: [PATCH 28/76] chore(deps-dev): update coverage requirement from 7.10.6 to 7.10.7 (#891) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [coverage](https://github.com/nedbat/coveragepy) to permit the latest version.
Changelog

Sourced from coverage's changelog.

Version 7.10.7 — 2025-09-21

  • Performance: with branch coverage in large files, generating HTML, JSON, or LCOV reports could take far too long due to some quadratic behavior when creating the function and class index pages. This is now fixed, closing issue 2048_. Thanks to Daniel Diniz for help diagnosing the problem.

  • Most warnings and a few errors now have links to a page in the docs explaining the specific message. Closes issue 1921_.

.. _issue 1921: nedbat/coveragepy#1921 .. _issue 2048: nedbat/coveragepy#2048

.. _changes_7-10-6:

Version 7.10.6 — 2025-08-29

  • Fix: source directories were not properly communicated to subprocesses that ran in different directories, as reported in issue 1499_. This is now fixed.

  • Performance: Alex Gaynor continues fine-tuning <pull 2038_>_ the speed of combination, especially with many contexts.

.. _issue 1499: nedbat/coveragepy#1499 .. _pull 2038: nedbat/coveragepy#2038

.. _changes_7-10-5:

Version 7.10.5 — 2025-08-23

  • Big speed improvements for coverage combine: it's now about twice as fast! Huge thanks to Alex Gaynor for pull requests 2032 <pull 2032_>, 2033 <pull 2033_>, and 2034 <pull 2034_>_.

.. _pull 2032: nedbat/coveragepy#2032 .. _pull 2033: nedbat/coveragepy#2033 .. _pull 2034: nedbat/coveragepy#2034

.. _changes_7-10-4:

Version 7.10.4 — 2025-08-16

... (truncated)

Commits
  • 92a2af5 docs: sample HTML for 7.10.7
  • 952afda docs: prep for 7.10.7
  • a301761 build: riscv64 wheels (#2055)
  • 5daff8d docs: now source is formatted with ruff
  • 04bbc3a docs: discuss cog in the contributing docs
  • c181b93 build: use cog --check-fail-msg to instruct devs
  • 33c4ba1 chore: make upgrade
  • 0744b73 chore: bump the action-dependencies group across 1 directory with 2 updates (...
  • 0d5a112 perf: bulk narrowing to avoid N**2. #2048
  • a868ed9 docs: mention Python Discord on the index page
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index a16605fea..c1310e012 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -84,7 +84,7 @@ xml-validation = ["lxml"] [tool.poetry.group.dev.dependencies] ddt = "1.7.2" -coverage = "7.10.6" +coverage = "7.10.7" flake8 = "7.3.0" flake8-annotations = "3.1.1" flake8-bugbear = "24.12.12" From d8a24b788d10dac65ec579c106c6a421b9644b76 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 15 Oct 2025 10:24:02 +0200 Subject: [PATCH 29/76] docs: add Changelog to project urls Signed-off-by: Jan Kowalleck --- pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/pyproject.toml b/pyproject.toml index c1310e012..5ad16479d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -63,6 +63,7 @@ keywords = [ ] [tool.poetry.urls] +"Changelog" = "https://github.com/CycloneDX/cyclonedx-python-lib/releases" "Bug Tracker" = "https://github.com/CycloneDX/cyclonedx-python-lib/issues" "Funding" = "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX" From 267672b637c23ebb7f69ccf7c1109f2b874f4b96 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 15 Oct 2025 15:24:29 +0200 Subject: [PATCH 30/76] feat: support Python 3.14 (#897) Signed-off-by: Jan Kowalleck --- .github/workflows/python.yml | 7 ++++--- pyproject.toml | 1 + 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index d5f57463d..9925ff189 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -132,7 +132,7 @@ jobs: include: - # test with the latest dependencies os: ubuntu-latest - python-version: '3.13' + python-version: '3.14' toxenv-factors: '-current' - # test with the lowest dependencies os: ubuntu-latest @@ -170,7 +170,8 @@ jobs: - macos-latest - windows-latest python-version: - - "3.13" # highest supported + - "3.14" # highest supported + - "3.13" - "3.12" - "3.11" - "3.10" @@ -286,7 +287,7 @@ jobs: # see https://github.com/actions/setup-python uses: actions/setup-python@v6 with: - python-version: '>=3.9 <=3.13' # supported version range + python-version: '>=3.9 <=3.14' # supported version range - name: Validate Python Environment shell: python run: | diff --git a/pyproject.toml b/pyproject.toml index 5ad16479d..6c76a3cae 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -52,6 +52,7 @@ classifiers = [ 'Programming Language :: Python :: 3.11', 'Programming Language :: Python :: 3.12', 'Programming Language :: Python :: 3.13', + 'Programming Language :: Python :: 3.14', 'Typing :: Typed', ] keywords = [ From 5d6d34ece557e5419133f4755ae7a74b987cbe7a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 15:25:13 +0200 Subject: [PATCH 31/76] chore(deps-dev): update isort requirement from 6.0.1 to 6.1.0 (#894) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [isort](https://github.com/PyCQA/isort) to permit the latest version.
Release notes

Sourced from isort's releases.

6.1.0

Changes

:construction_worker: Continuous Integration

:package: Dependencies

Changelog

Sourced from isort's changelog.

Changelog

NOTE: isort follows the semver versioning standard. Find out more about isort's release policy here.

5.13.2 December 13 2023

5.13.1 December 11 2023

5.13.0 December 9 2023

5.12.0 January 28 2023

  • Removed support for Python 3.7
  • Fixed incompatiblity with latest poetry version
  • Added support for directory limitations within built in git hook

... (truncated)

Commits
  • ec0efae Merge pull request #2410 from PyCQA/docs/discussion
  • 8af675f Update docs discussions channel
  • a03dae8 Merge pull request #2409 from PyCQA/build/py314-classifier
  • 2232a26 Add python 3.14 classifier and badge
  • ec48dd7 Merge pull request #2405 from dvarrazzo/fix/drop-pkg-resources
  • be46cd4 refactor: make importlib metadata package import lazy
  • 18ecd0c chore: drop branch guarding unsupported Python versions
  • 1d42e56 fix: drop use of non-standard pkg_resources API
  • 0c8fc82 Merge pull request #2406 from PyCQA/dependabot/github_actions/github-actions-...
  • 3478763 Bump actions/checkout from 4 to 5 in the github-actions group
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 6c76a3cae..2cf4bbbe5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -95,7 +95,7 @@ flake8-isort = "6.1.2" flake8-quotes = "3.4.0" flake8-use-fstring = "1.4" pep8-naming = "0.15.1" -isort = "6.0.1" +isort = "6.1.0" autopep8 = "2.3.2" mypy = "1.18.2" tomli = { version = "2.2.1", python = "<3.11" } From b6e8cd5867fe40fee36cd09702de349d7fa7e226 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 15:25:53 +0200 Subject: [PATCH 32/76] chore(deps-dev): update tox requirement from 4.30.2 to 4.30.3 (#893) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [tox](https://github.com/tox-dev/tox) to permit the latest version.
Release notes

Sourced from tox's releases.

4.30.3

What's Changed

New Contributors

Full Changelog: https://github.com/tox-dev/tox/compare/4.30.2...4.30.3

Changelog

Sourced from tox's changelog.

v4.30.3 (2025-10-02)

Bugfixes - 4.30.3

- Fix incorrect type annotation in
``PythonPathPackageWithDeps.__init__()``
  where ``deps`` was annotated as ``Sequence[Package]`` but should be
``Sequence[Requirement]`` to match actual runtime usage - by
:user:`PreistlyPython` (:issue:`3607`)
- Fix ``None`` appearing as the config filename in error output
when the user's default config file is corrupt. - by :user:`kurtmckee`
(:issue:`3611`)

v4.30.2 (2025-09-04)


Bugfixes - 4.30.2

  • Previously, when tox ran in an automatically provisioned environment, it could hang waiting for a PEP 517 build backend if used in conjunction with the --installpkg option. This has been fixed by properly tearing down the automatically provisioned environment after the tests.
    • by :user:vytas7 (:issue:3600)

v4.30.1 (2025-09-03)

Bugfixes - 4.30.1

- Prevent tox from hanging upon exit due to orphaned build
threads and subprocesses when the ``--installpkg`` option is
  used with *sdist*.
  - by :user:`vytas7` (:issue:`3530`)

v4.30.0 (2025-09-03)


Features - 4.30.0

  • Add __TOX_ENVIRONMENT_VARIABLE_ORIGINAL_CI, which passes through the CI variable if present. This is intended for use by other libraries to detect if tox is running under CI. (:issue:3442)

Bugfixes - 4.30.0

- Makes the error message more clear when pyproject.toml file
cannot be loaded
  or is missing expected keys. (:issue:`3578`)
- The :func:`tox_extend_envs() hook
<tox.plugin.spec.tox_extend_envs>`
  recently added in :pull:`3591` turned out to not work well with
  ``tox run``. It was fixed internally, not to exhaust the underlying
  iterator on the first use.

-- by :user:webknjaz (:issue:3598)


v4.29.0 (2025-08-29)


</tr></table>

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 2cf4bbbe5..42e7fde8b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -99,7 +99,7 @@ isort = "6.1.0" autopep8 = "2.3.2" mypy = "1.18.2" tomli = { version = "2.2.1", python = "<3.11" } -tox = "4.30.2" +tox = "4.30.3" xmldiff = "2.7.0" bandit = "1.8.6" pyupgrade = "3.20.0" From f812b8497f346431c1ce059b3e11d92669edec25 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 15:27:01 +0200 Subject: [PATCH 33/76] chore(deps-dev): update pyupgrade requirement from 3.20.0 to 3.21.0 (#896) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Updates the requirements on [pyupgrade](https://github.com/asottile/pyupgrade) to permit the latest version.
Commits
  • f90119b v3.21.0
  • 8a237c9 Merge pull request #1034 from asottile/py314
  • 6f1d9c5 regenerate symbols for --py314-plus
  • 70fcfb4 Merge pull request #1033 from asottile/pre-commit-ci-update-config
  • 5b443e0 [pre-commit.ci] pre-commit autoupdate
  • c02489c Merge pull request #1031 from asottile/pre-commit-ci-update-config
  • fe2ab32 [pre-commit.ci] pre-commit autoupdate
  • 1b2ebe8 Merge pull request #1029 from asottile/pre-commit-ci-update-config
  • 97f5982 [pre-commit.ci] pre-commit autoupdate
  • 7da659f Merge pull request #1025 from asottile/pre-commit-ci-update-config
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 42e7fde8b..eef96e297 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -102,7 +102,7 @@ tomli = { version = "2.2.1", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" bandit = "1.8.6" -pyupgrade = "3.20.0" +pyupgrade = "3.21.0" deptry = "0.23.1" # for tests, use the GPL-version of jsonschema format validators - they are faster jsonschema = { version = "*", extras = ["format"], optional=true } From 3587094baf1d2b880658bd2df521ba49030b255a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 15:33:10 +0200 Subject: [PATCH 34/76] chore(deps-dev): update tomli requirement from 2.2.1 to 2.3.0 (#895) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [tomli](https://github.com/hukkin/tomli) to permit the latest version.
Changelog

Sourced from tomli's changelog.

2.3.0

  • Added
    • Binary wheels for Python 3.14 (also free-threaded)
  • Performance
    • Reduced import time

2.2.1

  • Fixed
    • Don't attempt to compile binary wheels for Python 3.8, 3.9 and 3.10 where cibuildwheel depends on a conflicting Tomli version

2.2.0

  • Added
    • mypyc generated binary wheels for common platforms

2.1.0

  • Deprecated
    • Instantiating TOMLDecodeError with free-form arguments. msg, doc and pos arguments should be given.
  • Added
    • msg, doc, pos, lineno and colno attributes to TOMLDecodeError

2.0.2

  • Removed
    • Python 3.7 support
  • Improved
    • Make loads raise TypeError not AttributeError on bad input types that do not have the replace attribute. Improve error message when bytes is received.
  • Type annotations
    • Type annotate load input as typing.IO[bytes] (previously typing.BinaryIO).

2.0.1

  • Improved
    • Make bundling easier by using relative imports internally and adding license and copyright notice to source files.
    • Make error messages more uniform
    • Raise a friendly TypeError for wrong file mode
    • Allow parse_float to return objects having the append attr
    • Eagerly raise an error if parse_float returns an illegal type
  • Packaging
    • Move from pytest testing framework to unittest and remove python-dateutil test dependency. Tests now only require Python interpreter.

1.2.3

  • Fixed

... (truncated)

Commits
  • 3fccd16 Bump version: 2.2.1 → 2.3.0
  • 6504016 Add 2.3.0 changelog
  • 0bc66fc Remove now off-by-default PyPy from cibuildwheel skip list
  • 0aa242f Update license metadata to appease PEP 639
  • a18221e Bump GitHub CI actions
  • 6fa4d90 [pre-commit.ci] pre-commit autoupdate (#260)
  • b974fa1 [pre-commit.ci] pre-commit autoupdate (#248)
  • f574f36 Update mypy to 1.15 and use --strict mode (#257)
  • 1da01ef Reduce import time by removing typing import (#251)
  • 4188188 Reduce import time by removing string and tomli._types imports
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index eef96e297..d83703418 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -98,7 +98,7 @@ pep8-naming = "0.15.1" isort = "6.1.0" autopep8 = "2.3.2" mypy = "1.18.2" -tomli = { version = "2.2.1", python = "<3.11" } +tomli = { version = "2.3.0", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" bandit = "1.8.6" From 9f7bdc8071ed2afbf01f5e587d2a41402e34cb9b Mon Sep 17 00:00:00 2001 From: semantic-release Date: Wed, 15 Oct 2025 13:44:34 +0000 Subject: [PATCH 35/76] chore(release): 11.2.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 13 +++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ef3966f0f..3983d2a89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,19 @@ +## v11.2.0 (2025-10-15) + +### Documentation + +- Add Changelog to project urls + ([`d8a24b7`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/d8a24b788d10dac65ec579c106c6a421b9644b76)) + +### Features + +- Support Python 3.14 ([#897](https://github.com/CycloneDX/cyclonedx-python-lib/pull/897), + [`267672b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/267672b637c23ebb7f69ccf7c1109f2b874f4b96)) + + ## v11.1.0 (2025-09-09) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index fb942ee65..dc2feb857 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.1.0" # noqa:Q000 +__version__ = "11.2.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 8092493f0..92a8bce06 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.1.0' +release = '11.2.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index d83703418..ecd1f75fc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.1.0" +version = "11.2.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From 0f1734873872429232eca52da605b151a1850bb5 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 15 Oct 2025 15:53:00 +0200 Subject: [PATCH 36/76] ci: use py314 per default (#898) Signed-off-by: Jan Kowalleck --- .github/workflows/python.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 9925ff189..f78d975d5 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -21,7 +21,7 @@ permissions: {} env: REPORTS_DIR: CI_reports - PYTHON_VERSION_DEFAULT: "3.11" + PYTHON_VERSION_DEFAULT: "3.14" POETRY_VERSION: "1.8.1" TESTS_REPORTS_ARTIFACT: tests-reports diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81b306bfa..b32afec33 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ concurrency: permissions: {} env: - PYTHON_VERSION_DEFAULT: "3.11" + PYTHON_VERSION_DEFAULT: "3.14" POETRY_VERSION: "1.8.1" jobs: From 9425c67557a3f547c64cd740e19b112196146577 Mon Sep 17 00:00:00 2001 From: Quentin Kaiser <569494+qkaiser@users.noreply.github.com> Date: Wed, 22 Oct 2025 10:42:00 +0200 Subject: [PATCH 37/76] feat: deserialize single `ComponentEvidence.identity` (#900) --------- Signed-off-by: Quentin Kaiser Signed-off-by: Jan Kowalleck Co-authored-by: Jan Kowalleck --- cyclonedx/model/component_evidence.py | 14 ++++-- .../json/1.5/component_evidence_identity.json | 39 ++++++++++++++++ .../json/1.6/component_evidence_identity.json | 45 +++++++++++++++++++ .../xml/1.5/component_evidence_identity.xml | 33 ++++++++++++++ .../xml/1.6/component_evidence_identity.xml | 37 +++++++++++++++ tests/test_deserialize_json.py | 9 ++++ tests/test_deserialize_xml.py | 11 ++++- tests/test_model_component_evidence.py | 4 +- 8 files changed, 185 insertions(+), 7 deletions(-) create mode 100644 tests/_data/own/json/1.5/component_evidence_identity.json create mode 100644 tests/_data/own/json/1.6/component_evidence_identity.json create mode 100644 tests/_data/own/xml/1.5/component_evidence_identity.xml create mode 100644 tests/_data/own/xml/1.6/component_evidence_identity.xml diff --git a/cyclonedx/model/component_evidence.py b/cyclonedx/model/component_evidence.py index c23acac9d..e9711f9f9 100644 --- a/cyclonedx/model/component_evidence.py +++ b/cyclonedx/model/component_evidence.py @@ -752,7 +752,10 @@ def __repr__(self) -> str: class _ComponentEvidenceSerializationHelper(serializable.helpers.BaseHelper): - """THIS CLASS IS NON-PUBLIC API""" + """THIS CLASS IS NON-PUBLIC API + + This helper takes care of :attr:`ComponentEvidence.identity`. + """ @classmethod def json_normalize(cls, o: ComponentEvidence, *, @@ -761,13 +764,16 @@ def json_normalize(cls, o: ComponentEvidence, *, data: dict[str, Any] = json_loads(o.as_json(view)) # type:ignore[attr-defined] if view is SchemaVersion1Dot5: identities = data.get('identity', []) - if il := len(identities) > 1: - warn(f'CycloneDX 1.5 does not support multiple identity items; dropping {il - 1} items.') + if identities: + if (il := len(identities)) > 1: + warn(f'CycloneDX 1.5 does not support multiple identity items; dropping {il - 1} items.') data['identity'] = identities[0] return data @classmethod def json_denormalize(cls, o: dict[str, Any], **__: Any) -> Any: + if isinstance(identity := o.get('identity'), dict): + o = {**o, 'identity': [identity]} return ComponentEvidence.from_json(o) # type:ignore[attr-defined] @classmethod @@ -779,7 +785,7 @@ def xml_normalize(cls, o: ComponentEvidence, *, normalized: 'XmlElement' = o.as_xml(view, False, element_name, xmlns) # type:ignore[attr-defined] if view is SchemaVersion1Dot5: identities = normalized.findall(f'./{{{xmlns}}}identity' if xmlns else './identity') - if il := len(identities) > 1: + if (il := len(identities)) > 1: warn(f'CycloneDX 1.5 does not support multiple identity items; dropping {il - 1} items.') for i in identities[1:]: normalized.remove(i) diff --git a/tests/_data/own/json/1.5/component_evidence_identity.json b/tests/_data/own/json/1.5/component_evidence_identity.json new file mode 100644 index 000000000..563a9b1c0 --- /dev/null +++ b/tests/_data/own/json/1.5/component_evidence_identity.json @@ -0,0 +1,39 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:66fa5692-2e9d-45c5-830a-ec8ccaf7dcc9", + "version": 1, + "metadata": { + "component": { + "description": "test component evidence identity", + "type": "application", + "name": "test" + } + }, + "components": [ + { + "type": "operating-system", + "bom-ref": "alpine12", + "name": "alpine", + "version": "12", + "evidence": { + "identity": { + "field": "name", + "confidence": 1.0 + } + } + }, + { + "type": "library", + "bom-ref": "libssl", + "name": "libssl", + "evidence": { + "identity": { + "field": "name", + "confidence": 1.0 + } + } + } + ] +} diff --git a/tests/_data/own/json/1.6/component_evidence_identity.json b/tests/_data/own/json/1.6/component_evidence_identity.json new file mode 100644 index 000000000..0ef019e50 --- /dev/null +++ b/tests/_data/own/json/1.6/component_evidence_identity.json @@ -0,0 +1,45 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:66fa5692-2e9d-45c5-830a-ec8ccaf7dcc9", + "version": 1, + "metadata": { + "component": { + "description": "test component evidence identity", + "type": "application", + "name": "test" + } + }, + "components": [ + { + "type": "operating-system", + "bom-ref": "alpine12", + "name": "alpine", + "version": "12", + "evidence": { + "identity": [ + { + "field": "name", + "confidence": 1.0 + }, + { + "field": "version", + "confidence": 0.98 + } + ] + } + }, + { + "type": "library", + "bom-ref": "libssl", + "name": "libssl", + "evidence": { + "identity": { + "field": "name", + "confidence": 1.0 + } + } + } + ] +} diff --git a/tests/_data/own/xml/1.5/component_evidence_identity.xml b/tests/_data/own/xml/1.5/component_evidence_identity.xml new file mode 100644 index 000000000..93f4de154 --- /dev/null +++ b/tests/_data/own/xml/1.5/component_evidence_identity.xml @@ -0,0 +1,33 @@ + + + + + test + test component evidence identit + + + + + alpine + 12 + + + name + 1.0 + + + + + libssl + + + name + 1.0 + + + + + diff --git a/tests/_data/own/xml/1.6/component_evidence_identity.xml b/tests/_data/own/xml/1.6/component_evidence_identity.xml new file mode 100644 index 000000000..c490d85aa --- /dev/null +++ b/tests/_data/own/xml/1.6/component_evidence_identity.xml @@ -0,0 +1,37 @@ + + + + + test + test component evidence identit + + + + + alpine + 12 + + + name + 1.0 + + + version + 0.98 + + + + + libssl + + + name + 1.0 + + + + + diff --git a/tests/test_deserialize_json.py b/tests/test_deserialize_json.py index 21ee621f5..ff5e7298a 100644 --- a/tests/test_deserialize_json.py +++ b/tests/test_deserialize_json.py @@ -127,3 +127,12 @@ def test_regression_issue690(self) -> None: json = json_loads(f.read()) bom: Bom = Bom.from_json(json) # <<< is expected to not crash self.assertIsNotNone(bom) + + def test_component_evidence_identity(self) -> None: + json_file = join(OWN_DATA_DIRECTORY, 'json', + SchemaVersion.V1_6.to_version(), + 'component_evidence_identity.json') + with open(json_file) as f: + json = json_loads(f.read()) + bom: Bom = Bom.from_json(json) # <<< is expected to not crash + self.assertIsNotNone(bom) diff --git a/tests/test_deserialize_xml.py b/tests/test_deserialize_xml.py index 157c0d314..4d526c5ef 100644 --- a/tests/test_deserialize_xml.py +++ b/tests/test_deserialize_xml.py @@ -16,6 +16,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. from collections.abc import Callable +from os.path import join from typing import Any from unittest import TestCase from unittest.mock import patch @@ -24,7 +25,7 @@ from cyclonedx.model.bom import Bom from cyclonedx.schema import OutputFormat, SchemaVersion -from tests import DeepCompareMixin, SnapshotMixin, mksname +from tests import OWN_DATA_DIRECTORY, DeepCompareMixin, SnapshotMixin, mksname from tests._data.models import ( all_get_bom_funct_valid_immut, all_get_bom_funct_valid_reversible_migrate, @@ -46,3 +47,11 @@ def test_prepared(self, get_bom: Callable[[], Bom], *_: Any, **__: Any) -> None: bom = Bom.from_xml(s) self.assertBomDeepEqual(expected, bom, fuzzy_deps=get_bom in all_get_bom_funct_with_incomplete_deps) + + def test_component_evidence_identity(self) -> None: + xml_file = join(OWN_DATA_DIRECTORY, 'xml', + SchemaVersion.V1_6.to_version(), + 'component_evidence_identity.xml') + with open(xml_file) as f: + bom: Bom = Bom.from_xml(f) # <<< is expected to not crash + self.assertIsNotNone(bom) diff --git a/tests/test_model_component_evidence.py b/tests/test_model_component_evidence.py index f4561cbb8..2041d28ef 100644 --- a/tests/test_model_component_evidence.py +++ b/tests/test_model_component_evidence.py @@ -37,9 +37,9 @@ class TestModelComponentEvidence(TestCase): def test_no_params(self) -> None: ComponentEvidence() # Does not raise `NoPropertiesProvidedException` - def test_identity(self) -> None: + def test_identity_single(self) -> None: identity = Identity(field=IdentityField.NAME, confidence=Decimal('1'), concluded_value='test') - ce = ComponentEvidence(identity=[identity]) + ce = ComponentEvidence(identity=identity) self.assertEqual(len(ce.identity), 1) self.assertEqual(ce.identity.pop().field, 'name') From bebda4fe34e9aa6149c032fd1aa41eb39cd57124 Mon Sep 17 00:00:00 2001 From: Quentin Kaiser <569494+qkaiser@users.noreply.github.com> Date: Wed, 22 Oct 2025 11:30:53 +0200 Subject: [PATCH 38/76] fix: implement `__lt__` for models still missing it (#899) --------- Signed-off-by: Quentin Kaiser Signed-off-by: Jan Kowalleck Co-authored-by: Jan Kowalleck --- cyclonedx/model/bom.py | 5 + cyclonedx/model/component.py | 10 ++ cyclonedx/model/component_evidence.py | 10 ++ cyclonedx/model/crypto.py | 30 +++++ cyclonedx/model/release_note.py | 5 + cyclonedx/model/tool.py | 5 + tests/_data/own/json/1.6/pr899.json | 170 +++++++++++++++++++++++++ tests/test_deserialize_json.py | 12 ++ tests/test_model_bom.py | 20 +++ tests/test_model_component.py | 22 ++++ tests/test_model_component_evidence.py | 22 ++++ tests/test_model_crypto.py | 136 ++++++++++++++++++++ tests/test_model_release_note.py | 11 ++ tests/test_model_tool_repository.py | 16 +++ 14 files changed, 474 insertions(+) create mode 100644 tests/_data/own/json/1.6/pr899.json create mode 100644 tests/test_model_crypto.py diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 5ebb2f952..df3daa561 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -307,6 +307,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, BomMetaData): + return self.__comparable_tuple() == other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index 65d2eecf3..ada6249a7 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -654,6 +654,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, Pedigree): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -806,6 +811,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, Swid): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) diff --git a/cyclonedx/model/component_evidence.py b/cyclonedx/model/component_evidence.py index e9711f9f9..3d54795ec 100644 --- a/cyclonedx/model/component_evidence.py +++ b/cyclonedx/model/component_evidence.py @@ -561,6 +561,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, CallStackFrame): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -744,6 +749,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, ComponentEvidence): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) diff --git a/cyclonedx/model/crypto.py b/cyclonedx/model/crypto.py index 4a7d1f1a8..eeab12a82 100644 --- a/cyclonedx/model/crypto.py +++ b/cyclonedx/model/crypto.py @@ -507,6 +507,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, AlgorithmProperties): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -683,6 +688,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, CertificateProperties): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -810,6 +820,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, RelatedCryptoMaterialSecuredBy): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -1055,6 +1070,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, RelatedCryptoMaterialProperties): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -1314,6 +1334,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, Ikev2TransformTypes): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) @@ -1440,6 +1465,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, ProtocolProperties): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) diff --git a/cyclonedx/model/release_note.py b/cyclonedx/model/release_note.py index 9f1ff82c3..27387f183 100644 --- a/cyclonedx/model/release_note.py +++ b/cyclonedx/model/release_note.py @@ -250,6 +250,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, ReleaseNotes): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) diff --git a/cyclonedx/model/tool.py b/cyclonedx/model/tool.py index c547ab921..2d2b70054 100644 --- a/cyclonedx/model/tool.py +++ b/cyclonedx/model/tool.py @@ -266,6 +266,11 @@ def __eq__(self, other: object) -> bool: return self.__comparable_tuple() == other.__comparable_tuple() return False + def __lt__(self, other: object) -> bool: + if isinstance(other, ToolRepository): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + def __hash__(self) -> int: return hash(self.__comparable_tuple()) diff --git a/tests/_data/own/json/1.6/pr899.json b/tests/_data/own/json/1.6/pr899.json new file mode 100644 index 000000000..b449dc0d2 --- /dev/null +++ b/tests/_data/own/json/1.6/pr899.json @@ -0,0 +1,170 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:57ef9d7a-89f4-4822-928f-e06e22cacfc3", + "version": 1, + "metadata": { + "timestamp": "2025-09-08T12:45:24Z", + "tools": { + "components": [ + { + "type": "application", + "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.6.0", + "authors": [ + { + "name": "OWASP Foundation" + } + ], + "publisher": "OWASP Foundation", + "group": "@cyclonedx", + "name": "cdxgen", + "version": "11.6.0", + "purl": "pkg:npm/%40cyclonedx/cdxgen@11.6.0" + } + ] + }, + "component": { + "type": "application", + "bom-ref": "pkg:npm/redacted@1.0.0", + "group": "", + "name": "redacted", + "version": "1.0.0", + "description": "redacted", + "licenses": [ + { + "license": { + "id": "Unlicense", + "url": "https://opensource.org/licenses/Unlicense" + } + } + ], + "purl": "pkg:npm/redacted@1.0.0" + } + }, + "components": [ + { + "type": "application", + "bom-ref": "pkg:npm/redacted@1.0.0", + "group": "", + "name": "redacted", + "version": "1.0.0", + "description": "redacted.", + "licenses": [ + { + "license": { + "id": "Unlicense", + "url": "https://opensource.org/licenses/Unlicense" + } + } + ], + "purl": "pkg:npm/redacted@1.0.0" + }, + { + "type": "library", + "bom-ref": "pkg:npm/jsonwebtoken@9.0.2", + "group": "", + "name": "jsonwebtoken", + "version": "9.0.2", + "scope": "required", + "hashes": [ + { + "alg": "SHA-512", + "content": "3d1a7aeaf27ceb9492a8e960a92f21ba34f953800e80c7e1af0608b8885f29aa12099722aeb980490afc097edc520f9132287e860ce7ae3a7df68f96e2924b1d" + } + ], + "purl": "pkg:npm/jsonwebtoken@9.0.2", + "properties": [ + { + "name": "SrcFile", + "value": "package-lock.json" + }, + { + "name": "ResolvedUrl", + "value": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz" + }, + { + "name": "ImportedModules", + "value": "jsonwebtoken" + } + ], + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "concludedValue": "package-lock.json", + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 1, + "value": "package-lock.json" + } + ] + }, + "occurrences": [ + { + "location": "handlers/AuthenticationHandler.js#1" + } + ] + }, + "tags": [ + "registry" + ] + }, + { + "type": "library", + "bom-ref": "pkg:npm/jsonwebtoken@9.0.2", + "group": "", + "name": "jsonwebtoken", + "version": "9.0.2", + "scope": "required", + "hashes": [ + { + "alg": "SHA-512", + "content": "3d1a7aeaf27ceb9492a8e960a92f21ba34f953800e80c7e1af0608b8885f29aa12099722aeb980490afc097edc520f9132287e860ce7ae3a7df68f96e2924b1d" + } + ], + "purl": "pkg:npm/jsonwebtoken@9.0.2", + "properties": [ + { + "name": "SrcFile", + "value": "package-lock.json" + }, + { + "name": "ResolvedUrl", + "value": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz" + }, + { + "name": "ImportedModules", + "value": "jsonwebtoken" + } + ], + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "concludedValue": "package-lock.json", + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 1, + "value": "package-lock.json" + } + ] + }, + "occurrences": [ + { + "location": "authorize.js#4" + } + ] + }, + "tags": [ + "registry" + ] + } + ], + "dependencies": [ + ], + "compositions": [ + ] +} diff --git a/tests/test_deserialize_json.py b/tests/test_deserialize_json.py index ff5e7298a..958335e63 100644 --- a/tests/test_deserialize_json.py +++ b/tests/test_deserialize_json.py @@ -136,3 +136,15 @@ def test_component_evidence_identity(self) -> None: json = json_loads(f.read()) bom: Bom = Bom.from_json(json) # <<< is expected to not crash self.assertIsNotNone(bom) + + def test_pr899(self) -> None: + """real world case from PR#899 + see https://github.com/CycloneDX/cyclonedx-python-lib/pull/899 + """ + json_file = join(OWN_DATA_DIRECTORY, 'json', + SchemaVersion.V1_6.to_version(), + 'pr899.json') + with open(json_file) as f: + json = json_loads(f.read()) + bom: Bom = Bom.from_json(json) # <<< is expected to not crash + self.assertIsNotNone(bom) diff --git a/tests/test_model_bom.py b/tests/test_model_bom.py index d47e2466d..8dd1288b5 100644 --- a/tests/test_model_bom.py +++ b/tests/test_model_bom.py @@ -107,6 +107,26 @@ def test_basic_bom_metadata(self) -> None: self.assertTrue(tools[0] in metadata.tools.tools) self.assertTrue(tools[1] in metadata.tools.tools) + def test_bom_metadata_sorting(self) -> None: + """Test that BomMetaData instances can be sorted without triggering TypeError""" + metadata1 = BomMetaData( + tools=[Tool(name='tool_a')], + authors=[OrganizationalContact(name='contact_a')] + ) + metadata2 = BomMetaData( + tools=[Tool(name='tool_b')], + authors=[OrganizationalContact(name='contact_b')] + ) + metadata3 = BomMetaData( + tools=[Tool(name='tool_c')], + authors=[OrganizationalContact(name='contact_c')] + ) + + # This should not raise TypeError: '<' not supported between instances + metadata_list = [metadata3, metadata1, metadata2] + sorted_metadata = sorted(metadata_list) + self.assertEqual(len(sorted_metadata), 3) + @ddt class TestBom(TestCase): diff --git a/tests/test_model_component.py b/tests/test_model_component.py index bc18a10d9..9c47fe024 100644 --- a/tests/test_model_component.py +++ b/tests/test_model_component.py @@ -419,6 +419,17 @@ def test_not_same_1(self) -> None: self.assertNotEqual(hash(p1), hash(p2), 'hash') self.assertFalse(p1 == p2, 'equal') + def test_pedigree_sorting(self) -> None: + """Test that Pedigree instances can be sorted without triggering TypeError""" + p1 = Pedigree(notes='Note A') + p2 = Pedigree(notes='Note B') + p3 = Pedigree(notes='Note C') + + # This should not raise TypeError: '<' not supported between instances + pedigree_list = [p3, p1, p2] + sorted_pedigree = sorted(pedigree_list) + self.assertEqual(len(sorted_pedigree), 3) + class TestModelSwid(TestCase): @@ -442,3 +453,14 @@ def test_not_same(self) -> None: self.assertNotEqual(id(sw_1), id(sw_2), 'id') self.assertNotEqual(hash(sw_1), hash(sw_2), 'hash') self.assertFalse(sw_1 == sw_2, 'equal') + + def test_swid_sorting(self) -> None: + """Test that Swid instances can be sorted without triggering TypeError""" + sw_1 = get_swid_1() + sw_2 = get_swid_2() + sw_3 = get_swid_1() + + # This should not raise TypeError: '<' not supported between instances + swid_list = [sw_2, sw_1, sw_3] + sorted_swid = sorted(swid_list) + self.assertEqual(len(sorted_swid), 3) diff --git a/tests/test_model_component_evidence.py b/tests/test_model_component_evidence.py index 2041d28ef..fe16aff66 100644 --- a/tests/test_model_component_evidence.py +++ b/tests/test_model_component_evidence.py @@ -201,6 +201,17 @@ def test_not_same_1(self) -> None: self.assertNotEqual(hash(ce_1), hash(ce_2)) self.assertFalse(ce_1 == ce_2) + def test_component_evidence_sorting(self) -> None: + """Test that ComponentEvidence instances can be sorted without triggering TypeError""" + ce_1 = ComponentEvidence(copyright=[Copyright(text='Copyright A')]) + ce_2 = ComponentEvidence(copyright=[Copyright(text='Copyright B')]) + ce_3 = ComponentEvidence(copyright=[Copyright(text='Copyright C')]) + + # This should not raise TypeError: '<' not supported between instances + evidence_list = [ce_3, ce_1, ce_2] + sorted_evidence = sorted(evidence_list) + self.assertEqual(len(sorted_evidence), 3) + class TestModelCallStackFrame(TestCase): @@ -233,3 +244,14 @@ def test_module_required(self) -> None: self.assertIsNone(frame.line) self.assertIsNone(frame.column) self.assertIsNone(frame.full_filename) + + def test_callstack_frame_sorting(self) -> None: + """Test that CallStackFrame instances can be sorted without triggering TypeError""" + frame1 = CallStackFrame(module='app_a', function='func_a') + frame2 = CallStackFrame(module='app_b', function='func_b') + frame3 = CallStackFrame(module='app_c', function='func_c') + + # This should not raise TypeError: '<' not supported between instances + frame_list = [frame3, frame1, frame2] + sorted_frames = sorted(frame_list) + self.assertEqual(len(sorted_frames), 3) diff --git a/tests/test_model_crypto.py b/tests/test_model_crypto.py new file mode 100644 index 000000000..12265ee19 --- /dev/null +++ b/tests/test_model_crypto.py @@ -0,0 +1,136 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +from unittest import TestCase + +from cyclonedx.model.bom_ref import BomRef +from cyclonedx.model.crypto import ( + AlgorithmProperties, + CertificateProperties, + CryptoPrimitive, + Ikev2TransformTypes, + ProtocolProperties, + ProtocolPropertiesType, + RelatedCryptoMaterialProperties, + RelatedCryptoMaterialSecuredBy, + RelatedCryptoMaterialType, +) + + +class TestModelAlgorithmProperties(TestCase): + + def test_algorithm_properties_sorting(self) -> None: + """Test that AlgorithmProperties instances can be sorted without triggering TypeError""" + algo1 = AlgorithmProperties(primitive=CryptoPrimitive.HASH, classical_security_level=128) + algo2 = AlgorithmProperties(primitive=CryptoPrimitive.SIGNATURE, classical_security_level=256) + algo3 = AlgorithmProperties(primitive=CryptoPrimitive.BLOCK_CIPHER, classical_security_level=192) + + # This should not raise TypeError: '<' not supported between instances + algo_list = [algo2, algo3, algo1] + sorted_algos = sorted(algo_list) + self.assertEqual(len(sorted_algos), 3) + + +class TestModelCertificateProperties(TestCase): + + def test_certificate_properties_sorting(self) -> None: + """Test that CertificateProperties instances can be sorted without triggering TypeError""" + cert1 = CertificateProperties(subject_name='CN=Test1', certificate_format='X.509') + cert2 = CertificateProperties(subject_name='CN=Test2', certificate_format='PEM') + cert3 = CertificateProperties(subject_name='CN=Test3', certificate_format='DER') + + # This should not raise TypeError: '<' not supported between instances + cert_list = [cert2, cert3, cert1] + sorted_certs = sorted(cert_list) + self.assertEqual(len(sorted_certs), 3) + + +class TestModelRelatedCryptoMaterialSecuredBy(TestCase): + + def test_related_crypto_material_secured_by_sorting(self) -> None: + """Test that RelatedCryptoMaterialSecuredBy instances can be sorted without triggering TypeError""" + secured1 = RelatedCryptoMaterialSecuredBy(mechanism='HSM', algorithm_ref=BomRef('algo1')) + secured2 = RelatedCryptoMaterialSecuredBy(mechanism='TPM', algorithm_ref=BomRef('algo2')) + secured3 = RelatedCryptoMaterialSecuredBy(mechanism='Software', algorithm_ref=BomRef('algo3')) + + # This should not raise TypeError: '<' not supported between instances + secured_list = [secured3, secured1, secured2] + sorted_secured = sorted(secured_list) + self.assertEqual(len(sorted_secured), 3) + + +class TestModelRelatedCryptoMaterialProperties(TestCase): + + def test_related_crypto_material_properties_sorting(self) -> None: + """Test that RelatedCryptoMaterialProperties instances can be sorted without triggering TypeError""" + material1 = RelatedCryptoMaterialProperties( + type=RelatedCryptoMaterialType.KEY, + id='key1', + size=256 + ) + material2 = RelatedCryptoMaterialProperties( + type=RelatedCryptoMaterialType.PRIVATE_KEY, + id='key2', + size=512 + ) + material3 = RelatedCryptoMaterialProperties( + type=RelatedCryptoMaterialType.PUBLIC_KEY, + id='key3', + size=1024 + ) + + # This should not raise TypeError: '<' not supported between instances + material_list = [material3, material1, material2] + sorted_materials = sorted(material_list) + self.assertEqual(len(sorted_materials), 3) + + +class TestModelIkev2TransformTypes(TestCase): + + def test_ikev2_transform_types_sorting(self) -> None: + """Test that Ikev2TransformTypes instances can be sorted without triggering TypeError""" + ikev2_1 = Ikev2TransformTypes( + encr=[BomRef('encr1')], + esn=True + ) + ikev2_2 = Ikev2TransformTypes( + encr=[BomRef('encr2')], + esn=False + ) + ikev2_3 = Ikev2TransformTypes( + encr=[BomRef('encr3')], + esn=True + ) + + # This should not raise TypeError: '<' not supported between instances + ikev2_list = [ikev2_3, ikev2_1, ikev2_2] + sorted_ikev2 = sorted(ikev2_list) + self.assertEqual(len(sorted_ikev2), 3) + + +class TestModelProtocolProperties(TestCase): + + def test_protocol_properties_sorting(self) -> None: + """Test that ProtocolProperties instances can be sorted without triggering TypeError""" + proto1 = ProtocolProperties(type=ProtocolPropertiesType.TLS, version='1.2') + proto2 = ProtocolProperties(type=ProtocolPropertiesType.SSH, version='2.0') + proto3 = ProtocolProperties(type=ProtocolPropertiesType.IPSEC, version='1.0') + + # This should not raise TypeError: '<' not supported between instances + proto_list = [proto3, proto1, proto2] + sorted_protos = sorted(proto_list) + self.assertEqual(len(sorted_protos), 3) diff --git a/tests/test_model_release_note.py b/tests/test_model_release_note.py index 4bf6eca6a..bdd1052db 100644 --- a/tests/test_model_release_note.py +++ b/tests/test_model_release_note.py @@ -68,3 +68,14 @@ def test_complete(self) -> None: self.assertSetEqual(rn.resolves, set()) self.assertFalse(rn.notes) self.assertSetEqual(rn.properties, set()) + + def test_release_notes_sorting(self) -> None: + """Test that ReleaseNotes instances can be sorted without triggering TypeError""" + rn1 = ReleaseNotes(type='major', title='Release 1.0') + rn2 = ReleaseNotes(type='minor', title='Release 1.1') + rn3 = ReleaseNotes(type='patch', title='Release 1.1.1') + + # This should not raise TypeError: '<' not supported between instances + rn_list = [rn3, rn1, rn2] + sorted_rn = sorted(rn_list) + self.assertEqual(len(sorted_rn), 3) diff --git a/tests/test_model_tool_repository.py b/tests/test_model_tool_repository.py index fe54c8e65..d50221c67 100644 --- a/tests/test_model_tool_repository.py +++ b/tests/test_model_tool_repository.py @@ -79,3 +79,19 @@ def test_equal(self) -> None: tr2.services.add(s) tr2.tools.add(t) self.assertTrue(tr1 == tr2) + + def test_tool_repository_sorting(self) -> None: + """Test that ToolRepository instances can be sorted without triggering TypeError""" + tr1 = ToolRepository() + tr1.tools.add(Tool(name='tool-a')) + + tr2 = ToolRepository() + tr2.tools.add(Tool(name='tool-b')) + + tr3 = ToolRepository() + tr3.tools.add(Tool(name='tool-c')) + + # This should not raise TypeError: '<' not supported between instances + tr_list = [tr3, tr1, tr2] + sorted_tr = sorted(tr_list) + self.assertEqual(len(sorted_tr), 3) From 2e02bab3fbc09408e6533a1e0fb8dbafa2a08ba9 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Wed, 22 Oct 2025 11:02:38 +0000 Subject: [PATCH 39/76] chore(release): 11.3.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 15 +++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3983d2a89..5fb65c590 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,21 @@ +## v11.3.0 (2025-10-22) + +### Bug Fixes + +- Implement `__lt__` for models still missing it + ([#899](https://github.com/CycloneDX/cyclonedx-python-lib/pull/899), + [`bebda4f`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/bebda4fe34e9aa6149c032fd1aa41eb39cd57124)) + +### Features + +- Deserialize single `ComponentEvidence.identity` + ([#900](https://github.com/CycloneDX/cyclonedx-python-lib/pull/900), + [`9425c67`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/9425c67557a3f547c64cd740e19b112196146577)) + + ## v11.2.0 (2025-10-15) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index dc2feb857..b283f8ec6 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.2.0" # noqa:Q000 +__version__ = "11.3.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 92a8bce06..bd6b126b8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.2.0' +release = '11.3.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index ecd1f75fc..05af72669 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.2.0" +version = "11.3.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From f35b9eed0803f70882e30616f6fb3c0a4e212651 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 23 Oct 2025 16:20:22 +0200 Subject: [PATCH 40/76] feat: add support for CycloneDX 1.7 (basics) (#902) fixes #901 adds basic functionality only. --------- Signed-off-by: Jan Kowalleck --- cyclonedx/model/__init__.py | 44 +- cyclonedx/model/bom.py | 18 +- cyclonedx/model/component.py | 40 +- cyclonedx/model/component_evidence.py | 24 +- cyclonedx/model/contact.py | 11 +- cyclonedx/model/crypto.py | 43 +- cyclonedx/model/definition.py | 8 +- cyclonedx/model/dependency.py | 2 +- cyclonedx/model/impact_analysis.py | 8 +- cyclonedx/model/issue.py | 6 +- cyclonedx/model/license.py | 14 +- cyclonedx/model/lifecycle.py | 8 +- cyclonedx/model/release_note.py | 2 +- cyclonedx/model/service.py | 14 +- cyclonedx/model/tool.py | 5 +- cyclonedx/model/vulnerability.py | 30 +- cyclonedx/output/json.py | 8 + cyclonedx/output/xml.py | 6 + cyclonedx/schema/__init__.py | 1 + cyclonedx/schema/_res/README.md | 9 +- cyclonedx/schema/_res/__init__.py | 5 + .../schema/_res/bom-1.4.SNAPSHOT.schema.json | 4 +- cyclonedx/schema/_res/bom-1.4.SNAPSHOT.xsd | 2 +- .../schema/_res/bom-1.5.SNAPSHOT.schema.json | 4 +- cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd | 6 +- .../schema/_res/bom-1.6.SNAPSHOT.schema.json | 8 +- cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd | 12 +- .../schema/_res/bom-1.7.SNAPSHOT.schema.json | 6700 ++++++++++++ cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd | 9742 +++++++++++++++++ .../cryptography-defs.SNAPSHOT.schema.json | 576 + cyclonedx/schema/schema.py | 8 + cyclonedx/validation/json.py | 12 +- docs/outputting.rst | 6 +- docs/responsibilities_capabilities.rst | 1 + examples/complex_deserialize.py | 10 +- examples/complex_serialize.py | 4 +- tests/_data/own/json/1.5/issue677.json | 1 + tests/_data/own/json/1.6/issue690.json | 1 + tests/_data/own/json/1.6/issue764.json | 1 + tests/_data/own/json/1.6/issue771.json | 1 + tests/_data/own/xml/1.4/bom_setuptools.xml | 6 +- tests/_data/own/xml/1.4/webgoat-6.1.xml | 13 +- ...id-license-declared-concluded-mix-1.6.json | 79 + ...lid-license-declared-concluded-mix-1.6.xml | 46 + .../1.6/valid-cryptography-full-1.6.json | 11 +- .../1.6/valid-cryptography-full-1.6.xml | 24 + ...ent-versionRange-non-external-explicit.xml | 16 + ...ent-versionRange-non-external-implicit.xml | 17 + .../1.7/invalid-bomformat-1.7.json | 9 + .../1.7/invalid-citations-1.7.json | 40 + .../1.7/invalid-citations-1.7.xml | 100 + ...-component-external-version-and-range.json | 17 + ...d-component-external-version-and-range.xml | 14 + .../1.7/invalid-component-ref-1.7.json | 21 + .../1.7/invalid-component-ref-1.7.xml | 28 + .../1.7/invalid-component-swid-1.7.json | 19 + .../1.7/invalid-component-swid-1.7.xml | 14 + .../1.7/invalid-component-type-1.7.json | 14 + .../1.7/invalid-component-type-1.7.xml | 12 + ...nt-versionRange-non-external-explicit.json | 16 + ...nt-versionRange-non-external-implicit.json | 15 + .../1.7/invalid-dependency-1.7.json | 44 + .../1.7/invalid-dependency-1.7.xml | 34 + .../1.7/invalid-empty-component-1.7.json | 12 + .../1.7/invalid-empty-component-1.7.xml | 10 + .../1.7/invalid-hash-alg-1.7.json | 33 + .../1.7/invalid-hash-alg-1.7.xml | 21 + .../1.7/invalid-hash-md5-1.7.json | 33 + .../1.7/invalid-hash-md5-1.7.xml | 19 + .../1.7/invalid-hash-sha1-1.7.json | 33 + .../1.7/invalid-hash-sha1-1.7.xml | 19 + .../1.7/invalid-hash-sha256-1.7.json | 33 + .../1.7/invalid-hash-sha256-1.7.xml | 19 + .../1.7/invalid-hash-sha512-1.7.json | 33 + .../1.7/invalid-hash-sha512-1.7.xml | 19 + .../1.7/invalid-issue-type-1.7.json | 49 + .../1.7/invalid-issue-type-1.7.xml | 40 + .../1.7/invalid-license-choice-1.7.json | 24 + .../1.7/invalid-license-encoding-1.7.json | 29 + .../1.7/invalid-license-encoding-1.7.xml | 30 + .../1.7/invalid-license-id-1.7.json | 23 + .../1.7/invalid-license-id-1.7.xml | 30 + .../1.7/invalid-license-id-count-1.7.xml | 30 + ...valid-license-missing-id-and-name-1.7.json | 20 + ...nvalid-license-missing-id-and-name-1.7.xml | 16 + .../1.7/invalid-license-name-count-1.7.xml | 30 + .../invalid-metadata-distribution-1.7.json | 11 + .../1.7/invalid-metadata-distribution-1.7.xml | 10 + .../1.7/invalid-metadata-license-1.7.json | 17 + .../1.7/invalid-metadata-license-1.7.xml | 14 + .../1.7/invalid-metadata-timestamp-1.7.json | 11 + .../1.7/invalid-metadata-timestamp-1.7.xml | 10 + .../invalid-missing-component-type-1.7.json | 13 + .../invalid-missing-component-type-1.7.xml | 12 + .../1.7/invalid-namespace-1.7.xml | 121 + .../1.7/invalid-patch-type-1.7.json | 49 + .../1.7/invalid-patch-type-1.7.xml | 40 + .../1.7/invalid-properties-1.7.json | 69 + .../1.7/invalid-properties-1.7.xml | 44 + .../schemaTestData/1.7/invalid-scope-1.7.json | 15 + .../schemaTestData/1.7/invalid-scope-1.7.xml | 13 + .../1.7/invalid-serialnumber-1.7.json | 9 + .../1.7/invalid-serialnumber-1.7.xml | 121 + .../1.7/invalid-service-data-1.7.json | 21 + .../1.7/invalid-service-data-1.7.xml | 14 + .../1.7/valid-annotation-1.7.json | 110 + .../1.7/valid-annotation-1.7.xml | 90 + .../1.7/valid-assembly-1.7.json | 31 + .../schemaTestData/1.7/valid-assembly-1.7.xml | 28 + .../1.7/valid-attestation-1.7.json | 237 + .../1.7/valid-attestation-1.7.xml | 168 + .../schemaTestData/1.7/valid-bom-1.7.json | 298 + .../schemaTestData/1.7/valid-bom-1.7.xml | 206 + .../1.7/valid-citations-1.7.json | 91 + .../1.7/valid-citations-1.7.xml | 88 + .../1.7/valid-component-data-1.7.json | 30 + .../1.7/valid-component-data-1.7.xml | 26 + ...valid-component-external-with-version.json | 35 + .../valid-component-external-with-version.xml | 26 + ...-component-external-with-versionRange.json | 35 + ...d-component-external-with-versionRange.xml | 26 + ...id-component-external-without-version.json | 34 + ...lid-component-external-without-version.xml | 25 + .../1.7/valid-component-hashes-1.7.json | 64 + .../1.7/valid-component-hashes-1.7.xml | 26 + .../1.7/valid-component-identifiers-1.7.json | 25 + .../1.7/valid-component-identifiers-1.7.xml | 19 + .../1.7/valid-component-ref-1.7.json | 29 + .../1.7/valid-component-ref-1.7.xml | 22 + .../1.7/valid-component-swid-1.7.json | 20 + .../1.7/valid-component-swid-1.7.xml | 14 + .../1.7/valid-component-swid-full-1.7.json | 25 + .../1.7/valid-component-swid-full-1.7.xml | 16 + .../1.7/valid-component-types-1.7.json | 54 + .../1.7/valid-component-types-1.7.xml | 44 + .../1.7/valid-compositions-1.7.json | 82 + .../1.7/valid-compositions-1.7.xml | 68 + .../valid-cryptography-certificate-1.7.json | 172 + .../valid-cryptography-certificate-1.7.xml | 171 + ...cryptography-certificate-advanced-1.7.json | 285 + ...-cryptography-certificate-advanced-1.7.xml | 260 + .../1.7/valid-cryptography-full-1.7.json | 292 + .../1.7/valid-cryptography-full-1.7.xml | 268 + ...alid-cryptography-full-deprecated-1.7.json | 114 + ...valid-cryptography-full-deprecated-1.7.xml | 120 + ...valid-cryptography-implementation-1.7.json | 135 + .../valid-cryptography-implementation-1.7.xml | 115 + .../1.7/valid-dependency-1.7.json | 39 + .../1.7/valid-dependency-1.7.xml | 26 + .../1.7/valid-empty-components-1.7.json | 9 + .../1.7/valid-empty-components-1.7.xml | 8 + .../1.7/valid-evidence-1.7.json | 160 + .../schemaTestData/1.7/valid-evidence-1.7.xml | 139 + .../1.7/valid-external-elements-1.7.xml | 161 + .../1.7/valid-external-reference-1.7.json | 218 + .../1.7/valid-external-reference-1.7.xml | 80 + ...lid-external-reference-properties-1.7.json | 30 + ...alid-external-reference-properties-1.7.xml | 21 + .../1.7/valid-formulation-1.7.json | 301 + .../1.7/valid-formulation-1.7.xml | 254 + .../1.7/valid-license-choice-1.7.json | 45 + .../1.7/valid-license-choice-1.7.xml | 32 + ...id-license-declared-concluded-mix-1.7.json | 167 + ...lid-license-declared-concluded-mix-1.7.xml | 115 + .../1.7/valid-license-expression-1.7.json | 44 + .../1.7/valid-license-expression-1.7.xml | 26 + ...license-expression-with-licensing-1.7.json | 57 + ...-license-expression-with-licensing-1.7.xml | 52 + ...alid-license-expression-with-text-1.7.json | 58 + ...valid-license-expression-with-text-1.7.xml | 72 + .../1.7/valid-license-id-1.7.json | 46 + .../1.7/valid-license-id-1.7.xml | 28 + .../1.7/valid-license-id-with-text-1.7.json | 50 + .../1.7/valid-license-id-with-text-1.7.xml | 34 + .../1.7/valid-license-name-1.7.json | 45 + .../1.7/valid-license-name-1.7.xml | 28 + ...valid-license-name-with-licensing-1.7.json | 57 + .../valid-license-name-with-licensing-1.7.xml | 52 + .../1.7/valid-license-name-with-text-1.7.json | 50 + .../1.7/valid-license-name-with-text-1.7.xml | 29 + .../1.7/valid-machine-learning-1.7.json | 102 + .../1.7/valid-machine-learning-1.7.xml | 94 + ...chine-learning-considerations-env-1.7.json | 66 + ...achine-learning-considerations-env-1.7.xml | 60 + .../1.7/valid-metadata-author-1.7.json | 17 + .../1.7/valid-metadata-author-1.7.xml | 16 + .../1.7/valid-metadata-distribution-1.7.json | 13 + .../1.7/valid-metadata-distribution-1.7.xml | 12 + .../1.7/valid-metadata-license-1.7.json | 25 + .../1.7/valid-metadata-license-1.7.xml | 18 + .../1.7/valid-metadata-lifecycle-1.7.json | 22 + .../1.7/valid-metadata-lifecycle-1.7.xml | 21 + .../1.7/valid-metadata-manufacture-1.7.json | 24 + .../1.7/valid-metadata-manufacture-1.7.xml | 17 + .../1.7/valid-metadata-manufacturer-1.7.json | 24 + .../1.7/valid-metadata-manufacturer-1.7.xml | 17 + .../1.7/valid-metadata-supplier-1.7.json | 24 + .../1.7/valid-metadata-supplier-1.7.xml | 17 + .../1.7/valid-metadata-timestamp-1.7.json | 11 + .../1.7/valid-metadata-timestamp-1.7.xml | 10 + .../1.7/valid-metadata-tool-1.7.json | 48 + .../1.7/valid-metadata-tool-1.7.xml | 38 + .../valid-metadata-tool-deprecated-1.7.json | 27 + .../valid-metadata-tool-deprecated-1.7.xml | 20 + .../1.7/valid-minimal-viable-1.7.json | 13 + .../1.7/valid-minimal-viable-1.7.xml | 11 + .../schemaTestData/1.7/valid-patch-1.7.json | 89 + .../schemaTestData/1.7/valid-patch-1.7.xml | 73 + .../schemaTestData/1.7/valid-patent-1.7.json | 157 + .../schemaTestData/1.7/valid-patent-1.7.xml | 157 + .../1.7/valid-properties-1.7.json | 101 + .../1.7/valid-properties-1.7.xml | 52 + .../1.7/valid-random-attributes-1.7.xml | 122 + .../1.7/valid-release-notes-1.7.json | 201 + .../1.7/valid-release-notes-1.7.xml | 157 + .../schemaTestData/1.7/valid-saasbom-1.7.json | 304 + .../schemaTestData/1.7/valid-saasbom-1.7.xml | 271 + .../schemaTestData/1.7/valid-service-1.7.json | 102 + .../schemaTestData/1.7/valid-service-1.7.xml | 70 + .../1.7/valid-service-empty-objects-1.7.json | 23 + .../1.7/valid-service-empty-objects-1.7.xml | 19 + .../1.7/valid-signatures-1.7.json | 79 + .../1.7/valid-standard-1.7.json | 82 + .../schemaTestData/1.7/valid-standard-1.7.xml | 67 + .../schemaTestData/1.7/valid-tags-1.7.json | 31 + .../schemaTestData/1.7/valid-tags-1.7.xml | 31 + .../1.7/valid-vulnerability-1.7.json | 173 + .../1.7/valid-vulnerability-1.7.xml | 147 + .../1.7/valid-xml-signature-1.7.xml | 181 + tests/_data/schemaTestData/fetch.sh | 2 +- .../enum_ComponentScope-1.7.json.bin | 51 + .../snapshots/enum_ComponentScope-1.7.xml.bin | 29 + .../snapshots/enum_ComponentType-1.7.json.bin | 128 + .../snapshots/enum_ComponentType-1.7.xml.bin | 66 + .../snapshots/enum_DataFlow-1.7.json.bin | 49 + .../_data/snapshots/enum_DataFlow-1.7.xml.bin | 24 + .../snapshots/enum_Encoding-1.7.json.bin | 44 + .../_data/snapshots/enum_Encoding-1.7.xml.bin | 24 + .../enum_ExternalReferenceType-1.1.xml.bin | 12 + .../enum_ExternalReferenceType-1.2.json.bin | 16 + .../enum_ExternalReferenceType-1.2.xml.bin | 12 + .../enum_ExternalReferenceType-1.3.json.bin | 16 + .../enum_ExternalReferenceType-1.3.xml.bin | 12 + .../enum_ExternalReferenceType-1.4.json.bin | 16 + .../enum_ExternalReferenceType-1.4.xml.bin | 12 + .../enum_ExternalReferenceType-1.5.json.bin | 16 + .../enum_ExternalReferenceType-1.5.xml.bin | 12 + .../enum_ExternalReferenceType-1.6.json.bin | 16 + .../enum_ExternalReferenceType-1.6.xml.bin | 12 + .../enum_ExternalReferenceType-1.7.json.bin | 222 + .../enum_ExternalReferenceType-1.7.xml.bin | 161 + .../snapshots/enum_HashAlgorithm-1.7.json.bin | 90 + .../snapshots/enum_HashAlgorithm-1.7.xml.bin | 34 + ..._ImpactAnalysisAffectedStatus-1.7.json.bin | 45 + ...m_ImpactAnalysisAffectedStatus-1.7.xml.bin | 34 + ...m_ImpactAnalysisJustification-1.7.json.bin | 85 + ...um_ImpactAnalysisJustification-1.7.xml.bin | 66 + .../enum_ImpactAnalysisResponse-1.7.json.bin | 35 + .../enum_ImpactAnalysisResponse-1.7.xml.bin | 24 + .../enum_ImpactAnalysisState-1.7.json.bin | 64 + .../enum_ImpactAnalysisState-1.7.xml.bin | 48 + .../enum_IssueClassification-1.7.json.bin | 53 + .../enum_IssueClassification-1.7.xml.bin | 35 + .../enum_LifecyclePhase-1.7.json.bin | 43 + .../snapshots/enum_LifecyclePhase-1.7.xml.bin | 33 + .../enum_PatchClassification-1.7.json.bin | 48 + .../enum_PatchClassification-1.7.xml.bin | 26 + ...enum_VulnerabilityScoreSource-1.7.json.bin | 49 + .../enum_VulnerabilityScoreSource-1.7.xml.bin | 38 + .../enum_VulnerabilitySeverity-1.7.json.bin | 49 + .../enum_VulnerabilitySeverity-1.7.xml.bin | 38 + ...issue540_duplicate_components-1.7.json.bin | 63 + ..._issue540_duplicate_components-1.7.xml.bin | 35 + ..._bom_for_issue_275_components-1.7.json.bin | 69 + ...t_bom_for_issue_275_components-1.7.xml.bin | 41 + ..._bom_for_issue_328_components-1.7.json.bin | 73 + ...t_bom_for_issue_328_components-1.7.xml.bin | 44 + .../get_bom_for_issue_497_urls-1.7.json.bin | 49 + .../get_bom_for_issue_497_urls-1.7.xml.bin | 32 + ...mponents_with_purl_qualifiers-1.7.json.bin | 44 + ...omponents_with_purl_qualifiers-1.7.xml.bin | 26 + ..._for_issue_630_empty_property-1.7.json.bin | 38 + ...m_for_issue_630_empty_property-1.7.xml.bin | 22 + ...et_bom_just_complete_metadata-1.7.json.bin | 460 + ...get_bom_just_complete_metadata-1.7.xml.bin | 328 + ...om_v1_6_with_crypto_algorithm-1.7.json.bin | 60 + ...bom_v1_6_with_crypto_algorithm-1.7.xml.bin | 44 + ..._v1_6_with_crypto_certificate-1.7.json.bin | 48 + ...m_v1_6_with_crypto_certificate-1.7.xml.bin | 34 + ...bom_v1_6_with_crypto_protocol-1.7.json.bin | 81 + ..._bom_v1_6_with_crypto_protocol-1.7.xml.bin | 65 + ..._with_crypto_related_material-1.7.json.bin | 55 + ...6_with_crypto_related_material-1.7.xml.bin | 41 + ...t_bom_with_component_evidence-1.7.json.bin | 143 + ...et_bom_with_component_evidence-1.7.xml.bin | 110 + ...th_component_setuptools_basic-1.7.json.bin | 42 + ...ith_component_setuptools_basic-1.7.xml.bin | 26 + ...component_setuptools_complete-1.7.json.bin | 354 + ..._component_setuptools_complete-1.7.xml.bin | 246 + ...tuptools_no_component_version-1.7.json.bin | 41 + ...etuptools_no_component_version-1.7.xml.bin | 25 + ...component_setuptools_with_cpe-1.7.json.bin | 43 + ..._component_setuptools_with_cpe-1.7.xml.bin | 27 + ...setuptools_with_release_notes-1.7.json.bin | 101 + ..._setuptools_with_release_notes-1.7.xml.bin | 70 + ...nt_setuptools_with_v16_fields-1.7.json.bin | 86 + ...ent_setuptools_with_v16_fields-1.7.xml.bin | 62 + ...setuptools_with_vulnerability-1.7.json.bin | 176 + ..._setuptools_with_vulnerability-1.7.xml.bin | 149 + ...get_bom_with_component_toml_1-1.7.json.bin | 53 + .../get_bom_with_component_toml_1-1.7.xml.bin | 32 + ...itions_and_detailed_standards-1.7.json.bin | 159 + ...nitions_and_detailed_standards-1.7.xml.bin | 117 + ...om_with_definitions_standards-1.7.json.bin | 37 + ...bom_with_definitions_standards-1.7.xml.bin | 25 + ...bom_with_dependencies_hanging-1.7.json.bin | 82 + ..._bom_with_dependencies_hanging-1.7.xml.bin | 50 + ...t_bom_with_dependencies_valid-1.7.json.bin | 74 + ...et_bom_with_dependencies_valid-1.7.xml.bin | 46 + ..._bom_with_external_references-1.7.json.bin | 37 + ...t_bom_with_external_references-1.7.xml.bin | 22 + .../get_bom_with_licenses-1.7.json.bin | 163 + .../get_bom_with_licenses-1.7.xml.bin | 92 + .../get_bom_with_lifecycles-1.7.json.bin | 42 + .../get_bom_with_lifecycles-1.7.xml.bin | 28 + ...ta_component_and_dependencies-1.7.json.bin | 74 + ...ata_component_and_dependencies-1.7.xml.bin | 46 + ...et_bom_with_multiple_licenses-1.7.json.bin | 97 + ...get_bom_with_multiple_licenses-1.7.xml.bin | 60 + .../get_bom_with_nested_services-1.7.json.bin | 249 + .../get_bom_with_nested_services-1.7.xml.bin | 183 + ...get_bom_with_services_complex-1.7.json.bin | 175 + .../get_bom_with_services_complex-1.7.xml.bin | 121 + .../get_bom_with_services_simple-1.7.json.bin | 47 + .../get_bom_with_services_simple-1.7.xml.bin | 27 + .../snapshots/get_bom_with_tools-1.7.json.bin | 88 + .../snapshots/get_bom_with_tools-1.7.xml.bin | 63 + ...ed_tools_irreversible_migrate-1.7.json.bin | 75 + ...ted_tools_irreversible_migrate-1.7.xml.bin | 57 + ...nd_tools_irreversible_migrate-1.7.json.bin | 134 + ...and_tools_irreversible_migrate-1.7.xml.bin | 98 + ...component_and_service_migrate-1.7.json.bin | 127 + ..._component_and_service_migrate-1.7.xml.bin | 88 + ..._tools_with_component_migrate-1.7.json.bin | 103 + ...h_tools_with_component_migrate-1.7.xml.bin | 70 + ...th_tools_with_service_migrate-1.7.json.bin | 46 + ...ith_tools_with_service_migrate-1.7.xml.bin | 30 + tests/test_deserialize_json.py | 4 +- tests/test_deserialize_xml.py | 4 +- tests/test_model_bom.py | 6 +- tests/test_schema_SchemaVersion.py | 1 + tests/test_schema__res.py | 1 + tools/schema-downloader.py | 10 +- 353 files changed, 37583 insertions(+), 148 deletions(-) create mode 100644 cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json create mode 100644 cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd create mode 100644 cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json create mode 100644 tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.json create mode 100644 tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.xml create mode 100644 tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-explicit.xml create mode 100644 tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-implicit.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-bomformat-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-citations-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-citations-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-type-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-type-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-explicit.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-implicit.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-dependency-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-dependency-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-choice-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-id-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-id-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-id-count-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-license-name-count-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-namespace-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-properties-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-properties-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-scope-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-scope-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/invalid-service-data-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/invalid-service-data-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-annotation-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-annotation-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-assembly-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-assembly-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-attestation-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-attestation-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-bom-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-bom-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-citations-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-citations-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-data-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-data-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-external-with-version.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-external-with-version.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-external-without-version.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-external-without-version.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-ref-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-ref-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-swid-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-swid-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-component-types-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-component-types-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-compositions-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-compositions-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-dependency-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-dependency-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-empty-components-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-empty-components-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-evidence-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-evidence-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-external-elements-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-external-reference-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-external-reference-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-formulation-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-formulation-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-choice-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-choice-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-expression-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-expression-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-id-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-id-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-name-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-name-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-patch-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-patch-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-patent-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-patent-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-properties-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-properties-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-random-attributes-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-release-notes-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-release-notes-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-saasbom-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-saasbom-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-service-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-service-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-signatures-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-standard-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-standard-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-tags-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-tags-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.json create mode 100644 tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.xml create mode 100644 tests/_data/schemaTestData/1.7/valid-xml-signature-1.7.xml create mode 100644 tests/_data/snapshots/enum_ComponentScope-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ComponentScope-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_ComponentType-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ComponentType-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_DataFlow-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_DataFlow-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_Encoding-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_Encoding-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_ExternalReferenceType-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ExternalReferenceType-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_HashAlgorithm-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_HashAlgorithm-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisState-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_ImpactAnalysisState-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_IssueClassification-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_IssueClassification-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_LifecyclePhase-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_LifecyclePhase-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_PatchClassification-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_PatchClassification-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.xml.bin create mode 100644 tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_275_components-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_275_components-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_328_components-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_328_components-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_evidence-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_evidence-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_toml_1-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_component_toml_1-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_definitions_standards-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_definitions_standards-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_lifecycles-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_lifecycles-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_nested_services-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_nested_services-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_services_complex-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_services_complex-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_services_simple-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_services_simple-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.xml.bin diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 69c98d705..925c2a90e 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -48,6 +48,7 @@ SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, + SchemaVersion1Dot7, ) from .bom_ref import BomRef @@ -60,7 +61,7 @@ class DataFlow(str, Enum): This is our internal representation of the dataFlowType simple type within the CycloneDX standard. .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/xml/#type_dataFlowType + See the CycloneDX Schema: https://cyclonedx.org/docs/1.7/xml/#type_dataFlowType """ INBOUND = 'inbound' OUTBOUND = 'outbound' @@ -78,7 +79,7 @@ class DataClassification: .. note:: See the CycloneDX Schema for dataClassificationType: - https://cyclonedx.org/docs/1.6/xml/#type_dataClassificationType + https://cyclonedx.org/docs/1.7/xml/#type_dataClassificationType """ def __init__( @@ -157,7 +158,7 @@ class Encoding(str, Enum): This is our internal representation of the encoding simple type within the CycloneDX standard. .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/xml/#type_encoding + See the CycloneDX Schema: https://cyclonedx.org/docs/1.7/xml/#type_encoding """ BASE_64 = 'base64' @@ -168,7 +169,7 @@ class AttachedText: This is our internal representation of the `attachedTextType` complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_attachedTextType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_attachedTextType """ DEFAULT_CONTENT_TYPE = 'text/plain' @@ -261,7 +262,7 @@ class HashAlgorithm(str, Enum): This is our internal representation of the hashAlg simple type within the CycloneDX standard. .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/xml/#type_hashAlg + See the CycloneDX Schema: https://cyclonedx.org/docs/1.7/xml/#type_hashAlg """ # see `_HashTypeRepositorySerializationHelper.__CASES` for view/case map BLAKE2B_256 = 'BLAKE2b-256' # Only supported in >= 1.2 @@ -276,6 +277,8 @@ class HashAlgorithm(str, Enum): SHA3_256 = 'SHA3-256' SHA3_384 = 'SHA3-384' # Only supported in >= 1.2 SHA3_512 = 'SHA3-512' + STREEBOG_256 = 'Streebog-256' # Only supported in >= 1.7 + STREEBOG_512 = 'Streebog-512' # Only supported in >= 1.7 class _HashTypeRepositorySerializationHelper(serializable.helpers.BaseHelper): @@ -303,6 +306,10 @@ class _HashTypeRepositorySerializationHelper(serializable.helpers.BaseHelper): __CASES[SchemaVersion1Dot4] = __CASES[SchemaVersion1Dot3] __CASES[SchemaVersion1Dot5] = __CASES[SchemaVersion1Dot4] __CASES[SchemaVersion1Dot6] = __CASES[SchemaVersion1Dot5] + __CASES[SchemaVersion1Dot7] = __CASES[SchemaVersion1Dot6] | { + HashAlgorithm.STREEBOG_256, + HashAlgorithm.STREEBOG_512, + } @classmethod def __prep(cls, hts: Iterable['HashType'], view: type[serializable.ViewType]) -> Generator['HashType', None, None]: @@ -384,7 +391,7 @@ class HashType: This is our internal representation of the hashType complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_hashType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_hashType """ @staticmethod @@ -541,7 +548,7 @@ class ExternalReferenceType(str, Enum): Enum object that defines the permissible 'types' for an External Reference according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_externalReferenceType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_externalReferenceType """ # see `_ExternalReferenceSerializationHelper.__CASES` for view/case map ADVERSARY_MODEL = 'adversary-model' # Only supported in >= 1.5 @@ -552,6 +559,7 @@ class ExternalReferenceType(str, Enum): BUILD_SYSTEM = 'build-system' CERTIFICATION_REPORT = 'certification-report' # Only supported in >= 1.5 CHAT = 'chat' + CITATION = 'citation' # Only supported in >= 1.7 CODIFIED_INFRASTRUCTURE = 'codified-infrastructure' # Only supported in >= 1.5 COMPONENT_ANALYSIS_REPORT = 'component-analysis-report' # Only supported in >= 1.5 CONFIGURATION = 'configuration' # Only supported in >= 1.5 @@ -570,6 +578,9 @@ class ExternalReferenceType(str, Enum): MAILING_LIST = 'mailing-list' MATURITY_REPORT = 'maturity-report' # Only supported in >= 1.5 MODEL_CARD = 'model-card' # Only supported in >= 1.5 + PATENT = 'patent' # Only supported in >= 1.7 + PATENT_ASSERTION = 'patent-assertion' # Only supported in >= 1.7 + PATENT_FAMILY = 'patent-family' # Only supported in >= 1.7 PENTEST_REPORT = 'pentest-report' # Only supported in >= 1.5 POAM = 'poam' # Only supported in >= 1.5 QUALITY_METRICS = 'quality-metrics' # Only supported in >= 1.5 @@ -648,6 +659,12 @@ class _ExternalReferenceSerializationHelper(serializable.helpers.BaseHelper): ExternalReferenceType.DIGITAL_SIGNATURE, ExternalReferenceType.RFC_9166, } + __CASES[SchemaVersion1Dot7] = __CASES[SchemaVersion1Dot6] | { + ExternalReferenceType.CITATION, + ExternalReferenceType.PATENT, + ExternalReferenceType.PATENT_ASSERTION, + ExternalReferenceType.PATENT_FAMILY, + } @classmethod def __normalize(cls, extref: ExternalReferenceType, view: type[serializable.ViewType]) -> str: @@ -809,7 +826,7 @@ class ExternalReference: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_externalReference + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_externalReference """ def __init__( @@ -877,6 +894,7 @@ def type(self, type: ExternalReferenceType) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(_HashTypeRepositorySerializationHelper) def hashes(self) -> 'SortedSet[HashType]': """ @@ -921,7 +939,7 @@ class Property: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_propertyType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_propertyType Specifies an individual property with a name and value. """ @@ -996,7 +1014,7 @@ class NoteText: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_releaseNotesType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_releaseNotesType """ DEFAULT_CONTENT_TYPE: str = 'text/plain' @@ -1088,7 +1106,7 @@ class Note: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_releaseNotesType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_releaseNotesType @todo: Replace ``NoteText`` with ``AttachedText``? """ @@ -1172,7 +1190,7 @@ class IdentifiableAction: This is our internal representation of the `identifiableActionType` complex type. .. note:: - See the CycloneDX specification: https://cyclonedx.org/docs/1.6/xml/#type_identifiableActionType + See the CycloneDX specification: https://cyclonedx.org/docs/1.7/xml/#type_identifiableActionType """ def __init__( @@ -1258,7 +1276,7 @@ class Copyright: This is our internal representation of the `copyrightsType` complex type. .. note:: - See the CycloneDX specification: https://cyclonedx.org/docs/1.6/xml/#type_copyrightsType + See the CycloneDX specification: https://cyclonedx.org/docs/1.7/xml/#type_copyrightsType """ def __init__( diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index df3daa561..4debf4217 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -37,6 +37,7 @@ SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, + SchemaVersion1Dot7, ) from ..serialization import UrnUuidHelper from . import _BOM_LINK_PREFIX, ExternalReference, Property @@ -61,7 +62,7 @@ class BomMetaData: This is our internal representation of the metadata complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.6/xml/#type_metadata + See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.7/xml/#type_metadata """ def __init__( @@ -109,6 +110,7 @@ def timestamp(self, timestamp: datetime) -> None: @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(_LifecycleRepositoryHelper) @serializable.xml_sequence(2) def lifecycles(self) -> LifecycleRepository: @@ -193,6 +195,7 @@ def component(self, component: Optional[Component]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(6) def manufacture(self) -> Optional[OrganizationalEntity]: """ @@ -218,6 +221,7 @@ def manufacture(self, manufacture: Optional[OrganizationalEntity]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(7) def manufacturer(self) -> Optional[OrganizationalEntity]: """ @@ -256,6 +260,7 @@ def supplier(self, supplier: Optional[OrganizationalEntity]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(_LicenseRepositorySerializationHelper) @serializable.xml_sequence(9) def licenses(self) -> LicenseRepository: @@ -276,6 +281,7 @@ def licenses(self, licenses: Iterable[License]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property') @serializable.xml_sequence(10) def properties(self) -> 'SortedSet[Property]': @@ -371,6 +377,7 @@ def __init__( @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_attribute() def serial_number(self) -> UUID: """ @@ -401,6 +408,7 @@ def version(self, version: int) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(10) def metadata(self) -> BomMetaData: """ @@ -410,7 +418,7 @@ def metadata(self) -> BomMetaData: Metadata object instance for this Bom. .. note:: - See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.6/xml/#type_metadata + See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.7/xml/#type_metadata """ return self._metadata @@ -442,6 +450,7 @@ def components(self, components: Iterable[Component]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'service') @serializable.xml_sequence(30) def services(self) -> 'SortedSet[Service]': @@ -464,6 +473,7 @@ def services(self, services: Iterable[Service]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'reference') @serializable.xml_sequence(40) def external_references(self) -> 'SortedSet[ExternalReference]': @@ -485,6 +495,7 @@ def external_references(self, external_references: Iterable[ExternalReference]) @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'dependency') @serializable.xml_sequence(50) def dependencies(self) -> 'SortedSet[Dependency]': @@ -512,6 +523,7 @@ def dependencies(self, dependencies: Iterable[Dependency]) -> None: # @serializable.view(SchemaVersion1Dot4) @todo: Update py-serializable to support view by OutputFormat filtering @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property') @serializable.xml_sequence(70) def properties(self) -> 'SortedSet[Property]': @@ -534,6 +546,7 @@ def properties(self, properties: Iterable[Property]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'vulnerability') @serializable.xml_sequence(80) def vulnerabilities(self) -> 'SortedSet[Vulnerability]': @@ -573,6 +586,7 @@ def vulnerabilities(self, vulnerabilities: Iterable[Vulnerability]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(110) def definitions(self) -> Optional[Definitions]: """ diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index ada6249a7..c4e4e5c6d 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -44,6 +44,7 @@ SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, + SchemaVersion1Dot7, ) from ..serialization import PackageUrl as PackageUrlSH from . import ( @@ -72,7 +73,7 @@ class Commit: Our internal representation of the `commitType` complex type. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_commitType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_commitType """ def __init__( @@ -197,7 +198,7 @@ class ComponentScope(str, Enum): Enum object that defines the permissable 'scopes' for a Component according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_scope + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_scope """ # see `_ComponentScopeSerializationHelper.__CASES` for view/case map REQUIRED = 'required' @@ -221,6 +222,7 @@ class _ComponentScopeSerializationHelper(serializable.helpers.BaseHelper): __CASES[SchemaVersion1Dot4] = __CASES[SchemaVersion1Dot3] __CASES[SchemaVersion1Dot5] = __CASES[SchemaVersion1Dot4] __CASES[SchemaVersion1Dot6] = __CASES[SchemaVersion1Dot5] + __CASES[SchemaVersion1Dot7] = __CASES[SchemaVersion1Dot6] @classmethod def __normalize(cls, cs: ComponentScope, view: type[serializable.ViewType]) -> Optional[str]: @@ -253,7 +255,7 @@ class ComponentType(str, Enum): Enum object that defines the permissible 'types' for a Component according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_classification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_classification """ # see `_ComponentTypeSerializationHelper.__CASES` for view/case map APPLICATION = 'application' @@ -300,6 +302,7 @@ class _ComponentTypeSerializationHelper(serializable.helpers.BaseHelper): __CASES[SchemaVersion1Dot6] = __CASES[SchemaVersion1Dot5] | { ComponentType.CRYPTOGRAPHIC_ASSET, } + __CASES[SchemaVersion1Dot7] = __CASES[SchemaVersion1Dot6] @classmethod def __normalize(cls, ct: ComponentType, view: type[serializable.ViewType]) -> Optional[str]: @@ -332,7 +335,7 @@ class Diff: Our internal representation of the `diffType` complex type. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_diffType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_diffType """ def __init__( @@ -400,7 +403,7 @@ class PatchClassification(str, Enum): Enum object that defines the permissible `patchClassification`s. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_patchClassification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_patchClassification """ BACKPORT = 'backport' CHERRY_PICK = 'cherry-pick' @@ -414,7 +417,7 @@ class Patch: Our internal representation of the `patchType` complex type. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_patchType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_patchType """ def __init__( @@ -509,7 +512,7 @@ class Pedigree: may not be known. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_pedigreeType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_pedigreeType """ def __init__( @@ -608,6 +611,7 @@ def commits(self, commits: Iterable[Commit]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'patch') @serializable.xml_sequence(5) def patches(self) -> 'SortedSet[Patch]': @@ -672,7 +676,7 @@ class Swid: Our internal representation of the `swidType` complex type. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_swidType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_swidType """ def __init__( @@ -947,7 +951,7 @@ class Component(Dependable): This is our internal representation of a Component within a Bom. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_component + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_component """ @staticmethod @@ -1090,6 +1094,7 @@ def mime_type(self, mime_type: Optional[str]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_attribute() @serializable.xml_name('bom-ref') def bom_ref(self) -> BomRef: @@ -1108,6 +1113,7 @@ def bom_ref(self) -> BomRef: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(1) def supplier(self) -> Optional[OrganizationalEntity]: """ @@ -1125,6 +1131,7 @@ def supplier(self, supplier: Optional[OrganizationalEntity]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(2) def manufacturer(self) -> Optional[OrganizationalEntity]: """ @@ -1143,6 +1150,7 @@ def manufacturer(self, manufacturer: Optional[OrganizationalEntity]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'author') @serializable.xml_sequence(3) def authors(self) -> 'SortedSet[OrganizationalContact]': @@ -1165,7 +1173,8 @@ def authors(self, authors: Iterable[OrganizationalContact]) -> None: @serializable.view(SchemaVersion1Dot3) @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) - @serializable.view(SchemaVersion1Dot6) # todo: this is deprecated in v1.6? + @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(4) @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING) def author(self) -> Optional[str]: @@ -1322,6 +1331,7 @@ def hashes(self, hashes: Iterable[HashType]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(_LicenseRepositorySerializationHelper) @serializable.xml_sequence(12) def licenses(self) -> LicenseRepository: @@ -1392,6 +1402,7 @@ def purl(self, purl: Optional[PackageURL]) -> None: @property @serializable.json_name('omniborId') @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, child_name='omniborId') @serializable.xml_sequence(16) def omnibor_ids(self) -> 'SortedSet[OmniborId]': @@ -1412,6 +1423,7 @@ def omnibor_ids(self, omnibor_ids: Iterable[OmniborId]) -> None: @property @serializable.json_name('swhid') @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, child_name='swhid') @serializable.xml_sequence(17) def swhids(self) -> 'SortedSet[Swhid]': @@ -1435,6 +1447,7 @@ def swhids(self, swhids: Iterable[Swhid]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(18) def swid(self) -> Optional[Swid]: """ @@ -1469,6 +1482,7 @@ def modified(self, modified: bool) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(20) def pedigree(self) -> Optional[Pedigree]: """ @@ -1491,6 +1505,7 @@ def pedigree(self, pedigree: Optional[Pedigree]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'reference') @serializable.xml_sequence(21) def external_references(self) -> 'SortedSet[ExternalReference]': @@ -1512,6 +1527,7 @@ def external_references(self, external_references: Iterable[ExternalReference]) @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property') @serializable.xml_sequence(22) def properties(self) -> 'SortedSet[Property]': @@ -1551,6 +1567,7 @@ def components(self, components: Iterable['Component']) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(24) @serializable.type_mapping(_ComponentEvidenceSerializationHelper) def evidence(self) -> Optional[ComponentEvidence]: @@ -1570,6 +1587,7 @@ def evidence(self, evidence: Optional[ComponentEvidence]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(25) def release_notes(self) -> Optional[ReleaseNotes]: """ @@ -1608,6 +1626,7 @@ def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(30) def crypto_properties(self) -> Optional[CryptoProperties]: """ @@ -1628,6 +1647,7 @@ def crypto_properties(self, crypto_properties: Optional[CryptoProperties]) -> No @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'tag') @serializable.xml_sequence(31) def tags(self) -> 'SortedSet[str]': diff --git a/cyclonedx/model/component_evidence.py b/cyclonedx/model/component_evidence.py index 3d54795ec..f68956b35 100644 --- a/cyclonedx/model/component_evidence.py +++ b/cyclonedx/model/component_evidence.py @@ -31,7 +31,7 @@ from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparableTuple as _ComparableTuple from ..exception.model import InvalidConfidenceException, InvalidValueException -from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import Copyright from .bom_ref import BomRef from .license import License, LicenseRepository, _LicenseRepositorySerializationHelper @@ -43,7 +43,7 @@ class IdentityField(str, Enum): Enum object that defines the permissible field types for Identity. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/json/#components_items_evidence_identity + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/json/#components_items_evidence_identity """ GROUP = 'group' @@ -82,7 +82,7 @@ class Method: .. note:: See the CycloneDX Schema definition: - https://cyclonedx.org/docs/1.6/json/#components_items_evidence_identity_oneOf_i0_items_methods + https://cyclonedx.org/docs/1.7/json/#components_items_evidence_identity_oneOf_i0_items_methods """ def __init__( @@ -191,7 +191,7 @@ class Identity: Our internal representation of the `identityType` complex type. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/json/#components_items_evidence_identity + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/json/#components_items_evidence_identity """ def __init__( @@ -233,6 +233,7 @@ def confidence(self, confidence: Optional[Decimal]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(3) def concluded_value(self) -> Optional[str]: return self._concluded_value @@ -298,7 +299,7 @@ class Occurrence: Our internal representation of the `occurrenceType` complex type. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/json/#components_items_evidence_occurrences + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/json/#components_items_evidence_occurrences """ def __init__( @@ -346,6 +347,7 @@ def location(self, location: str) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(2) def line(self) -> Optional[int]: """ @@ -361,6 +363,7 @@ def line(self, line: Optional[int]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(3) def offset(self) -> Optional[int]: """ @@ -376,6 +379,7 @@ def offset(self, offset: Optional[int]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(4) def symbol(self) -> Optional[str]: """ @@ -389,6 +393,7 @@ def symbol(self, symbol: Optional[str]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(5) def additional_context(self) -> Optional[str]: """ @@ -433,7 +438,7 @@ class CallStackFrame: Represents an individual frame in a call stack. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/json/#components_items_evidence_callstack + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/json/#components_items_evidence_callstack """ def __init__( @@ -583,7 +588,7 @@ class CallStack: Contains an array of stack frames describing a call stack from when a component was identified. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/json/#components_items_evidence_callstack + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/json/#components_items_evidence_callstack """ def __init__( @@ -639,7 +644,7 @@ class ComponentEvidence: Provides the ability to document evidence collected through various forms of extraction or analysis. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_componentEvidenceType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_componentEvidenceType """ def __init__( @@ -659,6 +664,7 @@ def __init__( @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(1) @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, 'identity') def identity(self) -> 'SortedSet[Identity]': @@ -679,6 +685,7 @@ def identity(self, identity: Union[Iterable[Identity], Identity]) -> None: @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'occurrence') @serializable.xml_sequence(2) def occurrences(self) -> 'SortedSet[Occurrence]': @@ -692,6 +699,7 @@ def occurrences(self, occurrences: Iterable[Occurrence]) -> None: @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(3) def callstack(self) -> Optional[CallStack]: """ diff --git a/cyclonedx/model/contact.py b/cyclonedx/model/contact.py index 83c5b9d2c..cb26af212 100644 --- a/cyclonedx/model/contact.py +++ b/cyclonedx/model/contact.py @@ -24,7 +24,7 @@ from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparableTuple as _ComparableTuple -from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import XsUri from .bom_ref import BomRef @@ -36,7 +36,7 @@ class PostalAddress: within a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_postalAddressType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_postalAddressType """ def __init__( @@ -194,7 +194,7 @@ class OrganizationalContact: within a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_organizationalContact + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_organizationalContact """ def __init__( @@ -212,6 +212,7 @@ def __init__( @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(BomRef) @serializable.xml_attribute() @serializable.xml_name('bom-ref') @@ -304,7 +305,7 @@ class OrganizationalEntity: within a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_organizationalEntity + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_organizationalEntity """ def __init__( @@ -324,6 +325,7 @@ def __init__( @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(BomRef) @serializable.xml_attribute() @serializable.xml_name('bom-ref') @@ -356,6 +358,7 @@ def name(self, name: Optional[str]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(20) def address(self) -> Optional[PostalAddress]: """ diff --git a/cyclonedx/model/crypto.py b/cyclonedx/model/crypto.py index eeab12a82..a3d32d0ea 100644 --- a/cyclonedx/model/crypto.py +++ b/cyclonedx/model/crypto.py @@ -22,7 +22,7 @@ Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ from collections.abc import Iterable @@ -35,7 +35,7 @@ from .._internal.compare import ComparableTuple as _ComparableTuple from ..exception.model import InvalidNistQuantumSecurityLevelException, InvalidRelatedCryptoMaterialSizeException -from ..schema.schema import SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot6, SchemaVersion1Dot7 from .bom_ref import BomRef @@ -48,7 +48,7 @@ class CryptoAssetType(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ ALGORITHM = 'algorithm' @@ -67,7 +67,7 @@ class CryptoPrimitive(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ AE = 'ae' @@ -98,7 +98,7 @@ class CryptoExecutionEnvironment(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ HARDWARE = 'hardware' @@ -120,7 +120,7 @@ class CryptoImplementationPlatform(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ ARMV7_A = 'armv7-a' @@ -150,7 +150,7 @@ class CryptoCertificationLevel(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ NONE = 'none' @@ -196,7 +196,7 @@ class CryptoMode(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ CBC = 'cbc' @@ -221,7 +221,7 @@ class CryptoPadding(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ PKCS5 = 'pkcs5' @@ -244,7 +244,7 @@ class CryptoFunction(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ DECAPSULATE = 'decapsulate' @@ -273,7 +273,7 @@ class AlgorithmProperties: Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -394,6 +394,7 @@ def implementation_platform(self, implementation_platform: Optional[CryptoImplem @property @serializable.json_name('certificationLevel') @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, child_name='certificationLevel') @serializable.xml_sequence(5) def certification_levels(self) -> 'SortedSet[CryptoCertificationLevel]': @@ -530,7 +531,7 @@ class CertificateProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -710,7 +711,7 @@ class RelatedCryptoMaterialType(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ ADDITIONAL_DATA = 'additional-data' @@ -745,7 +746,7 @@ class RelatedCryptoMaterialState(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ ACTIVE = 'active' @@ -767,7 +768,7 @@ class RelatedCryptoMaterialSecuredBy: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -843,7 +844,7 @@ class RelatedCryptoMaterialProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -1092,7 +1093,7 @@ class ProtocolPropertiesType(str, Enum): Introduced in CycloneDX v1.6 .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ IKE = 'ike' @@ -1117,7 +1118,7 @@ class ProtocolPropertiesCipherSuite: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -1210,7 +1211,7 @@ class Ikev2TransformTypes: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -1357,7 +1358,7 @@ class ProtocolProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( @@ -1487,7 +1488,7 @@ class CryptoProperties: .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_cryptoPropertiesType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_cryptoPropertiesType """ def __init__( diff --git a/cyclonedx/model/definition.py b/cyclonedx/model/definition.py index 4eaa93e66..639743e57 100644 --- a/cyclonedx/model/definition.py +++ b/cyclonedx/model/definition.py @@ -96,7 +96,7 @@ class Requirement: .. note:: See the CycloneDX Schema for hashType: - https://cyclonedx.org/docs/1.6/json/#definitions_standards_items_requirements + https://cyclonedx.org/docs/1.7/json/#definitions_standards_items_requirements """ def __init__( @@ -292,7 +292,7 @@ class Level: Level of compliance for a standard. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/json/#definitions_standards_items_levels + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/json/#definitions_standards_items_levels """ def __init__( @@ -411,7 +411,7 @@ class Standard: or any other requirements. .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_standard + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_standard """ def __init__( @@ -593,7 +593,7 @@ class Definitions: The repository for definitions .. note:: - See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/xml/#type_definitionsType + See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.7/xml/#type_definitionsType """ def __init__( diff --git a/cyclonedx/model/dependency.py b/cyclonedx/model/dependency.py index b9220570d..de3ca3260 100644 --- a/cyclonedx/model/dependency.py +++ b/cyclonedx/model/dependency.py @@ -53,7 +53,7 @@ class Dependency: Models a Dependency within a BOM. .. note:: - See https://cyclonedx.org/docs/1.6/xml/#type_dependencyType + See https://cyclonedx.org/docs/1.7/xml/#type_dependencyType """ def __init__(self, ref: BomRef, dependencies: Optional[Iterable['Dependency']] = None) -> None: diff --git a/cyclonedx/model/impact_analysis.py b/cyclonedx/model/impact_analysis.py index d82ed7365..41d35ea33 100644 --- a/cyclonedx/model/impact_analysis.py +++ b/cyclonedx/model/impact_analysis.py @@ -45,7 +45,7 @@ class ImpactAnalysisAffectedStatus(str, Enum): has not disclosed the status. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisAffectedStatusType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_impactAnalysisAffectedStatusType """ AFFECTED = 'affected' @@ -59,7 +59,7 @@ class ImpactAnalysisJustification(str, Enum): Enum object that defines the rationale of why the impact analysis state was asserted. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisJustificationType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_impactAnalysisJustificationType """ CODE_NOT_PRESENT = 'code_not_present' @@ -79,7 +79,7 @@ class ImpactAnalysisResponse(str, Enum): Enum object that defines the valid rationales as to why the impact analysis state was asserted. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisResponsesType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_impactAnalysisResponsesType """ CAN_NOT_FIX = 'can_not_fix' @@ -95,7 +95,7 @@ class ImpactAnalysisState(str, Enum): Enum object that defines the permissible impact analysis states. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_impactAnalysisStateType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_impactAnalysisStateType """ RESOLVED = 'resolved' diff --git a/cyclonedx/model/issue.py b/cyclonedx/model/issue.py index 8c5ca0c1a..1663a7265 100644 --- a/cyclonedx/model/issue.py +++ b/cyclonedx/model/issue.py @@ -32,7 +32,7 @@ class IssueClassification(str, Enum): This is our internal representation of the enum `issueClassification`. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_issueClassification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_issueClassification """ DEFECT = 'defect' ENHANCEMENT = 'enhancement' @@ -47,7 +47,7 @@ class IssueTypeSource: .. note:: See the CycloneDX Schema definition: - https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves_items_source + https://cyclonedx.org/docs/1.7/json/#components_items_pedigree_patches_items_resolves_items_source """ def __init__( @@ -116,7 +116,7 @@ class IssueType: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_issueType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_issueType """ def __init__( diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index 49b9fd3df..3d9369429 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -33,7 +33,7 @@ from .._internal.compare import ComparableTuple as _ComparableTuple from ..exception.model import MutuallyExclusivePropertiesException from ..exception.serialization import CycloneDxDeserializationException -from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import AttachedText, XsUri from .bom_ref import BomRef @@ -49,7 +49,7 @@ class LicenseAcknowledgement(str, Enum): .. note:: See the CycloneDX Schema for hashType: - https://cyclonedx.org/docs/1.6/xml/#type_licenseAcknowledgementEnumerationType + https://cyclonedx.org/docs/1.7/xml/#type_licenseAcknowledgementEnumerationType """ CONCLUDED = 'concluded' @@ -72,7 +72,7 @@ class DisjunctiveLicense: a CycloneDX BOM document. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_licenseType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_licenseType """ def __init__( @@ -99,6 +99,7 @@ def __init__( @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(BomRef) @serializable.xml_attribute() @serializable.xml_name('bom-ref') @@ -121,7 +122,7 @@ def id(self) -> Optional[str]: .. note:: See the list of expected values: - https://cyclonedx.org/docs/1.6/json/#components_items_licenses_items_license_id + https://cyclonedx.org/docs/1.7/json/#components_items_licenses_items_license_id Returns: `str` or `None` @@ -209,6 +210,7 @@ def url(self, url: Optional[XsUri]) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_attribute() def acknowledgement(self) -> Optional[LicenseAcknowledgement]: """ @@ -271,7 +273,7 @@ class LicenseExpression: .. note:: See the CycloneDX Schema definition: - https://cyclonedx.org/docs/1.6/json/#components_items_licenses_items_expression + https://cyclonedx.org/docs/1.7/json/#components_items_licenses_items_expression """ def __init__( @@ -286,6 +288,7 @@ def __init__( @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(BomRef) @serializable.xml_attribute() @serializable.xml_name('bom-ref') @@ -319,6 +322,7 @@ def value(self, value: str) -> None: @property @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_attribute() def acknowledgement(self) -> Optional[LicenseAcknowledgement]: """ diff --git a/cyclonedx/model/lifecycle.py b/cyclonedx/model/lifecycle.py index 081aeb3af..b7aa062d3 100644 --- a/cyclonedx/model/lifecycle.py +++ b/cyclonedx/model/lifecycle.py @@ -22,7 +22,7 @@ Introduced in CycloneDX v1.5 .. note:: - See the CycloneDX Schema for lifecycles: https://cyclonedx.org/docs/1.6/xml/#metadata_lifecycles + See the CycloneDX Schema for lifecycles: https://cyclonedx.org/docs/1.7/xml/#metadata_lifecycles """ from enum import Enum @@ -47,7 +47,7 @@ class LifecyclePhase(str, Enum): Enum object that defines the permissible 'phase' for a Lifecycle according to the CycloneDX schema. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_classification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_classification """ DESIGN = 'design' PRE_BUILD = 'pre-build' @@ -65,7 +65,7 @@ class PredefinedLifecycle: .. note:: See the CycloneDX Schema definition: - https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_lifecycles_items_oneOf_i0 + https://cyclonedx.org/docs/1.7/json/#tab-pane_metadata_lifecycles_items_oneOf_i0 """ def __init__(self, phase: LifecyclePhase) -> None: @@ -105,7 +105,7 @@ class NamedLifecycle: .. note:: See the CycloneDX Schema definition: - https://cyclonedx.org/docs/1.6/json/#tab-pane_metadata_lifecycles_items_oneOf_i1 + https://cyclonedx.org/docs/1.7/json/#tab-pane_metadata_lifecycles_items_oneOf_i1 """ def __init__(self, name: str, *, description: Optional[str] = None) -> None: diff --git a/cyclonedx/model/release_note.py b/cyclonedx/model/release_note.py index 27387f183..890e1b097 100644 --- a/cyclonedx/model/release_note.py +++ b/cyclonedx/model/release_note.py @@ -33,7 +33,7 @@ class ReleaseNotes: This is our internal representation of a `releaseNotesType` for a Component in a BOM. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_releaseNotesType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_releaseNotesType """ def __init__( diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index 443db05b6..105973703 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -20,7 +20,7 @@ This set of classes represents the data that is possible about known Services. .. note:: - See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.6/xml/#type_servicesType + See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.7/xml/#type_servicesType """ @@ -32,7 +32,13 @@ from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparableTuple as _ComparableTuple -from ..schema.schema import SchemaVersion1Dot3, SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6 +from ..schema.schema import ( + SchemaVersion1Dot3, + SchemaVersion1Dot4, + SchemaVersion1Dot5, + SchemaVersion1Dot6, + SchemaVersion1Dot7, +) from . import DataClassification, ExternalReference, Property, XsUri from .bom_ref import BomRef from .contact import OrganizationalEntity @@ -47,7 +53,7 @@ class Service(Dependable): Class that models the `service` complex type in the CycloneDX schema. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_service + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_service """ def __init__( @@ -299,6 +305,7 @@ def external_references(self, external_references: Iterable[ExternalReference]) @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property') @serializable.xml_sequence(13) def properties(self) -> 'SortedSet[Property]': @@ -339,6 +346,7 @@ def services(self, services: Iterable['Service']) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(15) def release_notes(self) -> Optional[ReleaseNotes]: """ diff --git a/cyclonedx/model/tool.py b/cyclonedx/model/tool.py index 2d2b70054..5ef648c71 100644 --- a/cyclonedx/model/tool.py +++ b/cyclonedx/model/tool.py @@ -28,7 +28,7 @@ from .._internal.compare import ComparableTuple as _ComparableTuple from ..schema import SchemaVersion -from ..schema.schema import SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import ExternalReference, HashType, _HashTypeRepositorySerializationHelper from .component import Component from .service import Service @@ -48,7 +48,7 @@ class Tool: In fact, this library will try to provide a compatibility layer if needed. .. note:: - See the CycloneDX Schema for toolType: https://cyclonedx.org/docs/1.6/xml/#type_toolType + See the CycloneDX Schema for toolType: https://cyclonedx.org/docs/1.7/xml/#type_toolType """ def __init__( @@ -133,6 +133,7 @@ def hashes(self, hashes: Iterable[HashType]) -> None: @serializable.view(SchemaVersion1Dot4) @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'reference') @serializable.xml_sequence(5) def external_references(self) -> 'SortedSet[ExternalReference]': diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py index 5999f64c9..fcfb4a687 100644 --- a/cyclonedx/model/vulnerability.py +++ b/cyclonedx/model/vulnerability.py @@ -25,7 +25,7 @@ Since CycloneDX schema version 1.4, this has become part of the core schema. .. note:: - See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilitiesType + See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType """ @@ -42,7 +42,7 @@ from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparableTuple as _ComparableTuple from ..exception.model import MutuallyExclusivePropertiesException, NoPropertiesProvidedException -from ..schema.schema import SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6 +from ..schema.schema import SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import Property, XsUri from .bom_ref import BomRef from .contact import OrganizationalContact, OrganizationalEntity @@ -64,7 +64,7 @@ class BomTargetVersionRange: .. note:: See the CycloneDX schema: - https://cyclonedx.org/docs/1.6/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0 + https://cyclonedx.org/docs/1.7/json/#tab-pane_vulnerabilities_items_affects_items_versions_items_oneOf_i0 """ def __init__( @@ -160,7 +160,7 @@ class BomTarget: from a `cyclonedx.parser.BaseParser` implementation. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_affects """ def __init__( @@ -228,7 +228,7 @@ class VulnerabilityAnalysis: Class that models the `analysis` sub-element of the `vulnerabilityType` complex type. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_analysis """ def __init__( @@ -316,6 +316,7 @@ def detail(self, detail: Optional[str]) -> None: @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(serializable.helpers.XsdDateTime) @serializable.xml_sequence(5) def first_issued(self) -> Optional[datetime]: @@ -328,6 +329,7 @@ def first_issued(self, first_issue: Optional[datetime]) -> None: @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.type_mapping(serializable.helpers.XsdDateTime) @serializable.xml_sequence(6) def last_updated(self) -> Optional[datetime]: @@ -368,7 +370,7 @@ class VulnerabilityAdvisory: Class that models the `advisoryType` complex type. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_advisories + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_advisories """ def __init__( @@ -434,7 +436,7 @@ class VulnerabilitySource: This type is used for multiple purposes in the CycloneDX schema. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_source + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_source """ def __init__( @@ -503,7 +505,7 @@ class VulnerabilityReference: intelligence. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_references + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_references .. note:: Properties ``id`` and ``source`` are mandatory. @@ -583,7 +585,7 @@ class VulnerabilityScoreSource(str, Enum): Enum object that defines the permissible source types for a Vulnerability's score. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_scoreSourceType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_scoreSourceType .. note:: No explicit carry-over from the former schema extension: @@ -676,6 +678,7 @@ class _VulnerabilityScoreSourceSerializationHelper(serializable.helpers.BaseHelp VulnerabilityScoreSource.SSVC } __CASES[SchemaVersion1Dot6] = __CASES[SchemaVersion1Dot5] + __CASES[SchemaVersion1Dot7] = __CASES[SchemaVersion1Dot6] @classmethod def __normalize(cls, vss: VulnerabilityScoreSource, view: type[serializable.ViewType]) -> str: @@ -710,7 +713,7 @@ class VulnerabilitySeverity(str, Enum): Class that defines the permissible severities for a Vulnerability. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_severityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_severityType """ NONE = 'none' INFO = 'info' # Only >= 1.4 @@ -764,7 +767,7 @@ class VulnerabilityRating: 1.4 - see https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd. .. note:: - See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_ratingType + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_ratingType .. warning:: As part of implementing support for CycloneDX schema version 1.4, the three score types defined in the schema @@ -902,7 +905,7 @@ class VulnerabilityCredits: extension (in XML only). .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_credits + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/json/#vulnerabilities_items_credits """ def __init__( @@ -977,7 +980,7 @@ class Vulnerability: extension (in XML only). .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.6/xml/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilityType """ def __init__( @@ -1170,6 +1173,7 @@ def recommendation(self, recommendation: Optional[str]) -> None: @property @serializable.view(SchemaVersion1Dot5) @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) @serializable.xml_sequence(9) def workaround(self) -> Optional[str]: """ diff --git a/cyclonedx/output/json.py b/cyclonedx/output/json.py index 8caa7b902..23d7a6666 100644 --- a/cyclonedx/output/json.py +++ b/cyclonedx/output/json.py @@ -31,6 +31,7 @@ SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, + SchemaVersion1Dot7, ) from . import BaseOutput, BomRefDiscriminator @@ -131,7 +132,14 @@ def _get_schema_uri(self) -> str: return 'http://cyclonedx.org/schema/bom-1.6.schema.json' +class JsonV1Dot7(Json, SchemaVersion1Dot7): + + def _get_schema_uri(self) -> str: + return 'http://cyclonedx.org/schema/bom-1.7.schema.json' + + BY_SCHEMA_VERSION: dict[SchemaVersion, type[Json]] = { + SchemaVersion.V1_7: JsonV1Dot7, SchemaVersion.V1_6: JsonV1Dot6, SchemaVersion.V1_5: JsonV1Dot5, SchemaVersion.V1_4: JsonV1Dot4, diff --git a/cyclonedx/output/xml.py b/cyclonedx/output/xml.py index 3e5799fac..8c206349f 100644 --- a/cyclonedx/output/xml.py +++ b/cyclonedx/output/xml.py @@ -31,6 +31,7 @@ SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, + SchemaVersion1Dot7, ) from . import BaseOutput, BomRefDiscriminator @@ -124,7 +125,12 @@ class XmlV1Dot6(Xml, SchemaVersion1Dot6): pass +class XmlV1Dot7(Xml, SchemaVersion1Dot7): + pass + + BY_SCHEMA_VERSION: dict[SchemaVersion, type[Xml]] = { + SchemaVersion.V1_7: XmlV1Dot7, SchemaVersion.V1_6: XmlV1Dot6, SchemaVersion.V1_5: XmlV1Dot5, SchemaVersion.V1_4: XmlV1Dot4, diff --git a/cyclonedx/schema/__init__.py b/cyclonedx/schema/__init__.py index cb57d8ef9..083dc7f9a 100644 --- a/cyclonedx/schema/__init__.py +++ b/cyclonedx/schema/__init__.py @@ -55,6 +55,7 @@ class SchemaVersion(Enum): my_sv = SchemaVersion.V1_3 """ + V1_7 = (1, 7) V1_6 = (1, 6) V1_5 = (1, 5) V1_4 = (1, 4) diff --git a/cyclonedx/schema/_res/README.md b/cyclonedx/schema/_res/README.md index 83f33cd77..207414b9e 100644 --- a/cyclonedx/schema/_res/README.md +++ b/cyclonedx/schema/_res/README.md @@ -1,10 +1,10 @@ # Resources: Schema files -some schema for offline use as download via [script](../../../tools/schema-downloader.py). +some schema for offline use as downloaded via [script](../../../tools/schema-downloader.py). original sources: Currently using version -[8a27bfd1be5be0dcb2c208a34d2f4fa0b6d75bd7](https://github.com/CycloneDX/specification/commit/8a27bfd1be5be0dcb2c208a34d2f4fa0b6d75bd7) +[4b3f59453366e27c8073fd24e98bf21ef8892c8e](https://github.com/CycloneDX/specification/commit/4b3f59453366e27c8073fd24e98bf21ef8892c8e) | file | note | |------|------| @@ -15,15 +15,18 @@ Currently using version | [`bom-1.4.SNAPSHOT.xsd`](bom-1.4.SNAPSHOT.xsd) | applied changes: 1 | | [`bom-1.5.SNAPSHOT.xsd`](bom-1.5.SNAPSHOT.xsd) | applied changes: 1 | | [`bom-1.6.SNAPSHOT.xsd`](bom-1.6.SNAPSHOT.xsd) | applied changes: 1 | +| [`bom-1.7.SNAPSHOT.xsd`](bom-1.7.SNAPSHOT.xsd) | applied changes: 1 | | [`bom-1.2.SNAPSHOT.schema.json`](bom-1.2.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | | [`bom-1.3.SNAPSHOT.schema.json`](bom-1.3.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | | [`bom-1.4.SNAPSHOT.schema.json`](bom-1.4.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | | [`bom-1.5.SNAPSHOT.schema.json`](bom-1.5.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | | [`bom-1.6.SNAPSHOT.schema.json`](bom-1.6.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | +| [`bom-1.7.SNAPSHOT.schema.json`](bom-1.7.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6,7 | | [`bom-1.2-strict.SNAPSHOT.schema.json`](bom-1.2-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | | [`bom-1.3-strict.SNAPSHOT.schema.json`](bom-1.3-strict.SNAPSHOT.schema.json) | applied changes: 2,3,4,5,6 | | [`spdx.SNAPSHOT.xsd`](spdx.SNAPSHOT.xsd) | | | [`spdx.SNAPSHOT.schema.json`](spdx.SNAPSHOT.schema.json) | | +| [`cryptography-defs.SNAPSHOT.schema.json`](cryptography-defs.SNAPSHOT.schema.json) | | | [`jsf-0.82.SNAPSHOT.schema.json`](jsf-0.82.SNAPSHOT.schema.json) | | changes: @@ -33,3 +36,5 @@ changes: 4. `properties.$schema.enum` was removed 5. `required.version` removed, as it is actually optional with default value 6. `"pattern": "^(.*)$"` removed as it has no meaning +7. `cryptography-defs.schema.json` was replaced with `cryptography-defs.SNAPSHOT.schema.json` + diff --git a/cyclonedx/schema/_res/__init__.py b/cyclonedx/schema/_res/__init__.py index 3a9678838..0e63d043d 100644 --- a/cyclonedx/schema/_res/__init__.py +++ b/cyclonedx/schema/_res/__init__.py @@ -30,6 +30,7 @@ __DIR = dirname(__file__) BOM_XML: dict[SchemaVersion, Optional[str]] = { + SchemaVersion.V1_7: join(__DIR, 'bom-1.7.SNAPSHOT.xsd'), SchemaVersion.V1_6: join(__DIR, 'bom-1.6.SNAPSHOT.xsd'), SchemaVersion.V1_5: join(__DIR, 'bom-1.5.SNAPSHOT.xsd'), SchemaVersion.V1_4: join(__DIR, 'bom-1.4.SNAPSHOT.xsd'), @@ -40,6 +41,7 @@ } BOM_JSON: dict[SchemaVersion, Optional[str]] = { + SchemaVersion.V1_7: join(__DIR, 'bom-1.7.SNAPSHOT.schema.json'), SchemaVersion.V1_6: join(__DIR, 'bom-1.6.SNAPSHOT.schema.json'), SchemaVersion.V1_5: join(__DIR, 'bom-1.5.SNAPSHOT.schema.json'), SchemaVersion.V1_4: join(__DIR, 'bom-1.4.SNAPSHOT.schema.json'), @@ -51,6 +53,7 @@ } BOM_JSON_STRICT: dict[SchemaVersion, Optional[str]] = { + SchemaVersion.V1_7: BOM_JSON[SchemaVersion.V1_7], SchemaVersion.V1_6: BOM_JSON[SchemaVersion.V1_6], SchemaVersion.V1_5: BOM_JSON[SchemaVersion.V1_5], SchemaVersion.V1_4: BOM_JSON[SchemaVersion.V1_4], @@ -65,4 +68,6 @@ SPDX_JSON = join(__DIR, 'spdx.SNAPSHOT.schema.json') SPDX_XML = join(__DIR, 'spdx.SNAPSHOT.xsd') +CRYPTOGRAPHY_DEFS = join(__DIR, 'cryptography-defs.SNAPSHOT.schema.json') + JSF = join(__DIR, 'jsf-0.82.SNAPSHOT.schema.json') diff --git a/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.schema.json index 48a462e30..cb855c78e 100644 --- a/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.schema.json @@ -1636,7 +1636,7 @@ "$ref": "#/definitions/version" }, "range": { - "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", "$ref": "#/definitions/range" }, "status": { @@ -1679,7 +1679,7 @@ "maxLength": 1024 }, "range": { - "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", "type": "string", "minLength": 1, "maxLength": 1024 diff --git a/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.xsd index 4b3b250d4..9bb59ddf5 100644 --- a/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.4.SNAPSHOT.xsd @@ -1993,7 +1993,7 @@ limitations under the License. - A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec diff --git a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.schema.json index 72781e909..cee291b5f 100644 --- a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.schema.json @@ -2281,7 +2281,7 @@ "$ref": "#/definitions/version" }, "range": { - "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", "$ref": "#/definitions/range" }, "status": { @@ -2323,7 +2323,7 @@ "maxLength": 1024 }, "range": { - "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", "type": "string", "minLength": 1, "maxLength": 1024 diff --git a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd index db6e1b0c7..022c09072 100644 --- a/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.5.SNAPSHOT.xsd @@ -2433,12 +2433,12 @@ limitations under the License. - The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. - The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. @@ -3644,7 +3644,7 @@ limitations under the License. - A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec diff --git a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json index bc61ce449..981961dd6 100644 --- a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json +++ b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.schema.json @@ -25,7 +25,7 @@ "type": "string", "title": "CycloneDX Specification Version", "description": "The version of the CycloneDX specification the BOM conforms to.", - "examples": ["1.6.1"] + "examples": ["1.6"] }, "serialNumber": { "type": "string", @@ -2237,7 +2237,7 @@ "aggregate": { "$ref": "#/definitions/aggregateType", "title": "Aggregate", - "description": "Specifies an aggregate type that describe how complete a relationship is." + "description": "Specifies an aggregate type that describes how complete a relationship is." }, "assemblies": { "type": "array", @@ -2928,7 +2928,7 @@ }, "range": { "title": "Version Range", - "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", "$ref": "#/definitions/versionRange" }, "status": { @@ -2983,7 +2983,7 @@ ] }, "versionRange": { - "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", "type": "string", "minLength": 1, "maxLength": 4096, diff --git a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd index d6d57e318..427f3c4f0 100644 --- a/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd +++ b/cyclonedx/schema/_res/bom-1.6.SNAPSHOT.xsd @@ -76,7 +76,7 @@ limitations under the License. - opyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. @@ -2715,7 +2715,7 @@ limitations under the License. - Specifies an aggregate type that describe how complete a relationship is. + Specifies an aggregate type that describes how complete a relationship is. @@ -2810,12 +2810,12 @@ limitations under the License. - The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. - The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. @@ -4475,7 +4475,7 @@ limitations under the License. - A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec diff --git a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json new file mode 100644 index 000000000..c0ed5071d --- /dev/null +++ b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.schema.json @@ -0,0 +1,6700 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "type": "object", + "title": "CycloneDX Bill of Materials Standard", + "$comment" : "CycloneDX JSON schema is published under the terms of the Apache License 2.0.", + "required": [ + "bomFormat", + "specVersion" + ], + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string" + }, + "bomFormat": { + "type": "string", + "title": "BOM Format", + "description": "Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention, nor does JSON schema support namespaces. This value must be \"CycloneDX\".", + "enum": [ + "CycloneDX" + ] + }, + "specVersion": { + "type": "string", + "title": "CycloneDX Specification Version", + "description": "The version of the CycloneDX specification the BOM conforms to.", + "examples": ["1.7"] + }, + "serialNumber": { + "type": "string", + "title": "BOM Serial Number", + "description": "Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.", + "examples": ["urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"], + "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" + }, + "version": { + "type": "integer", + "title": "BOM Version", + "description": "Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.", + "minimum": 1, + "default": 1, + "examples": [1] + }, + "metadata": { + "$ref": "#/definitions/metadata", + "title": "BOM Metadata", + "description": "Provides additional information about a BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "dependencies": { + "type": "array", + "items": {"$ref": "#/definitions/dependency"}, + "uniqueItems": true, + "title": "Dependencies", + "description": "Provides the ability to document dependency relationships including provided & implemented components." + }, + "compositions": { + "type": "array", + "items": {"$ref": "#/definitions/compositions"}, + "uniqueItems": true, + "title": "Compositions", + "description": "Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described." + }, + "vulnerabilities": { + "type": "array", + "items": {"$ref": "#/definitions/vulnerability"}, + "uniqueItems": true, + "title": "Vulnerabilities", + "description": "Vulnerabilities identified in components or services." + }, + "annotations": { + "type": "array", + "items": {"$ref": "#/definitions/annotations"}, + "uniqueItems": true, + "title": "Annotations", + "description": "Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed." + }, + "formulation": { + "type": "array", + "items": {"$ref": "#/definitions/formula"}, + "uniqueItems": true, + "title": "Formulation", + "description": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. This may encompass how the object was created, assembled, deployed, tested, certified, or otherwise brought into its present form. Common examples include software build pipelines, deployment processes, AI/ML model training, cryptographic key generation or certification, and third-party audits. Processes are modeled using declared and observed formulas, composed of workflows, tasks, and individual steps." + }, + "declarations": { + "type": "object", + "title": "Declarations", + "description": "The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.", + "additionalProperties": false, + "properties": { + "assessors": { + "type": "array", + "title": "Assessors", + "description": "The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.", + "items": { + "type": "object", + "title": "Assessor", + "description": "The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "thirdParty": { + "type": "boolean", + "title": "Third Party", + "description": "The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The entity issuing the assessment." + } + } + } + }, + "attestations": { + "type": "array", + "title": "Attestations", + "description": "The list of attestations asserted by an assessor that maps requirements to claims.", + "items": { + "type": "object", + "title": "Attestation", + "additionalProperties": false, + "properties": { + "summary": { + "type": "string", + "title": "Summary", + "description": "The short description explaining the main points of the attestation." + }, + "assessor": { + "$ref": "#/definitions/refLinkType", + "title": "Assessor", + "description": "The `bom-ref` to the assessor asserting the attestation." + }, + "map": { + "type": "array", + "title": "Map", + "description": "The grouping of requirements to claims and the attestors declared conformance and confidence thereof.", + "items": { + "type": "object", + "title": "Map", + "additionalProperties": false, + "properties": { + "requirement": { + "$ref": "#/definitions/refLinkType", + "title": "Requirement", + "description": "The `bom-ref` to the requirement being attested to." + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of `bom-ref` to the claims being attested to.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterClaims": { + "type": "array", + "title": "Counter Claims", + "description": "The list of `bom-ref` to the counter claims being attested to.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "conformance": { + "type": "object", + "title": "Conformance", + "description": "The conformance of the claim meeting a requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the conformance score." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies.", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + }, + "confidence": { + "type": "object", + "title": "Confidence", + "description": "The confidence of the claim meeting the requirement.", + "additionalProperties": false, + "properties": { + "score": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Score", + "description": "The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence." + }, + "rationale": { + "type": "string", + "title": "Rationale", + "description": "The rationale for the confidence score." + } + } + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "claims": { + "type": "array", + "title": "Claims", + "description": "The list of claims.", + "items": { + "type": "object", + "title": "Claim", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "target": { + "$ref": "#/definitions/refLinkType", + "title": "Target", + "description": "The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc... that this claim is being applied to." + }, + "predicate": { + "type": "string", + "title": "Predicate", + "description": "The specific statement or assertion about the target." + }, + "mitigationStrategies": { + "type": "array", + "title": "Mitigation Strategies", + "description": "The list of `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "reasoning": { + "type": "string", + "title": "Reasoning", + "description": "The written explanation of why the evidence provided substantiates the claim." + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of `bom-ref` to evidence that supports this claim.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "counterEvidence": { + "type": "array", + "title": "Counter Evidence", + "description": "The list of `bom-ref` to counterEvidence that supports this claim.", + "items": { "$ref": "#/definitions/refLinkType" } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "evidence": { + "type": "array", + "title": "Evidence", + "description": "The list of evidence", + "items": { + "type": "object", + "title": "Evidence", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "propertyName": { + "type": "string", + "title": "Property Name", + "description": "The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/)." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The written description of what this evidence is and how it was created." + }, + "data": { + "type": "array", + "title": "Data", + "description": "The output or analysis that supports claims.", + "items": { + "type": "object", + "title": "Data", + "additionalProperties": false, + "properties": { + "name": { + "title": "Data Name", + "description": "The name of the data.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data included.", + "items": { + "type": "string" + } + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the evidence was created." + }, + "expires": { + "type": "string", + "format": "date-time", + "title": "Expires", + "description": "The date and time (timestamp) when the evidence is no longer valid." + }, + "author": { + "$ref": "#/definitions/organizationalContact", + "title": "Author", + "description": "The author of the evidence." + }, + "reviewer": { + "$ref": "#/definitions/organizationalContact", + "title": "Reviewer", + "description": "The reviewer of the evidence." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + } + }, + "targets": { + "type": "object", + "title": "Targets", + "description": "The list of targets which claims are made against.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The list of organizations which claims are made against.", + "items": {"$ref": "#/definitions/organizationalEntity"} + }, + "components": { + "type": "array", + "title": "Components", + "description": "The list of components which claims are made against.", + "items": {"$ref": "#/definitions/component"} + }, + "services": { + "type": "array", + "title": "Services", + "description": "The list of services which claims are made against.", + "items": {"$ref": "#/definitions/service"} + } + } + }, + "affirmation": { + "type": "object", + "title": "Affirmation", + "description": "A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.", + "additionalProperties": false, + "properties": { + "statement": { + "type": "string", + "title": "Statement", + "description": "The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.", + "examples": [ "I certify, to the best of my knowledge, that all information is correct." ] + }, + "signatories": { + "type": "array", + "title": "Signatories", + "description": "The list of signatories authorized on behalf of an organization to assert validity of this document.", + "items": { + "type": "object", + "title": "Signatory", + "additionalProperties": false, + "oneOf": [ + { + "required": ["signature"] + }, + { + "required": ["externalReference", "organization"] + } + ], + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The signatory's name." + }, + "role": { + "type": "string", + "title": "Role", + "description": "The signatory's role within an organization." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "organization": { + "$ref": "#/definitions/organizationalEntity", + "title": "Organization", + "description": "The signatory's organization." + }, + "externalReference": { + "$ref": "#/definitions/externalReference", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "definitions": { + "type": "object", + "title": "Definitions", + "description": "A collection of reusable objects that are defined and may be used elsewhere in the BOM.", + "additionalProperties": false, + "properties": { + "standards": { + "type": "array", + "title": "Standards", + "description": "The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "items": { + "$ref": "#/definitions/standard" + } + }, + "patents": { + "type": "array", + "title": "Patents", + "description": "The list of either individual patents or patent families.", + "items": { + "anyOf": [ + { "$ref": "#/definitions/patent" }, + { "$ref": "#/definitions/patentFamily" } + ] + } + } + } + }, + "citations": { + "type": "array", + "items": {"$ref": "#/definitions/citation"}, + "uniqueItems": true, + "title": "Citations", + "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + }, + "definitions": { + "refType": { + "title": "BOM Reference", + "description": "Identifier for referable and therefore interlinkable elements.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "type": "string", + "minLength": 1, + "$comment": "TODO (breaking change): add a format constraint that prevents the value from staring with 'urn:cdx:'" + }, + "refLinkType": { + "title": "BOM Reference", + "description": "Descriptor for an element identified by the attribute 'bom-ref' in the same BOM document.\nIn contrast to `bomLinkElementType`.", + "$ref": "#/definitions/refType" + }, + "bomLinkDocumentType": { + "title": "BOM-Link Document", + "description": "Descriptor for another BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLinkElementType": { + "title": "BOM-Link Element", + "description": "Descriptor for an element in a BOM document. See https://cyclonedx.org/capabilities/bomlink/", + "type": "string", + "format": "iri-reference", + "pattern": "^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$", + "$comment": "part of the pattern is based on `bom.serialNumber`'s pattern" + }, + "bomLink": { + "title": "BOM-Link", + "anyOf": [ + { + "title": "BOM-Link Document", + "$ref": "#/definitions/bomLinkDocumentType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "metadata": { + "type": "object", + "title": "BOM Metadata", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the BOM was created." + }, + "lifecycles": { + "type": "array", + "title": "Lifecycles", + "description": "Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.", + "items": { + "type": "object", + "title": "Lifecycle", + "description": "The product lifecycle(s) that this BOM represents.", + "oneOf": [ + { + "title": "Pre-Defined Phase", + "required": ["phase"], + "additionalProperties": false, + "properties": { + "phase": { + "type": "string", + "title": "Phase", + "description": "A pre-defined phase in the product lifecycle.", + "enum": [ + "design", + "pre-build", + "build", + "post-build", + "operations", + "discovery", + "decommission" + ], + "meta:enum": { + "design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.", + "pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.", + "build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.", + "post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.", + "operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.", + "discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.", + "decommission": "BOM containing inventory that will be, or has been retired from operations." + } + } + } + }, + { + "title": "Custom Phase", + "required": ["name"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the lifecycle phase" + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the lifecycle phase" + } + } + } + ] + } + }, + "tools": { + "title": "Tools", + "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used in the creation, enrichment, and validation of the BOM.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated]\nThe tool(s) used in the creation, enrichment, and validation of the BOM.", + "deprecated": true, + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "manufacturer": { + "title": "BOM Manufacturer", + "description": "The organization that created the BOM.\nManufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors": { + "type": "array", + "title": "BOM Authors", + "description": "The person(s) who created the BOM.\nAuthors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "component": { + "title": "Component", + "description": "The component that the BOM describes.", + "$ref": "#/definitions/component" + }, + "manufacture": { + "deprecated": true, + "title": "Component Manufacture (legacy)", + "description": "[Deprecated] This will be removed in a future version. Use the `@.component.manufacturer` instead.\nThe organization that manufactured the component that the BOM describes.", + "$ref": "#/definitions/organizationalEntity" + }, + "supplier": { + "title": "Supplier", + "description": " The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "licenses": { + "title": "BOM License(s)", + "description": "The license information for the BOM document.\nThis may be different from the license(s) of the component(s) that the BOM describes.", + "$ref": "#/definitions/licenseChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "distributionConstraints": { + "title": "Distribution Constraints", + "description": "Conditions and constraints governing the sharing and distribution of the data or components described by this BOM.", + "type": "object", + "properties": { + "tlp": { + "$ref": "#/definitions/tlpClassification", + "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes." + } + }, + "additionalProperties": false + } + } + }, + "tlpClassification": { + "title": "Traffic Light Protocol (TLP) Classification", + "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"", + "type" : "string", + "default": "CLEAR", + "enum": [ + "CLEAR", + "GREEN", + "AMBER", + "AMBER_AND_STRICT", + "RED" + ], + "meta:enum": { + "CLEAR": "The information is not subject to any restrictions as regards the sharing.", + "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.", + "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.", + "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.", + "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared." + } + }, + "tool": { + "type": "object", + "title": "Tool", + "description": "[Deprecated] This will be removed in a future version. Use component or service instead.\nInformation about the automated or manual tool used", + "additionalProperties": false, + "deprecated": true, + "properties": { + "vendor": { + "type": "string", + "title": "Tool Vendor", + "description": "The name of the vendor who created the tool" + }, + "name": { + "type": "string", + "title": "Tool Name", + "description": "The name of the tool" + }, + "version": { + "$ref": "#/definitions/version", + "title": "Tool Version", + "description": "The version of the tool" + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the tool (if applicable)." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + }, + "organizationalEntity": { + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Organization Name", + "description": "The name of the organization", + "examples": [ + "Example Inc." + ] + }, + "address": { + "$ref": "#/definitions/postalAddress", + "title": "Organization Address", + "description": "The physical address (location) of the organization" + }, + "url": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Organization URL(s)", + "description": "The URL of the organization. Multiple URLs are allowed.", + "examples": ["https://example.com"] + }, + "contact": { + "type": "array", + "title": "Organizational Contact", + "description": "A contact at the organization. Multiple contacts are allowed.", + "items": {"$ref": "#/definitions/organizationalContact"} + } + } + }, + "organizationalContact": { + "type": "object", + "additionalProperties": false, + "title": "Organizational Person", + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of a contact", + "examples": ["Contact name"] + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "Email Address", + "description": "The email address of the contact.", + "examples": ["firstname.lastname@example.com"] + }, + "phone": { + "type": "string", + "title": "Phone", + "description": "The phone number of the contact.", + "examples": ["800-555-1212"] + } + } + }, + "component": { + "type": "object", + "title": "Component", + "required": [ + "type", + "name" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "application", + "framework", + "library", + "container", + "platform", + "operating-system", + "device", + "device-driver", + "firmware", + "file", + "machine-learning-model", + "data", + "cryptographic-asset" + ], + "meta:enum": { + "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.", + "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.", + "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.", + "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).", + "platform": "A runtime environment that interprets or executes software. This may include runtimes such as those that execute bytecode, just-in-time compilers, interpreters, or low-code/no-code application platforms.", + "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).", + "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).", + "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).", + "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).", + "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.", + "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.", + "data": "A collection of discrete values that convey information.", + "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets." + }, + "title": "Component Type", + "description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.", + "examples": ["library"] + }, + "mime-type": { + "type": "string", + "title": "Mime-Type", + "description": "The mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.", + "examples": ["image/jpeg"], + "pattern": "^[-+a-z0-9.]+/[-+a-z0-9.]+$" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the component elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "supplier": { + "title": "Component Supplier", + "description": " The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.", + "$ref": "#/definitions/organizationalEntity" + }, + "manufacturer": { + "title": "Component Manufacturer", + "description": "The organization that created the component.\nManufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.", + "$ref": "#/definitions/organizationalEntity" + }, + "authors" :{ + "type": "array", + "title": "Component Authors", + "description": "The person(s) who created the component.\nAuthors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.", + "items": {"$ref": "#/definitions/organizationalContact"} + }, + "author": { + "deprecated": true, + "type": "string", + "title": "Component Author (legacy)", + "description": "[Deprecated] This will be removed in a future version. Use `@.authors` or `@.manufacturer` instead.\nThe person(s) or organization(s) that authored the component", + "examples": ["Acme Inc"] + }, + "publisher": { + "type": "string", + "title": "Component Publisher", + "description": "The person(s) or organization(s) that published the component", + "examples": ["Acme Inc"] + }, + "group": { + "type": "string", + "title": "Component Group", + "description": "The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Component Name", + "description": "The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery", + "examples": ["tomcat-catalina"] + }, + "version": { + "$ref": "#/definitions/version", + "title": "Component Version", + "description": "The component version. The version should ideally comply with semantic versioning but is not enforced.\nMust be used exclusively, either 'version' or 'versionRange', but not both." + }, + "versionRange": { + "$ref": "#/definitions/versionRange", + "title": "Component Version Range", + "description": "For an external component, this specifies the accepted version range.\nThe value must adhere to the Package URL Version Range syntax (vers), as defined at A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.", + "items": {"$ref": "#/definitions/patch"} + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Notes, observations, and other non-structured commentary describing the components pedigree." + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system → subsystem → parts assembly in physical supply chains." + }, + "evidence": { + "$ref": "#/definitions/componentEvidence", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." + }, + "modelCard": { + "$ref": "#/definitions/modelCard", + "title": "AI/ML Model Card" + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/componentData"}, + "title": "Data", + "description": "This object SHOULD be specified for any component of type `data` and must not be specified for other component types." + }, + "cryptoProperties": { + "$ref": "#/definitions/cryptoProperties", + "title": "Cryptographic Properties" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + }, + "allOf": [ + { + "description": "Requirement: ensure that `version` and `versionRange` are not present simultaneously.", + "not": { + "required": ["version", "versionRange"] + } + }, + { + "description": "Requirement: 'versionRange' must not be present when 'isExternal' is `false`.", + "if": { + "properties": { "isExternal": { "const": false } } + }, + "then": { + "not": { "required": ["versionRange"] } + }, + "else": true + } + ] + }, + "swid": { + "type": "object", + "title": "SWID Tag", + "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", + "required": [ + "tagId", + "name" + ], + "additionalProperties": false, + "properties": { + "tagId": { + "type": "string", + "title": "Tag ID", + "description": "Maps to the tagId of a SoftwareIdentity." + }, + "name": { + "type": "string", + "title": "Name", + "description": "Maps to the name of a SoftwareIdentity." + }, + "version": { + "type": "string", + "title": "Version", + "default": "0.0", + "description": "Maps to the version of a SoftwareIdentity." + }, + "tagVersion": { + "type": "integer", + "title": "Tag Version", + "default": 0, + "description": "Maps to the tagVersion of a SoftwareIdentity." + }, + "patch": { + "type": "boolean", + "title": "Patch", + "default": false, + "description": "Maps to the patch of a SoftwareIdentity." + }, + "text": { + "title": "Attachment text", + "description": "Specifies the metadata and content of the SWID tag.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the SWID file.", + "format": "iri-reference" + } + } + }, + "attachment": { + "type": "object", + "title": "Attachment", + "description": "Specifies the metadata and content for an attachment.", + "required": [ + "content" + ], + "additionalProperties": false, + "properties": { + "contentType": { + "type": "string", + "title": "Content-Type", + "description": "Specifies the format and nature of the data being attached, helping systems correctly interpret and process the content. Common content type examples include `application/json` for JSON data and `text/plain` for plan text documents.\n [RFC 2045 section 5.1](https://www.ietf.org/rfc/rfc2045.html#section-5.1) outlines the structure and use of content types. For a comprehensive list of registered content types, refer to the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml).", + "default": "text/plain", + "examples": [ + "text/plain", + "application/json", + "image/png" + ] + }, + "encoding": { + "type": "string", + "title": "Encoding", + "description": "Specifies the encoding the text is represented in.", + "enum": [ + "base64" + ], + "meta:enum": { + "base64": "Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string." + } + }, + "content": { + "type": "string", + "title": "Attachment Text", + "description": "The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text." + } + } + }, + "hash": { + "type": "object", + "title": "Hash", + "required": [ + "alg", + "content" + ], + "additionalProperties": false, + "properties": { + "alg": { + "$ref": "#/definitions/hash-alg" + }, + "content": { + "$ref": "#/definitions/hash-content" + } + } + }, + "hash-alg": { + "type": "string", + "title": "Hash Algorithm", + "description": "The algorithm that generated the hash value.", + "enum": [ + "MD5", + "SHA-1", + "SHA-256", + "SHA-384", + "SHA-512", + "SHA3-256", + "SHA3-384", + "SHA3-512", + "BLAKE2b-256", + "BLAKE2b-384", + "BLAKE2b-512", + "BLAKE3", + "Streebog-256", + "Streebog-512" + ] + }, + "hash-content": { + "type": "string", + "title": "Hash Value", + "description": "The value of the hash.", + "examples": ["3942447fac867ae5cdb3229b658f4d48"], + "pattern": "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$" + }, + "licensing": { + "type": "object", + "title": "Licensing information", + "description": "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata", + "additionalProperties": false, + "properties": { + "altIds": { + "type": "array", + "title": "Alternate License Identifiers", + "description": "License identifiers that may be used to manage licenses and their lifecycle", + "items": { + "type": "string" + } + }, + "licensor": { + "title": "Licensor", + "description": "The individual or organization that grants a license to another individual or organization", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensor (Organization)", + "description": "The organization that granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensor (Individual)", + "description": "The individual, not associated with an organization, that granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "licensee": { + "title": "Licensee", + "description": "The individual or organization for which a license was granted to", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Licensee (Organization)", + "description": "The organization that was granted the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Licensee (Individual)", + "description": "The individual, not associated with an organization, that was granted the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaser": { + "title": "Purchaser", + "description": "The individual or organization that purchased the license", + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Purchaser (Organization)", + "description": "The organization that purchased the license", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "title": "Purchaser (Individual)", + "description": "The individual, not associated with an organization, that purchased the license", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["individual"] + } + ] + }, + "purchaseOrder": { + "type": "string", + "title": "Purchase Order", + "description": "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase" + }, + "licenseTypes": { + "type": "array", + "title": "License Type", + "description": "The type of license(s) that was granted to the licensee.", + "items": { + "type": "string", + "enum": [ + "academic", + "appliance", + "client-access", + "concurrent-user", + "core-points", + "custom-metric", + "device", + "evaluation", + "named-user", + "node-locked", + "oem", + "perpetual", + "processor-points", + "subscription", + "user", + "other" + ], + "meta:enum": { + "academic": "A license that grants use of software solely for the purpose of education or research.", + "appliance": "A license covering use of software embedded in a specific piece of hardware.", + "client-access": "A Client Access License (CAL) allows client computers to access services provided by server software.", + "concurrent-user": "A Concurrent User license (aka floating license) limits the number of licenses for a software application and licenses are shared among a larger number of users.", + "core-points": "A license where the core of a computer's processor is assigned a specific number of points.", + "custom-metric": "A license for which consumption is measured by non-standard metrics.", + "device": "A license that covers a defined number of installations on computers and other types of devices.", + "evaluation": "A license that grants permission to install and use software for trial purposes.", + "named-user": "A license that grants access to the software to one or more pre-defined users.", + "node-locked": "A license that grants access to the software on one or more pre-defined computers or devices.", + "oem": "An Original Equipment Manufacturer license that is delivered with hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.", + "perpetual": "A license where the software is sold on a one-time basis and the licensee can use a copy of the software indefinitely.", + "processor-points": "A license where each installation consumes points per processor.", + "subscription": "A license where the licensee pays a fee to use the software or service.", + "user": "A license that grants access to the software or service by a specified number of users.", + "other": "Another license type." + } + } + }, + "lastRenewal": { + "type": "string", + "format": "date-time", + "title": "Last Renewal", + "description": "The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed." + }, + "expiration": { + "type": "string", + "format": "date-time", + "title": "Expiration", + "description": "The timestamp indicating when the current license expires (if applicable)." + } + } + }, + "license": { + "type": "object", + "title": "License", + "description": "Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.", + "oneOf": [ + { + "required": ["id"] + }, + { + "required": ["name"] + } + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "$ref": "spdx.SNAPSHOT.schema.json", + "title": "License ID (SPDX)", + "description": "A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.SNAPSHOT.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.", + "examples": ["Apache-2.0"] + }, + "name": { + "type": "string", + "title": "License Name", + "description": "The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.", + "examples": ["Acme Software License"] + }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, + "text": { + "title": "License text", + "description": "A way to include the textual content of a license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": ["https://www.apache.org/licenses/LICENSE-2.0.txt"], + "format": "iri-reference" + }, + "licensing": {"$ref": "#/definitions/licensing"}, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "licenseAcknowledgementEnumeration": { + "title": "License Acknowledgement", + "description": "Declared licenses and concluded licenses represent two different stages in the licensing process within software development. Declared licenses refer to the initial intention of the software authors regarding the licensing terms under which their code is released. On the other hand, concluded licenses are the result of a comprehensive analysis of the project's codebase to identify and confirm the actual licenses of the components used, which may differ from the initially declared licenses. While declared licenses provide an upfront indication of the licensing intentions, concluded licenses offer a more thorough understanding of the actual licensing within a project, facilitating proper compliance and risk management. Observed licenses are defined in `@.evidence.licenses`. Observed licenses form the evidence necessary to substantiate a concluded license.", + "type": "string", + "enum": [ + "declared", + "concluded" + ], + "meta:enum": { + "declared": "Declared licenses represent the initial intentions of authors regarding the licensing terms of their code.", + "concluded": "Concluded licenses are verified and confirmed." + } + }, + "licenseChoice": { + "title": "License Choice", + "description": "A list of SPDX licenses and/or named licenses and/or SPDX License Expression.", + "type": "array", + "items": { + "oneOf": [ + { + "type": "object", + "title": "License", + "required": [ + "license" + ], + "additionalProperties": false, + "properties": { + "license": { + "$ref": "#/definitions/license" + } + } + }, + { + "title": "License Expression", + "description": "Specifies the details and attributes related to a software license.\nIt must be a valid SPDX license expression, along with additional properties such as license acknowledgment.", + "type": "object", + "additionalProperties": false, + "required": [ + "expression" + ], + "properties": { + "expression": { + "type": "string", + "title": "SPDX License Expression", + "description": "A valid SPDX license expression.\nRefer to https://spdx.org/specifications for syntax requirements.", + "examples": [ + "Apache-2.0 AND (MIT OR GPL-2.0-only)", + "GPL-3.0-only WITH Classpath-exception-2.0" + ] + }, + "expressionDetails": { + "title": "Expression Details", + "description": "Details for parts of the `expression`.", + "type": "array", + "items": { + "type": "object", + "description": "This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers.\nThe `license_identifier` property serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc.", + "required": [ + "licenseIdentifier" + ], + "properties": { + "licenseIdentifier": { + "title": "License Identifier", + "description": "The valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements.\nThis property serves as the primary key, which uniquely identifies each record.", + "type": "string", + "examples": [ + "Apache-2.0", + "GPL-3.0-only WITH Classpath-exception-2.0", + "LicenseRef-my-custom-license" + ] + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "text": { + "title": "License texts", + "description": "A way to include the textual content of the license.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "License URL", + "description": "The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness", + "examples": [ + "https://www.apache.org/licenses/LICENSE-2.0.txt" + ], + "format": "iri-reference" + } + }, + "additionalProperties": false + } + }, + "acknowledgement": { + "$ref": "#/definitions/licenseAcknowledgementEnumeration" + }, + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the license elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "licensing": { + "$ref": "#/definitions/licensing" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + } + ] + } + }, + "commit": { + "type": "object", + "title": "Commit", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "uid": { + "type": "string", + "title": "UID", + "description": "A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes." + }, + "url": { + "type": "string", + "title": "URL", + "description": "The URL to the commit. This URL will typically point to a commit in a version control system.", + "format": "iri-reference" + }, + "author": { + "title": "Author", + "description": "The author who created the changes in the commit", + "$ref": "#/definitions/identifiableAction" + }, + "committer": { + "title": "Committer", + "description": "The person who committed or pushed the commit", + "$ref": "#/definitions/identifiableAction" + }, + "message": { + "type": "string", + "title": "Message", + "description": "The text description of the contents of the commit" + } + } + }, + "patch": { + "type": "object", + "title": "Patch", + "description": "Specifies an individual patch", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "unofficial", + "monkey", + "backport", + "cherry-pick" + ], + "meta:enum": { + "unofficial": "A patch which is not developed by the creators or maintainers of the software being patched. Refer to [https://en.wikipedia.org/wiki/Unofficial_patch](https://en.wikipedia.org/wiki/Unofficial_patch).", + "monkey": "A patch which dynamically modifies runtime behavior. Refer to [https://en.wikipedia.org/wiki/Monkey_patch](https://en.wikipedia.org/wiki/Monkey_patch).", + "backport": "A patch which takes code from a newer version of the software and applies it to older versions of the same software. Refer to [https://en.wikipedia.org/wiki/Backporting](https://en.wikipedia.org/wiki/Backporting).", + "cherry-pick": "A patch created by selectively applying commits from other versions or branches of the same software." + }, + "title": "Patch Type", + "description": "Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality." + }, + "diff": { + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)", + "$ref": "#/definitions/diff" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues the patch resolves" + } + } + }, + "diff": { + "type": "object", + "title": "Diff", + "description": "The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff", + "additionalProperties": false, + "properties": { + "text": { + "title": "Diff text", + "description": "Specifies the text of the diff", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "URL", + "description": "Specifies the URL to the diff", + "format": "iri-reference" + } + } + }, + "issue": { + "type": "object", + "title": "Issue", + "description": "An individual issue that has been resolved.", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "enum": [ + "defect", + "enhancement", + "security" + ], + "meta:enum": { + "defect": "A fault, flaw, or bug in software.", + "enhancement": "A new feature or behavior in software.", + "security": "A special type of defect which impacts security." + }, + "title": "Issue Type", + "description": "Specifies the type of issue" + }, + "id": { + "type": "string", + "title": "Issue ID", + "description": "The identifier of the issue assigned by the source of the issue" + }, + "name": { + "type": "string", + "title": "Issue Name", + "description": "The name of the issue" + }, + "description": { + "type": "string", + "title": "Issue Description", + "description": "A description of the issue" + }, + "source": { + "type": "object", + "title": "Source", + "description": "The source of the issue where it is documented", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "National Vulnerability Database", + "NVD", + "Apache" + ] + }, + "url": { + "type": "string", + "title": "URL", + "description": "The url of the issue documentation as provided by the source", + "format": "iri-reference" + } + } + }, + "references": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "References", + "description": "A collection of URL's for reference. Multiple URLs are allowed.", + "examples": ["https://example.com"] + } + } + }, + "identifiableAction": { + "type": "object", + "title": "Identifiable Action", + "description": "Specifies an individual commit", + "additionalProperties": false, + "properties": { + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The timestamp in which the action occurred" + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the individual who performed the action" + }, + "email": { + "type": "string", + "format": "idn-email", + "title": "E-mail", + "description": "The email address of the individual who performed the action" + } + } + }, + "externalReference": { + "type": "object", + "title": "External Reference", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "required": [ + "url", + "type" + ], + "additionalProperties": false, + "properties": { + "url": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link", + "$ref": "#/definitions/bomLink" + } + ], + "title": "URL", + "description": "The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs." + }, + "comment": { + "type": "string", + "title": "Comment", + "description": "A comment describing the external reference" + }, + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the type of external reference.", + "enum": [ + "vcs", + "issue-tracker", + "website", + "advisories", + "bom", + "mailing-list", + "social", + "chat", + "documentation", + "support", + "source-distribution", + "distribution", + "distribution-intake", + "license", + "build-meta", + "build-system", + "release-notes", + "security-contact", + "model-card", + "log", + "configuration", + "evidence", + "formulation", + "attestation", + "threat-model", + "adversary-model", + "risk-assessment", + "vulnerability-assertion", + "exploitability-statement", + "pentest-report", + "static-analysis-report", + "dynamic-analysis-report", + "runtime-analysis-report", + "component-analysis-report", + "maturity-report", + "certification-report", + "codified-infrastructure", + "quality-metrics", + "poam", + "electronic-signature", + "digital-signature", + "rfc-9116", + "patent", + "patent-family", + "patent-assertion", + "citation", + "other" + ], + "meta:enum": { + "vcs": "Version Control System", + "issue-tracker": "Issue or defect tracking system, or an Application Lifecycle Management (ALM) system", + "website": "Website", + "advisories": "Security advisories", + "bom": "Bill of Materials (SBOM, OBOM, HBOM, SaaSBOM, etc)", + "mailing-list": "Mailing list or discussion group", + "social": "Social media account", + "chat": "Real-time chat platform", + "documentation": "Documentation, guides, or how-to instructions", + "support": "Community or commercial support", + "source-distribution": "The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type.", + "distribution": "Direct or repository download location", + "distribution-intake": "The location where a component was published to. This is often the same as \"distribution\" but may also include specialized publishing processes that act as an intermediary.", + "license": "The reference to the license file. If a license URL has been defined in the license node, it should also be defined as an external reference for completeness.", + "build-meta": "Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc)", + "build-system": "Reference to an automated build system", + "release-notes": "Reference to release notes", + "security-contact": "Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT.", + "model-card": "A model card describes the intended uses of a machine learning model, potential limitations, biases, ethical considerations, training parameters, datasets used to train the model, performance metrics, and other relevant data useful for ML transparency.", + "log": "A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations.", + "configuration": "Parameters or settings that may be used by other components or services.", + "evidence": "Information used to substantiate a claim.", + "formulation": "Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself.", + "attestation": "Human or machine-readable statements containing facts, evidence, or testimony.", + "threat-model": "An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format.", + "adversary-model": "The defined assumptions, goals, and capabilities of an adversary.", + "risk-assessment": "Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk.", + "vulnerability-assertion": "A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product.", + "exploitability-statement": "A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization.", + "pentest-report": "Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test.", + "static-analysis-report": "SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code.", + "dynamic-analysis-report": "Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations.", + "runtime-analysis-report": "Report generated by analyzing the call stack of a running application.", + "component-analysis-report": "Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis.", + "maturity-report": "Report containing a formal assessment of an organization, business unit, or team against a maturity model.", + "certification-report": "Industry, regulatory, or other certification from an accredited (if applicable) certification body.", + "codified-infrastructure": "Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC).", + "quality-metrics": "Report or system in which quality metrics can be obtained.", + "poam": "Plans of Action and Milestones (POA&M) complement an \"attestation\" external reference. POA&M is defined by NIST as a \"document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones\".", + "electronic-signature": "An e-signature is commonly a scanned representation of a written signature or a stylized script of the person's name.", + "digital-signature": "A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification.", + "rfc-9116": "Document that complies with [RFC 9116](https://www.ietf.org/rfc/rfc9116.html) (A File Format to Aid in Security Vulnerability Disclosure)", + "patent": "References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).", + "patent-assertion" : "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.", + "other": "Use this if no other types accurately describe the purpose of the external reference." + } + }, + "hashes": { + "type": "array", + "items": {"$ref": "#/definitions/hash"}, + "title": "Hashes", + "description": "The hashes of the external reference (if applicable)." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "dependency": { + "type": "object", + "title": "Dependency", + "description": "Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "$ref": "#/definitions/refLinkType", + "title": "Reference", + "description": "References a component or service by its bom-ref attribute" + }, + "dependsOn": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Depends On", + "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object." + }, + "provides": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/refLinkType" + }, + "title": "Provides", + "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use." + } + } + }, + "service": { + "type": "object", + "title": "Service", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the service elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "provider": { + "title": "Provider", + "description": "The organization that provides the service.", + "$ref": "#/definitions/organizationalEntity" + }, + "group": { + "type": "string", + "title": "Service Group", + "description": "The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.", + "examples": ["com.acme"] + }, + "name": { + "type": "string", + "title": "Service Name", + "description": "The name of the service. This will often be a shortened, single name of the service.", + "examples": ["ticker-service"] + }, + "version": { + "$ref": "#/definitions/version", + "title": "Service Version", + "description": "The service version." + }, + "description": { + "type": "string", + "title": "Service Description", + "description": "Specifies a description for the service" + }, + "endpoints": { + "type": "array", + "items": { + "type": "string", + "format": "iri-reference" + }, + "title": "Endpoints", + "description": "The endpoint URIs of the service. Multiple endpoints are allowed.", + "examples": ["https://example.com/api/v1/ticker"] + }, + "authenticated": { + "type": "boolean", + "title": "Authentication Required", + "description": "A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication." + }, + "x-trust-boundary": { + "type": "boolean", + "title": "Crosses Trust Boundary", + "description": "A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed." + }, + "trustZone": { + "type": "string", + "title": "Trust Zone", + "description": "The name of the trust zone the service resides in." + }, + "data": { + "type": "array", + "items": {"$ref": "#/definitions/serviceData"}, + "title": "Data", + "description": "Specifies information about the data including the directional flow of data and the data classification." + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "Service License(s)" + }, + "patentAssertions": { + "$ref": "#/definitions/patentAssertions", + "title": "Service Patent(s)" + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies." + }, + "releaseNotes": { + "$ref": "#/definitions/releaseNotes", + "title": "Release notes", + "description": "Specifies release notes." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "serviceData": { + "type": "object", + "title": "Hash Objects", + "required": [ + "flow", + "classification" + ], + "additionalProperties": false, + "properties": { + "flow": { + "$ref": "#/definitions/dataFlowDirection", + "title": "Directional Flow", + "description": "Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known." + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "name": { + "type": "string", + "title": "Name", + "description": "Name for the defined data", + "examples": [ + "Credit card reporting" + ] + }, + "description": { + "type": "string", + "title": "Description", + "description": "Short description of the data content and usage", + "examples": [ + "Credit card information being exchanged in between the web app and the database" + ] + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + }, + "source": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Source", + "description": "The URI, URL, or BOM-Link of the components or services the data came in from" + }, + "destination": { + "type": "array", + "items": { + "anyOf": [ + { + "title": "URL", + "type": "string", + "format": "iri-reference" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Destination", + "description": "The URI, URL, or BOM-Link of the components or services the data is sent to" + } + } + }, + "dataFlowDirection": { + "type": "string", + "enum": [ + "inbound", + "outbound", + "bi-directional", + "unknown" + ], + "meta:enum": { + "inbound": "Data that enters a service.", + "outbound": "Data that exits a service.", + "bi-directional": "Data flows in and out of the service.", + "unknown": "The directional flow of data is not known." + }, + "title": "Data flow direction", + "description": "Specifies the flow direction of the data. Direction is relative to the service." + }, + "copyright": { + "type": "object", + "title": "Copyright", + "description": "A copyright notice informing users of the underlying claims to copyright ownership in a published work.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "text": { + "type": "string", + "title": "Copyright Text", + "description": "The textual content of the copyright." + } + } + }, + "componentEvidence": { + "type": "object", + "title": "Evidence", + "description": "Provides the ability to document evidence collected through various forms of extraction or analysis.", + "additionalProperties": false, + "properties": { + "identity": { + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.", + "oneOf" : [ + { + "type": "array", + "title": "Array of Identity Objects", + "items": { "$ref": "#/definitions/componentIdentityEvidence" } + }, + { + "title": "A Single Identity Object", + "description": "[Deprecated]", + "$ref": "#/definitions/componentIdentityEvidence", + "deprecated": true + } + ] + }, + "occurrences": { + "type": "array", + "title": "Occurrences", + "description": "Evidence of individual instances of a component spread across multiple locations.", + "items": { + "type": "object", + "required": [ "location" ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the occurrence elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "location": { + "type": "string", + "title": "Location", + "description": "The location or path to where the component was found." + }, + "line": { + "type": "integer", + "minimum": 0, + "title": "Line Number", + "description": "The line number where the component was found." + }, + "offset": { + "type": "integer", + "minimum": 0, + "title": "Offset", + "description": "The offset where the component was found." + }, + "symbol": { + "type": "string", + "title": "Symbol", + "description": "The symbol name that was found associated with the component." + }, + "additionalContext": { + "type": "string", + "title": "Additional Context", + "description": "Any additional context of the detected component (e.g. a code snippet)." + } + } + } + }, + "callstack": { + "type": "object", + "title": "Call Stack", + "description": "Evidence of the components use through the callstack.", + "additionalProperties": false, + "properties": { + "frames": { + "type": "array", + "title": "Frames", + "description": "Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.", + "items": { + "type": "object", + "required": [ + "module" + ], + "additionalProperties": false, + "properties": { + "package": { + "title": "Package", + "description": "A package organizes modules into namespaces, providing a unique namespace for each type it contains.", + "type": "string" + }, + "module": { + "title": "Module", + "description": "A module or class that encloses functions/methods and other code.", + "type": "string" + }, + "function": { + "title": "Function", + "description": "A block of code designed to perform a particular task.", + "type": "string" + }, + "parameters": { + "title": "Parameters", + "description": "Arguments that are passed to the module or function.", + "type": "array", + "items": { + "type": "string" + } + }, + "line": { + "title": "Line", + "description": "The line number the code that is called resides on.", + "type": "integer" + }, + "column": { + "title": "Column", + "description": "The column the code that is called resides.", + "type": "integer" + }, + "fullFilename": { + "title": "Full Filename", + "description": "The full path and filename of the module.", + "type": "string" + } + } + } + } + } + }, + "licenses": { + "$ref": "#/definitions/licenseChoice", + "title": "License Evidence" + }, + "copyright": { + "type": "array", + "items": {"$ref": "#/definitions/copyright"}, + "title": "Copyright Evidence", + "description": "Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection." + } + } + }, + "compositions": { + "type": "object", + "title": "Compositions", + "required": [ + "aggregate" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the composition elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "aggregate": { + "$ref": "#/definitions/aggregateType", + "title": "Aggregate", + "description": "Specifies an aggregate type that describes how complete a relationship is." + }, + "assemblies": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only." + }, + "dependencies": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only." + }, + "vulnerabilities": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + }, + "title": "BOM references", + "description": "The bom-ref identifiers of the vulnerabilities being described." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "aggregateType": { + "type": "string", + "default": "not_specified", + "enum": [ + "complete", + "incomplete", + "incomplete_first_party_only", + "incomplete_first_party_proprietary_only", + "incomplete_first_party_opensource_only", + "incomplete_third_party_only", + "incomplete_third_party_proprietary_only", + "incomplete_third_party_opensource_only", + "unknown", + "not_specified" + ], + "meta:enum": { + "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.", + "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.", + "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.", + "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.", + "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.", + "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.", + "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.", + "not_specified": "The relationship completeness is not specified." + } + }, + "property": { + "type": "object", + "title": "Lightweight name-value pair", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name of the property. Duplicate names are allowed, each potentially having a different value." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the property." + } + } + }, + "localeType": { + "type": "string", + "pattern": "^([a-z]{2})(-[A-Z]{2})?$", + "title": "Locale", + "description": "Defines a syntax for representing two character language code (ISO-639) followed by an optional two character country code. The language code must be lower case. If the country code is specified, the country code must be upper case. The language code and country code must be separated by a minus sign. Examples: en, en-US, fr, fr-CA" + }, + "releaseType": { + "type": "string", + "examples": [ + "major", + "minor", + "patch", + "pre-release", + "internal" + ], + "description": "The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.\n\n* __major__ = A major release may contain significant changes or may introduce breaking changes.\n* __minor__ = A minor release, also known as an update, may contain a smaller number of changes than major releases.\n* __patch__ = Patch releases are typically unplanned and may resolve defects or important security issues.\n* __pre-release__ = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.\n* __internal__ = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it." + }, + "note": { + "type": "object", + "title": "Note", + "description": "A note containing the locale and content.", + "required": [ + "text" + ], + "additionalProperties": false, + "properties": { + "locale": { + "$ref": "#/definitions/localeType", + "title": "Locale", + "description": "The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: \"en\", \"en-US\", \"fr\" and \"fr-CA\"" + }, + "text": { + "title": "Release note content", + "description": "Specifies the full content of the release note.", + "$ref": "#/definitions/attachment" + } + } + }, + "releaseNotes": { + "type": "object", + "title": "Release notes", + "required": [ + "type" + ], + "additionalProperties": false, + "properties": { + "type": { + "$ref": "#/definitions/releaseType", + "title": "Type", + "description": "The software versioning type the release note describes." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the release." + }, + "featuredImage": { + "type": "string", + "format": "iri-reference", + "title": "Featured image", + "description": "The URL to an image that may be prominently displayed with the release note." + }, + "socialImage": { + "type": "string", + "format": "iri-reference", + "title": "Social image", + "description": "The URL to an image that may be used in messaging on social media platforms." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A short description of the release." + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the release note was created." + }, + "aliases": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Aliases", + "description": "One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names)." + }, + "tags": { + "$ref": "#/definitions/tags", + "title": "Tags" + }, + "resolves": { + "type": "array", + "items": {"$ref": "#/definitions/issue"}, + "title": "Resolves", + "description": "A collection of issues that have been resolved." + }, + "notes": { + "type": "array", + "items": {"$ref": "#/definitions/note"}, + "title": "Notes", + "description": "Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "advisory": { + "type": "object", + "title": "Advisory", + "description": "Title and location where advisory information can be obtained. An advisory is a notification of a threat to a component, service, or system.", + "required": ["url"], + "additionalProperties": false, + "properties": { + "title": { + "type": "string", + "title": "Title", + "description": "A name of the advisory." + }, + "url": { + "type": "string", + "title": "URL", + "format": "iri-reference", + "description": "Location where the advisory can be obtained." + } + } + }, + "cwe": { + "type": "integer", + "minimum": 1, + "title": "CWE", + "description": "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)" + }, + "severity": { + "type": "string", + "title": "Severity", + "description": "Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.", + "enum": [ + "critical", + "high", + "medium", + "low", + "info", + "none", + "unknown" + ], + "meta:enum": { + "critical": "Critical severity", + "high": "High severity", + "medium": "Medium severity", + "low": "Low severity", + "info": "Informational warning.", + "none": "None", + "unknown": "The severity is not known" + } + }, + "scoreMethod": { + "type": "string", + "title": "Method", + "description": "Specifies the severity or risk scoring methodology or standard used.", + "enum": [ + "CVSSv2", + "CVSSv3", + "CVSSv31", + "CVSSv4", + "OWASP", + "SSVC", + "other" + ], + "meta:enum": { + "CVSSv2": "Common Vulnerability Scoring System v2.0", + "CVSSv3": "Common Vulnerability Scoring System v3.0", + "CVSSv31": "Common Vulnerability Scoring System v3.1", + "CVSSv4": "Common Vulnerability Scoring System v4.0", + "OWASP": "OWASP Risk Rating Methodology", + "SSVC": "Stakeholder Specific Vulnerability Categorization", + "other": "Another severity or risk scoring methodology" + } + }, + "impactAnalysisState": { + "type": "string", + "title": "Impact Analysis State", + "description": "Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.", + "enum": [ + "resolved", + "resolved_with_pedigree", + "exploitable", + "in_triage", + "false_positive", + "not_affected" + ], + "meta:enum": { + "resolved": "The vulnerability has been remediated.", + "resolved_with_pedigree": "The vulnerability has been remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history and/or diff(s).", + "exploitable": "The vulnerability may be directly or indirectly exploitable.", + "in_triage": "The vulnerability is being investigated.", + "false_positive": "The vulnerability is not specific to the component or service and was falsely identified or associated.", + "not_affected": "The component or service is not affected by the vulnerability. Justification should be specified for all not_affected cases." + } + }, + "impactAnalysisJustification": { + "type": "string", + "title": "Impact Analysis Justification", + "description": "The rationale of why the impact analysis state was asserted.", + "enum": [ + "code_not_present", + "code_not_reachable", + "requires_configuration", + "requires_dependency", + "requires_environment", + "protected_by_compiler", + "protected_at_runtime", + "protected_at_perimeter", + "protected_by_mitigating_control" + ], + "meta:enum": { + "code_not_present": "The code has been removed or tree-shaked.", + "code_not_reachable": "The vulnerable code is not invoked at runtime.", + "requires_configuration": "Exploitability requires a configurable option to be set/unset.", + "requires_dependency": "Exploitability requires a dependency that is not present.", + "requires_environment": "Exploitability requires a certain environment which is not present.", + "protected_by_compiler": "Exploitability requires a compiler flag to be set/unset.", + "protected_at_runtime": "Exploits are prevented at runtime.", + "protected_at_perimeter": "Attacks are blocked at physical, logical, or network perimeter.", + "protected_by_mitigating_control": "Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability." + } + }, + "rating": { + "type": "object", + "title": "Rating", + "description": "Defines the severity or risk ratings of a vulnerability.", + "additionalProperties": false, + "properties": { + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that calculated the severity or risk rating of the vulnerability." + }, + "score": { + "type": "number", + "title": "Score", + "description": "The numerical score of the rating." + }, + "severity": { + "$ref": "#/definitions/severity", + "description": "Textual representation of the severity that corresponds to the numerical score of the rating." + }, + "method": { + "$ref": "#/definitions/scoreMethod" + }, + "vector": { + "type": "string", + "title": "Vector", + "description": "Textual representation of the metric values used to score the vulnerability" + }, + "justification": { + "type": "string", + "title": "Justification", + "description": "A reason for rating the vulnerability as it was" + } + } + }, + "vulnerabilitySource": { + "type": "object", + "title": "Source", + "description": "The source of vulnerability information. This is often the organization that published the vulnerability.", + "additionalProperties": false, + "properties": { + "url": { + "type": "string", + "title": "URL", + "description": "The url of the vulnerability documentation as provided by the source.", + "examples": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-39182" + ] + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the source.", + "examples": [ + "NVD", + "National Vulnerability Database", + "OSS Index", + "VulnDB", + "GitHub Advisories" + ] + } + } + }, + "vulnerability": { + "type": "object", + "title": "Vulnerability", + "description": "Defines a weakness in a component or service that could be exploited or triggered by a threat source.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the vulnerability elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "id": { + "type": "string", + "title": "ID", + "description": "The identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + }, + "references": { + "type": "array", + "title": "References", + "description": "Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.", + "items": { + "type": "object", + "required": [ + "id", + "source" + ], + "additionalProperties": false, + "properties": { + "id": { + "type": "string", + "title": "ID", + "description": "An identifier that uniquely identifies the vulnerability.", + "examples": [ + "CVE-2021-39182", + "GHSA-35m5-8cvj-8783", + "SNYK-PYTHON-ENROCRYPT-1912876" + ] + }, + "source": { + "$ref": "#/definitions/vulnerabilitySource", + "description": "The source that published the vulnerability." + } + } + } + }, + "ratings": { + "type": "array", + "title": "Ratings", + "description": "List of vulnerability ratings", + "items": { + "$ref": "#/definitions/rating" + } + }, + "cwes": { + "type": "array", + "title": "CWEs", + "description": "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.", + "examples": [399], + "items": { + "$ref": "#/definitions/cwe" + } + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the vulnerability as provided by the source." + }, + "detail": { + "type": "string", + "title": "Details", + "description": "If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause." + }, + "recommendation": { + "type": "string", + "title": "Recommendation", + "description": "Recommendations of how the vulnerability can be remediated or mitigated." + }, + "workaround": { + "type": "string", + "title": "Workarounds", + "description": "A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments." + }, + "proofOfConcept": { + "type": "object", + "title": "Proof of Concept", + "description": "Evidence used to reproduce the vulnerability.", + "properties": { + "reproductionSteps": { + "type": "string", + "title": "Steps to Reproduce", + "description": "Precise steps to reproduce the vulnerability." + }, + "environment": { + "type": "string", + "title": "Environment", + "description": "A description of the environment in which reproduction was possible." + }, + "supportingMaterial": { + "type": "array", + "title": "Supporting Material", + "description": "Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.", + "items": { "$ref": "#/definitions/attachment" } + } + } + }, + "advisories": { + "type": "array", + "title": "Advisories", + "description": "Published advisories of the vulnerability if provided.", + "items": { + "$ref": "#/definitions/advisory" + } + }, + "created": { + "type": "string", + "format": "date-time", + "title": "Created", + "description": "The date and time (timestamp) when the vulnerability record was created in the vulnerability database." + }, + "published": { + "type": "string", + "format": "date-time", + "title": "Published", + "description": "The date and time (timestamp) when the vulnerability record was first published." + }, + "updated": { + "type": "string", + "format": "date-time", + "title": "Updated", + "description": "The date and time (timestamp) when the vulnerability record was last updated." + }, + "rejected": { + "type": "string", + "format": "date-time", + "title": "Rejected", + "description": "The date and time (timestamp) when the vulnerability record was rejected (if applicable)." + }, + "credits": { + "type": "object", + "title": "Credits", + "description": "Individuals or organizations credited with the discovery of the vulnerability.", + "additionalProperties": false, + "properties": { + "organizations": { + "type": "array", + "title": "Organizations", + "description": "The organizations credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalEntity" + } + }, + "individuals": { + "type": "array", + "title": "Individuals", + "description": "The individuals, not associated with organizations, that are credited with vulnerability discovery.", + "items": { + "$ref": "#/definitions/organizationalContact" + } + } + } + }, + "tools": { + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "oneOf": [ + { + "type": "object", + "title": "Tools", + "description": "The tool(s) used to identify, confirm, or score the vulnerability.", + "additionalProperties": false, + "properties": { + "components": { + "type": "array", + "items": {"$ref": "#/definitions/component"}, + "uniqueItems": true, + "title": "Components", + "description": "A list of software and hardware components used as tools." + }, + "services": { + "type": "array", + "items": {"$ref": "#/definitions/service"}, + "uniqueItems": true, + "title": "Services", + "description": "A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services." + } + } + }, + { + "type": "array", + "title": "Tools (legacy)", + "description": "[Deprecated]\nThe tool(s) used to identify, confirm, or score the vulnerability.", + "deprecated": true, + "items": {"$ref": "#/definitions/tool"} + } + ] + }, + "analysis": { + "type": "object", + "title": "Impact Analysis", + "description": "An assessment of the impact and exploitability of the vulnerability.", + "additionalProperties": false, + "properties": { + "state": { + "$ref": "#/definitions/impactAnalysisState" + }, + "justification": { + "$ref": "#/definitions/impactAnalysisJustification" + }, + "response": { + "type": "array", + "title": "Response", + "description": "A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.", + "items": { + "type": "string", + "enum": [ + "can_not_fix", + "will_not_fix", + "update", + "rollback", + "workaround_available" + ], + "meta:enum": { + "can_not_fix": "Can not fix", + "will_not_fix": "Will not fix", + "update": "Update to a different revision or release", + "rollback": "Revert to a previous revision or release", + "workaround_available": "There is a workaround available" + } + } + }, + "detail": { + "type": "string", + "title": "Detail", + "description": "Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability." + }, + "firstIssued": { + "type": "string", + "format": "date-time", + "title": "First Issued", + "description": "The date and time (timestamp) when the analysis was first issued." + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the analysis was last updated." + } + } + }, + "affects": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "object", + "required": [ + "ref" + ], + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "description": "References a component or service by the objects bom-ref" + }, + "versions": { + "type": "array", + "title": "Versions", + "description": "Zero or more individual versions or range of versions.", + "items": { + "type": "object", + "oneOf": [ + { + "required": ["version"] + }, + { + "required": ["range"] + } + ], + "additionalProperties": false, + "properties": { + "version": { + "title": "Version", + "description": "A single version of a component or service.", + "$ref": "#/definitions/version" + }, + "range": { + "title": "Version Range", + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "$ref": "#/definitions/versionRange" + }, + "status": { + "title": "Status", + "description": "The vulnerability status for the version or range of versions.", + "$ref": "#/definitions/affectedStatus", + "default": "affected" + } + } + } + } + } + }, + "title": "Affects", + "description": "The components or services that are affected by the vulnerability." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "affectedStatus": { + "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.", + "type": "string", + "enum": [ + "affected", + "unaffected", + "unknown" + ], + "meta:enum": { + "affected": "The version is affected by the vulnerability.", + "unaffected": "The version is not affected by the vulnerability.", + "unknown": "It is unknown (or unspecified) whether the given version is affected." + } + }, + "version": { + "description": "A single disjunctive version identifier, for a component or service.", + "type": "string", + "maxLength": 1024, + "examples": [ + "9.0.14", + "v1.33.7", + "7.0.0-M1", + "2.0pre1", + "1.0.0-beta1", + "0.8.15" + ] + }, + "versionRange": { + "description": "A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec", + "type": "string", + "minLength": 1, + "maxLength": 4096, + "examples": [ + "vers:cargo/9.0.14", + "vers:npm/1.2.3|>=2.0.0|<5.0.0", + "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1", + "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ] + }, + "range": { + "deprecated": true, + "description": "Deprecated definition. use definition `versionRange` instead.", + "$ref": "#/definitions/versionRange" + }, + "annotations": { + "type": "object", + "title": "Annotations", + "description": "A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.", + "required": [ + "subjects", + "annotator", + "timestamp", + "text" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the annotation elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "subjects": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "Subjects", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs." + }, + "annotator": { + "type": "object", + "title": "Annotator", + "description": "The organization, person, component, or service which created the textual content of the annotation.", + "oneOf": [ + { + "required": [ + "organization" + ] + }, + { + "required": [ + "individual" + ] + }, + { + "required": [ + "component" + ] + }, + { + "required": [ + "service" + ] + } + ], + "additionalProperties": false, + "properties": { + "organization": { + "description": "The organization that created the annotation", + "$ref": "#/definitions/organizationalEntity" + }, + "individual": { + "description": "The person that created the annotation", + "$ref": "#/definitions/organizationalContact" + }, + "component": { + "description": "The tool or component that created the annotation", + "$ref": "#/definitions/component" + }, + "service": { + "description": "The service that created the annotation", + "$ref": "#/definitions/service" + } + } + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time (timestamp) when the annotation was created." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the annotation." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "modelCard": { + "$comment": "Model card support in CycloneDX is derived from TensorFlow Model Card Toolkit released under the Apache 2.0 license and available from https://github.com/tensorflow/model-card-toolkit/blob/main/model_card_toolkit/schema/v0.0.2/model_card.schema.json. In addition, CycloneDX model card support includes portions of VerifyML, also released under the Apache 2.0 license and available from https://github.com/cylynx/verifyml/blob/main/verifyml/model_card_toolkit/schema/v0.0.4/model_card.schema.json.", + "type": "object", + "title": "Model Card", + "description": "A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the model card elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "modelParameters": { + "type": "object", + "title": "Model Parameters", + "description": "Hyper-parameters for construction of the model.", + "additionalProperties": false, + "properties": { + "approach": { + "type": "object", + "title": "Approach", + "description": "The overall approach to learning used by the model for problem solving.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Learning Type", + "description": "Learning types describing the learning problem or hybrid learning problem.", + "enum": [ + "supervised", + "unsupervised", + "reinforcement-learning", + "semi-supervised", + "self-supervised" + ], + "meta:enum": { + "supervised": "Supervised machine learning involves training an algorithm on labeled data to predict or classify new data based on the patterns learned from the labeled examples.", + "unsupervised": "Unsupervised machine learning involves training algorithms on unlabeled data to discover patterns, structures, or relationships without explicit guidance, allowing the model to identify inherent structures or clusters within the data.", + "reinforcement-learning": "Reinforcement learning is a type of machine learning where an agent learns to make decisions by interacting with an environment to maximize cumulative rewards, through trial and error.", + "semi-supervised": "Semi-supervised machine learning utilizes a combination of labeled and unlabeled data during training to improve model performance, leveraging the benefits of both supervised and unsupervised learning techniques.", + "self-supervised": "Self-supervised machine learning involves training models to predict parts of the input data from other parts of the same data, without requiring external labels, enabling learning from large amounts of unlabeled data." + } + } + } + }, + "task": { + "type": "string", + "title": "Task", + "description": "Directly influences the input and/or output. Examples include classification, regression, clustering, etc." + }, + "architectureFamily": { + "type": "string", + "title": "Architecture Family", + "description": "The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc." + }, + "modelArchitecture": { + "type": "string", + "title": "Model Architecture", + "description": "The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc." + }, + "datasets": { + "type": "array", + "title": "Datasets", + "description": "The datasets used to train and evaluate the model.", + "items" : { + "oneOf" : [ + { + "title": "Inline Data Information", + "$ref": "#/definitions/componentData" + }, + { + "type": "object", + "title": "Data Reference", + "additionalProperties": false, + "properties": { + "ref": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ], + "title": "Reference", + "type": "string", + "description": "References a data component by the components bom-ref attribute" + } + } + } + ] + } + }, + "inputs": { + "type": "array", + "title": "Inputs", + "description": "The input format(s) of the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + }, + "outputs": { + "type": "array", + "title": "Outputs", + "description": "The output format(s) from the model", + "items": { "$ref": "#/definitions/inputOutputMLParameters" } + } + } + }, + "quantitativeAnalysis": { + "type": "object", + "title": "Quantitative Analysis", + "description": "A quantitative analysis of the model", + "additionalProperties": false, + "properties": { + "performanceMetrics": { + "type": "array", + "title": "Performance Metrics", + "description": "The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.", + "items": { "$ref": "#/definitions/performanceMetric" } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" } + } + }, + "considerations": { + "type": "object", + "title": "Considerations", + "description": "What considerations should be taken into account regarding the model's construction, training, and application?", + "additionalProperties": false, + "properties": { + "users": { + "type": "array", + "title": "Users", + "description": "Who are the intended users of the model?", + "items": { + "type": "string" + } + }, + "useCases": { + "type": "array", + "title": "Use Cases", + "description": "What are the intended use cases of the model?", + "items": { + "type": "string" + } + }, + "technicalLimitations": { + "type": "array", + "title": "Technical Limitations", + "description": "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?", + "items": { + "type": "string" + } + }, + "performanceTradeoffs": { + "type": "array", + "title": "Performance Tradeoffs", + "description": "What are the known tradeoffs in accuracy/performance of the model?", + "items": { + "type": "string" + } + }, + "ethicalConsiderations": { + "type": "array", + "title": "Ethical Considerations", + "description": "What are the ethical risks involved in the application of this model?", + "items": { "$ref": "#/definitions/risk" } + }, + "environmentalConsiderations":{ + "$ref": "#/definitions/environmentalConsiderations", + "title": "Environmental Considerations", + "description": "What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?" + }, + "fairnessAssessments": { + "type": "array", + "title": "Fairness Assessments", + "description": "How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?", + "items": { + "$ref": "#/definitions/fairnessAssessment" + } + } + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": {"$ref": "#/definitions/property"} + } + } + }, + "inputOutputMLParameters": { + "type": "object", + "title": "Input and Output Parameters", + "additionalProperties": false, + "properties": { + "format": { + "title": "Input/Output Format", + "description": "The data format for input/output to the model.", + "type": "string", + "examples": [ "string", "image", "time-series"] + } + } + }, + "componentData": { + "type": "object", + "additionalProperties": false, + "required": [ + "type" + ], + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the dataset elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links." + }, + "type": { + "type": "string", + "title": "Type of Data", + "description": "The general theme or subject matter of the data being specified.", + "enum": [ + "source-code", + "configuration", + "dataset", + "definition", + "other" + ], + "meta:enum": { + "source-code": "Any type of code, code snippet, or data-as-code.", + "configuration": "Parameters or settings that may be used by other components.", + "dataset": "A collection of data.", + "definition": "Data that can be used to create new instances of what the definition defines.", + "other": "Any other type of data that does not fit into existing definitions." + } + }, + "name": { + "title": "Dataset Name", + "description": "The name of the dataset.", + "type": "string" + }, + "contents": { + "type": "object", + "title": "Data Contents", + "description": "The contents or references to the contents of the data being described.", + "additionalProperties": false, + "properties": { + "attachment": { + "title": "Data Attachment", + "description": "A way to include textual or encoded data.", + "$ref": "#/definitions/attachment" + }, + "url": { + "type": "string", + "title": "Data URL", + "description": "The URL to where the data can be retrieved.", + "format": "iri-reference" + }, + "properties": { + "type": "array", + "title": "Configuration Properties", + "description": "Provides the ability to document name-value parameters used for configuration.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "classification": { + "$ref": "#/definitions/dataClassification" + }, + "sensitiveData": { + "type": "array", + "title": "Sensitive Data", + "description": "A description of any sensitive data in a dataset.", + "items": { + "type": "string" + } + }, + "graphics": { "$ref": "#/definitions/graphicsCollection" }, + "description": { + "title": "Dataset Description", + "description": "A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.", + "type": "string" + }, + "governance": { + "title": "Data Governance", + "$ref": "#/definitions/dataGovernance" + } + } + }, + "dataGovernance": { + "type": "object", + "title": "Data Governance", + "description": "Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.", + "additionalProperties": false, + "properties": { + "custodians": { + "type": "array", + "title": "Data Custodians", + "description": "Data custodians are responsible for the safe custody, transport, and storage of data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "stewards": { + "type": "array", + "title": "Data Stewards", + "description": "Data stewards are responsible for data content, context, and associated business rules.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + }, + "owners": { + "type": "array", + "title": "Data Owners", + "description": "Data owners are concerned with risk and appropriate access to data.", + "items": { "$ref": "#/definitions/dataGovernanceResponsibleParty" } + } + } + }, + "dataGovernanceResponsibleParty": { + "type": "object", + "additionalProperties": false, + "properties": { + "organization": { + "title": "Organization", + "description": "The organization that is responsible for specific data governance role(s).", + "$ref": "#/definitions/organizationalEntity" + }, + "contact": { + "title": "Individual", + "description": "The individual that is responsible for specific data governance role(s).", + "$ref": "#/definitions/organizationalContact" + } + }, + "oneOf":[ + { + "required": ["organization"] + }, + { + "required": ["contact"] + } + ] + }, + "graphicsCollection": { + "type": "object", + "title": "Graphics Collection", + "description": "A collection of graphics that represent various measurements.", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "A description of this collection of graphics.", + "type": "string" + }, + "collection": { + "title": "Collection", + "description": "A collection of graphics.", + "type": "array", + "items": { "$ref": "#/definitions/graphic" } + } + } + }, + "graphic": { + "type": "object", + "title": "Graphic", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the graphic.", + "type": "string" + }, + "image": { + "title": "Graphic Image", + "description": "The graphic (vector or raster). Base64 encoding must be specified for binary images.", + "$ref": "#/definitions/attachment" + } + } + }, + "performanceMetric": { + "type": "object", + "title": "Performance Metric", + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "The type of performance metric.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the performance metric.", + "type": "string" + }, + "slice": { + "title": "Slice", + "description": "The name of the slice this metric was computed on. By default, assume this metric is not sliced.", + "type": "string" + }, + "confidenceInterval": { + "title": "Confidence Interval", + "description": "The confidence interval of the metric.", + "type": "object", + "additionalProperties": false, + "properties": { + "lowerBound": { + "title": "Lower Bound", + "description": "The lower bound of the confidence interval.", + "type": "string" + }, + "upperBound": { + "title": "Upper Bound", + "description": "The upper bound of the confidence interval.", + "type": "string" + } + } + } + } + }, + "risk": { + "type": "object", + "title": "Risk", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the risk.", + "type": "string" + }, + "mitigationStrategy": { + "title": "Mitigation Strategy", + "description": "Strategy used to address this risk.", + "type": "string" + } + } + }, + "fairnessAssessment": { + "type": "object", + "title": "Fairness Assessment", + "description": "Information about the benefits and harms of the model to an identified at risk group.", + "additionalProperties": false, + "properties": { + "groupAtRisk": { + "type": "string", + "title": "Group at Risk", + "description": "The groups or individuals at risk of being systematically disadvantaged by the model." + }, + "benefits": { + "type": "string", + "title": "Benefits", + "description": "Expected benefits to the identified groups." + }, + "harms": { + "type": "string", + "title": "Harms", + "description": "Expected harms to the identified groups." + }, + "mitigationStrategy": { + "type": "string", + "title": "Mitigation Strategy", + "description": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + } + }, + "dataClassification": { + "type": "string", + "title": "Data Classification", + "description": "Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed." + }, + "environmentalConsiderations": { + "type": "object", + "title": "Environmental Considerations", + "description": "Describes various environmental impact metrics.", + "additionalProperties": false, + "properties": { + "energyConsumptions": { + "title": "Energy Consumptions", + "description": "Describes energy consumption information incurred for one or more component lifecycle activities.", + "type": "array", + "items": { + "$ref": "#/definitions/energyConsumption" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "energyConsumption": { + "title": "Energy consumption", + "description": "Describes energy consumption information incurred for the specified lifecycle activity.", + "type": "object", + "required": [ + "activity", + "energyProviders", + "activityEnergyCost" + ], + "additionalProperties": false, + "properties": { + "activity": { + "type": "string", + "title": "Activity", + "description": "The type of activity that is part of a machine learning model development or operational lifecycle.", + "enum": [ + "design", + "data-collection", + "data-preparation", + "training", + "fine-tuning", + "validation", + "deployment", + "inference", + "other" + ], + "meta:enum": { + "design": "A model design including problem framing, goal definition and algorithm selection.", + "data-collection": "Model data acquisition including search, selection and transfer.", + "data-preparation": "Model data preparation including data cleaning, labeling and conversion.", + "training": "Model building, training and generalized tuning.", + "fine-tuning": "Refining a trained model to produce desired outputs for a given problem space.", + "validation": "Model validation including model output evaluation and testing.", + "deployment": "Explicit model deployment to a target hosting infrastructure.", + "inference": "Generating an output response from a hosted model from a set of inputs.", + "other": "A lifecycle activity type whose description does not match currently defined values." + } + }, + "energyProviders": { + "title": "Energy Providers", + "description": "The provider(s) of the energy consumed by the associated model development lifecycle activity.", + "type": "array", + "items": { "$ref": "#/definitions/energyProvider" } + }, + "activityEnergyCost": { + "title": "Activity Energy Cost", + "description": "The total energy cost associated with the model lifecycle activity.", + "$ref": "#/definitions/energyMeasure" + }, + "co2CostEquivalent": { + "title": "CO2 Equivalent Cost", + "description": "The CO2 cost (debit) equivalent to the total energy cost.", + "$ref": "#/definitions/co2Measure" + }, + "co2CostOffset": { + "title": "CO2 Cost Offset", + "description": "The CO2 offset (credit) for the CO2 equivalent cost.", + "$ref": "#/definitions/co2Measure" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "energyMeasure": { + "type": "object", + "title": "Energy Measure", + "description": "A measure of energy.", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, + "properties": { + "value": { + "type": "number", + "title": "Value", + "description": "Quantity of energy." + }, + "unit": { + "type": "string", + "enum": [ "kWh" ], + "title": "Unit", + "description": "Unit of energy.", + "meta:enum": { + "kWh": "Kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h)." + } + } + } + }, + "co2Measure": { + "type": "object", + "title": "CO2 Measure", + "description": "A measure of carbon dioxide (CO2).", + "required": [ + "value", + "unit" + ], + "additionalProperties": false, + "properties": { + "value": { + "type": "number", + "title": "Value", + "description": "Quantity of carbon dioxide (CO2)." + }, + "unit": { + "type": "string", + "enum": [ "tCO2eq" ], + "title": "Unit", + "description": "Unit of carbon dioxide (CO2).", + "meta:enum": { + "tCO2eq": "Tonnes (t) of carbon dioxide (CO2) equivalent (eq)." + } + } + } + }, + "energyProvider": { + "type": "object", + "title": "Energy Provider", + "description": "Describes the physical provider of energy used for model development or operations.", + "required": [ + "organization", + "energySource", + "energyProvided" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the energy provider elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the energy provider." + }, + "organization": { + "type": "object", + "title": "Organization", + "description": "The organization that provides energy.", + "$ref": "#/definitions/organizationalEntity" + }, + "energySource": { + "type": "string", + "enum": [ + "coal", + "oil", + "natural-gas", + "nuclear", + "wind", + "solar", + "geothermal", + "hydropower", + "biofuel", + "unknown", + "other" + ], + "meta:enum": { + "coal": "Energy produced by types of coal.", + "oil": "Petroleum products (primarily crude oil and its derivative fuel oils).", + "natural-gas": "Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc.", + "nuclear": "Energy produced from the cores of atoms (i.e., through nuclear fission or fusion).", + "wind": "Energy produced from moving air.", + "solar": "Energy produced from the sun (i.e., solar radiation).", + "geothermal": "Energy produced from heat within the earth.", + "hydropower": "Energy produced from flowing water.", + "biofuel": "Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals).", + "unknown": "The energy source is unknown.", + "other": "An energy source that is not listed." + }, + "title": "Energy Source", + "description": "The energy source for the energy provider." + }, + "energyProvided": { + "$ref": "#/definitions/energyMeasure", + "title": "Energy Provided", + "description": "The energy provided by the energy source for an associated activity." + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + }, + "postalAddress": { + "type": "object", + "title": "Postal address", + "description": "An address used to identify a contactable location.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the address elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "country": { + "type": "string", + "title": "Country", + "description": "The country name or the two-letter ISO 3166-1 country code." + }, + "region": { + "type": "string", + "title": "Region", + "description": "The region or state in the country.", + "examples": [ "Texas" ] + }, + "locality": { + "type": "string", + "title": "Locality", + "description": "The locality or city within the country.", + "examples": [ "Austin" ] + }, + "postOfficeBoxNumber": { + "type": "string", + "title": "Post Office Box Number", + "description": "The post office box number.", + "examples": [ "901" ] + }, + "postalCode": { + "type": "string", + "title": "Postal Code", + "description": "The postal code.", + "examples": [ "78758" ] + }, + "streetAddress": { + "type": "string", + "title": "Street Address", + "description": "The street address.", + "examples": [ "100 Main Street" ] + } + } + }, + "formula": { + "title": "Formula", + "description": "Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.", + "type": "object", + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the formula elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "components": { + "title": "Components", + "description": "Transient components that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/component" + }, + "uniqueItems": true + }, + "services": { + "title": "Services", + "description": "Transient services that are used in tasks that constitute one or more of this formula's workflows", + "type": "array", + "items": { + "$ref": "#/definitions/service" + }, + "uniqueItems": true + }, + "workflows": { + "title": "Workflows", + "description": "List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.", + "$comment": "Different workflows can be designed to work together to perform end-to-end CI/CD builds and deployments.", + "type": "array", + "items": { + "$ref": "#/definitions/workflow" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workflow": { + "title": "Workflow", + "description": "A specialized orchestration task.", + "$comment": "Workflow are as task themselves and can trigger other workflow tasks. These relationships can be modeled in the taskDependencies graph.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workflow elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "tasks": { + "title": "Tasks", + "description": "The tasks that comprise the workflow.", + "$comment": "Note that tasks can appear more than once as different instances (by name or UID).", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/task" + } + }, + "taskDependencies": { + "title": "Task dependency graph", + "description": "The graph of dependencies between tasks within the workflow.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/workspace" + } + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for workflow's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/dependency" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "task": { + "title": "Task", + "description": "Describes the inputs, sequence of steps and resources used to accomplish a task and its output.", + "$comment": "Tasks are building blocks for constructing assemble CI/CD workflows or pipelines.", + "type": "object", + "required": [ + "bom-ref", + "uid", + "taskTypes" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the task elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "taskTypes": { + "title": "Task types", + "description": "Indicates the types of activities performed by the set of workflow tasks.", + "$comment": "Currently, these types reflect common CI/CD actions.", + "type": "array", + "items": { + "$ref": "#/definitions/taskType" + } + }, + "trigger": { + "title": "Trigger", + "description": "The trigger that initiated the task.", + "$ref": "#/definitions/trigger" + }, + "steps": { + "title": "Steps", + "description": "The sequence of steps for the task.", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "uniqueItems": true + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "timeStart": { + "title": "Time start", + "description": "The date and time (timestamp) when the task started.", + "type": "string", + "format": "date-time" + }, + "timeEnd": { + "title": "Time end", + "description": "The date and time (timestamp) when the task ended.", + "type": "string", + "format": "date-time" + }, + "workspaces": { + "title": "Workspaces", + "description": "A set of named filesystem or data resource shareable by workflow tasks.", + "type": "array", + "items": { + "$ref": "#/definitions/workspace" + }, + "uniqueItems": true + }, + "runtimeTopology": { + "title": "Runtime topology", + "description": "A graph of the component runtime topology for task's instance.", + "$comment": "A description of the runtime component and service topology. This can describe a partial or complete topology used to host and execute the task (e.g., hardware, operating systems, configurations, etc.),", + "type": "array", + "items": { + "$ref": "#/definitions/dependency" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "step": { + "type": "object", + "description": "Executes specific commands or tools in order to accomplish its owning task as part of a sequence.", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "A name for the step.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the step.", + "type": "string" + }, + "commands": { + "title": "Commands", + "description": "Ordered list of commands or directives for the step", + "type": "array", + "items": { + "$ref": "#/definitions/command" + } + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "command": { + "type": "object", + "additionalProperties": false, + "properties": { + "executed": { + "title": "Executed", + "description": "A text representation of the executed command.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "workspace": { + "title": "Workspace", + "description": "A named filesystem or data resource shareable by workflow tasks.", + "type": "object", + "required": [ + "bom-ref", + "uid" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the workspace elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "aliases": { + "title": "Aliases", + "description": "The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.", + "type": "array", + "items": {"type": "string"} + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "accessMode": { + "title": "Access mode", + "description": "Describes the read-write access control for the workspace relative to the owning resource instance.", + "type": "string", + "enum": [ + "read-only", + "read-write", + "read-write-once", + "write-once", + "write-only" + ] + }, + "mountPath": { + "title": "Mount path", + "description": "A path to a location on disk where the workspace will be available to the associated task's steps.", + "type": "string" + }, + "managedDataType": { + "title": "Managed data type", + "description": "The name of a domain-specific data type the workspace represents.", + "$comment": "This property is for CI/CD frameworks that are able to provide access to structured, managed data at a more granular level than a filesystem.", + "examples": ["ConfigMap","Secret"], + "type": "string" + }, + "volumeRequest": { + "title": "Volume request", + "description": "Identifies the reference to the request for a specific volume type and parameters.", + "examples": ["a kubernetes Persistent Volume Claim (PVC) name"], + "type": "string" + }, + "volume": { + "title": "Volume", + "description": "Information about the actual volume instance allocated to the workspace.", + "$comment": "The actual volume allocated may be different than the request.", + "examples": ["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"], + "$ref": "#/definitions/volume" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "volume": { + "title": "Volume", + "description": "An identifiable, logical unit of data storage tied to a physical device.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the volume instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the volume instance", + "type": "string" + }, + "mode": { + "title": "Mode", + "description": "The mode for the volume instance.", + "type": "string", + "enum": [ + "filesystem", "block" + ], + "default": "filesystem" + }, + "path": { + "title": "Path", + "description": "The underlying path created from the actual volume.", + "type": "string" + }, + "sizeAllocated": { + "title": "Size allocated", + "description": "The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.", + "examples": ["10GB", "2Ti", "1Pi"], + "type": "string" + }, + "persistent": { + "title": "Persistent", + "description": "Indicates if the volume persists beyond the life of the resource it is associated with.", + "type": "boolean" + }, + "remote": { + "title": "Remote", + "description": "Indicates if the volume is remotely (i.e., network) attached.", + "type": "boolean" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "trigger": { + "title": "Trigger", + "description": "Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.", + "type": "object", + "additionalProperties": false, + "required": [ + "type", + "bom-ref", + "uid" + ], + "properties": { + "bom-ref": { + "title": "BOM Reference", + "description": "An identifier which can be used to reference the trigger elsewhere in the BOM. Every `bom-ref` must be unique within the BOM.\nValue SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.", + "$ref": "#/definitions/refType" + }, + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier for the resource instance within its deployment context.", + "type": "string" + }, + "name": { + "title": "Name", + "description": "The name of the resource instance.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the resource instance.", + "type": "string" + }, + "resourceReferences": { + "title": "Resource references", + "description": "References to component or service resources that are used to realize the resource instance.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/resourceReferenceChoice" + } + }, + "type": { + "title": "Type", + "description": "The source type of event which caused the trigger to fire.", + "type": "string", + "enum": [ + "manual", + "api", + "webhook", + "scheduled" + ] + }, + "event": { + "title": "Event", + "description": "The event data that caused the associated trigger to activate.", + "$ref": "#/definitions/event" + }, + "conditions": { + "type": "array", + "title": "Conditions", + "description": "A list of conditions used to determine if a trigger should be activated.", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/condition" + } + }, + "timeActivated": { + "title": "Time activated", + "description": "The date and time (timestamp) when the trigger was activated.", + "type": "string", + "format": "date-time" + }, + "inputs": { + "title": "Inputs", + "description": "Represents resources and data brought into a task at runtime by executor or task commands", + "examples": ["a `configuration` file which was declared as a local `component` or `externalReference`"], + "type": "array", + "items": { + "$ref": "#/definitions/inputType" + }, + "uniqueItems": true + }, + "outputs": { + "title": "Outputs", + "description": "Represents resources and data output from a task at runtime by executor or task commands", + "examples": ["a log file or metrics data produced by the task"], + "type": "array", + "items": { + "$ref": "#/definitions/outputType" + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "event": { + "title": "Event", + "description": "Represents something that happened that may trigger a response.", + "type": "object", + "additionalProperties": false, + "properties": { + "uid": { + "title": "Unique Identifier (UID)", + "description": "The unique identifier of the event.", + "type": "string" + }, + "description": { + "title": "Description", + "description": "A description of the event.", + "type": "string" + }, + "timeReceived": { + "title": "Time Received", + "description": "The date and time (timestamp) when the event was received.", + "type": "string", + "format": "date-time" + }, + "data": { + "title": "Data", + "description": "Encoding of the raw event data.", + "$ref": "#/definitions/attachment" + }, + "source": { + "title": "Source", + "description": "References the component or service that was the source of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "References the component or service that was the target of the event", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "inputType": { + "title": "Input type", + "description": "Type that represents various input data types and formats.", + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "parameters" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "source": { + "title": "Source", + "description": "A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)", + "examples": [ + "source code repository", + "database" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)", + "examples": [ + "workspace", + "directory" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource provided as an input to a task by the workflow runtime.", + "examples": [ + "a reference to a configuration file in a repository (i.e., a bom-ref)", + "a reference to a scanning service used in a task (i.e., a bom-ref)" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "parameters": { + "title": "Parameters", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/definitions/parameter" + } + }, + "environmentVars": { + "title": "Environment variables", + "description": "Inputs that have the form of parameters with names and values.", + "type": "array", + "uniqueItems": true, + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." + } + ] + } + }, + "data": { + "title": "Data", + "description": "Inputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "outputType": { + "type": "object", + "oneOf": [ + { + "required": [ + "resource" + ] + }, + { + "required": [ + "environmentVars" + ] + }, + { + "required": [ + "data" + ] + } + ], + "additionalProperties": false, + "properties": { + "type": { + "title": "Type", + "description": "Describes the type of data output.", + "type": "string", + "enum": [ + "artifact", + "attestation", + "log", + "evidence", + "metrics", + "other" + ] + }, + "source": { + "title": "Source", + "description": "Component or service that generated or provided the output from the task (e.g., a build tool)", + "$ref": "#/definitions/resourceReferenceChoice" + }, + "target": { + "title": "Target", + "description": "Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)", + "examples": ["a log file described as an `externalReference` within its target domain."], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "resource": { + "title": "Resource", + "description": "A reference to an independent resource generated as output by the task.", + "examples": [ + "configuration file", + "source code", + "scanning service" + ], + "$ref": "#/definitions/resourceReferenceChoice" + }, + "data": { + "title": "Data", + "description": "Outputs that have the form of data.", + "$ref": "#/definitions/attachment" + }, + "environmentVars": { + "title": "Environment variables", + "description": "Outputs that have the form of environment variables.", + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/property" + }, + { + "type": "string", + "title": "String-Based Environment Variables", + "description": "In addition to the more common key–value pair format, some environment variables may consist of a single string without an explicit value assignment. These string-based environment variables typically act as flags or signals to software, indicating that a feature should be enabled, a mode should be activated, or a specific condition is present. Their presence alone conveys meaning." + } + ] + }, + "uniqueItems": true + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "resourceReferenceChoice": { + "title": "Resource reference choice", + "description": "A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.", + "$comment": "Enables reference to a resource that participates in a workflow; using either internal (bom-ref) or external (externalReference) types.", + "type": "object", + "additionalProperties": false, + "properties": { + "ref": { + "title": "BOM Reference", + "description": "References an object by its bom-ref attribute", + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "externalReference": { + "title": "External reference", + "description": "Reference to an externally accessible resource.", + "$ref": "#/definitions/externalReference" + } + }, + "oneOf": [ + { + "required": [ + "ref" + ] + }, + { + "required": [ + "externalReference" + ] + } + ] + }, + "condition": { + "title": "Condition", + "description": "A condition that was used to determine a trigger should be activated.", + "type": "object", + "additionalProperties": false, + "properties": { + "description": { + "title": "Description", + "description": "Describes the set of conditions which cause the trigger to activate.", + "type": "string" + }, + "expression": { + "title": "Expression", + "description": "The logical expression that was evaluated that determined the trigger should be fired.", + "type": "string" + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + } + } + }, + "taskType": { + "type": "string", + "enum": [ + "copy", + "clone", + "lint", + "scan", + "merge", + "build", + "test", + "deliver", + "deploy", + "release", + "clean", + "other" + ], + "meta:enum": { + "copy": "A task that copies software or data used to accomplish other tasks in the workflow.", + "clone": "A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step.", + "lint": "A task that checks source code for programmatic and stylistic errors.", + "scan": "A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance.", + "merge": "A task that merges changes or fixes into source code prior to a build step in the workflow.", + "build": "A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems.", + "test": "A task that verifies the functionality of a component or service.", + "deliver": "A task that delivers a built artifact to one or more target repositories or storage systems.", + "deploy": "A task that deploys a built artifact for execution on one or more target systems.", + "release": "A task that releases a built, versioned artifact to a target repository or distribution system.", + "clean": "A task that cleans unnecessary tools, build artifacts and/or data from workflow storage.", + "other": "A workflow task that does not match current task type definitions." + } + }, + "parameter": { + "title": "Parameter", + "description": "A representation of a functional parameter.", + "type": "object", + "additionalProperties": false, + "properties": { + "name": { + "title": "Name", + "description": "The name of the parameter.", + "type": "string" + }, + "value": { + "title": "Value", + "description": "The value of the parameter.", + "type": "string" + }, + "dataType": { + "title": "Data type", + "description": "The data type of the parameter.", + "type": "string" + } + } + }, + "componentIdentityEvidence": { + "type": "object", + "title": "Identity Evidence", + "description": "Evidence that substantiates the identity of a component.", + "required": [ "field" ], + "additionalProperties": false, + "properties": { + "field": { + "type": "string", + "enum": [ + "group", "name", "version", "purl", "cpe", "omniborId", "swhid", "swid", "hash" + ], + "title": "Field", + "description": "The identity field of the component which the evidence describes." + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence." + }, + "concludedValue": { + "type": "string", + "title": "Concluded Value", + "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)." + }, + "methods": { + "type": "array", + "title": "Methods", + "description": "The methods used to extract and/or analyze the evidence.", + "items": { + "type": "object", + "required": [ + "technique" , + "confidence" + ], + "additionalProperties": false, + "properties": { + "technique": { + "title": "Technique", + "description": "The technique used in this method of analysis.", + "type": "string", + "enum": [ + "source-code-analysis", + "binary-analysis", + "manifest-analysis", + "ast-fingerprint", + "hash-comparison", + "instrumentation", + "dynamic-analysis", + "filename", + "attestation", + "other" + ] + }, + "confidence": { + "type": "number", + "minimum": 0, + "maximum": 1, + "title": "Confidence", + "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value or contents of the evidence." + } + } + } + }, + "tools": { + "type": "array", + "uniqueItems": true, + "items": { + "anyOf": [ + { + "title": "Ref", + "$ref": "#/definitions/refLinkType" + }, + { + "title": "BOM-Link Element", + "$ref": "#/definitions/bomLinkElementType" + } + ] + }, + "title": "BOM References", + "description": "The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation." + } + } + }, + "standard": { + "type": "object", + "title": "Standard", + "description": "A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the standard. This will often be a shortened, single name of the standard." + }, + "version": { + "type": "string", + "title": "Version", + "description": "The version of the standard." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the standard." + }, + "owner": { + "type": "string", + "title": "Owner", + "description": "The owner of the standard, often the entity responsible for its release." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirements comprising the standard.", + "items": { + "type": "object", + "title": "Requirement", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the requirement." + }, + "text": { + "type": "string", + "title": "Text", + "description": "The textual content of the requirement." + }, + "descriptions": { + "type": "array", + "title": "Descriptions", + "description": "The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.", + "items": { "type": "string" } + }, + "openCre": { + "type": "array", + "title": "OWASP OpenCRE Identifier(s)", + "description": "The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.", + "items": { + "type": "string", + "pattern": "^CRE:[0-9]+-[0-9]+$", + "examples": [ "CRE:764-507" ] + } + }, + "parent": { + "$ref": "#/definitions/refLinkType", + "title": "Parent BOM Reference", + "description": "The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents." + }, + "properties": { + "type": "array", + "title": "Properties", + "description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.", + "items": { + "$ref": "#/definitions/property" + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + } + } + } + }, + "levels": { + "type": "array", + "title": "Levels", + "description": "The list of levels associated with the standard. Some standards have different levels of compliance.", + "items": { + "type": "object", + "title": "Level", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "identifier": { + "type": "string", + "title": "Identifier", + "description": "The identifier used in the standard to identify a specific level." + }, + "title": { + "type": "string", + "title": "Title", + "description": "The title of the level." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the level." + }, + "requirements": { + "type": "array", + "title": "Requirements", + "description": "The list of requirement `bom-ref`s that comprise the level.", + "items": { "$ref": "#/definitions/refLinkType" } + } + } + } + }, + "externalReferences": { + "type": "array", + "items": {"$ref": "#/definitions/externalReference"}, + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + } + } + }, + "signature": { + "$ref": "jsf-0.82.SNAPSHOT.schema.json#/definitions/signature", + "title": "Signature", + "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)." + }, + "cryptoProperties": { + "type": "object", + "title": "Cryptographic Properties", + "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.", + "additionalProperties": false, + "required": [ + "assetType" + ], + "properties": { + "assetType": { + "type": "string", + "title": "Asset Type", + "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.", + "enum": [ + "algorithm", + "certificate", + "protocol", + "related-crypto-material" + ], + "meta:enum": { + "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.", + "certificate": "An electronic document that is used to provide the identity or validate a public key.", + "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.", + "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens." + } + }, + "algorithmProperties": { + "type": "object", + "title": "Algorithm Properties", + "description": "Additional properties specific to a cryptographic algorithm.", + "additionalProperties": false, + "properties": { + "primitive": { + "type": "string", + "title": "primitive", + "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).", + "enum": [ + "drbg", + "mac", + "block-cipher", + "stream-cipher", + "signature", + "hash", + "pke", + "xof", + "kdf", + "key-agree", + "kem", + "ae", + "combiner", + "key-wrap", + "other", + "unknown" + ], + "meta:enum": { + "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.", + "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.", + "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.", + "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).", + "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.", + "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.", + "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.", + "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.", + "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.", + "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.", + "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", + "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", + "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", + "other": "Another primitive type.", + "unknown": "The primitive is not known." + } + }, + "algorithmFamily": { + "$ref": "cryptography-defs.SNAPSHOT.schema.json#/definitions/algorithmFamiliesEnum", + "title": "Algorithm Family", + "description": "A valid algorithm family identifier. If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.SNAPSHOT.schema.json` subschema.", + "examples": ["3DES", "Blowfish", "ECDH"] + }, + "parameterSetIdentifier": { + "type": "string", + "title": "Parameter Set Identifier", + "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." + }, + "curve": { + "deprecated": true, + "type": "string", + "title": "Elliptic Curve", + "description": "[Deprecated] This will be removed in a future version. Use `@.ellipticCurve` instead.\nThe specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." + }, + "ellipticCurve": { + "$ref": "cryptography-defs.SNAPSHOT.schema.json#/definitions/ellipticCurvesEnum", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.SNAPSHOT.schema.json` subschema." + }, + "executionEnvironment": { + "type": "string", + "title": "Execution Environment", + "description": "The target and execution environment in which the algorithm is implemented in.", + "enum": [ + "software-plain-ram", + "software-encrypted-ram", + "software-tee", + "hardware", + "other", + "unknown" + ], + "meta:enum": { + "software-plain-ram": "A software implementation running in plain unencrypted RAM.", + "software-encrypted-ram": "A software implementation running in encrypted RAM.", + "software-tee": "A software implementation running in a trusted execution environment.", + "hardware": "A hardware implementation.", + "other": "Another implementation environment.", + "unknown": "The execution environment is not known." + } + }, + "implementationPlatform": { + "type": "string", + "title": "Implementation platform", + "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.", + "enum": [ + "generic", + "x86_32", + "x86_64", + "armv7-a", + "armv7-m", + "armv8-a", + "armv8-m", + "armv9-a", + "armv9-m", + "s390x", + "ppc64", + "ppc64le", + "other", + "unknown" + ] + }, + "certificationLevel": { + "type": "array", + "title": "Certification Level", + "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).", + "items": { + "type": "string", + "enum": [ + "none", + "fips140-1-l1", + "fips140-1-l2", + "fips140-1-l3", + "fips140-1-l4", + "fips140-2-l1", + "fips140-2-l2", + "fips140-2-l3", + "fips140-2-l4", + "fips140-3-l1", + "fips140-3-l2", + "fips140-3-l3", + "fips140-3-l4", + "cc-eal1", + "cc-eal1+", + "cc-eal2", + "cc-eal2+", + "cc-eal3", + "cc-eal3+", + "cc-eal4", + "cc-eal4+", + "cc-eal5", + "cc-eal5+", + "cc-eal6", + "cc-eal6+", + "cc-eal7", + "cc-eal7+", + "other", + "unknown" + ], + "meta:enum": { + "none": "No certification obtained", + "fips140-1-l1": "FIPS 140-1 Level 1", + "fips140-1-l2": "FIPS 140-1 Level 2", + "fips140-1-l3": "FIPS 140-1 Level 3", + "fips140-1-l4": "FIPS 140-1 Level 4", + "fips140-2-l1": "FIPS 140-2 Level 1", + "fips140-2-l2": "FIPS 140-2 Level 2", + "fips140-2-l3": "FIPS 140-2 Level 3", + "fips140-2-l4": "FIPS 140-2 Level 4", + "fips140-3-l1": "FIPS 140-3 Level 1", + "fips140-3-l2": "FIPS 140-3 Level 2", + "fips140-3-l3": "FIPS 140-3 Level 3", + "fips140-3-l4": "FIPS 140-3 Level 4", + "cc-eal1": "Common Criteria - Evaluation Assurance Level 1", + "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)", + "cc-eal2": "Common Criteria - Evaluation Assurance Level 2", + "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)", + "cc-eal3": "Common Criteria - Evaluation Assurance Level 3", + "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)", + "cc-eal4": "Common Criteria - Evaluation Assurance Level 4", + "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)", + "cc-eal5": "Common Criteria - Evaluation Assurance Level 5", + "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)", + "cc-eal6": "Common Criteria - Evaluation Assurance Level 6", + "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)", + "cc-eal7": "Common Criteria - Evaluation Assurance Level 7", + "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)", + "other": "Another certification", + "unknown": "The certification level is not known" + } + } + }, + "mode": { + "type": "string", + "title": "Mode", + "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.", + "enum": [ + "cbc", + "ecb", + "ccm", + "gcm", + "cfb", + "ofb", + "ctr", + "other", + "unknown" + ], + "meta:enum": { + "cbc": "Cipher block chaining", + "ecb": "Electronic codebook", + "ccm": "Counter with cipher block chaining message authentication code", + "gcm": "Galois/counter", + "cfb": "Cipher feedback", + "ofb": "Output feedback", + "ctr": "Counter", + "other": "Another mode of operation", + "unknown": "The mode of operation is not known" + } + }, + "padding": { + "type": "string", + "title": "Padding", + "description": "The padding scheme that is used for the cryptographic algorithm.", + "enum": [ + "pkcs5", + "pkcs7", + "pkcs1v15", + "oaep", + "raw", + "other", + "unknown" + ], + "meta:enum": { + "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography", + "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax", + "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5", + "oaep": "Optimal asymmetric encryption padding", + "raw": "Raw", + "other": "Another padding scheme", + "unknown": "The padding scheme is not known" + } + }, + "cryptoFunctions": { + "type": "array", + "title": "Cryptographic functions", + "description": "The cryptographic functions implemented by the cryptographic algorithm.", + "items": { + "type": "string", + "enum": [ + "generate", + "keygen", + "encrypt", + "decrypt", + "digest", + "tag", + "keyderive", + "sign", + "verify", + "encapsulate", + "decapsulate", + "other", + "unknown" + ] + } + }, + "classicalSecurityLevel": { + "type": "integer", + "title": "classical security level", + "description": "The classical security level that a cryptographic algorithm provides (in bits).", + "minimum": 0 + }, + "nistQuantumSecurityLevel": { + "type": "integer", + "title": "NIST security strength category", + "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", + "minimum": 0, + "maximum": 6 + } + } + }, + "certificateProperties": { + "type": "object", + "title": "Certificate Properties", + "description": "Properties for cryptographic assets of asset type 'certificate'", + "additionalProperties": false, + "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." + }, + "subjectName": { + "type": "string", + "title": "Subject Name", + "description": "The subject name for the certificate" + }, + "issuerName": { + "type": "string", + "title": "Issuer Name", + "description": "The issuer name for the certificate" + }, + "notValidBefore": { + "type": "string", + "format": "date-time", + "title": "Not Valid Before", + "description": "The date and time according to ISO-8601 standard from which the certificate is valid" + }, + "notValidAfter": { + "type": "string", + "format": "date-time", + "title": "Not Valid After", + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" + }, + "signatureAlgorithmRef": { + "deprecated": true, + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to signature algorithm used by the certificate" + }, + "subjectPublicKeyRef": { + "deprecated": true, + "$ref": "#/definitions/refType", + "title": "Key reference", + "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to the public key of the subject" + }, + "certificateFormat": { + "type": "string", + "title": "Certificate Format", + "description": "The format of the certificate", + "examples": [ + "X.509", + "PEM", + "DER", + "CVC" + ] + }, + "certificateExtension": { + "deprecated": true, + "type": "string", + "title": "Certificate File Extension", + "description": "[DEPRECATED] This will be removed in a future version. Use `@.certificateFileExtension` instead.\nThe file extension of the certificate", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", + "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", + "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + } + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactivated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revocation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." + }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "commonExtensionName", + "commonExtensionValue" + ], + "additionalProperties": false, + "properties": { + "commonExtensionName": { + "type": "string", + "title": "name", + "description": "The name of the extension.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." + } + }, + "commonExtensionValue": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." + } + } + }, + { + "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", + "required": [ + "customExtensionName" + ], + "additionalProperties": false, + "properties": { + "customExtensionName": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "customExtensionValue": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." + } + } + }, + "relatedCryptoMaterialProperties": { + "type": "object", + "title": "Related Cryptographic Material Properties", + "description": "Properties for cryptographic assets of asset type: `related-crypto-material`", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "relatedCryptoMaterialType", + "description": "The type for the related cryptographic material", + "enum": [ + "private-key", + "public-key", + "secret-key", + "key", + "ciphertext", + "signature", + "digest", + "initialization-vector", + "nonce", + "seed", + "salt", + "shared-secret", + "tag", + "additional-data", + "password", + "credential", + "token", + "other", + "unknown" + ], + "meta:enum": { + "private-key": "The confidential key of a key pair used in asymmetric cryptography.", + "public-key": "The non-confidential key of a key pair used in asymmetric cryptography.", + "secret-key": "A key used to encrypt and decrypt messages in symmetric cryptography.", + "key": "A piece of information, usually an octet string, which, when processed through a cryptographic algorithm, processes cryptographic data.", + "ciphertext": "The result of encryption performed on plaintext using an algorithm (or cipher).", + "signature": "A cryptographic value that is calculated from the data and a key known only by the signer.", + "digest": "The output of the hash function.", + "initialization-vector": "A fixed-size random or pseudo-random value used as an input parameter for cryptographic algorithms.", + "nonce": "A random or pseudo-random number that can only be used once in a cryptographic communication.", + "seed": "The input to a pseudo-random number generator. Different seeds generate different pseudo-random sequences.", + "salt": "A value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.", + "shared-secret": "A piece of data known only to the parties involved, in a secure communication.", + "tag": "A message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message.", + "additional-data": "An unspecified collection of data with relevance to cryptographic activity.", + "password": "A secret word, phrase, or sequence of characters used during authentication or authorization.", + "credential": "Establishes the identity of a party to communication, usually in the form of cryptographic keys or passwords.", + "token": "An object encapsulating a security identity.", + "other": "Another type of cryptographic asset.", + "unknown": "The type of cryptographic asset is not known." + } + }, + "id": { + "type": "string", + "title": "ID", + "description": "The unique identifier for the related cryptographic material." + }, + "state": { + "type": "string", + "title": "State", + "description": "The key state as defined by NIST SP 800-57.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "compromised", + "destroyed" + ] + }, + "algorithmRef": { + "deprecated": true, + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "[DEPRECATED] Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to the algorithm used to generate the related cryptographic material." + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the related cryptographic material was created." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the related cryptographic material was activated." + }, + "updateDate": { + "type": "string", + "format": "date-time", + "title": "Update Date", + "description": "The date and time (timestamp) when the related cryptographic material was updated." + }, + "expirationDate": { + "type": "string", + "format": "date-time", + "title": "Expiration Date", + "description": "The date and time (timestamp) when the related cryptographic material expires." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The associated value of the cryptographic material." + }, + "size": { + "type": "integer", + "title": "Size", + "description": "The size of the cryptographic asset (in bits)." + }, + "format": { + "type": "string", + "title": "Format", + "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)." + }, + "securedBy": { + "$ref": "#/definitions/securedBy", + "title": "Secured By", + "description": "The mechanism by which the cryptographic asset is secured by." + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." + } + } + }, + "protocolProperties": { + "type": "object", + "title": "Protocol Properties", + "description": "Properties specific to cryptographic assets of type: `protocol`.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "The concrete protocol type.", + "enum": [ + "tls", + "ssh", + "ipsec", + "ike", + "sstp", + "wpa", + "dtls", + "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", + "other", + "unknown" + ], + "meta:enum": { + "tls": "Transport Layer Security", + "ssh": "Secure Shell", + "ipsec": "Internet Protocol Security", + "ike": "Internet Key Exchange", + "sstp": "Secure Socket Tunneling Protocol", + "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "other": "Another protocol type", + "unknown": "The protocol type is not known" + } + }, + "version": { + "type": "string", + "title": "Protocol Version", + "description": "The version of the protocol.", + "examples": [ + "1.0", + "1.2", + "1.99" + ] + }, + "cipherSuites": { + "type": "array", + "title": "Cipher Suites", + "description": "A list of cipher suites related to the protocol.", + "items": { + "$ref": "#/definitions/cipherSuite", + "title": "Cipher Suite" + } + }, + "ikev2TransformTypes": { + "type": "object", + "title": "IKEv2 Transform Types", + "description": "The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.", + "additionalProperties": false, + "properties": { + "encr": { + "title": "Encryption Algorithms (ENCR)", + "description": "Transform Type 1: encryption algorithms", + "anyOf": [ + { + "type": "array", + "title": "Encryption Algorithms (ENCR)", + "items": { + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "title": "Encryption Algorithm (ENCR) References", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 1: encryption algorithms" + } + ] + }, + "prf": { + "title": "Pseudorandom Functions (PRF)", + "description": "Transform Type 2: pseudorandom functions", + "anyOf": [ + { + "type": "array", + "title": "Pseudorandom Functions (PRF)", + "items": { + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 2: pseudorandom functions" + } + ] + }, + "integ": { + "title": "Integrity Algorithms (INTEG)", + "description": "Transform Type 3: integrity algorithms", + "anyOf": [ + { + "type": "array", + "title": "Integrity Algorithms (INTEG)", + "items": { + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 3: integrity algorithms" + } + ] + }, + "ke": { + "title": "Key Exchange Methods (KE)", + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "anyOf": [ + { + "type": "array", + "title": "Key Exchange Methods (KE)", + "items": { + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Method (KE)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nTransform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + } + ] + }, + "esn": { + "type": "boolean", + "title": "Extended Sequence Number (ESN)", + "description": "Specifies if an Extended Sequence Number (ESN) is used." + }, + "auth": { + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "anyOf": [ + { + "type": "array", + "title": "IKEv2 Authentication Methods", + "items": { + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version.\nIKEv2 Authentication method" + } + ] + } + } + }, + "cryptoRefArray": { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "title": "Cryptographic References", + "description": "[DEPRECATED] Use `@.relatedCryptographicAssets` instead.\nA list of protocol-related cryptographic assets" + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." + } + } + }, + "oid": { + "type": "string", + "title": "OID", + "description": "The object identifier (OID) of the cryptographic asset." + } + } + }, + "cipherSuite": { + "type": "object", + "title": "Cipher Suite", + "description": "Object representing a cipher suite", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Common Name", + "description": "A common name for the cipher suite.", + "examples": [ + "TLS_DHE_RSA_WITH_AES_128_CCM" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "identifiers": { + "type": "array", + "title": "Cipher Suite Identifiers", + "description": "A list of common identifiers for the cipher suite.", + "items": { + "type": "string", + "title": "identifier", + "description": "Cipher suite identifier", + "examples": [ + "0xC0", + "0x9E" + ] + } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } + } + } + }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE)", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "cryptoRefArray" : { + "deprecated": true, + "title": "Encryption Algorithm (ENCR) Reference Array", + "description": "Deprecated definition.", + "type": "array", + "items": { + "$ref": "#/definitions/refType" + } + }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/definitions/relatedCryptographicAsset", + "title": "Related Cryptographic Asset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, + "securedBy": { + "type": "object", + "title": "Secured By", + "description": "Specifies the mechanism by which the cryptographic asset is secured by", + "additionalProperties": false, + "properties": { + "mechanism": { + "type": "string", + "title": "Mechanism", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "HSM", + "TPM", + "SGX", + "Software", + "None" + ] + }, + "algorithmRef": { + "$ref": "#/definitions/refType", + "title": "Algorithm Reference", + "description": "The bom-ref to the algorithm." + } + } + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "title": "Tags", + "description": "Textual strings that aid in discovery, search, and retrieval of the associated object. Tags often serve as a way to group or categorize similar or related objects by various attributes.", + "examples": [ + "json-parser", + "object-persistence", + "text-to-image", + "translation", + "object-detection" + ] + }, + "patentFamily": { + "type": "object", + "title": "Patent Family", + "description": "A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable.", + "required": ["familyId"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM. \n\nFor a patent, it might be a good idea to use a patent number as the BOM reference ID." + }, + "familyId": { + "type": "string", + "title": "Patent Family ID", + "description": "The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd)." + }, + "priorityApplication": { + "$ref": "#/definitions/priorityApplication" + }, + "members": { + "type": "array", + "title": "Family Members", + "description": "A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM.", + "items": { + "$ref": "#/definitions/refLinkType", + "title": "BOM Reference", + "description": "A `bom-ref` linking to a patent or application object within the BOM." + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "items": { + "$ref": "#/definitions/externalReference" + } + } + } + }, + "patent": { + "type": "object", + "title": "Patent", + "description": "A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable.", + "required": ["patentNumber", "jurisdiction", "patentLegalStatus"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "An identifier which can be used to reference the object elsewhere in the BOM. Every `bom-ref` must be unique within the BOM." + }, + "patentNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Number", + "description": "The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd).", + "examples": ["US987654321", "EP1234567B1"] + }, + "applicationNumber": { + "$ref": "#/definitions/patentApplicationNumber" + }, + "jurisdiction": { + "$ref": "#/definitions/patentJurisdiction" + }, + "priorityApplication": { + "$ref": "#/definitions/priorityApplication" + }, + "publicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Publication Number", + "description": "This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. \n\nPurpose: Identifies the publicly available version of the application. \n\nFormat: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. \n\nExample:\n - US: US20240000123A1 (indicates the first publication of application US20240000123) \n - Europe: EP23123456A1 (first publication of European application EP23123456). \n\nWIPO ST.96 v8.0: \n - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd" + }, + "title": { + "type": "string", + "title": "Patent Title", + "description": "The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd)." + }, + "abstract": { + "type": "string", + "title": "Patent Abstract", + "description": "A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd)." + }, + "filingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "grantDate": { + "type": "string", + "format": "date", + "title": "Grant Date", + "description": "The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd)." + }, + "patentExpirationDate": { + "type": "string", + "format": "date", + "title": "Expiration Date", + "description": "The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules." + }, + "patentLegalStatus": { + "type": "string", + "title": "Legal Status", + "description": "Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status.", + "enum": [ + "pending", + "granted", + "revoked", + "expired", + "lapsed", + "withdrawn", + "abandoned", + "suspended", + "reinstated", + "opposed", + "terminated", + "invalidated", + "in-force" + ], + "meta:enum": { + "pending": "The patent application has been filed but not yet examined or granted.", + "granted": "The patent application has been examined and a patent has been issued.", + "revoked": "The patent has been declared invalid through a legal or administrative process.", + "expired": "The patent has reached the end of its enforceable term.", + "lapsed": "The patent is no longer in force due to non-payment of maintenance fees or other requirements.", + "withdrawn": "The patent application was voluntarily withdrawn by the applicant.", + "abandoned": "The patent application was abandoned, often due to lack of action or response.", + "suspended": "Processing of the patent application has been temporarily halted.", + "reinstated": "A previously abandoned or lapsed patent has been reinstated.", + "opposed": "The patent application or granted patent is under formal opposition proceedings.", + "terminated": "The patent or application has been officially terminated.", + "invalidated": "The patent has been invalidated, either in part or in full.", + "in-force": "The granted patent is active and enforceable." + } + }, + "patentAssignee": { + "type": "array", + "title": "Patent Assignees", + "description": "A collection of organisations or individuals to whom the patent rights are assigned. This supports joint ownership and allows for flexible representation of both corporate entities and individual inventors.", + "items": { + "oneOf": [ + { + "title": "Person", + "$ref": "#/definitions/organizationalContact" + }, + { + "title": "Organizational Entity", + "$ref": "#/definitions/organizationalEntity" + } + ] + } + }, + "externalReferences": { + "type": "array", + "title": "External References", + "description": "External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.", + "items": { + "$ref": "#/definitions/externalReference" + } + } + } + }, + "patentAssertions": { + "type": "array", + "title": "Patent Assertions", + "description": "A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.", + "items": { + "type": "object", + "title": "Patent Assertion", + "description": "An assertion linking a patent or patent family to this component or service.", + "required": ["assertionType", "asserter"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference", + "description": "A reference to the patent or patent family object within the BOM. This must match the `bom-ref` of a `patent` or `patentFamily` object." + }, + "assertionType": { + "type": "string", + "title": "Assertion Type", + "description": "The type of assertion being made about the patent or patent family. Examples include ownership, licensing, and standards inclusion.", + "enum": [ + "ownership", + "license", + "third-party-claim", + "standards-inclusion", + "prior-art", + "exclusive-rights", + "non-assertion", + "research-or-evaluation" + ], + "meta:enum": { + "ownership": "The manufacturer asserts ownership of the patent or patent family.", + "license": "The manufacturer asserts they have a license to use the patent or patent family.", + "third-party-claim": "A third party has asserted a claim or potential infringement against the manufacturer’s component or service.", + "standards-inclusion": "The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service.", + "prior-art": "The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim.", + "exclusive-rights": "The manufacturer asserts exclusive rights granted through a licensing agreement.", + "non-assertion": "The manufacturer asserts they will not enforce the patent or patent family against certain uses or users.", + "research-or-evaluation": "The patent or patent family is being used under a research or evaluation license." + } + }, + "patentRefs": { + "type": "array", + "title": "Patent References", + "description": "A list of BOM references (`bom-ref`) linking to patents or patent families associated with this assertion.", + "items": { + "$ref": "#/definitions/refType" + } + }, + "asserter": { + "oneOf": [ + { + "$ref": "#/definitions/organizationalEntity", + "title": "Organizational Entity" + }, + { + "$ref": "#/definitions/organizationalContact", + "title": "Person" + }, + { + "$ref": "#/definitions/refLinkType", + "title": "Reference", + "description": "A reference to a previously defined `organizationalContact` or `organizationalEntity` object in the BOM. The value must be a valid `bom-ref` pointing to one of these objects." + } + ] + }, + "notes": { + "type": "string", + "title": "Notes", + "description": "Additional notes or clarifications regarding the assertion, if necessary. For example, geographical restrictions, duration, or limitations of a license." + } + } + } + }, + "patentApplicationNumber": { + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9\\-/.()\\s]{0,28}[A-Za-z0-9]$", + "title": "Patent Application Number", + "description": "The unique number assigned to a patent application when it is filed with a patent office. It is used to identify the specific application and track its progress through the examination process. Aligned with `ApplicationNumber` in ST.96. Refer to [ApplicationIdentificationType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/ApplicationIdentificationType.xsd).", + "examples": ["US20240000123", "EP23123456"] + }, + "patentJurisdiction": { + "type": "string", + "title": "Jurisdiction", + "description": "The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd).", + "pattern": "^[A-Z]{2}$", + "examples": ["US", "EP", "JP"] + }, + "patentFilingDate": { + "type": "string", + "format": "date", + "title": "Filing Date", + "description": "The date the priority application was filed, aligned with `FilingDate` in ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd)." + }, + "priorityApplication": { + "type": "object", + "title": "Priority Application", + "description": "The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context.", + "required": ["applicationNumber", "jurisdiction", "filingDate"], + "additionalProperties": false, + "properties": { + "applicationNumber": { + "$ref": "#/definitions/patentApplicationNumber" + }, + "jurisdiction": { + "$ref": "#/definitions/patentJurisdiction" + }, + "filingDate": { + "$ref": "#/definitions/patentFilingDate" + } + } + }, + "citation": { + "type": "object", + "title": "Citation", + "description": "Details a specific attribution of data within the BOM to a contributing entity or process.", + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "#/definitions/refType", + "title": "BOM Reference" + }, + "pointers": { + "type": "array", + "items": { + "type": "string", + "title": "Field Reference", + "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies.\nUsers of other serialization formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations." + }, + "minItems": 1, + "title": "Field References", + "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "expressions": { + "type": "array", + "items": { + "type": "string", + "title": "Path Expression", + "description": "Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialization.\nUse [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified.\nImplementers shall ensure the expression is valid within the context of the applicable serialization format." + }, + "minItems": 1, + "title": "Path Expressions", + "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present." + }, + "timestamp": { + "type": "string", + "format": "date-time", + "title": "Timestamp", + "description": "The date and time when the attribution was made or the information was supplied." + }, + "attributedTo": { + "$ref": "#/definitions/refLinkType", + "title": "Attributed To", + "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + }, + "process": { + "$ref": "#/definitions/refLinkType", + "title": "Process Reference", + "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present." + }, + "note": { + "type": "string", + "title": "Note", + "description": "A description or comment about the context or quality of the data attribution." + }, + "signature": { + "$ref": "#/definitions/signature", + "title": "Signature", + "description": "A digital signature verifying the authenticity or integrity of the attribution." + } + }, + "required": ["timestamp"], + "anyOf": [ + { "required": ["attributedTo"] }, + { "required": ["process"] } + ], + "oneOf": [ + { "required": ["pointers"] }, + { "required": ["expressions"] } + ] + } + } +} diff --git a/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd new file mode 100644 index 000000000..40aa7ad93 --- /dev/null +++ b/cyclonedx/schema/_res/bom-1.7.SNAPSHOT.xsd @@ -0,0 +1,9742 @@ + + + + + + + + + CycloneDX Bill of Materials Standard + https://cyclonedx.org/ + Apache License, Version 2.0 + + + + + + Identifier for referable and therefore interlink-able elements. + + + + + + + + + + Descriptor for an element identified by the attribute "bom-ref" in the same BOM document. + In contrast to `bomLinkElementType`. + + + + + + + + + + + + + + + + + =2.0.0|<5.0.0" + - "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + - "vers:tomee/>=1.0.0-beta1|<=1.7.5|>=7.0.0-M1|<=7.0.7|>=7.1.0|<=7.1.2|>=8.0.0-M1|<=8.0.1" + - "vers:gem/>=2.2.0|!= 2.2.1|<2.3.0" + ]]> + + + + + + + + + + + + Descriptor for another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + Descriptor for an element in another BOM document. + See https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + + + + + + + + + The date and time (timestamp) when the BOM was created. + + + + + + Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle. + + + + + + + + + + + + A pre-defined phase in the product lifecycle. + + + + + + + + + The name of the lifecycle phase + + + + + + + The description of the lifecycle phase + + + + + + + + + + + + + The tool(s) used in the creation of the BOM. + + + + + + + DEPRECATED. Use `../components` or `../services` instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + The person(s) who created the BOM. + Authors are common in BOMs created through manual processes. BOMs created through automated means may have './manufacturer' instead. + + + + + + + + + + + The component that the BOM describes. + + + + + + The organization that created the BOM. + Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have './authors' instead. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the `./component/manufacturer` instead. + The organization that manufactured the component that the BOM describes. + + + + + + The organization that supplied the component that the BOM describes. The + supplier may often be the manufacturer, but may also be a distributor or repackager. + + + + + + The license information for the BOM document. + This may be different from the license(s) of the component(s) that the BOM describes. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Conditions and constraints governing the sharing and distribution of the data or components + described by this BOM. + + + + + + + + The Traffic Light Protocol (TLP) classification that controls the sharing and + distribution of the data that the BOM describes. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + BOM produced early in the development lifecycle containing inventory of components and services + that are proposed or planned to be used. The inventory may need to be procured, retrieved, + or resourced prior to use. + + + + + + + BOM consisting of information obtained prior to a build process and may contain source files + and development artifacts and manifests. The inventory may need to be resolved and retrieved + prior to use. + + + + + + + BOM consisting of information obtained during a build process where component inventory is + available for use. The precise versions of resolved components are usually available at this + time as well as the provenance of where the components were retrieved from. + + + + + + + BOM consisting of information obtained after a build process has completed and the resulting + components(s) are available for further analysis. Built components may exist as the result of a + CI/CD process, may have been installed or deployed to a system or device, and may need to be + retrieved or extracted from the system or device. + + + + + + + BOM produced that represents inventory that is running and operational. This may include staging + or production environments and will generally encompass multiple SBOMs describing the applications + and operating system, along with HBOMs describing the hardware that makes up the system. Operations + Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, + and additional dependencies. + + + + + + + BOM consisting of information observed through network discovery providing point-in-time + enumeration of embedded, on-premise, and cloud-native services such as server applications, + connected devices, microservices, and serverless functions. + + + + + + + BOM containing inventory that will be, or has been retired from operations. + + + + + + + + + + + The name of the organization + + + + + The physical address (location) of the organization. + + + + + + The URL of the organization. Multiple URLs are allowed. + Example: https://example.com + + + + + + A contact person at the organization. Multiple contacts are allowed. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. + The default classification is "CLEAR" + + + + + + + The information is not subject to any restrictions as regards the sharing. + + + + + + + The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels. + + + + + + + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients. + + + + + + + The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization. + + + + + + + The information is subject to restricted distribution to individual recipients only and must not be shared. + + + + + + + + + Information about the automated or manual tool used + + + + + The name of the vendor who created the tool + + + + + The name of the tool + + + + + The version of the tool + + + + + + + + + + + + Provides the ability to document external references related to the tool. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The name of the contact + + + + + The email address of the contact. + + + + + The phone number of the contact. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that supplied the component. The supplier may often + be the manufacturer, but may also be a distributor or repackager. + + + + + + The organization that created the component. + Manufacturer is common in components created through automated processes. Components created through manual means may have './authors' instead. + + + + + + + The person(s) who created the component. + Authors are common in components created through manual processes. Components created through automated means may have `./manufacturer` instead. + + + + + + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./authors` or `./manufacturer` instead. + The person(s) or organization(s) that authored the component. + + + + + + The person(s) or organization(s) that published the component + + + + + The grouping name or identifier. This will often be a shortened, single + name of the company or project that produced the component, or the source package or + domain name. Whitespace and special characters should be avoided. Examples include: + apache, org.apache.commons, and apache.org. + + + + + The name of the component. This will often be a shortened, single name + of the component. Examples: commons-lang3 and jquery + + + + + Must be used exclusively, either 'version' or 'versionRange', but not both. + + + + The component version. The version should ideally comply with semantic versioning + but is not enforced. + + + + + + + + + + + Specifies a description for the component + + + + + Specifies the scope of the component. If scope is not specified, 'required' + scope SHOULD be assumed by the consumer of the BOM. + + + + + The hashes of the component. + + + + + + + + + + + A copyright notice informing users of the underlying claims to copyright ownership in a published work. + + + + + + A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + + + + + + + + Specifies a well-formed CPE name that conforms to the CPE 2.2 or 2.3 specification. See https://nvd.nist.gov/products/cpe + + + + + + + Specifies the package-url (purl). The purl, if specified, must be valid and conform + to the specification defined at: https://github.com/package-url/purl-spec + + + + + + + Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform + to the specification defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid + + + + + + + Specifies the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must + be valid and conform to the specification defined at: + https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html + + + + + + + Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags. + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use the pedigree + element instead to supply information on exactly how the component was modified. + A boolean value indicating if the component has been modified from the original. + A value of true indicates the component is a derivative of the original. + A value of false indicates the component has not been modified from the original. + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are + created, distributed, modified, redistributed, combined with other components, etc. + + + + + + Provides the ability to document external references related to the + component or to the project the component describes. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + A list of software and hardware components included in the parent component. This is not a + dependency tree. It provides a way to specify a hierarchical representation of component + assemblies, similar to system -> subsystem -> parts assembly in physical supply chains. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Provides the ability to document evidence collected through various forms of extraction or analysis. + + + + + Specifies release notes. + + + + + A model card describes the intended uses of a machine learning model and potential + limitations, including biases and ethical considerations. Model cards typically contain the + training parameters, which datasets were used to train the model, performance metrics, and other + relevant data useful for ML transparency. This object SHOULD be specified for any component of + type `machine-learning-model` and must not be specified for other component types. + + + + + This object SHOULD be specified for any component of type `data` and must not be + specified for other component types. + + + + + + Cryptographic assets have properties that uniquely define them and that make them actionable + for further reasoning. As an example, it makes a difference if one knows the algorithm family + (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the + security level and the algorithm primitive (authenticated encryption) is only defined by the + definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 + vs. HMAC-SHA1 also makes a difference. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + Specifies the type of component. For software components, classify as application if no more + specific appropriate classification is available or cannot be determined for the component. + + + + + + + The mime-type of the component. When used on file components, the mime-type + can provide additional context about the kind of file being represented such as an image, + font, or executable. Some library or framework components may also have an associated mime-type. + + + + + + + Determine whether this component is external. + An external component is one that is not part of an assembly, but is expected to be provided by the environment, regardless of the component's `@scope`. This setting can be useful for distinguishing which components are bundled with the product and which can be relied upon to be present in the deployment environment. + This may be set to `true` for runtime components only. For `/metadata/component`, it must be set to `false`. + + + + + + + An identifier which can be used to reference the component elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + An identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + Declared licenses and concluded licenses represent two different stages in the + licensing process within software development. Declared licenses refer to the + initial intention of the software authors regarding the licensing terms under + which their code is released. On the other hand, concluded licenses are the + result of a comprehensive analysis of the project's codebase to identify and + confirm the actual licenses of the components used, which may differ from the + initially declared licenses. While declared licenses provide an upfront indication + of the licensing intentions, concluded licenses offer a more thorough understanding + of the actual licensing within a project, facilitating proper compliance and risk + management. Observed licenses are defined in `evidence.licenses`. Observed licenses + form the evidence necessary to substantiate a concluded license. + + + + + + + + + + License identifiers that may be used to manage licenses and + their lifecycle + + + + + + + + + + The individual or organization that grants a license to another + individual or organization + + + + + + + The organization that granted the license + + + + + The individual, not associated with an organization, + that granted the license + + + + + + + + + The individual or organization for which a license was granted to + + + + + + + The organization that was granted the license + + + + + The individual, not associated with an organization, + that was granted the license + + + + + + + + + The individual or organization that purchased the license + + + + + + + The organization that purchased the license + + + + + The individual, not associated with an organization, + that purchased the license + + + + + + + + + The purchase order identifier the purchaser sent to a supplier or + vendor to authorize a purchase + + + + + The type of license(s) that was granted to the licensee + + + + + + + + + + The timestamp indicating when the license was last + renewed. For new purchases, this is often the purchase or acquisition date. + For non-perpetual licenses or subscriptions, this is the timestamp of when the + license was last renewed. + + + + + The timestamp indicating when the current license + expires (if applicable). + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies the details and attributes related to a software license. + It can either include a valid SPDX license identifier or a named license, along with additional + properties such as license acknowledgment, comprehensive commercial licensing information, and + the full text of the license. + + + + + + A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list. + + + + + The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX. + + + + + + Specifies the full text of the attachment + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements. + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + + + Specifies the details and attributes related to a software license. + It must be a valid SPDX license expression, along with additional properties such as license acknowledgment. + + + + + + Details for parts of the `expression`. + + + + + This document specifies the details and attributes related to a software license identifier. An SPDX expression may be a compound of license identifiers. + The `license-identifier` attribute serves as the key that identifies each record. Note that this key is not required to be unique, as the same license identifier could apply to multiple, different but similar license details, texts, etc. + + + + + + A way to include the textual content of the license. + + + + + The URL to the attachment file. If the attachment is a license or BOM, + an externalReference should also be specified for completeness. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A valid SPDX license identifier. Refer to https://spdx.org/specifications for syntax requirements. + This attribute serves as the primary key, which uniquely identifies each record. + + Example values: + - Apache-2.0 + - GPL-3.0-only WITH Classpath-exception-2.0 + - LicenseRef-my-custom-license + + + + + + + An identifier which can be used to reference the license elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + Licensing details describing the licensor/licensee, license type, renewal and + expiration dates, and other important metadata + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A valid SPDX license expression. + Refer to https://spdx.org/specifications for syntax requirements. + + Example values: + - Apache-2.0 AND (MIT OR GPL-2.0-only) + - GPL-3.0-only WITH Classpath-exception-2.0 + + + + + + + + + + The attachment data. Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text. + + + + + Specifies the format and nature of the data being attached, helping systems correctly + interpret and process the content. Common content type examples include `application/json` + for JSON data and `text/plain` for plan text documents. + RFC 2045 section 5.1 outlines the structure and use of content types. For a comprehensive + list of registered content types, refer to the IANA media types registry at + https://www.iana.org/assignments/media-types/media-types.xhtml. + + + + + + + Specifies the encoding the text is represented in + + + + + + + + + + Specifies the file hash of the component + + + + + + Specifies the algorithm used to create the hash + + + + + + + + + + + The component is required for runtime + + + + + The component is optional at runtime. Optional components are components that + are not capable of being called due to them not be installed or otherwise accessible by any means. + Components that are installed but due to configuration or other restrictions are prohibited from + being called must be scoped as 'required'. + + + + + Components that are excluded provide the ability to document component usage + for test and other non-runtime purposes. Excluded components are not reachable within a call + graph at runtime. + + + + + + + + + + A software application. Refer to https://en.wikipedia.org/wiki/Application_software + for information about applications. + + + + + A software framework. Refer to https://en.wikipedia.org/wiki/Software_framework + for information on how frameworks vary slightly from libraries. + + + + + A software library. Refer to https://en.wikipedia.org/wiki/Library_(computing) + for information about libraries. All third-party and open source reusable components will likely + be a library. If the library also has key features of a framework, then it should be classified + as a framework. If not, or is unknown, then specifying library is recommended. + + + + + A packaging and/or runtime format, not specific to any particular technology, + which isolates software inside the container from software outside of a container through + virtualization technology. Refer to https://en.wikipedia.org/wiki/OS-level_virtualization + + + + + + A runtime environment that interprets or executes software. + This may include runtimes such as those that execute bytecode, just-in-time compilers, + interpreters, or low-code/no-code application platforms. + + + + + + A software operating system without regard to deployment model + (i.e. installed on physical hardware, virtual machine, image, etc) Refer to + https://en.wikipedia.org/wiki/Operating_system + + + + + A hardware device such as a processor, or chip-set. A hardware device + containing firmware SHOULD include a component for the physical hardware itself, and another + component of type 'firmware' or 'operating-system' (whichever is relevant), describing + information about the software running on the device. + See also the list of known device properties: https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md + + + + + + A special type of software that operates or controls a particular type of device. + Refer to https://en.wikipedia.org/wiki/Device_driver + + + + + A special type of software that provides low-level control over a devices + hardware. Refer to https://en.wikipedia.org/wiki/Firmware + + + + + A computer file. Refer to https://en.wikipedia.org/wiki/Computer_file + for information about files. + + + + + A model based on training data that can make predictions or decisions without + being explicitly programmed to do so. + + + + + A collection of discrete values that convey information. + + + + + A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A license that grants use of software solely for the purpose + of education or research. + + + + + A license covering use of software embedded in a specific + piece of hardware. + + + + + A Client Access License (CAL) allows client computers to access + services provided by server software. + + + + + A Concurrent User license (aka floating license) limits the + number of licenses for a software application and licenses are shared among + a larger number of users. + + + + + A license where the core of a computer's processor is assigned + a specific number of points. + + + + + A license for which consumption is measured by non-standard + metrics. + + + + + A license that covers a defined number of installations on + computers and other types of devices. + + + + + A license that grants permission to install and use software + for trial purposes. + + + + + A license that grants access to the software to one or more + pre-defined users. + + + + + A license that grants access to the software on one or more + pre-defined computers or devices. + + + + + An Original Equipment Manufacturer license that is delivered + with hardware, cannot be transferred to other hardware, and is valid for the + life of the hardware. + + + + + A license where the software is sold on a one-time basis and + the licensee can use a copy of the software indefinitely. + + + + + A license where each installation consumes points per + processor. + + + + + A license where the licensee pays a fee to use the software + or service. + + + + + A license that grants access to the software or service by a + specified number of users. + + + + + Another license type. + + + + + + + + + + + + + + + + + + + + + + + + + + + Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats. + Refer to https://nvd.nist.gov/products/cpe for official specification. + + + + + + + + + + + + Specifies the full content of the SWID tag. + + + + + The URL to the SWID file. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Maps to the tagId of a SoftwareIdentity. + + + + + Maps to the name of a SoftwareIdentity. + + + + + Maps to the version of a SoftwareIdentity. + + + + + Maps to the tagVersion of a SoftwareIdentity. + + + + + Maps to the patch of a SoftwareIdentity. + + + + + + + + Defines a string representation of a UUID conforming to RFC 4122. + + + + + + + + + + + + Version Control System + + + + + Issue or defect tracking system, or an Application Lifecycle Management (ALM) system + + + + + Website + + + + + Security advisories + + + + + Bill-of-materials (SBOM, OBOM, HBOM, SaaSBOM, etc) + + + + + Mailing list or discussion group + + + + + Social media account + + + + + Real-time chat platform + + + + + Documentation, guides, or how-to instructions + + + + + Community or commercial support + + + + + The location where the source code distributable can be obtained. This is often an archive format such as zip or tgz. The source-distribution type complements use of the version control (vcs) type. + + + + + Direct or repository download location + + + + + The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary + + + + + + The URL to the license file. If a license URL has been defined in the license + node, it should also be defined as an external reference for completeness. + Example: https://www.apache.org/licenses/LICENSE-2.0.txt + + + + + + Build-system specific meta file (i.e. pom.xml, package.json, .nuspec, etc) + + + + + URL to an automated build system + + + + + URL to release notes + + + + + Specifies a way to contact the maintainer, supplier, or provider in the event of a security incident. Common URIs include links to a disclosure procedure, a mailto (RFC-2368) that specifies an email address, a tel (RFC-3966) that specifies a phone number, or dns (RFC-4501) that specifies the records containing DNS Security TXT. + + + + + A model card describes the intended uses of a machine learning model, potential + limitations, biases, ethical considerations, training parameters, datasets used to train the + model, performance metrics, and other relevant data useful for ML transparency. + + + + + A record of events that occurred in a computer system or application, such as problems, errors, or information on current operations. + + + + + Parameters or settings that may be used by other components or services. + + + + + Information used to substantiate a claim. + + + + + Describes the formulation of any referencable object within the BOM, including components, services, metadata, declarations, or the BOM itself. + + + + + Human or machine-readable statements containing facts, evidence, or testimony + + + + + An enumeration of identified weaknesses, threats, and countermeasures, dataflow diagram (DFD), attack tree, and other supporting documentation in human-readable or machine-readable format + + + + + The defined assumptions, goals, and capabilities of an adversary. + + + + + Identifies and analyzes the potential of future events that may negatively impact individuals, assets, and/or the environment. Risk assessments may also include judgments on the tolerability of each risk. + + + + + A Vulnerability Disclosure Report (VDR) which asserts the known and previously unknown vulnerabilities that affect a component, service, or product including the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component, service, or product. + + + + + A Vulnerability Exploitability eXchange (VEX) which asserts the known vulnerabilities that do not affect a product, product family, or organization, and optionally the ones that do. The VEX should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on the product, product family, or organization. + + + + + Results from an authorized simulated cyberattack on a component or service, otherwise known as a penetration test + + + + + SARIF or proprietary machine or human-readable report for which static analysis has identified code quality, security, and other potential issues with the source code + + + + + Dynamic analysis report that has identified issues such as vulnerabilities and misconfigurations + + + + + Report generated by analyzing the call stack of a running application + + + + + Report generated by Software Composition Analysis (SCA), container analysis, or other forms of component analysis + + + + + Report containing a formal assessment of an organization, business unit, or team against a maturity model + + + + + Industry, regulatory, or other certification from an accredited (if applicable) certification body + + + + + Report or system in which quality metrics can be obtained + + + + + Code or configuration that defines and provisions virtualized infrastructure, commonly referred to as Infrastructure as Code (IaC) + + + + + Plans of Action and Milestones (POA&M) complement an "attestation" external reference. POA&M is defined by NIST as a "document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones". + + + + + An e-signature is commonly a scanned representation of a written signature or a stylized script of the persons name. + + + + + A signature that leverages cryptography, typically public/private key pairs, which provides strong authenticity verification. + + + + + Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure) + + + + + References information about patents which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. For detailed patent information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96). + + + + + References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96). + + + + + References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM. + + + + + Use this if no other types accurately describe the purpose of the external reference + + + + + + + + + External references provide a way to document systems, sites, and information that may be + relevant, but are not included with the BOM. They may also establish specific relationships + within or external to the BOM. + + + + + + Zero or more external references can be defined + + + + + + + + + + The URI (URL or URN) to the external reference. External references + are URIs and therefore can accept any URL scheme including https, mailto, tel, and dns. + External references may also include formally registered URNs such as CycloneDX BOM-Link to + reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external + references into relationships that can be expressed in a BOM or across BOMs. Refer to: + https://cyclonedx.org/capabilities/bomlink/ + + + + + + + + A comment describing the external reference + + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Specifies the type of external reference. There are built-in types to describe common + references. If a type does not exist for the reference being referred to, use the "other" type. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Zero or more commits can be specified. + + + + + Specifies an individual commit. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + A unique identifier of the commit. This may be version control + specific. For example, Subversion uses revision numbers whereas git uses commit hashes. + + + + + + The URL to the commit. This URL will typically point to a commit + in a version control system. + + + + + + The author who created the changes in the commit + + + + + The person who committed or pushed the commit + + + + + The text description of the contents of the commit + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Zero or more patches can be specified. + + + + + Specifies an individual patch. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The patch file (or diff) that show changes. + Refer to https://en.wikipedia.org/wiki/Diff + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the purpose for the patch including the resolution of defects, + security issues, or new behavior or functionality + + + + + + + + + A patch which is not developed by the creators or maintainers of the software + being patched. Refer to https://en.wikipedia.org/wiki/Unofficial_patch + + + + + A patch which dynamically modifies runtime behavior. + Refer to https://en.wikipedia.org/wiki/Monkey_patch + + + + + A patch which takes code from a newer version of software and applies + it to older versions of the same software. Refer to https://en.wikipedia.org/wiki/Backporting + + + + + A patch created by selectively applying commits from other versions or + branches of the same software. + + + + + + + + + + A fault, flaw, or bug in software + + + + + A new feature or behavior in software + + + + + A special type of defect which impacts security + + + + + + + + + + Specifies the text of the diff + + + + + Specifies the URL to the diff + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + An individual issue that has been resolved. + + + + + + The identifier of the issue assigned by the source of the issue + + + + + The name of the issue + + + + + A description of the issue + + + + + + + The source of the issue where it is documented. + + + + + + + The name of the source. For example "National Vulnerability Database", + "NVD", and "Apache" + + + + + + + The url of the issue documentation as provided by the source + + + + + + + + + + A collection of URL's for reference. Multiple URLs are allowed. + Example: "https://example.com" + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Specifies the type of issue + + + + + + + + + The timestamp in which the action occurred + + + + + The name of the individual who performed the action + + + + + The email address of the individual who performed the action + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Component pedigree is a way to document complex supply chain scenarios where components are created, + distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing + this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to + document variants where the exact relation may not be known. + + + + + + Describes zero or more components in which a component is derived + from. This is commonly used to describe forks from existing projects where the forked version + contains a ancestor node containing the original component it was forked from. For example, + Component A is the original component. Component B is the component being used and documented + in the BOM. However, Component B contains a pedigree node with a single ancestor documenting + Component A - the original component from which Component B is derived from. + + + + + + Descendants are the exact opposite of ancestors. This provides a + way to document all forks (and their forks) of an original or root component. + + + + + + Variants describe relations where the relationship between the + components are not known. For example, if Component A contains nearly identical code to + Component B. They are both related, but it is unclear if one is derived from the other, + or if they share a common ancestor. + + + + + + A list of zero or more commits which provide a trail describing + how the component deviates from an ancestor, descendant, or variant. + + + + + A list of zero or more patches describing how the component + deviates from an ancestor, descendant, or variant. Patches may be complementary to commits + or may be used in place of commits. + + + + + Notes, observations, and other non-structured commentary + describing the components pedigree. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + The component or service that is a dependency of this dependency object. + + + + + + The component or service that define a given specification or standard, which is provided or implemented by this dependency object. + For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use. + + + + + + References a component or service by its bom-ref attribute + + + + + + + + References a component or service by its bom-ref attribute + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Defines the direct dependencies of a component or service. Components or services + that do not have their own dependencies must be declared as empty elements within the graph. + Components or services that are not represented in the dependency graph may have unknown + dependencies. It is recommended that implementations assume this to be opaque and not an + indicator of a object being dependency-free. It is recommended to leverage compositions to + indicate unknown dependency graphs. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that provides the service. + + + + + The grouping name, namespace, or identifier. This will often be a shortened, + single name of the company or project that produced the service or domain name. + Whitespace and special characters should be avoided. + + + + + The name of the service. This will often be a shortened, single name + of the service. + + + + + The service version. + + + + + Specifies a description for the service. + + + + + + The endpoint URIs of the service. Multiple endpoints are allowed. + Example: "https://example.com/api/v1/ticker" + + + + + + + A service endpoint URI. + + + + + + + + A boolean value indicating if the service requires authentication. + A value of true indicates the service requires authentication prior to use. + A value of false indicates the service does not require authentication. + + + + + A boolean value indicating if use of the service crosses a trust zone or boundary. + A value of true indicates that by using the service, a trust boundary is crossed. + A value of false indicates that by using the service, a trust boundary is not crossed. + + + + + The name of the trust zone the service resides in. + + + + + Specifies information about the data including the directional flow of data and the data classification. + + + + + + + DEPRECATED: Specifies the data classification. THIS FIELD IS DEPRECATED AS OF v1.5. Use `./dataflow/classification` instead + + + + + + Specifies the data classification. + + + + + + Specifies the data classification. + + + + + + The URI, URL, or BOM-Link of the components or services the data came in from. + + + + + + + + + + + + + + The URI, URL, or BOM-Link of the components or services the data is sent to. + + + + + + + + + + + + + + + + Name for the defined data. + + + + + + + Short description of the data content and usage. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + A list of assertions made regarding patents associated with this component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents. + + + + + + + + + + + Provides the ability to document external references related to the service. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + A list of services included or deployed behind the parent service. This is not a dependency + tree. It provides a way to specify a hierarchical representation of service assemblies. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + Specifies release notes. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the service elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies the data classification. + + + + + + Specifies the flow direction of the data. + + + + + + + + + Specifies the flow direction of the data. Valid values are: + inbound, outbound, bi-directional, and unknown. Direction is relative to the service. + Inbound flow states that data enters the service. Outbound flow states that data + leaves the service. Bi-directional states that data flows both ways, and unknown + states that the direction is not known. + + + + + + Data that enters a service. + + + + + + Data that exits a service. + + + + + Data flows in and out of the service. + + + + + The directional flow of data is not known. + + + + + + + + A list of SPDX licenses and/or named licenses and/or SPDX License Expression. + + + + + + + + + + + + + + Declared licenses represent the initial intentions of authors regarding + the licensing terms of their code. + + + + + + + Concluded licenses are verified and confirmed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Examines the source code without executing it. + + + + + + + Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal. + + + + + + + Examines a package management system such as those used for building software or installing software. + + + + + + + Examines the Abstract Syntax Tree (AST) of source code or a compiled binary. + + + + + + + Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software. + + + + + + + Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application. + + + + + + + Evaluates a running application. + + + + + + + Evaluates file name of a component against a set of known file names of identified software. + + + + + + + A testimony to the accuracy of the identify of a component made by an individual or entity. + + + + + + + Any other technique. + + + + + + + + + + + Evidence that substantiates the identity of a component. The identify may be an + object or an array of identity objects. Support for specifying identity as a single object was + introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is recommended that all + implementations are aware of "unbounded". + + + + + + The identity field of the component which the evidence describes. + + + + + The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + + + The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + + + + + The methods used to extract and/or analyze the evidence. + + + + + + + + + The technique used in this method of analysis. + + + + + The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence. + + + + + The value or contents of the evidence. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + Evidence of individual instances of a component spread across multiple locations. + + + + + + + + + The location or path to where the component was found. + + + + + The line number where the component was found. + + + + + The offset where the component was found. + + + + + The symbol name that was found associated with the component. + + + + + Any additional context of the detected component (e.g. a code snippet). + + + + + + + + An identifier which can be used to reference the occurrence elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + + + + + + Evidence of the components use through the callstack. + + + + + + + + + + Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations. + + + + + + + A package organizes modules into namespaces, providing a unique namespace for each type it contains. + + + + + A module or class that encloses functions/methods and other code. + + + + + A block of code designed to perform a particular task. + + + + + Arguments that are passed to the module or function. + + + + + + + + + + The line number the code that is called resides on. + + + + + The column the code that is called resides. + + + + + The full path and filename of the module. + + + + + + + + + + + + The object in the BOM identified by its bom-ref. This is often a component or service, + but may be any object type supporting bom-refs. Tools used for analysis should already + be defined in the BOM, either in the metadata/tools, components, or formulation. + + + + + + + + + + + + + + + + Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Specifies an aggregate type that describes how complete a relationship is. + + + + + + The bom-ref identifiers of the components or services being described. Assemblies refer to + nested relationships whereby a constituent part may include other constituent parts. References + do not cascade to child parts. References are explicit for the specified constituent part only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the components or services being described. Dependencies refer to a + relationship whereby an independent constituent part requires another independent constituent + part. References do not cascade to transitive dependencies. References are explicit for the + specified dependency only. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + The bom-ref identifiers of the vulnerabilities being described. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + An identifier which can be used to reference the composition elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist. + + + + + The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary. + + + + + The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource. + + + + + The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive. + + + + + The relationship completeness is not specified. + + + + + + + + + Defines a syntax for representing two character language code (ISO-639) followed by an optional two + character country code. The language code must be lower case. If the country code is specified, the + country code must be upper case. The language code and country code must be separated by a minus sign. + Examples: en, en-US, fr, fr-CA + + + + + + + + + + + + The software versioning type. It is recommended that the release type use one + of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software + release types is not practical, so standardizing on the recommended values, whenever possible, + is strongly encouraged. + * major = A major release may contain significant changes or may introduce breaking changes. + * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases. + * patch = Patch releases are typically unplanned and may resolve defects or important security issues. + * pre-release = A pre-release may include alpha, beta, or release candidates and typically have + limited support. They provide the ability to preview a release prior to its general availability. + * internal = Internal releases are not for public consumption and are intended to be used exclusively + by the project or manufacturer that produced it. + + + + + + The title of the release. + + + + + The URL to an image that may be prominently displayed with the release note. + + + + + The URL to an image that may be used in messaging on social media platforms. + + + + + A short description of the release. + + + + + The date and time (timestamp) when the release note was created. + + + + + + + + One or more alternate names the release may be referred to. This may + include unofficial terms used by development and marketing teams (e.g. code names). + + + + + + + + + + A collection of issues that have been resolved. + + + + + + + + + + + + + Zero or more release notes containing the locale and content. Multiple + note elements may be specified to support release notes in a wide variety of languages. + + + + + + + The ISO-639 (or higher) language code and optional ISO-3166 + (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA". + + + + + Specifies the full content of the release note. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A model card describes the intended uses of a machine learning model and potential limitations, including + biases and ethical considerations. Model cards typically contain the training parameters, which datasets + were used to train the model, performance metrics, and other relevant data useful for ML transparency. + This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified + for other component types. + + + + + + + Hyper-parameters for construction of the model. + + + + + + + + The overall approach to learning used by the model for problem solving. + + + + + + + + Learning types describing the learning problem or hybrid learning problem. + + + + + + + + + + Directly influences the input and/or output. Examples include classification, + regression, clustering, etc. + + + + + + + The model architecture family such as transformer network, convolutional neural + network, residual neural network, LSTM neural network, etc. + + + + + + + The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc. + + + + + + + The datasets used to train and evaluate the model. + + + + + + + References a data component by the components bom-ref attribute + + + + + + + + Inline Data Information + + + + + + + + + The input format(s) of the model + + + + + + + + + + + The data format for input to the model. Example formats include string, image, time-series + + + + + + + + + + + + + The output format(s) from the model + + + + + + + + + + + The data format for output from the model. Example formats include string, image, time-series + + + + + + + + + + + + + + + + A quantitative analysis of the model + + + + + + + + + + + + + + The type of performance metric. + + + + + + + The value of the performance metric. + + + + + + + The name of the slice this metric was computed on. By default, assume + this metric is not sliced. + + + + + + + The confidence interval of the metric. + + + + + + + + The lower bound of the confidence interval. + + + + + + + The upper bound of the confidence interval. + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements + + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding must be specified for binary images. + + + + + + + + + + + + + + + + + + + What considerations should be taken into account regarding the model's construction, training, + and application? + + + + + + + + Who are the intended users of the model? + + + + + + + + + + + + What are the intended use cases of the model? + + + + + + + + + + + + What are the known technical limitations of the model? E.g. What kind(s) of data + should the model be expected not to perform well on? What are the factors that might + degrade model performance? + + + + + + + + + + + + What are the known tradeoffs in accuracy/performance of the model? + + + + + + + + + + + + What are the ethical risks involved in the application of this model? + + + + + + + + + + + The name of the risk + + + + + + + Strategy used to address this risk + + + + + + + + + + + + + What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle? + + + + + + + How does the model affect groups at risk of being systematically disadvantaged? + What are the harms and benefits to the various affected groups? + + + + + + + + + + + The groups or individuals at risk of being systematically disadvantaged by the model. + + + + + + + Expected benefits to the identified groups. + + + + + + + Expected harms to the identified groups. + + + + + + + With respect to the benefits and harms outlined, please + describe any mitigation strategy implemented. + + + + + + + + + + + + + + + + + An identifier which can be used to reference the model card elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. + + + + + + + + + Describes various environmental impact metrics. + + + + + + + Describes energy consumption information incurred for one or more component lifecycle activities. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes energy consumption information incurred for the specified lifecycle activity. + + + + + + + The type of activity that is part of a machine learning model development or operational lifecycle. + + + + + + + + model design including problem framing, goal definition and algorithm selection. + + + + + + + model data acquisition including search, selection and transfer. + + + + + + + model data preparation including data cleaning, labeling and conversion. + + + + + + + model building, training and generalized tuning. + + + + + + + refining a trained model to produce desired outputs for a given problem space. + + + + + + + model validation including model output evaluation and testing. + + + + + + + explicit model deployment to a target hosting infrastructure. + + + + + + + generating an output response from a hosted model from a set of inputs. + + + + + + + a lifecycle activity type whose description does not match currently defined values. + + + + + + + + + + The provider(s) of the energy consumed by the associated model development lifecycle activity. + + + + + + + The total energy cost associated with the model lifecycle activity. + + + + + + + The CO2 cost (debit) equivalent to the total energy cost. + + + + + + + The CO2 offset (credit) for the CO2 equivalent cost. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + A measure of energy. + + + + + + + Quantity of energy. + + + + + + + Unit of energy. + + + + + + + + kilowatt-hour (kWh) is the energy delivered by one kilowatt (kW) of power for one hour (h). + + + + + + + + + + + + + A measure of carbon dioxide (CO2). + + + + + + + Quantity of carbon dioxide (CO2). + + + + + + + Unit of carbon dioxide (CO2). + + + + + + + + Tonnes (t) of carbon dioxide (CO2) equivalent (eq). + + + + + + + + + + + + + Describes the physical provider of energy used for model development or operations. + + + + + + + A description of the energy provider. + + + + + + + The organization of the energy provider. + + + + + + + The energy source for the energy provider. + + + + + + + + Energy produced by types of coal. + + + + + + + Petroleum products (primarily crude oil and its derivative fuel oils). + + + + + + + Hydrocarbon gas liquids (HGL) that occur as gases at atmospheric pressure and as liquids under higher pressures including Natural gas (C5H12 and heavier), Ethane (C2H6), Propane (C3H8), etc. + + + + + + + Energy produced from the cores of atoms (i.e., through nuclear fission or fusion). + + + + + + + Energy produced from moving air. + + + + + + + Energy produced from the sun (i.e., solar radiation). + + + + + + + Energy produced from heat within the earth. + + + + + + + Energy produced from flowing water. + + + + + + + Liquid fuels produced from biomass feedstocks (i.e., organic materials such as plants or animals). + + + + + + + The energy source is unknown. + + + + + + + An energy source that is not listed. + + + + + + + + + + The energy provided by the energy source for an associated activity. + + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the energy provider elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + An address used to identify a contactable location. + + + + + + + The country name or the two-letter ISO 3166-1 country code. + + + + + + + The region or state in the country. For example, Texas. + + + + + + + The locality or city within the country. For example, Austin. + + + + + + + The post office box number. For example, 901. + + + + + + + The postal code. For example, 78758. + + + + + + + The street address. For example, 100 Main Street. + + + + + + + + An identifier which can be used to reference the address elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + + Supervised machine learning involves training an algorithm on labeled + data to predict or classify new data based on the patterns learned from + the labeled examples. + + + + + + + Unsupervised machine learning involves training algorithms on unlabeled + data to discover patterns, structures, or relationships without explicit + guidance, allowing the model to identify inherent structures or clusters + within the data. + + + + + + + Reinforcement learning is a type of machine learning where an agent learns + to make decisions by interacting with an environment to maximize cumulative + rewards, through trial and error. + + + + + + + Semi-supervised machine learning utilizes a combination of labeled and + unlabeled data during training to improve model performance, leveraging + the benefits of both supervised and unsupervised learning techniques. + + + + + + + Self-supervised machine learning involves training models to predict parts + of the input data from other parts of the same data, without requiring + external labels, enabling learning from large amounts of unlabeled data. + + + + + + + + + + + + The general theme or subject matter of the data being specified. + + + + + + + The name of the dataset. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + A way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + Provides the ability to document name-value parameters used for configuration. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data in a dataset. + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of the dataset. Can describe size of dataset, whether it's used for source code, + training, testing, or validation, etc. + + + + + + + + + An identifier which can be used to reference the dataset elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. + + + + + + + + + + + Data custodians are responsible for the safe custody, transport, and storage of data. + + + + + + + + + + + + Data stewards are responsible for data content, context, and associated business rules. + + + + + + + + + + + + Data owners are concerned with risk and appropriate access to data. + + + + + + + + + + + + + + + + + + + + + + A collection of graphics that represent various measurements. + + + + + + + A description of this collection of graphics. + + + + + + + A collection of graphics. + + + + + + + + + + + The name of the graphic. + + + + + + + The graphic (vector or raster). Base64 encoding must be specified for binary images. + + + + + + + + + + + + + + + + + Any type of code, code snippet, or data-as-code. + + + + + Parameters or settings that may be used by other components. + + + + + A collection of data. + + + + + Data that can be used to create new instances of what the definition defines. + + + + + Any other type of data that does not fit into existing definitions. + + + + + + + + + References a component or service by its bom-ref attribute + + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + Specifies an individual property with a name and value. + + + + + + The name of the property. Duplicate names are allowed, each potentially having a different value. + + + + + + + + + + + Defines a weakness in a component or service that could be exploited or triggered by a threat source. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + Zero or more pointers to vulnerabilities that are the equivalent of the + vulnerability specified. Often times, the same vulnerability may exist in multiple sources of + vulnerability intelligence, but have different identifiers. References provide a way to + correlate vulnerabilities across multiple sources of vulnerability intelligence. + + + + + + A pointer to a vulnerability that is the equivalent of the + vulnerability specified. + + + + + + The identifier that uniquely identifies the vulnerability. For example: + CVE-2021-39182, GHSA-35m5-8cvj-8783, and SNYK-PYTHON-ENROCRYPT-1912876. + + + + + The source that published the vulnerability. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + List of vulnerability ratings. + + + + + + + + + + + + List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. + For example 399 (of https://cwe.mitre.org/data/definitions/399.html) + + + + + + + + + + A description of the vulnerability as provided by the source. + + + + + If available, an in-depth description of the vulnerability as provided by the + source organization. Details often include information useful in understanding root cause. + + + + + Recommendations of how the vulnerability can be remediated or mitigated. + + + + + A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments. + + + + + + + Evidence used to reproduce the vulnerability. + + + + + + Precise steps to reproduce the vulnerability. + + + + + A description of the environment in which reproduction was possible. + + + + + Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code. + + + + + + + + + + + + + + + Published advisories of the vulnerability if provided. + + + + + + + + + + The date and time (timestamp) when the vulnerability record was created in the vulnerability database. + + + + + The date and time (timestamp) when the vulnerability record was first published. + + + + + The date and time (timestamp) when the vulnerability record was last updated. + + + + + The date and time (timestamp) when the vulnerability record was rejected (if applicable). + + + + + Individuals or organizations credited with the discovery of the vulnerability. + + + + + + The organizations credited with vulnerability discovery. + + + + + + + + + + The individuals, not associated with organizations, that are credited with vulnerability discovery. + + + + + + + + + + + + + The tool(s) used to identify, confirm, or score the vulnerability. + + + + + + + DEPRECATED. Use `../components` or `../services` instead. + + + + + + + A list of software and hardware components used as tools. + + + + + A list of services used as tools. + + + + + + + + + + + An assessment of the impact and exploitability of the vulnerability. + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + A response to the vulnerability by the manufacturer, supplier, or + project responsible for the affected component or service. More than one response + is allowed. Responses are strongly encouraged for vulnerabilities where the analysis + state is exploitable. + + + + + + + + + + + Detailed description of the impact including methods used during assessment. + If a vulnerability is not exploitable, this field should include specific details + on why the component or service is not impacted by this vulnerability. + + + + + + + The date and time (timestamp) when the analysis was first issued. + + + + + + + The date and time (timestamp) when the analysis was last updated. + + + + + + + + + The components or services that are affected by the vulnerability. + + + + + + + + + References a component or service by the objects bom-ref. + + + + + + + + Zero or more individual versions or range of versions. + + + + + + + + + + A single version of a component or service. + + + + + A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/vers-spec + + + + + + + The vulnerability status for the version or range of versions. + + + + + + + + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + An identifier which can be used to reference the vulnerability elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + + + + + The name of the source. + For example: NVD, National Vulnerability Database, OSS Index, VulnDB, and GitHub Advisories + + + + + + The url of the vulnerability documentation as provided by the source. + For example: https://nvd.nist.gov/vuln/detail/CVE-2021-39182 + + + + + + + + + + + The source that calculated the severity or risk rating of the vulnerability. + + + + + The numerical score of the rating. + + + + + Textual representation of the severity that corresponds to the numerical score of the rating. + + + + + The risk scoring methodology/standard used. + + + + + Textual representation of the metric values used to score the vulnerability. + + + + + A reason for rating the vulnerability as it was. + + + + + + + + + + A name of the advisory. + + + + + Location where the advisory can be obtained. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + The organization that created the annotation + + + + + The person that created the annotation + + + + + The tool or component that created the annotation + + + + + The service that created the annotation + + + + + + + + + + + The objects in the BOM identified by their bom-ref's. This is often components or services, but may be any object type supporting bom-refs. + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + The organization, individual, component, or service which created the textual content + of the annotation. + + + + + The date and time (timestamp) when the annotation was created. + + + + + The textual content of the annotation. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the annotation elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Textual representation of the severity of the vulnerability adopted by the analysis method. If the + analysis method uses values other than what is provided, the user is expected to translate appropriately. + + + + + + Critical severity + + + + + High severity + + + + + Medium severity + + + + + Low severity + + + + + Informational warning. + + + + + None + + + + + The severity is not known + + + + + + + + + Declares the current state of an occurrence of a vulnerability, after automated or manual analysis. + + + + + + + The vulnerability has been remediated. + + + + + + + The vulnerability has been remediated and evidence of the changes are provided in the affected + components pedigree containing verifiable commit history and/or diff(s). + + + + + + + The vulnerability may be directly or indirectly exploitable. + + + + + + + The vulnerability is being investigated. + + + + + + + The vulnerability is not specific to the component or service and was falsely identified or associated. + + + + + + + The component or service is not affected by the vulnerability. Justification should be specified + for all not_affected cases. + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + + The code has been removed or tree-shaked. + + + + + + + The vulnerable code is not invoked at runtime. + + + + + + + Exploitability requires a configurable option to be set/unset. + + + + + + + Exploitability requires a dependency that is not present. + + + + + + + Exploitability requires a certain environment which is not present. + + + + + + + Exploitability requires a compiler flag to be set/unset. + + + + + + + Exploits are prevented at runtime. + + + + + + + Attacks are blocked at physical, logical, or network perimeter. + + + + + + + Preventative measures have been implemented that reduce the likelihood and/or impact of the vulnerability. + + + + + + + + + + Specifies the severity or risk scoring methodology or standard used. + + + + + + + Common Vulnerability Scoring System v2.0 standard as defined at https://www.first.org/cvss/v2/ + + + + + + + Common Vulnerability Scoring System v3.0 standard as defined at https://www.first.org/cvss/v3-0/ + + + + + + + Common Vulnerability Scoring System v3.1 standard as defined at https://www.first.org/cvss/v3-1/ + + + + + + + Common Vulnerability Scoring System v4.0 standard as defined at https://www.first.org/cvss/v4-0/ + + + + + + + OWASP Risk Rating as defined at https://owasp.org/www-community/OWASP_Risk_Rating_Methodology + + + + + + + Stakeholder Specific Vulnerability Categorization as defined at https://github.com/CERTCC/SSVC + + + + + + + Another severity or risk scoring methodology + + + + + + + + + + The rationale of why the impact analysis state was asserted. + + + + + + Can not fix + + + + + Will not fix + + + + + Update to a different revision or release + + + + + Revert to a previous revision or release + + + + + There is a workaround available + + + + + + + + + The vulnerability status of a given version or range of versions of a product. The statuses + 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. + The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. + There can be many reasons for an 'unknown' status, including that an investigation has not been + undertaken or that a vendor has not disclosed the status. + + + + + + The version is affected by the vulnerability. + + + + + The version is not affected by the vulnerability. + + + + + It is unknown (or unspecified) whether the given version is affected. + + + + + + + + + Describes the formulation of any referencable object within the BOM, + including components, services, metadata, declarations, or the BOM itself. This may + encompass how the object was created, assembled, deployed, tested, certified, or otherwise + brought into its present form. Common examples include software build pipelines, + deployment processes, AI/ML model training, cryptographic key generation or certification, + and third-party audits. Processes are modeled using declared and observed formulas, + composed of workflows, tasks, and individual steps. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Describes workflows and resources that captures rules and other aspects of how the associated + BOM component or service was formed. + + + + + + Transient components that are used in tasks that constitute one or more of + this formula's workflows + + + + + Transient services that are used in tasks that constitute one or more of + this formula's workflows + + + + + List of workflows that can be declared to accomplish specific orchestrated goals + and independently triggered. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + An identifier which can be used to reference the formula elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + References to component or service resources that are used to realize + the resource instance. + + + + + The tasks that comprise the workflow. + + + + + The graph of dependencies between tasks within the workflow. + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + The trigger that initiated the task. + + + + + + The sequence of steps for the task. + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor + or task commands + + + + + + + + + + Represents resources and data output from a task at runtime by executor + or task commands + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + A graph of the component runtime topology for workflow's instance. + A description of the runtime component and service topology. This can describe a partial or + complete topology used to host and execute the task (e.g., hardware, operating systems, + configurations, etc.) + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + References an object by its bom-ref attribute + + + + + + + + + + Reference to an externally accessible resource. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Indicates the types of activities performed by the set of workflow tasks. + + + + + + + + + + + + The trigger that initiated the task. + + + + + + + The sequence of steps for the task. + + + + + + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands. + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + + The date and time (timestamp) when the task started. + + + + + + + The date and time (timestamp) when the task ended. + + + + + + + A set of named filesystem or data resource shareable by workflow tasks. + + + + + + + A graph of the component runtime topology for task's instance. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the task elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + A task that copies software or data used to accomplish other tasks in the workflow. + + + + + A task that clones a software repository into the workflow in order to retrieve its source code or data for use in a build step. + + + + + A task that checks source code for programmatic and stylistic errors. + + + + + A task that performs a scan against source code, or built or deployed components and services. Scans are typically run to gather or test for security vulnerabilities or policy compliance. + + + + + A task that merges changes or fixes into source code prior to a build step in the workflow. + + + + + A task that builds the source code, dependencies and/or data into an artifact that can be deployed to and executed on target systems. + + + + + A task that verifies the functionality of a component or service. + + + + + A task that delivers a built artifact to one or more target repositories or storage systems. + + + + + A task that deploys a built artifact for execution on one or more target systems. + + + + + A task that releases a built, versioned artifact to a target repository or distribution system. + + + + + A task that cleans unnecessary tools, build artifacts and/or data from workflow storage. + + + + + A workflow task that does not match current task type definitions. + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A named filesystem or data resource shareable by workflow tasks. + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping + so other tasks can use their own local name in their steps. + + + + + + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + Describes the read-write access control for the workspace relative to the owning resource instance. + + + + + + + A path to a location on disk where the workspace will be available to the associated task's steps. + + + + + + + The name of a domain-specific data type the workspace represents. This property is for CI/CD + frameworks that are able to provide access to structured, managed data at a more granular level + than a filesystem. + + + + + + + Identifies the reference to the request for a specific volume type and parameters. + + + + + + + Information about the actual volume instance allocated to the workspace. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the workflow elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + An identifiable, logical unit of data storage tied to a physical device. + + + + + + + The unique identifier for the volume instance within its deployment context. + + + + + + + The name of the volume instance + + + + + + + The mode for the volume instance. + + + + + + + The underlying path created from the actual volume. + + + + + + + The allocated size of the volume accessible to the associated workspace. This should include + the scalar size as well as IEC standard unit in either decimal or binary form. + + + + + + + Indicates if the volume persists beyond the life of the resource it is associated with. + + + + + + + Indicates if the volume is remotely (i.e., network) attached. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + + + + + Executes specific commands or tools in order to accomplish its owning task as part of a sequence. + + + + + + + A name for the step. + + + + + + + A description of the step. + + + + + + + Ordered list of commands or directives for the step + + + + + + + + + + + A text representation of the executed command. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + The unique identifier for the resource instance within its deployment context. + + + + + + + The name of the resource instance. + + + + + + + The description of the resource instance. + + + + + + + References to component or service resources that are used to realize the resource instance. + + + + + + + The source type of event which caused the trigger to fire. + + + + + + + The event data that caused the associated trigger to activate. + + + + + + A list of conditions used to determine if a trigger should be activated. + + + + + + + A condition that was used to determine a trigger should be activated. + + + + + + + + Describes the set of conditions which cause the trigger to activate. + + + + + + + The logical expression that was evaluated that determined the trigger should be fired. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + + + + + + + The date and time (timestamp) when the trigger was activated. + + + + + + + Represents resources and data brought into a task at runtime by executor or task commands + + + + + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the trigger elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + The unique identifier of the event. + + + + + + + A description of the event. + + + + + + + The date and time (timestamp) when the event was received. + + + + + + + Encoding of the raw event data. + + + + + + + References the component or service that was the source of the event + + + + + + + References the component or service that was the target of the event + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Type that represents various input data types and formats. + + + + + + + + A reference to an independent resource provided as an input to a task by the workflow runtime. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + Inputs that have the form of parameters with names and values. + + + + + + + + + + + + + + + + Inputs that have the form of data. + + + + + + + + A references to the component or service that provided the input to the task + (e.g., reference to a service with data flow value of inbound) + + + + + + + A reference to the component or service that received or stored the input if not the task + itself (e.g., a local, named storage workspace) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Represents resources and data output from a task at runtime by executor or task commands + + + + + + + + A reference to an independent resource generated as output by the task. + + + + + + + Outputs that have the form of environment variables. + + + + + + + + + + + + + + + + Outputs that have the form of data. + + + + + + + + Describes the type of data output. + + + + + + + Component or service that generated or provided the output from the task (e.g., a build tool) + + + + + + + Component or service that received the output from the task + (e.g., reference to an artifactory service with data flow value of outbound) + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + + + + + + + + + + + + + + + A representation of a functional parameter. + + + + + + + The name of the parameter. + + + + + + + The value of the parameter. + + + + + + + The data type of the parameter. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + Cryptographic assets have properties that uniquely define them and that make them actionable for + further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) + or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the + algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. + The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. + + + + + + + Cryptographic assets occur in several forms. Algorithms and protocols are most commonly + implemented in specialized cryptographic libraries. They may however also be 'hardcoded' + in software components. Certificates and related cryptographic material like keys, tokens, + secrets or passwords are other cryptographic assets to be modelled. + + + + + + + + Mathematical function commonly used for data encryption, authentication, and + digital signatures. + + + + + + + An electronic document that is used to provide the identity or validate a public key. + + + + + + + A set of rules and guidelines that govern the behavior and communication with each other. + + + + + + + Other cryptographic assets that are related to algorithms, certificate, and protocols + such as keys and tokens. + + + + + + + + + + Additional properties specific to a cryptographic algorithm. + + + + + + + + Cryptographic building blocks used in higher-level cryptographic systems and + protocols. Primitives represent different cryptographic routines: deterministic + random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message + authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), + streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), + public-key encryption schemes (pke, e.g. RSA), extended output functions + (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement + algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated + encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms + (combiner, e.g. SP800-56Cr2). + + + + + + + + Deterministic Random Bit Generator (DRBG) is a type of pseudorandom + number generator designed to produce a sequence of bits from an initial + seed value. DRBGs are commonly used in cryptographic applications where + reproducibility of random values is important. + + + + + + + In cryptography, a Message Authentication Code (MAC) is information + used for authenticating and integrity-checking a message. + + + + + + + A block cipher is a symmetric key algorithm that operates on fixed-size + blocks of data. It encrypts or decrypts the data in block units, + providing confidentiality. Block ciphers are widely used in various + cryptographic modes and protocols for secure data transmission. + + + + + + + A stream cipher is a symmetric key cipher where plaintext digits are + combined with a pseudorandom cipher digit stream (keystream). + + + + + + + In cryptography, a signature is a digital representation of a message + or data that proves its origin, identity, and integrity. Digital + signatures are generated using cryptographic algorithms and are widely + used for authentication and verification in secure communication. + + + + + + + A hash function is a mathematical algorithm that takes an input + (or 'message') and produces a fixed-size string of characters, which is + typically a hash value. Hash functions are commonly used in various + cryptographic applications, including data integrity verification and + password hashing. + + + + + + + Public Key Encryption (PKE) is a type of encryption that uses a pair of + public and private keys for secure communication. The public key is used + for encryption, while the private key is used for decryption. PKE is a + fundamental component of public-key cryptography. + + + + + + + An XOF is an extendable output function that can take arbitrary input + and creates a stream of output, up to a limit determined by the size of + the internal state of the hash function that underlies the XOF. + + + + + + + A Key Derivation Function (KDF) derives key material from another source + of entropy while preserving the entropy of the input. + + + + + + + In cryptography, a key-agreement is a protocol whereby two or more + parties agree on a cryptographic key in such a way that both influence + the outcome. + + + + + + + A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for + transporting random keying material to a recipient using the recipient's + public key. + + + + + + + Authenticated Encryption (AE) is a cryptographic process that provides + both confidentiality and data integrity. It ensures that the encrypted + data has not been tampered with and comes from a legitimate source. + AE is commonly used in secure communication protocols. + + + + + + + A combiner aggregates many candidates for a cryptographic primitive and + generates a new candidate for the same primitive. + + + + + + + Key-wrap is a cryptographic technique used to securely encrypt and + protect cryptographic keys using algorithms like AES. + + + + + + + Another primitive type. + + + + + + + The primitive is not known. + + + + + + + + + + A valid algorithm family identifier. + If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for XML is not available. + + + + + + + An identifier for the parameter set of the cryptographic algorithm. Examples: in + AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the + digest length, '128' in SHAKE128 identifies its maximum security level in bits, and + 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./ellipticCurve` instead. + The specific underlying Elliptic Curve (EC) definition employed which is an indicator + of the level of security strength, performance and complexity. Absent an + authoritative source of curve names, CycloneDX recommends use of curve names as + defined at https://neuromancer.sk/std/, the source from which can be found at + https://github.com/J08nY/std-curves. + + + + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. + If specified, this value must be one of the enumeration of valid elliptic curves identifiers defined in the `cryptography-defs.schema.json` subschema. A corresponding schema for XML is not available. + + + + + + + The target and execution environment in which the algorithm is implemented in. + + + + + + + + A software implementation running in plain unencrypted RAM. + + + + + + + A software implementation running in encrypted RAM. + + + + + + A software implementation running in a trusted execution environment. + + + + + + A hardware implementation. + + + + + + Another implementation environment. + + + + + + The execution environment is not known. + + + + + + + + + + The target platform for which the algorithm is implemented. The implementation can + be 'generic', running on any platform or for a specific platform. + + + + + + + + + + + + + + + + + + + + + + + + + The certification that the implementation of the cryptographic algorithm has + received, if any. Certifications include revisions and levels of FIPS 140 or + Common Criteria of different Extended Assurance Levels (CC-EAL). + + + + + + + + No certification obtained + + + + + + + FIPS 140-1 Level 1 + + + + + + + FIPS 140-1 Level 2 + + + + + + + FIPS 140-1 Level 3 + + + + + + + FIPS 140-1 Level 4 + + + + + + + FIPS 140-2 Level 1 + + + + + + + FIPS 140-2 Level 2 + + + + + + + FIPS 140-2 Level 3 + + + + + + + FIPS 140-2 Level 4 + + + + + + + FIPS 140-3 Level 1 + + + + + + + FIPS 140-3 Level 2 + + + + + + + FIPS 140-3 Level 3 + + + + + + + FIPS 140-3 Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 1 + + + + + + + Common Criteria - Evaluation Assurance Level 1 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 2 + + + + + + + Common Criteria - Evaluation Assurance Level 2 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 3 + + + + + + + Common Criteria - Evaluation Assurance Level 3 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 4 + + + + + + + Common Criteria - Evaluation Assurance Level 4 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 5 + + + + + + + Common Criteria - Evaluation Assurance Level 5 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 6 + + + + + + + Common Criteria - Evaluation Assurance Level 6 (Augmented) + + + + + + + Common Criteria - Evaluation Assurance Level 7 + + + + + + + Common Criteria - Evaluation Assurance Level 7 (Augmented) + + + + + + + Another certification + + + + + + + The certification level is not known + + + + + + + + + + The mode of operation in which the cryptographic algorithm (block cipher) is used. + + + + + + + + Cipher block chaining + + + + + + + Electronic codebook + + + + + + + Counter with cipher block chaining message authentication code + + + + + + + Galois/counter + + + + + + + Cipher feedback + + + + + + + Output feedback + + + + + + + Counter + + + + + + + Another mode of operation + + + + + + + The mode of operation is not known + + + + + + + + + + The padding scheme that is used for the cryptographic algorithm. + + + + + + + + Password-Based Cryptography Specification #5 + + + + + + + Public Key Cryptography Standard: Cryptographic Message Syntax + + + + + + + Public Key Cryptography Standard: RSA Cryptography v1.5 + + + + + + + Optimal asymmetric encryption padding + + + + + + + Raw + + + + + + + Another padding scheme + + + + + + + The padding scheme is not known + + + + + + + + + + The cryptographic functions implemented by the cryptographic algorithm. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The classical security level that a cryptographic algorithm provides (in bits). + + + + + + + + + + + + The NIST security strength category as defined in + https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). + A value of 0 indicates that none of the categories are met. + + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'certificate' + + + + + + + + The serial number is a unique identifier for the certificate issued by a CA. + + + + + + + The subject name for the certificate + + + + + + + The issuer name for the certificate + + + + + + + The date and time according to ISO-8601 standard from which the certificate is valid + + + + + + + The date and time according to ISO-8601 standard from which the certificate is not valid anymore + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. + The bom-ref to signature algorithm used by the certificate + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. + The bom-ref to the public key of the subject + + + + + + + The format of the certificate. Examples include X.509, PEM, DER, and CVC + + + + + + + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./certificateFileExtension` instead. + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + The fingerprint is a cryptographic hash of the certificate excluding it's signature. + + + + + + + The certificate lifecycle is a comprehensive process that manages digital + certificates from their initial creation to eventual expiration or revocation. + It typically involves several stages. + + + + + + + + + + A pre-defined state in the certificate lifecycle. + + + + + + + + The certificate has been issued by the issuing + certificate authority (CA) but has not been authorized + for use. + + + + + + + The certificate may be used to cryptographically protect + information, cryptographically process previously protected + information, or both. + + + + + + + Certificates in the deactivated state shall not be used + to apply cryptographic protection but, in some cases, + may be used to process cryptographically protected + information. + + + + + + + The use of a certificate may be suspended for several + possible reasons. + + + + + + + A revoked certificate is a digital certificate that has + been invalidated by the issuing certificate authority (CA) + before its scheduled expiration date. + + + + + + + The certificate has been destroyed. + + + + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + The name of the certificate lifecycle state. + + + + + + + The description of the certificate lifecycle state. + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + + The date and time (timestamp) when the certificate was created or pre-activated. + + + + + + + The date and time (timestamp) when the certificate was activated. + + + + + + + The date and time (timestamp) when the related certificate was deactivated. + + + + + + + The date and time (timestamp) when the certificate was revoked. + + + + + + + The date and time (timestamp) when the certificate was destroyed. + + + + + + + A certificate extension is a field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + + + + + + + + Extension: This can be either a common extension + (with a well-known name and value) or a custom extension + (for application or vendor-specific data). + + + + + + + + + + The name of the extension. + + + + + + + + Specifies whether a certificate can be used as a CA certificate or not. + + + + + + + Specifies the allowed uses of the public key in the certificate. + + + + + + + Specifies additional purposes for which the public key can be used. + + + + + + + Allows inclusion of additional names to identify the entity associated with the certificate. + + + + + + + Identifies the public key of the CA that issued the certificate. + + + + + + + Identifies the public key associated with the entity the certificate was issued to. + + + + + + + Contains CA issuers and OCSP information. + + + + + + + Defines the policies under which the certificate was issued and can be used. + + + + + + + Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained. + + + + + + + Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof. + + + + + + + + + + The value of the certificate extension. + + + + + + + + + + The name for the custom certificate extension. + + + + + + + The description of the custom certificate extension. + + + + + + + + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + + + + + + + + Properties for cryptographic assets of asset type 'relatedCryptoMaterial' + + + + + + + + The type for the related cryptographic material + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The unique identifier for the related cryptographic material. + + + + + + + The key state as defined by NIST SP 800-57. + + + + + + + + + + + + + + + + + The bom-ref to the algorithm used to generate the related cryptographic material. + + + + + + + The date and time (timestamp) when the related cryptographic material was created. + + + + + + + The date and time (timestamp) when the related cryptographic material was activated. + + + + + + + The date and time (timestamp) when the related cryptographic material was updated. + + + + + + + The date and time (timestamp) when the related cryptographic material expires. + + + + + + + The associated value of the cryptographic material. + + + + + + + The size of the cryptographic asset (in bits). + + + + + + + The format of the related cryptographic material (e.g. P8, PEM, DER). + + + + + + + The mechanism by which the cryptographic asset is secured by. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples include HSM, TPM, XGX, Software, and None. + + + + + + + The bom-ref to the algorithm. + + + + + + + + + + The fingerprint is a cryptographic hash of the related cryptographic material, excluding it's signature. + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + + + + + + + + Properties specific to cryptographic assets of type: 'protocol'. + + + + + + + + The concrete protocol type. + + + + + + + + Transport Layer Security + + + + + + + Secure Shell + + + + + + + Internet Protocol Security + + + + + + + Internet Key Exchange + + + + + + + Secure Socket Tunneling Protocol + + + + + + + Wi-Fi Protected Access + + + + + + + Datagram Transport Layer Security + + + + + + + Quick UDP Internet Connections + + + + + + + Extensible Authentication Protocol variant + + + + + + + Enhanced version of EAP-AKA + + + + + + + Protection of Inter-Network Signaling + + + + + + + Authentication and Key Agreement for 5G + + + + + + + Another protocol type + + + + + + + The protocol type is not known + + + + + + + + + + The version of the protocol. Examples include 1.0, 1.2, and 1.99. + + + + + + + A list of cipher suites related to the protocol. + + + + + + + + + + + A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM + + + + + + + A list of algorithms related to the cipher suite. + + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + A list of common identifiers for the cipher suite. + + + + + + + + Cipher suite identifier. Examples include 0xC0 and 0x9E. + + + + + + + + + + A list of TLS named groups (formerly known as curves) for + this cipher suite. These groups define the parameters for + key exchange algorithms like ECDHE. + + + + + + + + The name of the TLS group. + Example values: x25519, ffdhe2048 + + + + + + + + + + A list of signature schemes supported for cipher suite. + These schemes specify the algorithms used for digital + signatures in TLS handshakes and certificate verification. + + + + + + + + The name of the TLS signature scheme. + Example values: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, ed25519 + + + + + + + + + + + + + + + + The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, + and additional properties. + + + + + + + + Transform Type 1: encryption algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the encryption method. + Example: ENCR_AES_GCM_16 + + + + + + + The key length of the encryption algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Transform Type 2: pseudorandom functions + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the pseudorandom function. + Example: PRF_HMAC_SHA2_256 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Transform Type 3: integrity algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the integrity algorithm. + Example: AUTH_HMAC_SHA2_256_128 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A group identifier for the key exchange algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + Specifies if an Extended Sequence Number (ESN) is used. + + + + + + + IKEv2 Authentication method + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) + + + + + + + + A name for the authentication method. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + + + A protocol-related cryptographic assets + + + + + + + + + The object identifier (OID) of the cryptographic asset. + + + + + + + + + + + + The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment. + + + + + + + + The assessor who evaluates claims and determines conformance to requirements and confidence in that assessment. + + + + + + + + The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor. + + + + + + + The entity issuing the assessment. + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of attestations asserted by an assessor that maps requirements to claims. + + + + + + + + An attestation asserted by an assessor that maps requirements to claims. + + + + + + + + The short description explaining the main points of the attestation. + + + + + + + The `bom-ref` to the assessor asserting the attestation. + + + + + + + The grouping of requirements to claims and the attestors declared conformance and confidence thereof. + + + + + + + + The `bom-ref` to the requirement being attested to. + + + + + + + The list of `bom-ref` to the claims being attested to. + + + + + + + + The `bom-ref` to the claim being attested to. + + + + + + + + + + The list of `bom-ref` to the counter claims being attested to. + + + + + + + + The `bom-ref` to the counter claim being attested to. + + + + + + + + + + The conformance of the claim meeting a requirement. + + + + + + + + The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance. + + + + + + + + + + + + + The rationale for the score of conformance. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + + + + The confidence of the claim meeting the requirement. + + + + + + + + The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence. + + + + + + + + + + + + + The rationale for the confidence score. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + The list of claims. + + + + + + + + + + + The `bom-ref` to a target representing a specific system, application, + API, module, team, person, process, business unit, company, etc... + that this claim is being applied to. + + + + + + + The specific statement or assertion about the target. + + + + + + + The list of `bom-ref` to the evidence provided describing the + mitigation strategies. Each mitigation strategy should include an + explanation of how any weaknesses in the evidence will be mitigated. + + + + + + + + + + + + The written explanation of why the evidence provided substantiates the claim. + + + + + + + The list of `bom-ref` to evidence that supports this claim. + + + + + + + The list of `bom-ref` to counterEvidence that supports this claim. + + + + + + Provides the ability to document external references related to the claim the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of evidence + + + + + + + + The list of evidence + + + + + + + + The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/). + + + + + + + The written description of what this evidence is and how it was created. + + + + + + + The output or analysis that supports claims. + + + + + + + + The name of the data. + + + + + + + The contents or references to the contents of the data being described. + + + + + + + A way to include textual or encoded data. + + + + + The URL to where the data can be retrieved. + + + + + + + + + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + + + + + + A description of any sensitive data. + + + + + + + + + + The date and time (timestamp) when the evidence was created. + + + + + The date and time (timestamp) when the evidence is no longer valid. + + + + + The author of the evidence. + + + + + The reviewer of the evidence. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + A identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of targets which claims are made against. + + + + + + + + The list of organizations which claims are made against. + + + + + + + + + + + + The list of components which claims are made against. + + + + + + + + + + + + The list of services which claims are made against. + + + + + + + + + + + + + + + A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. + It includes a list of authorized signatories who assert the validity of the document on behalf of the organization. + + + + + + + + The brief statement affirmed by an individual regarding all declarations. + This could be an affirmation of acceptance by a third-party auditor or receiving + individual of a file. For example: "I certify, to the best of my knowledge, that all information is correct." + + + + + + + The list of signatories authorized on behalf of an organization to assert validity of this document. + + + + + + + + + + + The signatory's name. + + + + + + + The signatory's role within an organization. + + + + + + + The signatory's organization. + + + + + + + An External reference provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + + + + + + + + + + + + + + + + The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to. + + + + + + + The name of the standard. This will often be a shortened, single name of the standard. + + + + + + + The version of the standard. + + + + + + + The description of the standard. + + + + + + + The owner of the standard, often the entity responsible for its release. + + + + + + + The list of requirements comprising the standard. + + + + + + + + + + + The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref. + + + + + + + The title of the requirement. + + + + + + + The textual content of the requirement. + + + + + + + The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement. + + + + + + + + + + + + The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders. + + + + + + + + + + + + The `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents. + + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + + The list of levels associated with the standard. Some standards have different levels of compliance. + + + + + + + + + + + The identifier used in the standard to identify a specific level. + + + + + + + The title of the level. + + + + + + + The description of the level. + + + + + + + The list of requirement `bom-ref`s that comprise the level. + + + + + + + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + An identifier which can be used to reference the object elsewhere + in the BOM. Every `bom-ref` must be unique within the BOM. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + Textual strings that aid in discovery, search, and retrieval of the associated + object. Tags often serve as a way to group or categorize similar or related objects by various + attributes. + + Examples include: + "json-parser", "object-persistence", "text-to-image", "translation", and "object-detection" + + + + + + + + + + A patent family is a group of related patent applications or granted patents that cover the same or similar invention. These patents are filed in multiple jurisdictions to protect the invention across different regions or countries. A patent family typically includes patents that share a common priority date, originating from the same initial application, and may vary slightly in scope or claims to comply with regional legal frameworks. Fields align with WIPO ST.96 standards where applicable. + + + + + + The unique identifier for the patent family, aligned with the `id` attribute in WIPO ST.96 v8.0's `PatentFamilyType`. Refer to [PatentFamilyType in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentFamilyType.xsd). + + + + + + A collection of patents or applications that belong to this family, each identified by a `bom-ref` pointing to a patent object defined elsewhere in the BOM. + + + + + + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + A patent is a legal instrument, granted by an authority, that confers certain rights over an invention for a specified period, contingent on public disclosure and adherence to relevant legal requirements. The summary information in this object is aligned with [WIPO ST.96](https://www.wipo.int/standards/en/st96/) principles where applicable. + + + + + + The unique number assigned to the granted patent by the issuing authority. Aligned with `PatentNumber` in WIPO ST.96. Refer to [PatentNumber in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PatentNumber.xsd). + + + + + + + + This is the number assigned to a patent application once it is published. Patent applications are generally published 18 months after filing (unless an applicant requests non-publication). This number is distinct from the application number. + + Purpose: Identifies the publicly available version of the application. + + Format: Varies by jurisdiction, often similar to application numbers but includes an additional suffix indicating publication. + + Example: + - US: US20240000123A1 (indicates the first publication of application US20240000123) + - Europe: EP23123456A1 (first publication of European application EP23123456). + + WIPO ST.96 v8.0: + - Publication Number field: https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/PublicationNumber.xsd + + + + + The title of the patent, summarising the invention it protects. Aligned with `InventionTitle` in WIPO ST.96. Refer to [InventionTitle in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/InventionTitle.xsd). + + + + + A brief summary of the invention described in the patent. Aligned with `Abstract` and `P` in WIPO ST.96. Refer to [Abstract in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/Abstract.xsd). + + + + + The date the patent application was filed with the jurisdiction. Aligned with `FilingDate` in WIPO ST.96. Refer to [FilingDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/FilingDate.xsd). + + + + + The date the patent was granted by the jurisdiction. Aligned with `GrantDate` in WIPO ST.96. Refer to [GrantDate in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Patent/GrantDate.xsd). + + + + + The date the patent expires. Derived from grant or filing date according to jurisdiction-specific rules. + + + + + Indicates the current legal status of the patent or patent application, based on the WIPO ST.27 standard. This status reflects administrative, procedural, or legal events. Values include both active and inactive states and are useful for determining enforceability, procedural history, and maintenance status. + + + + + Organisations or individuals to whom the patent rights are assigned. Supports joint ownership. + + + + + External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + An assertion linking a patent or patent family to a component or service. This allows expression of ownership, licensing, third-party claims, and other legal relationships. + + + + + + The type of assertion being made (e.g. ownership, license, third-party-claim, etc.). + + + + + A list of references (`bom-ref`) linking to patents or families associated with this assertion. + + + + + + + + + + The organisation, individual, or BOM reference asserting the patent claim. + + + + + + + + + + + + Additional clarifications regarding the assertion, such as geographic or temporal constraints. + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + The legal status of the patent, reflecting various administrative or judicial states a patent or application may be in. Aligned with concepts in WIPO ST.27. + + + + + The patent application has been filed but not yet examined or granted. + + + The patent application has been examined and a patent has been issued. + + + The patent has been declared invalid through a legal or administrative process. + + + The patent has reached the end of its enforceable term. + + + The patent is no longer in force due to non-payment of maintenance fees or other requirements. + + + The patent application was voluntarily withdrawn by the applicant. + + + The patent application was abandoned, often due to lack of action or response. + + + Processing of the patent application has been temporarily halted. + + + A previously abandoned or lapsed patent has been reinstated. + + + The patent application or granted patent is under formal opposition proceedings. + + + The patent or application has been officially terminated. + + + The patent has been invalidated, either in part or in full. + + + The granted patent is active and enforceable. + + + + + + + + Specifies the type of assertion made about a patent or patent family. Enables documentation of legal, ownership, or usage-related claims. + + + + + The manufacturer asserts ownership of the patent or patent family. + + + The manufacturer asserts they have a license to use the patent or patent family. + + + A third party has asserted a claim or potential infringement against the manufacturer’s component or service. + + + The patent is part of a standard essential patent (SEP) portfolio relevant to the component or service. + + + The manufacturer asserts the patent or patent family as prior art that invalidates another patent or claim. + + + The manufacturer asserts exclusive rights granted through a licensing agreement. + + + The manufacturer asserts they will not enforce the patent or patent family against certain uses or users. + + + The patent or patent family is being used under a research or evaluation license. + + + + + + + + + + + + + + The jurisdiction or patent office where the priority application was filed, specified using WIPO ST.3 codes. Aligned with `IPOfficeCode` in ST.96. Refer to [IPOfficeCode in ST.96](https://www.wipo.int/standards/XMLSchema/ST96/V8_0/Common/IPOfficeCode.xsd). + + + + + + + + + + + The date the priority application was filed. Aligned with `FilingDate` in WIPO ST.96. + + + + + + + + + The priorityApplication contains the essential data necessary to identify and reference an earlier patent filing for priority rights. In line with WIPO ST.96 guidelines, it includes the jurisdiction (office code), application number, and filing date-the three key elements that uniquely specify the priority application in a global patent context. + + + + + + + + + + + + + + + Details a specific attribution of data within the BOM to a contributing entity or process. + + + + + + + + + + Details a specific attribution of data within the BOM to a contributing entity or process. + + + + + + Exactly one of the "pointers" or "expressions" elements must be present. + + + + + + + One or more JSON Pointers(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies. + + + + + + + + A JSON Pointer(https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies. + Users of other serialisation formats (e.g. XML) shall use the JSON Pointer format to ensure consistent field referencing across representations. + + + + + + + + + + One or more path expressions used to locate values within a BOM. + + + + + + + + Specifies a path expression used to locate a value within a BOM. The expression syntax shall conform to the format of the BOM's serialisation. + Use [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) for JSON, [XPath](https://www.w3.org/TR/xpath/) for XML, and default to JSONPath for Protocol Buffers unless otherwise specified. + Implementers shall ensure the expression is valid within the context of the applicable serialisation format. + + + + + + + + + + + The date and time when the attribution was made or the information was supplied. + + + + + + + The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information. + At least one of the "attributedTo" or "process" elements must be present. + + + + + + + The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data. + At least one of the "attributedTo" or "process" elements must be present. + + + + + + + An description or comment about the context or quality of the data attribution. + + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + + + An identifier which can be used to reference the object elsewhere in the BOM. + Uniqueness is enforced within all elements and children of the root-level bom element. + + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + + Provides additional information about a BOM. + + + + + A list of software and hardware components. + + + + + A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services. + + + + + Provides the ability to document external references related to the BOM or + to the project the BOM describes. + + + + + Provides the ability to document dependency relationships. + + + + + Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described. + + + + + Provides the ability to document properties in a name/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is optional. + + + + + Vulnerabilities identified in components or services. + + + + + Comments made by people, organizations, or tools about any object with + a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike + inventory information, annotations may contain opinion or commentary from various + stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link, + and may optionally be signed. + + + + + Describes the formulation of any referencable object within the BOM, + including components, services, metadata, declarations, or the BOM itself. This may + encompass how the object was created, assembled, deployed, tested, certified, or otherwise + brought into its present form. Common examples include software build pipelines, + deployment processes, AI/ML model training, cryptographic key generation or certification, + and third-party audits. Processes are modeled using declared and observed formulas, + composed of workflows, tasks, and individual steps. + + + + + + The list of declarations which describe the conformance to standards. Each declaration may + include attestations, claims, and evidence. + + + + + + + A collection of reusable objects that are defined and may be used elsewhere in the BOM. + + + + + + A collection of attributions indicating which entity supplied information for specific fields within the BOM. + + + + + + Allows any undeclared elements as long as the elements are placed in a different namespace. + + + + + + + Whenever an existing BOM is modified, either manually or through automated + processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with + multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. + The default version is '1'. + + + + + Every BOM generated SHOULD have a unique serial number, even if the contents of + the BOM have not changed over time. If specified, the serial number must conform to RFC-4122. + Use of serial numbers are recommended. + + + + + User-defined attributes may be used on this element as long as they + do not have the same name as an existing attribute used by the schema. + + + + + + + + + diff --git a/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json b/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json new file mode 100644 index 000000000..1f06fdff5 --- /dev/null +++ b/cyclonedx/schema/_res/cryptography-defs.SNAPSHOT.schema.json @@ -0,0 +1,576 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "$comment": "2025-09-07T11:12:52Z", + "title": "Cryptographic Algorithm Family Definitions", + "description": "Enumerates cryptographic algorithm families and their specific metadata.", + "type": "object", + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string" + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the data was last updated." + }, + "algorithms": { + "type": "array", + "title": "Algorithm Families", + "description": "An array of cryptographic algorithm family definitions.", + "items": { + "type": "object", + "title": "Algorithm Family", + "description": "Defines a cryptographic algorithm family and its metadata.", + "additionalProperties": false, + "properties": { + "family": { + "type": "string", + "title": "Algorithm Family", + "description": "The name of the cryptographic algorithm family." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm family.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." + } + }, + "required": [ + "name", + "url" + ] + } + }, + "variant": { + "type": "array", + "title": "Variants", + "description": "Defines algorithm variants by a naming pattern and the corresponding cryptographic primitive.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "pattern": { + "type": "string", + "title": "Standard Name", + "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." + }, + "primitive": { + "type": "string", + "title": "Primitive", + "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm variant.", + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri-reference", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." + } + }, + "required": [ + "name", + "url" + ] + } + } + }, + "required": [ + "pattern", + "primitive" + ] + } + } + }, + "required": [ + "family", + "variant" + ] + } + }, + "ellipticCurves": { + "type": "array", + "title": "Elliptic Curves", + "description": "An array of elliptic curve family definitions.", + "items": { + "type": "object", + "title": "Elliptic Curve Family", + "description": "Defines an elliptic curve family and its metadata.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Curve Family Name", + "description": "The name of the elliptic curve family." + }, + "description": { + "type": [ + "string", + "null" + ], + "title": "Description", + "description": "A description of the elliptic curve family." + }, + "curves": { + "type": "array", + "title": "Curves", + "description": "List of curves in this family.", + "items": { + "type": "object", + "title": "Curve", + "description": "Defines a specific elliptic curve and its metadata.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Curve Name", + "description": "The name of the elliptic curve." + }, + "description": { + "type": [ + "string", + "null" + ], + "title": "Description", + "description": "A description of the elliptic curve." + }, + "oid": { + "type": [ + "string", + "null" + ], + "title": "OID", + "description": "The Object Identifier (OID) of the elliptic curve." + }, + "form": { + "type": "string", + "title": "Form", + "description": "The form of the elliptic curve.", + "enum": [ + "Weierstrass", + "Edwards", + "TwistedEdwards", + "Montgomery" + ] + }, + "aliases": { + "type": "array", + "title": "Aliases", + "description": "List of aliases for this curve.", + "items": { + "type": "object", + "title": "Alias", + "description": "An alias for the curve.", + "additionalProperties": false, + "properties": { + "category": { + "type": "string", + "title": "Category", + "description": "The category of the alias." + }, + "name": { + "type": "string", + "title": "Name", + "description": "The name of the alias." + } + }, + "required": [ + "category", + "name" + ] + } + } + }, + "required": [ + "name", + "description", + "oid", + "form" + ] + } + } + }, + "required": [ + "name", + "description", + "curves" + ] + } + } + }, + "required": [ + "lastUpdated", + "algorithms", + "ellipticCurves" + ], + "definitions": { + "algorithmFamiliesEnum": { + "type": "string", + "title": "Algorithm Families", + "description": "An enum for the algorithm families.", + "enum": [ + "3DES", + "3GPP-XOR", + "A5/1", + "A5/2", + "AES", + "ARIA", + "Ascon", + "BLAKE2", + "BLAKE3", + "BLS", + "Blowfish", + "CAMELLIA", + "CAST5", + "CAST6", + "CMAC", + "CMEA", + "ChaCha", + "ChaCha20", + "DES", + "DSA", + "ECDH", + "ECDSA", + "ECIES", + "EdDSA", + "ElGamal", + "FFDH", + "Fortuna", + "GOST", + "HC", + "HKDF", + "HMAC", + "IDEA", + "IKE-PRF", + "KMAC", + "LMS", + "MD2", + "MD4", + "MD5", + "MILENAGE", + "ML-DSA", + "ML-KEM", + "MQV", + "PBES1", + "PBES2", + "PBKDF1", + "PBKDF2", + "PBMAC1", + "Poly1305", + "RABBIT", + "RC2", + "RC4", + "RC5", + "RC6", + "RIPEMD", + "RSAES-OAEP", + "RSAES-PKCS1", + "RSASSA-PKCS1", + "RSASSA-PSS", + "SEED", + "SHA-1", + "SHA-2", + "SHA-3", + "SLH-DSA", + "SNOW3G", + "SP800-108", + "Salsa20", + "Serpent", + "SipHash", + "Skipjack", + "TUAK", + "Twofish", + "Whirlpool", + "X3DH", + "XMSS", + "Yarrow", + "ZUC", + "bcrypt" + ] + }, + "ellipticCurvesEnum": { + "type": "string", + "enum": [ + "anssi/FRP256v1", + "bls/BLS12-377", + "bls/BLS12-381", + "bls/BLS12-446", + "bls/BLS12-455", + "bls/BLS12-638", + "bls/BLS24-477", + "bls/Bandersnatch", + "bn/bn158", + "bn/bn190", + "bn/bn222", + "bn/bn254", + "bn/bn286", + "bn/bn318", + "bn/bn350", + "bn/bn382", + "bn/bn414", + "bn/bn446", + "bn/bn478", + "bn/bn510", + "bn/bn542", + "bn/bn574", + "bn/bn606", + "bn/bn638", + "brainpool/brainpoolP160r1", + "brainpool/brainpoolP160t1", + "brainpool/brainpoolP192r1", + "brainpool/brainpoolP192t1", + "brainpool/brainpoolP224r1", + "brainpool/brainpoolP224t1", + "brainpool/brainpoolP256r1", + "brainpool/brainpoolP256t1", + "brainpool/brainpoolP320r1", + "brainpool/brainpoolP320t1", + "brainpool/brainpoolP384r1", + "brainpool/brainpoolP384t1", + "brainpool/brainpoolP512r1", + "brainpool/brainpoolP512t1", + "gost/gost256", + "gost/gost512", + "gost/id-GostR3410-2001-CryptoPro-A-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-B-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-C-ParamSet", + "gost/id-tc26-gost-3410-12-512-paramSetA", + "gost/id-tc26-gost-3410-12-512-paramSetB", + "gost/id-tc26-gost-3410-2012-256-paramSetA", + "gost/id-tc26-gost-3410-2012-512-paramSetC", + "mnt/mnt1", + "mnt/mnt2/1", + "mnt/mnt2/2", + "mnt/mnt3/1", + "mnt/mnt3/2", + "mnt/mnt3/3", + "mnt/mnt4", + "mnt/mnt5/1", + "mnt/mnt5/2", + "mnt/mnt5/3", + "nist/B-163", + "nist/B-233", + "nist/B-283", + "nist/B-409", + "nist/B-571", + "nist/K-163", + "nist/K-233", + "nist/K-283", + "nist/K-409", + "nist/K-571", + "nist/P-192", + "nist/P-224", + "nist/P-256", + "nist/P-384", + "nist/P-521", + "nums/ed-254-mont", + "nums/ed-255-mers", + "nums/ed-256-mont", + "nums/ed-382-mont", + "nums/ed-383-mers", + "nums/ed-384-mont", + "nums/ed-510-mont", + "nums/ed-511-mers", + "nums/ed-512-mont", + "nums/numsp256d1", + "nums/numsp256t1", + "nums/numsp384d1", + "nums/numsp384t1", + "nums/numsp512d1", + "nums/numsp512t1", + "nums/w-254-mont", + "nums/w-255-mers", + "nums/w-256-mont", + "nums/w-382-mont", + "nums/w-383-mers", + "nums/w-384-mont", + "nums/w-510-mont", + "nums/w-511-mers", + "nums/w-512-mont", + "oakley/192-bit Random ECP Group", + "oakley/224-bit Random ECP Group", + "oakley/256-bit Random ECP Group", + "oakley/384-bit Random ECP Group", + "oakley/521-bit Random ECP Group", + "oakley/Oakley Group 3", + "oakley/Oakley Group 4", + "oscaa/SM2", + "other/BADA55-R-256", + "other/BADA55-VPR-224", + "other/BADA55-VPR2-224", + "other/BADA55-VR-224", + "other/BADA55-VR-256", + "other/BADA55-VR-384", + "other/Curve1174", + "other/Curve22103", + "other/Curve25519", + "other/Curve383187", + "other/Curve41417", + "other/Curve4417", + "other/Curve448", + "other/Curve67254", + "other/E-222", + "other/E-382", + "other/E-521", + "other/Ed25519", + "other/Ed448", + "other/Ed448-Goldilocks", + "other/FourQ", + "other/Fp224BN", + "other/Fp254BNa", + "other/Fp254BNb", + "other/Fp254n2BNa", + "other/Fp256BN", + "other/Fp384BN", + "other/Fp512BN", + "other/JubJub", + "other/M-221", + "other/M-383", + "other/M-511", + "other/MDC201601", + "other/Pallas", + "other/Tom-256", + "other/Tom-384", + "other/Tom-521", + "other/Tweedledee", + "other/Tweedledum", + "other/Vesta", + "other/ssc-160", + "other/ssc-192", + "other/ssc-224", + "other/ssc-256", + "other/ssc-288", + "other/ssc-320", + "other/ssc-384", + "other/ssc-512", + "secg/secp112r1", + "secg/secp112r2", + "secg/secp128r1", + "secg/secp128r2", + "secg/secp160k1", + "secg/secp160r1", + "secg/secp160r2", + "secg/secp192k1", + "secg/secp192r1", + "secg/secp224k1", + "secg/secp224r1", + "secg/secp256k1", + "secg/secp256r1", + "secg/secp384r1", + "secg/secp521r1", + "secg/sect113r1", + "secg/sect113r2", + "secg/sect131r1", + "secg/sect131r2", + "secg/sect163k1", + "secg/sect163r1", + "secg/sect163r2", + "secg/sect193r1", + "secg/sect193r2", + "secg/sect233k1", + "secg/sect233r1", + "secg/sect239k1", + "secg/sect283k1", + "secg/sect283r1", + "secg/sect409k1", + "secg/sect409r1", + "secg/sect571k1", + "secg/sect571r1", + "wtls/wap-wsg-idm-ecid-wtls1", + "wtls/wap-wsg-idm-ecid-wtls10", + "wtls/wap-wsg-idm-ecid-wtls11", + "wtls/wap-wsg-idm-ecid-wtls12", + "wtls/wap-wsg-idm-ecid-wtls3", + "wtls/wap-wsg-idm-ecid-wtls4", + "wtls/wap-wsg-idm-ecid-wtls5", + "wtls/wap-wsg-idm-ecid-wtls6", + "wtls/wap-wsg-idm-ecid-wtls7", + "wtls/wap-wsg-idm-ecid-wtls8", + "wtls/wap-wsg-idm-ecid-wtls9", + "x962/c2onb191v4", + "x962/c2onb191v5", + "x962/c2onb239v4", + "x962/c2onb239v5", + "x962/c2pnb163v1", + "x962/c2pnb163v2", + "x962/c2pnb163v3", + "x962/c2pnb176w1", + "x962/c2pnb208w1", + "x962/c2pnb272w1", + "x962/c2pnb304w1", + "x962/c2pnb368w1", + "x962/c2tnb191v1", + "x962/c2tnb191v2", + "x962/c2tnb191v3", + "x962/c2tnb239v1", + "x962/c2tnb239v2", + "x962/c2tnb239v3", + "x962/c2tnb359v1", + "x962/c2tnb431r1", + "x962/prime192v1", + "x962/prime192v2", + "x962/prime192v3", + "x962/prime239v1", + "x962/prime239v2", + "x962/prime239v3", + "x962/prime256v1", + "x963/ansip160k1", + "x963/ansip160r1", + "x963/ansip160r2", + "x963/ansip192k1", + "x963/ansip224k1", + "x963/ansip224r1", + "x963/ansip256k1", + "x963/ansip384r1", + "x963/ansip521r1", + "x963/ansit163k1", + "x963/ansit163r1", + "x963/ansit163r2", + "x963/ansit193r1", + "x963/ansit193r2", + "x963/ansit233k1", + "x963/ansit233r1", + "x963/ansit239k1", + "x963/ansit283k1", + "x963/ansit283r1", + "x963/ansit409k1", + "x963/ansit409r1", + "x963/ansit571k1", + "x963/ansit571r1" + ] + } + } +} \ No newline at end of file diff --git a/cyclonedx/schema/schema.py b/cyclonedx/schema/schema.py index b29b22da3..3be105619 100644 --- a/cyclonedx/schema/schema.py +++ b/cyclonedx/schema/schema.py @@ -34,6 +34,13 @@ def get_schema_version(self) -> str: return self.schema_version_enum.to_version() +class SchemaVersion1Dot7(BaseSchemaVersion): + + @property + def schema_version_enum(self) -> Literal[SchemaVersion.V1_7]: + return SchemaVersion.V1_7 + + class SchemaVersion1Dot6(BaseSchemaVersion): @property @@ -84,6 +91,7 @@ def schema_version_enum(self) -> Literal[SchemaVersion.V1_0]: SCHEMA_VERSIONS: dict[SchemaVersion, type[BaseSchemaVersion]] = { + SchemaVersion.V1_7: SchemaVersion1Dot7, SchemaVersion.V1_6: SchemaVersion1Dot6, SchemaVersion.V1_5: SchemaVersion1Dot5, SchemaVersion.V1_4: SchemaVersion1Dot4, diff --git a/cyclonedx/validation/json.py b/cyclonedx/validation/json.py index 678a9d943..6431df57a 100644 --- a/cyclonedx/validation/json.py +++ b/cyclonedx/validation/json.py @@ -30,7 +30,13 @@ from ..schema import SchemaVersion from ..exception import MissingOptionalDependencyException -from ..schema._res import BOM_JSON as _S_BOM, BOM_JSON_STRICT as _S_BOM_STRICT, JSF as _S_JSF, SPDX_JSON as _S_SPDX +from ..schema._res import ( + BOM_JSON as _S_BOM, + BOM_JSON_STRICT as _S_BOM_STRICT, + CRYPTOGRAPHY_DEFS as _S_CDEFS, + JSF as _S_JSF, + SPDX_JSON as _S_SPDX, +) from . import BaseSchemabasedValidator, SchemabasedValidator, ValidationError _missing_deps_error: Optional[tuple[MissingOptionalDependencyException, ImportError]] = None @@ -125,9 +131,11 @@ def _validator(self) -> 'JsonSchemaValidator': @staticmethod def __make_validator_registry() -> Registry[Any]: schema_prefix = 'http://cyclonedx.org/schema/' - with open(_S_SPDX) as spdx, open(_S_JSF) as jsf: + with open(_S_SPDX) as spdx, open(_S_JSF) as jsf, open(_S_CDEFS) as cdefs: return Registry().with_resources([ (f'{schema_prefix}spdx.SNAPSHOT.schema.json', DRAFT7.create_resource(json_loads(spdx.read()))), + (f'{schema_prefix}cryptography-defs.SNAPSHOT.schema.json', + DRAFT7.create_resource(json_loads(cdefs.read()))), (f'{schema_prefix}jsf-0.82.SNAPSHOT.schema.json', DRAFT7.create_resource(json_loads(jsf.read()))), ]) diff --git a/docs/outputting.rst b/docs/outputting.rst index 26bd3c9a9..d04ee1a4c 100644 --- a/docs/outputting.rst +++ b/docs/outputting.rst @@ -46,16 +46,16 @@ as a ``str``. from cyclonedx.output import make_outputter, BaseOutput, OutputFormat, SchemaVersion - outputter: BaseOutput = make_outputter(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_6) + outputter: BaseOutput = make_outputter(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_7) bom_json: str = outputter.output_as_string() Alternatively, if the output format and schema version are constants, you can use the predefined format+schema combined outputs: .. code-block:: python - from cyclonedx.output.json import JsonV1Dot6 + from cyclonedx.output.json import JsonV1Dot7 - outputter = JsonV1Dot6(bom=bom) + outputter = JsonV1Dot7(bom=bom) bom_json: str = outputter.output_as_string() diff --git a/docs/responsibilities_capabilities.rst b/docs/responsibilities_capabilities.rst index 783c43d33..11e891a9a 100644 --- a/docs/responsibilities_capabilities.rst +++ b/docs/responsibilities_capabilities.rst @@ -53,6 +53,7 @@ Capabilities * Build a :class:`Component ` data model that represents this library * Build a :class:`Tool ` data model that represents this library * Implementation of the `CycloneDX Specification`_ for the following versions: + * ``1.7`` * ``1.6`` * ``1.5`` * ``1.4`` diff --git a/examples/complex_deserialize.py b/examples/complex_deserialize.py index 097a3cc9a..ffe595a8b 100644 --- a/examples/complex_deserialize.py +++ b/examples/complex_deserialize.py @@ -33,9 +33,9 @@ # region JSON json_data = """{ - "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", - "specVersion": "1.6", + "specVersion": "1.7", "serialNumber": "urn:uuid:88fabcfa-7529-4ba2-8256-29bec0c03900", "version": 1, "metadata": { @@ -145,7 +145,7 @@ } ] }""" -my_json_validator = JsonStrictValidator(SchemaVersion.V1_6) +my_json_validator = JsonStrictValidator(SchemaVersion.V1_7) try: json_validation_errors = my_json_validator.validate_str(json_data) if json_validation_errors: @@ -165,7 +165,7 @@ # endregion XML xml_data = """ - @@ -246,7 +246,7 @@ """ -my_xml_validator: 'XmlValidator' = make_schemabased_validator(OutputFormat.XML, SchemaVersion.V1_6) +my_xml_validator: 'XmlValidator' = make_schemabased_validator(OutputFormat.XML, SchemaVersion.V1_7) try: xml_validation_errors = my_xml_validator.validate_str(xml_data) if xml_validation_errors: diff --git a/examples/complex_serialize.py b/examples/complex_serialize.py index 771dbc47c..03619f8b1 100644 --- a/examples/complex_serialize.py +++ b/examples/complex_serialize.py @@ -89,7 +89,7 @@ my_json_outputter: 'JsonOutputter' = JsonV1Dot5(bom) serialized_json = my_json_outputter.output_as_string(indent=2) print(serialized_json) -my_json_validator = JsonStrictValidator(SchemaVersion.V1_6) +my_json_validator = JsonStrictValidator(SchemaVersion.V1_7) try: json_validation_errors = my_json_validator.validate_str(serialized_json) if json_validation_errors: @@ -106,7 +106,7 @@ # region XML """demo with implicit instructions for SchemaVersion, outputter and validator. TypeCheckers will catch errors.""" -my_xml_outputter: 'XmlOutputter' = make_outputter(bom, OutputFormat.XML, SchemaVersion.V1_6) +my_xml_outputter: 'XmlOutputter' = make_outputter(bom, OutputFormat.XML, SchemaVersion.V1_7) serialized_xml = my_xml_outputter.output_as_string(indent=2) print(serialized_xml) my_xml_validator: 'XmlValidator' = make_schemabased_validator( diff --git a/tests/_data/own/json/1.5/issue677.json b/tests/_data/own/json/1.5/issue677.json index 090d97f8f..609e9022d 100644 --- a/tests/_data/own/json/1.5/issue677.json +++ b/tests/_data/own/json/1.5/issue677.json @@ -1,4 +1,5 @@ { + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:66fa5692-2e9d-45c5-830a-ec8ccaf7dcc9", diff --git a/tests/_data/own/json/1.6/issue690.json b/tests/_data/own/json/1.6/issue690.json index 71023861c..cbe1bd276 100644 --- a/tests/_data/own/json/1.6/issue690.json +++ b/tests/_data/own/json/1.6/issue690.json @@ -1,4 +1,5 @@ { + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", diff --git a/tests/_data/own/json/1.6/issue764.json b/tests/_data/own/json/1.6/issue764.json index 71037999e..9a69a4b1e 100644 --- a/tests/_data/own/json/1.6/issue764.json +++ b/tests/_data/own/json/1.6/issue764.json @@ -1,4 +1,5 @@ { + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat" : "CycloneDX", "specVersion" : "1.6", "version" : 1, diff --git a/tests/_data/own/json/1.6/issue771.json b/tests/_data/own/json/1.6/issue771.json index 7a84b47df..3d7b6bdcc 100644 --- a/tests/_data/own/json/1.6/issue771.json +++ b/tests/_data/own/json/1.6/issue771.json @@ -1,4 +1,5 @@ { + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat" : "CycloneDX", "specVersion" : "1.6", "version" : 1, diff --git a/tests/_data/own/xml/1.4/bom_setuptools.xml b/tests/_data/own/xml/1.4/bom_setuptools.xml index 07a313dd9..f9abfee28 100644 --- a/tests/_data/own/xml/1.4/bom_setuptools.xml +++ b/tests/_data/own/xml/1.4/bom_setuptools.xml @@ -1,6 +1,8 @@ - + 2023-01-07T13:44:32.312678+00:00 diff --git a/tests/_data/own/xml/1.4/webgoat-6.1.xml b/tests/_data/own/xml/1.4/webgoat-6.1.xml index c77420629..5ca0fb8c1 100644 --- a/tests/_data/own/xml/1.4/webgoat-6.1.xml +++ b/tests/_data/own/xml/1.4/webgoat-6.1.xml @@ -1,5 +1,8 @@ - + 2022-10-17T17:26:52Z @@ -462,12 +465,12 @@ net.sourceforge.jtds jtds 1.2.2 - TDS is an open source 100% pure Java (type 4) JDBC 3.0 driver + TDS is an open source 100% pure Java (type 4) JDBC 3.0 driver for Microsoft SQL Server (6.5, 7, 2000 and 2005) and Sybase (10, 11, 12, 15). - jTDS is based on FreeTDS and is currently the fastest production-ready JDBC + jTDS is based on FreeTDS and is currently the fastest production-ready JDBC driver for SQL Server and Sybase. jTDS is 100% JDBC 3.0 compatible, supporting - forward-only and scrollable/updateable ResultSets, concurrent (completely - independent) Statements and implementing all the DatabaseMetaData and + forward-only and scrollable/updateable ResultSets, concurrent (completely + independent) Statements and implementing all the DatabaseMetaData and ResultSetMetaData methods. optional diff --git a/tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.json b/tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.json new file mode 100644 index 000000000..7c6813c1b --- /dev/null +++ b/tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.json @@ -0,0 +1,79 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42", + "version": 1, + "metadata": { + "lifecycles": [{"phase": "design"}] + }, + "components": [ + { + "type": "library", + "group": "com.example", + "name": "situation-A", + "version": "1", + "description": "Multiple licenses: declared ids/names, and a concluded expression", + "licenses": [ + { + "license": { + "id": "MIT", + "acknowledgement": "declared" + } + }, + { + "license": { + "id": "PostgreSQL", + "acknowledgement": "declared" + } + }, + { + "license": { + "name": "Apache Software License", + "acknowledgement": "declared" + } + }, + { + "expression": "(MIT OR PostgreSQL OR Apache-2.0)", + "acknowledgement": "concluded" + } + ] + }, + { + "type": "library", + "group": "com.example", + "name": "situation-B", + "version": "1", + "description": "Multiple license expressions: one declared, one concluded", + "licenses": [ + { + "expression": "MIT OR (GPL-3.0 OR GPL-2.0)", + "acknowledgement": "declared" + }, + { + "expression": "(GPL-3.0-only AND LGPL-2.0-only)", + "acknowledgement": "concluded" + } + ] + }, + { + "type": "library", + "group": "com.example", + "name": "situation-C", + "version": "1", + "description": "Multiple license: one declared expression, one concluded id", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0", + "acknowledgement": "declared" + }, + { + "license": { + "id": "GPL-3.0-only", + "acknowledgement": "concluded" + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.xml b/tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.xml new file mode 100644 index 000000000..849ad97b9 --- /dev/null +++ b/tests/_data/schemaTestData/1.6/invalid-license-declared-concluded-mix-1.6.xml @@ -0,0 +1,46 @@ + + + + + design + + + + com.example + situation-A + 1 + Multiple licenses: declared ids/names, and a concluded expression + + MIT + PostgreSQL + Apache Software License + (MIT OR PostgreSQL OR Apache-2.0) + + + + com.example + situation-B + 1 + Multiple license expressions: one declared, one concluded + + MIT OR (GPL-3.0 OR GPL-2.0) + (GPL-3.0-only AND LGPL-2.0-only) + + + + com.example + situation-C + 1 + Multiple license: one declared expression, one concluded id + + GPL-3.0-or-later OR GPL-2.0 + GPL-3.0-only + + + + diff --git a/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.json b/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.json index ac1344659..40e97a20a 100644 --- a/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.json +++ b/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.json @@ -65,7 +65,16 @@ "0xC0" ] } - ] + ], + "ikev2TransformTypes": { + "encr": ["bom-ref-to-encr"], + "prf": ["bom-ref-to-prf"], + "integ": ["bom-ref-to-integ"], + "ke": ["bom-ref-to-ke"], + "esn": true, + "auth": ["bom-ref-to-auth"] + }, + "cryptoRefArray": ["asset-4"] }, "oid": "oid:1.2.3.4.5.6.7.8.9" } diff --git a/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.xml b/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.xml index 0e151a343..624e228e8 100644 --- a/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.xml +++ b/tests/_data/schemaTestData/1.6/valid-cryptography-full-1.6.xml @@ -40,6 +40,30 @@ X.509 crt + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + bom-ref-to-encr + bom-ref-to-prf + bom-ref-to-integ + bom-ref-to-ke + true + bom-ref-to-auth + + asset-4 + oid:1.2.3.4.5.6.7.8.9 diff --git a/tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-explicit.xml b/tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-explicit.xml new file mode 100644 index 000000000..66127f861 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-explicit.xml @@ -0,0 +1,16 @@ + + + + + + InvalidVersions + + versionRange may only exist on extraneous components, set `isExternal` explicit + + + diff --git a/tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-implicit.xml b/tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-implicit.xml new file mode 100644 index 000000000..f2cb83b28 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/informal-invalid-component-versionRange-non-external-implicit.xml @@ -0,0 +1,17 @@ + + + + + + + InvalidVersions + + versionRange may only exist on extraneous components, set `isExternal` implicit by default value + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-bomformat-1.7.json b/tests/_data/schemaTestData/1.7/invalid-bomformat-1.7.json new file mode 100644 index 000000000..5d237dacb --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-bomformat-1.7.json @@ -0,0 +1,9 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "AnotherFormat", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-citations-1.7.json b/tests/_data/schemaTestData/1.7/invalid-citations-1.7.json new file mode 100644 index 000000000..2ecabb7d4 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-citations-1.7.json @@ -0,0 +1,40 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2025-05-01T14:23:00Z" + }, + "components": [ + { + "type": "library", + "bom-ref": "component-1", + "name": "example-lib", + "version": "1.2.3", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ] + } + ], + "citations": [ + { + "bom-ref": "citation-1", + "pointers": ["/components/0/name"], + "timestamp": "2025-05-01T14:00:00Z", + "note": "Should have at least one of the following property sets: property 'attributedTo' or property 'process'" + }, + { + "bom-ref": "citation-1", + "pointers": ["/components/0/name"], + "expressions": ["$..[?(@.bom-ref=='component-1')].version"], + "timestamp": "2025-05-01T14:00:00Z", + "note": "Should not have both a pointer and expression." + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-citations-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-citations-1.7.xml new file mode 100644 index 000000000..c56f1b9c4 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-citations-1.7.xml @@ -0,0 +1,100 @@ + + + + 2025-05-01T14:23:00Z + + + Alice Example + alice@example.com + + + + + + example-lib + 1.2.3 + + + Apache-2.0 + + + + + + + + + My Scan Tool + + + + + 259bae74-5ec4-4de8-9386-c91b1f7719b8 + My workflow + + + 6d75f8d6-a008-41cf-8b65-c4129fc249f9 + License scan of the source files using OpenSourceScanner v2.1 + + scan + + + + dfc0268a-89cb-4823-bb88-84115a06b64d + License scan of the source files using [REDACTED] + + scan + + + + + scan + + + + + + + + + + /components/0/licenses/0/license/id + + 2025-05-01T14:05:00Z + person-1 + scan-tool-1 + Should have at max one 'attributedTo' + + + + /components/0/licenses/0/license/id + + 2025-05-01T14:05:00Z + task-license-scan + task-license-scan-2 + Should have at max one 'process' + + + + /components/0/licenses/0/license/id + + + //*[@bom-ref='component-1']/version + + 2025-05-01T14:05:00Z + task-license-scan + Should not have both a pointer and expression. + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.json b/tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.json new file mode 100644 index 000000000..e1bc979e5 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.json @@ -0,0 +1,17 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "InvalidVersions", + "description": "may have `version` or `versionRange`, not both. This one does - it is invalid", + "version": "9.0.14", + "versionRange": "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1", + "isExternal": true + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.xml b/tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.xml new file mode 100644 index 000000000..5f04f4ccc --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-external-version-and-range.xml @@ -0,0 +1,14 @@ + + + + + InvalidVersions + 9.0.14 + + may have `version` or `versionRange`, not both. This one does - it is invalid + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.json b/tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.json new file mode 100644 index 000000000..403612d5c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.json @@ -0,0 +1,21 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "123", + "name": "acme-library", + "version": "1.0.0" + }, + { + "type": "library", + "bom-ref": "", + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.xml new file mode 100644 index 000000000..e4dd289ac --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-ref-1.7.xml @@ -0,0 +1,28 @@ + + + + + acme-library + 1.0.0 + + + + acme-library + 1.0.0 + + + acme-library2 + 1.0.0 + + + + acme-library + 1.0.0 + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.json b/tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.json new file mode 100644 index 000000000..15fe6bf08 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.json @@ -0,0 +1,19 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "name": "Acme Application", + "version": "9.1.1" + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.xml new file mode 100644 index 000000000..8942964bf --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-swid-1.7.xml @@ -0,0 +1,14 @@ + + + + + Acme Super Heros + Acme Application + 9.1.1 + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-component-type-1.7.json b/tests/_data/schemaTestData/1.7/invalid-component-type-1.7.json new file mode 100644 index 000000000..82e45253b --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-type-1.7.json @@ -0,0 +1,14 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "foo", + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-component-type-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-component-type-1.7.xml new file mode 100644 index 000000000..4e4faf53d --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-type-1.7.xml @@ -0,0 +1,12 @@ + + + + + acme-library + 1.0.0 + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-explicit.json b/tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-explicit.json new file mode 100644 index 000000000..fd8fea188 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-explicit.json @@ -0,0 +1,16 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "InvalidVersions", + "description": "versionRange may only exist on extraneous components; set `.isExternal` explicit", + "isExternal": false, + "versionRange": "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-implicit.json b/tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-implicit.json new file mode 100644 index 000000000..1d08d7b83 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-component-versionRange-non-external-implicit.json @@ -0,0 +1,15 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "InvalidVersions", + "description": "versionRange may only exist on extraneous components; set `.isExternal` implicit by default value", + "versionRange": "vers:pypi/0.0.0|0.0.1|0.0.2|0.0.3|1.0|2.0pre1" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-dependency-1.7.json b/tests/_data/schemaTestData/1.7/invalid-dependency-1.7.json new file mode 100644 index 000000000..1156cad42 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-dependency-1.7.json @@ -0,0 +1,44 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "library-a", + "type": "library", + "name": "library-a", + "version": "1.0.0" + }, + { + "bom-ref": "library-b", + "type": "library", + "name": "library-b", + "version": "1.0.0" + }, + { + "bom-ref": "library-c", + "type": "library", + "name": "library-c", + "version": "1.0.0" + } + ], + "dependencies": [ + { + "dependsOn": [] + }, + { + "ref": "", + "dependsOn": [ + "library-a" + ] + }, + { + "ref": "library-b", + "dependsOn": [ + "library-c" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-dependency-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-dependency-1.7.xml new file mode 100644 index 000000000..1898e19d5 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-dependency-1.7.xml @@ -0,0 +1,34 @@ + + + + + acme-library-a + 1.0.0 + + + acme-library-b + 1.0.0 + + + acme-library-b + 1.0.0 + + + + + + + + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.json b/tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.json new file mode 100644 index 000000000..be61494c3 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.json @@ -0,0 +1,12 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.xml new file mode 100644 index 000000000..a7907000c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-empty-component-1.7.xml @@ -0,0 +1,10 @@ + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.json b/tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.json new file mode 100644 index 000000000..cd2fdaecd --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.json @@ -0,0 +1,33 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "FOO", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.xml new file mode 100644 index 000000000..b58c0bc42 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-alg-1.7.xml @@ -0,0 +1,21 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.json b/tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.json new file mode 100644 index 000000000..95e33a11b --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.json @@ -0,0 +1,33 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "foo" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.xml new file mode 100644 index 000000000..7d478d267 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-md5-1.7.xml @@ -0,0 +1,19 @@ + + + + + acme-library + 1.0.0 + required + + foo + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.json b/tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.json new file mode 100644 index 000000000..a8cb68526 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.json @@ -0,0 +1,33 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "foo" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.xml new file mode 100644 index 000000000..28b670aa0 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-sha1-1.7.xml @@ -0,0 +1,19 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + foo + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.json b/tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.json new file mode 100644 index 000000000..9f284dacf --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.json @@ -0,0 +1,33 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "foo" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.xml new file mode 100644 index 000000000..ec34635f4 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-sha256-1.7.xml @@ -0,0 +1,19 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + foo + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.json b/tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.json new file mode 100644 index 000000000..bcfca4930 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.json @@ -0,0 +1,33 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "foo" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.xml new file mode 100644 index 000000000..901fe56f3 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-hash-sha512-1.7.xml @@ -0,0 +1,19 @@ + + + + + acme-library + 1.0.0 + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + foo + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.json b/tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.json new file mode 100644 index 000000000..5a851eeff --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.json @@ -0,0 +1,49 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.acme", + "name": "sample-library", + "version": "1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "group": "org.example", + "name": "sample-library", + "version": "1.0.0" + } + ], + "patches": [ + { + "type": "unofficial", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "foo", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.acme.org/17240" + } + } + ] + } + ] + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.xml new file mode 100644 index 000000000..8f7f1faa6 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-issue-type-1.7.xml @@ -0,0 +1,40 @@ + + + + + com.acme + sample-library + 1.0.0 + + + + org.example + sample-library + 1.0.0 + + + + + + blah + uri/to/changes.diff + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.acme.org/17240 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-license-choice-1.7.json b/tests/_data/schemaTestData/1.7/invalid-license-choice-1.7.json new file mode 100644 index 000000000..c6005e1a5 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-choice-1.7.json @@ -0,0 +1,24 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", + "license": { + "name": "Apache License 2.0" + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.json b/tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.json new file mode 100644 index 000000000..44db080fa --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.json @@ -0,0 +1,29 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "text": { + "contentType": "text/plain", + "encoding": "base85", + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.xml new file mode 100644 index 000000000..b28fc2009 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-encoding-1.7.xml @@ -0,0 +1,30 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-license-id-1.7.json b/tests/_data/schemaTestData/1.7/invalid-license-id-1.7.json new file mode 100644 index 000000000..97f558e0a --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-id-1.7.json @@ -0,0 +1,23 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "licenses": [ + { + "license": { + "id": "Apache-2" + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-license-id-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-license-id-1.7.xml new file mode 100644 index 000000000..0fd0abe52 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-id-1.7.xml @@ -0,0 +1,30 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-license-id-count-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-license-id-count-1.7.xml new file mode 100644 index 000000000..1f24c6fb7 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-id-count-1.7.xml @@ -0,0 +1,30 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + MIT + + MIT + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.json b/tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.json new file mode 100644 index 000000000..3a9bbeae4 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.json @@ -0,0 +1,20 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "license-with-no-id-nor-name", + "version": "23", + "description": "testcase for issue#288", + "licenses": [ + { + "license": {} + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.xml new file mode 100644 index 000000000..2a59b3ed7 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-missing-id-and-name-1.7.xml @@ -0,0 +1,16 @@ + + + + + license-with-no-id-nor-name + 23 + testcase for issue#288 + + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-license-name-count-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-license-name-count-1.7.xml new file mode 100644 index 000000000..a935577ba --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-license-name-count-1.7.xml @@ -0,0 +1,30 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache License 2.0 + + Apache License 2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.json b/tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.json new file mode 100644 index 000000000..0506bd538 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.json @@ -0,0 +1,11 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "distribution": "Unrestricted" + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.xml new file mode 100644 index 000000000..2dbd0abf8 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-metadata-distribution-1.7.xml @@ -0,0 +1,10 @@ + + + + Unrestricted + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.json b/tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.json new file mode 100644 index 000000000..9b67e54fd --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.json @@ -0,0 +1,17 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "licenses": [ + { + "license": { + "id": "Apache-2" + } + } + ] + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.xml new file mode 100644 index 000000000..c2ae7dd4e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-metadata-license-1.7.xml @@ -0,0 +1,14 @@ + + + + + + Apache-2 + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.json b/tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.json new file mode 100644 index 000000000..90b47ad6b --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.json @@ -0,0 +1,11 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2020-04-13" + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.xml new file mode 100644 index 000000000..8d973c5a9 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-metadata-timestamp-1.7.xml @@ -0,0 +1,10 @@ + + + + 2020-04-07 + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.json b/tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.json new file mode 100644 index 000000000..ae4fdf5d1 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.json @@ -0,0 +1,13 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.xml new file mode 100644 index 000000000..00942ac5a --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-missing-component-type-1.7.xml @@ -0,0 +1,12 @@ + + + + + acme-library + 1.0.0 + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-namespace-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-namespace-1.7.xml new file mode 100644 index 000000000..394221276 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-namespace-1.7.xml @@ -0,0 +1,121 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.json b/tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.json new file mode 100644 index 000000000..34f7ac59f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.json @@ -0,0 +1,49 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.acme", + "name": "sample-library", + "version": "1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "group": "org.example", + "name": "sample-library", + "version": "1.0.0" + } + ], + "patches": [ + { + "type": "foo", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.acme.org/17240" + } + } + ] + } + ] + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.xml new file mode 100644 index 000000000..2a2c98540 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-patch-type-1.7.xml @@ -0,0 +1,40 @@ + + + + + com.acme + sample-library + 1.0.0 + + + + org.example + sample-library + 1.0.0 + + + + + + blah + uri/to/changes.diff + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.acme.org/17240 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-properties-1.7.json b/tests/_data/schemaTestData/1.7/invalid-properties-1.7.json new file mode 100644 index 000000000..76daa51c0 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-properties-1.7.json @@ -0,0 +1,69 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:bcb403ae-91fa-436e-bc93-84d1078cdeed", + "version": 1, + "metadata": { + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + }, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + } + } + ], + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "group": "org.partner", + "name": "Stock ticker service", + "endpoints": [ + "https://partner.org/api/v1/stock" + ], + "properties": [ + { + "value": "missing a name" + }, + { + "unexpected-property": "foo" + }, + {} + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-properties-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-properties-1.7.xml new file mode 100644 index 000000000..adbd0aaf1 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-properties-1.7.xml @@ -0,0 +1,44 @@ + + + + + missing a name + + + + + + acme-library + 1.0.0 + + + Apache-2.0 + + missing a name + + + + + + missing a name + + + + + + + org.partner + Stock ticker service + + https://partner.org/api/v1/stock + + + missing a name + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-scope-1.7.json b/tests/_data/schemaTestData/1.7/invalid-scope-1.7.json new file mode 100644 index 000000000..6ee45e510 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-scope-1.7.json @@ -0,0 +1,15 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "scope": "foo" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-scope-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-scope-1.7.xml new file mode 100644 index 000000000..a5e8b1519 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-scope-1.7.xml @@ -0,0 +1,13 @@ + + + + + acme-library + 1.0.0 + foo + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.json b/tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.json new file mode 100644 index 000000000..d69415f5c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.json @@ -0,0 +1,9 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f", + "version": 1, + "components": [ + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.xml new file mode 100644 index 000000000..328f8ce5a --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-serialnumber-1.7.xml @@ -0,0 +1,121 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tests/_data/schemaTestData/1.7/invalid-service-data-1.7.json b/tests/_data/schemaTestData/1.7/invalid-service-data-1.7.json new file mode 100644 index 000000000..89f19f293 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-service-data-1.7.json @@ -0,0 +1,21 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "name": "Stock ticker service", + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "foo", + "flow": "bar" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/invalid-service-data-1.7.xml b/tests/_data/schemaTestData/1.7/invalid-service-data-1.7.xml new file mode 100644 index 000000000..caac16828 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/invalid-service-data-1.7.xml @@ -0,0 +1,14 @@ + + + + + Stock ticker service + + bar + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-annotation-1.7.json b/tests/_data/schemaTestData/1.7/valid-annotation-1.7.json new file mode 100644 index 000000000..c773c3d08 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-annotation-1.7.json @@ -0,0 +1,110 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "component-a", + "type": "library", + "name": "Component A", + "version": "1.0.0" + } + ], + "annotations": [ + { + "bom-ref": "annotation-1", + "subjects": [ + "component-a" + ], + "annotator": { + "organization": { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by an organization" + }, + { + "bom-ref": "annotation-2", + "subjects": [ + "component-a" + ], + "annotator": { + "individual": { + "name": "Samantha Wright", + "email": "samantha.wright@example.com", + "phone": "800-555-1212" + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by a person" + }, + { + "bom-ref": "annotation-3", + "subjects": [ + "component-a" + ], + "annotator": { + "component": { + "type": "application", + "name": "Awesome Tool", + "version": "9.1.2" + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by a component" + }, + { + "bom-ref": "annotation-4", + "subjects": [ + "component-a" + ], + "annotator": { + "service": { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "name": "Partner Org", + "url": [ + "https://partner.org" + ], + "contact": [ + { + "name": "Support", + "email": "support@partner.org", + "phone": "800-555-1212" + } + ] + }, + "group": "org.partner", + "name": "BOM Annotation Service", + "version": "2020-Q2", + "endpoints": [ + "https://partner.org/api/v1/inspect", + "https://partner.org/api/v1/annotate" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "bi-directional" + } + ] + } + }, + "timestamp": "2022-01-01T00:00:00Z", + "text": "This is a sample annotation made by a service" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-annotation-1.7.xml b/tests/_data/schemaTestData/1.7/valid-annotation-1.7.xml new file mode 100644 index 000000000..e9f6d3038 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-annotation-1.7.xml @@ -0,0 +1,90 @@ + + + + + Component A + 1.0.0 + + + + + + + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + 2022-01-01T00:00:00Z + This is a sample annotation made by an organization + + + + + + + + Samantha Wright + samantha.wright@example.com + 800-555-1212 + + + 2022-01-01T00:00:00Z + This is a sample annotation made by a person + + + + + + + + Awesome Tool + 9.1.2 + + + 2022-01-01T00:00:00Z + This is a sample annotation made by a component + + + + + + + + + Partner Org + https://partner.org + + Support + support@partner.org + 800-555-1212 + + + org.partner + BOM Annotation Service + 2020-Q2 + + https://partner.org/api/v1/inspect + https://partner.org/api/v1/annotate + + true + true + + public + + + + 2022-01-01T00:00:00Z + This is a sample annotation made by a service + + + diff --git a/tests/_data/schemaTestData/1.7/valid-assembly-1.7.json b/tests/_data/schemaTestData/1.7/valid-assembly-1.7.json new file mode 100644 index 000000000..26704af43 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-assembly-1.7.json @@ -0,0 +1,31 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library-a", + "version": "1.0.0", + "components": [ + { + "type": "library", + "name": "acme-library-b", + "version": "2.0.0" + } + ] + } + ], + "services": [ + { + "name": "acme-service-a", + "services": [ + { + "name": "acme-service-b" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-assembly-1.7.xml b/tests/_data/schemaTestData/1.7/valid-assembly-1.7.xml new file mode 100644 index 000000000..5093e6a9b --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-assembly-1.7.xml @@ -0,0 +1,28 @@ + + + + + acme-library-a + 1.0.0 + + + acme-library-b + 2.0.0 + + + + + + + acme-service-a + + + acme-service-b + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-attestation-1.7.json b/tests/_data/schemaTestData/1.7/valid-attestation-1.7.json new file mode 100644 index 000000000..0e94469e0 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-attestation-1.7.json @@ -0,0 +1,237 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "declarations": { + "assessors": [ + { + "bom-ref": "assessor-1", + "thirdParty": true, + "organization": { + "name": "Assessors Inc" + } + } + ], + "attestations": [ + { + "summary": "Attestation summary here", + "assessor": "assessor-1", + "map": [ + { + "requirement": "requirement-1", + "claims": ["claim-1"], + "counterClaims": ["counterClaim-1"], + "conformance": { + "score": 0.8, + "rationale": "Conformance rationale here", + "mitigationStrategies": ["mitigationStrategy-1"] + }, + "confidence": { + "score": 1, + "rationale": "Confidence rationale here" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + } + ], + "claims": [ + { + "bom-ref": "claim-1", + "target": "acme-inc", + "predicate": "Predicate here", + "mitigationStrategies": ["mitigationStrategy-1"], + "reasoning": "Reasoning here", + "evidence": ["evidence-1"], + "counterEvidence": ["counterEvidence-1"], + "externalReferences": [ + { + "type": "issue-tracker", + "url": "https://alm.example.com" + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + } + ], + "evidence": [ + { + "bom-ref": "evidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Evidence here", + "contentType": "text/plain" + } + }, + "classification": "PII", + "sensitiveData": ["Describe sensitive data here"] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + }, + { + "bom-ref": "counterEvidence-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Counter evidence here", + "contentType": "text/plain" + } + }, + "classification": "Public", + "sensitiveData": ["Describe sensitive data here"] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + }, + { + "bom-ref": "mitigationStrategy-1", + "propertyName": "internal.com.acme.someProperty", + "description": "Description here", + "data": [ + { + "name": "Name of the data", + "contents": { + "attachment": { + "content": "Mitigation strategy here", + "contentType": "text/plain" + } + }, + "classification": "Company Confidential", + "sensitiveData": ["Describe sensitive data here"] + } + ], + "created": "2023-04-25T00:00:00+00:00", + "expires": "2023-05-25T00:00:00+00:00", + "author": { + "name": "Mary" + }, + "reviewer": { + "name": "Jane" + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + } + ], + "targets": { + "organizations": [ + { + "bom-ref": "acme-inc", + "name": "Acme Inc" + } + ] + }, + "affirmation": { + "statement": "I certify, to the best of my knowledge, that all information is correct...", + "signatories": [ + { + "name": "Tom", + "role": "CEO", + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + }, + { + "name": "Jerry", + "role": "COO", + "organization": { + "name": "Acme Inc" + }, + "externalReference": { + "type": "electronic-signature", + "url": "https://example.com/coo-sig.png" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + }, + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } +} diff --git a/tests/_data/schemaTestData/1.7/valid-attestation-1.7.xml b/tests/_data/schemaTestData/1.7/valid-attestation-1.7.xml new file mode 100644 index 000000000..68e345d1c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-attestation-1.7.xml @@ -0,0 +1,168 @@ + + + + + + true + + Assessors Inc + + + + + + Attestation summary here + assessor-1 + + requirement-1 + + claim-1 + + + counterClaim-1 + + + 0.8 + Conformance rationale here + + mitigationStrategy-1 + + + + 1 + Confidence rationale here + + + + + + + + + + acme-inc + Predicate here + + mitigationStrategy-1 + + Reasoning here + evidence-1 + counterEvidence-1 + + + https://alm.example.com + + + + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Evidence here + + PII + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Counter evidence here + + Public + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + internal.com.acme.someProperty + Description here + + Name of the data + + Mitigation strategy here + + Company Confidential + Describe sensitive data here + + 2023-04-25T00:00:00+00:00 + 2023-05-25T00:00:00+00:00 + + Mary + + + Jane + + + + + + + Acme Inc + + + + + I certify, to the best of my knowledge, that all information is correct... + + + Tom + CEO + + + + + + Jerry + COO + + Acme Inc + + + https://example.com/coo-sig.png + + + + + + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-bom-1.7.json b/tests/_data/schemaTestData/1.7/valid-bom-1.7.json new file mode 100644 index 000000000..f8d70f7e0 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-bom-1.7.json @@ -0,0 +1,298 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2020-04-13T20:20:39+00:00", + "tools": [ + { + "vendor": "Awesome Vendor", + "name": "Awesome Tool", + "version": "9.1.2", + "hashes": [ + { + "alg": "SHA-1", + "content": "25ed8e31b995bb927966616df2a42b979a2717f0" + }, + { + "alg": "SHA-256", + "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + ] + } + ], + "authors": [ + { + "name": "Samantha Wright", + "email": "samantha.wright@example.com", + "phone": "800-555-1212" + } + ], + "component": { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "name": "Acme Application", + "version": "9.1.1", + "text": { + "contentType": "text/xml", + "encoding": "base64", + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" + } + } + }, + "manufacturer": { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + }, + "supplier": { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "name": "Acme Distribution", + "email": "distribution@example.com" + } + ] + } + }, + "components": [ + { + "bom-ref": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar", + "type": "application", + "author": "Joane Doe et al.", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4=" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } + ], + "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar", + "pedigree": { + "ancestors": [ + { + "type": "application", + "author": "Apache Super Heros", + "publisher": "Apache", + "group": "org.apache.tomcat", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Apache Catalina", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar" + } + ], + "commits": [ + { + "uid": "7638417db6d59f3c431d3e1f261cc637155684cd", + "url": "https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd", + "author": { + "timestamp": "2018-11-13T20:20:39+00:00", + "name": "John Doe", + "email": "john.doe@example.com" + }, + "committer": { + "timestamp": "2018-11-07T22:01:45Z", + "name": "Jane Doe", + "email": "jane.doe@example.com" + }, + "message": "Initial commit" + } + ], + "notes": "Commentary here" + } + }, + { + "type": "library", + "bom-ref": "pkg:maven/com.example/myapplication@1.0.0?packaging=war", + "supplier": { + "name": "Example, Inc.", + "url": [ + "https://example.com", + "https://example.net" + ], + "contact": [ + { + "name": "Example Support AMER", + "email": "support@example.com", + "phone": "800-555-1212" + }, + { + "name": "Example Support APAC", + "email": "support@apac.example.com" + } + ] + }, + "manufacturer": { + "name": "Example-2, Inc.", + "url": [ + "https://example.org" + ], + "contact": [ + { + "email": "support@example.org" + } + ] + }, + "authors": [ + { + "name": "Anthony Edward Stark", + "phone": "555-212-970-4133", + "email": "ironman@example.org" + }, + { + "name": "Peter Benjamin Parker", + "email": "spiderman@example.org" + } + ], + "group": "org.example", + "name": "mylibrary", + "version": "1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "2342c2eaf1feb9a80195dbaddf2ebaa3" + }, + { + "alg": "SHA-1", + "content": "68b78babe00a053f9e35ec6a2d9080f5b90122b0" + }, + { + "alg": "SHA-256", + "content": "708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313" + }, + { + "alg": "SHA-512", + "content": "387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef" + } + ], + "licenses": [ + { + "expression": "EPL-2.0 OR GPL-2.0-with-classpath-exception" + } + ], + "copyright": "Copyright Example Inc. All rights reserved.", + "cpe": "cpe:/a:example:myapplication:1.0.0", + "purl": "pkg:maven/com.example/myapplication@1.0.0?packaging=war", + "modified": false, + "externalReferences": [ + { + "url": "http://example.org/docs", + "type": "documentation", + "comment": "All component versions are documented here" + }, + { + "url": "http://example.org/security", + "type": "advisories" + } + ] + }, + { + "type": "framework", + "author": "Example Super Heros", + "group": "com.example", + "name": "myframework", + "version": "1.0.0", + "description": "Example Inc, enterprise framework", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "cfcb0b64aacd2f81c1cd546543de965a" + }, + { + "alg": "SHA-1", + "content": "7fbeef2346c45d565c3341f037bce4e088af8a52" + }, + { + "alg": "SHA-256", + "content": "0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1" + }, + { + "alg": "SHA-512", + "content": "854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79" + } + ], + "licenses": [ + { + "license": { + "name": "Some random license" + } + } + ], + "purl": "pkg:maven/com.example/myframework@1.0.0?packaging=war", + "modified": false, + "externalReferences": [ + { + "type": "website", + "url": "http://example.com/myframework" + }, + { + "type": "advisories", + "url": "http://example.com/security" + } + ] + } + ], + "dependencies": [ + { + "ref": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar", + "dependsOn": [ + "pkg:maven/com.example/myapplication@1.0.0?packaging=war" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-bom-1.7.xml b/tests/_data/schemaTestData/1.7/valid-bom-1.7.xml new file mode 100644 index 000000000..9c144fea4 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-bom-1.7.xml @@ -0,0 +1,206 @@ + + + + 2020-04-13T20:20:39+00:00 + + + Awesome Vendor + Awesome Tool + 9.1.2 + + 25ed8e31b995bb927966616df2a42b979a2717f0 + a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df + + + + + + Samantha Wright + samantha.wright@example.com + 800-555-1212 + + + + Acme Super Heros + Acme Application + 9.1.1 + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + Acme, Inc. + https://example.com + + Acme Distribution + distribution@example.com + + + + + + Joane Doe et al. + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache Super Heros + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-13T20:20:39+00:00 + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + + Example, Inc. + https://example.com + https://example.net + + Example Support AMER + support@example.com + 800-555-1212 + + + Example Support APAC + support@apac.example.com + + + + Example-2, Inc. + https://example.org + + support@example.org + + + + + Anthony Edward Stark + ironman@example.org + 555-212-970-4133 + + + Peter Benjamin Parker + spiderman@example.org + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0-with-classpath-exception + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + Example Super Heros + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-citations-1.7.json b/tests/_data/schemaTestData/1.7/valid-citations-1.7.json new file mode 100644 index 000000000..4c33f4195 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-citations-1.7.json @@ -0,0 +1,91 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2025-05-01T14:23:00Z", + "authors": [ + { + "bom-ref": "person-1", + "name": "Alice Example", + "email": "alice@example.com" + } + ] + }, + "components": [ + { + "type": "library", + "bom-ref": "component-1", + "name": "example-lib", + "version": "1.2.3", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ] + } + ], + "citations": [ + { + "bom-ref": "citation-1", + "pointers": ["/components/0/name"], + "timestamp": "2025-05-01T14:00:00Z", + "attributedTo": "person-1", + "note": "Manually entered by Alice Example - with `attributedTo`" + }, + { + "bom-ref": "citation-2", + "pointers": ["/components/0/name"], + "timestamp": "2025-05-01T14:00:00Z", + "process": "task-license-scan", + "note": "Semi-manually entered by Alice Example - with `process`" + }, + { + "bom-ref": "citation-3", + "expressions": ["$..[?(@.bom-ref=='component-1')].version"], + "timestamp": "2025-05-01T14:00:00Z", + "process": "task-license-scan", + "note": "Semi-manually entered by Alice Example - with `process`" + }, + { + "bom-ref": "citation-4", + "expressions": ["$.components[*].licenses[*].license.id"], + "timestamp": "2025-05-01T14:05:00Z", + "attributedTo": "scan-tool-1", + "process": "task-license-scan", + "note": "Auto-detected by license scanner tool - with both, 'attributedTo' and 'process'" + } + ], + "formulation": [ + { + "components": [ + { + "bom-ref": "scan-tool-1", + "type": "application", + "name": "My Scan Tool" + } + ], + "bom-ref": "workflow-1", + "workflows": [ + { + "bom-ref": "workflow-1", + "uid": "259bae74-5ec4-4de8-9386-c91b1f7719b8", + "name": "My workflow", + "tasks": [ + { + "bom-ref": "task-license-scan", + "uid": "6d75f8d6-a008-41cf-8b65-c4129fc249f9", + "taskTypes": ["scan"], + "description": "License scan of the source files using OpenSourceScanner v2.1" + } + ], + "taskTypes": ["scan"] + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-citations-1.7.xml b/tests/_data/schemaTestData/1.7/valid-citations-1.7.xml new file mode 100644 index 000000000..b2098f9f6 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-citations-1.7.xml @@ -0,0 +1,88 @@ + + + + 2025-05-01T14:23:00Z + + + Alice Example + alice@example.com + + + + + + example-lib + 1.2.3 + + + Apache-2.0 + + + + + + + + + My Scan Tool + + + + + 259bae74-5ec4-4de8-9386-c91b1f7719b8 + My workflow + + + 6d75f8d6-a008-41cf-8b65-c4129fc249f9 + License scan of the source files using OpenSourceScanner v2.1 + + scan + + + + + scan + + + + + + + + + /components/0/name + + 2025-05-01T14:00:00Z + person-1 + Manually entered by Alice Example - with `attributedTo` + + + + /components/0/name + + 2025-05-01T14:00:00Z + person-1 + Semi-manually entered by Alice Example - with `process` + + + + //*[@bom-ref='component-1']/version + + 2025-05-01T14:00:00Z + person-1 + Semi-manually entered by Alice Example - with `process` + + + + /components/component/licenses/license/id + + 2025-05-01T14:05:00Z + scan-tool-1 + task-license-scan + Auto-detected by license scanner tool - with both, 'attributedTo' and 'process' + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-data-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-data-1.7.json new file mode 100644 index 000000000..98e07c100 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-data-1.7.json @@ -0,0 +1,30 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:1b1bff0e-fdb9-4088-8b9a-1a9f2d9006da", + "version": 1, + "components": [ + { + "type": "data", + "name": "my-configs", + "version": "1337", + "data": [ + { + "type": "configuration", + "name": "app.ini", + "contents": { + "url": "https://example.com/cfg/1337/app.ini" + } + }, + { + "type": "other", + "name": ".env", + "contents": { + "url": "https://example.com/cfg/1337/env" + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-data-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-data-1.7.xml new file mode 100644 index 000000000..776060151 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-data-1.7.xml @@ -0,0 +1,26 @@ + + + + + my-configs + 1337 + + configuration + app.ini + + https://example.com/cfg/1337/app.ini + + + + other + .env + + https://example.com/cfg/1337/env + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-external-with-version.json b/tests/_data/schemaTestData/1.7/valid-component-external-with-version.json new file mode 100644 index 000000000..826047594 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-external-with-version.json @@ -0,0 +1,35 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:7dc07ac8-7fb8-4782-bf89-4762394e189d", + "version": 1, + "metadata": { + "component": { + "bom-ref": "my-app", + "type": "application", + "name": "My Application" + } + }, + "components": [ + { + "bom-ref": "os", + "type": "operating-system", + "name": "Ubuntu", + "version": "24.04", + "description": "Ubuntu 24.04", + "isExternal": true + } + ], + "dependencies": [ + { + "ref": "my-app", + "dependsOn": [ + "os" + ] + }, + { + "ref": "os" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-external-with-version.xml b/tests/_data/schemaTestData/1.7/valid-component-external-with-version.xml new file mode 100644 index 000000000..d61bbb1aa --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-external-with-version.xml @@ -0,0 +1,26 @@ + + + + + My Application + + + + + Ubuntu + 24H2 + Windows 11 version 21H2 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.json b/tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.json new file mode 100644 index 000000000..183b2606c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.json @@ -0,0 +1,35 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:bdd25550-f1c1-4cb4-b406-0c8d05ad6382", + "version": 1, + "metadata": { + "component": { + "bom-ref": "my-app", + "type": "application", + "name": "My Application" + } + }, + "components": [ + { + "bom-ref": "libcurl", + "type": "library", + "name": "libcurl", + "versionRange": "vers:generic/>=8.7.1|<9.0.0", + "description": "libcurl ^8.7.1", + "isExternal": true + } + ], + "dependencies": [ + { + "ref": "my-app", + "dependsOn": [ + "libcurl" + ] + }, + { + "ref": "libcurl" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.xml b/tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.xml new file mode 100644 index 000000000..d35e8d13a --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-external-with-versionRange.xml @@ -0,0 +1,26 @@ + + + + + My Application + + + + + libcurl + =8.7.1|<9.0.0]]> + libcurl ^8.7.1 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-external-without-version.json b/tests/_data/schemaTestData/1.7/valid-component-external-without-version.json new file mode 100644 index 000000000..4933e6fbf --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-external-without-version.json @@ -0,0 +1,34 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "component": { + "bom-ref": "my-app", + "type": "application", + "name": "My Application" + } + }, + "components": [ + { + "bom-ref": "os", + "type": "operating-system", + "name": "Windows 11 (64bit)", + "description": "any Windows 11", + "isExternal": true + } + ], + "dependencies": [ + { + "ref": "my-app", + "dependsOn": [ + "os" + ] + }, + { + "ref": "os" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-external-without-version.xml b/tests/_data/schemaTestData/1.7/valid-component-external-without-version.xml new file mode 100644 index 000000000..5b4844298 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-external-without-version.xml @@ -0,0 +1,25 @@ + + + + + My Application + + + + + Windows 11 (64bit) + any Windows 11 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.json new file mode 100644 index 000000000..c62e83cff --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.json @@ -0,0 +1,64 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-example", + "version": "1.0.0", + "hashes": [ + { + "alg": "MD5", + "content": "641b6e166f8b33c5e959e2adcc18b1c7" + }, + { + "alg": "SHA-1", + "content": "9188560f22e0b73070d2efce670c74af2bdf30af" + }, + { + "alg": "SHA-256", + "content": "d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964" + }, + { + "alg": "SHA-384", + "content": "d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad" + }, + { + "alg": "SHA-512", + "content": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" + }, + { + "alg": "SHA3-256", + "content": "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" + }, + { + "alg": "SHA3-384", + "content": "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" + }, + { + "alg": "SHA3-512", + "content": "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" + }, + { + "alg": "BLAKE2b-256", + "content": "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" + }, + { + "alg": "BLAKE2b-384", + "content": "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" + }, + { + "alg": "BLAKE2b-512", + "content": "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" + }, + { + "alg": "BLAKE3", + "content": "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.xml new file mode 100644 index 000000000..67c50700c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-hashes-1.7.xml @@ -0,0 +1,26 @@ + + + + + acme-example + 1.0.0 + + 641b6e166f8b33c5e959e2adcc18b1c7 + 9188560f22e0b73070d2efce670c74af2bdf30af + d88bc4e70bfb34d18b5542136639acbb26a8ae2429aa1e47489332fb389cc964 + d4835048a0f57c74b8fb617d5366ab81376fc92bebe9a93bf24ba7f9da6c9aeeb6179f5d1361f6533211b15f3224cbad + 74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6 + 7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa + a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5 + 7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20 + d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237 + e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a + f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d + 26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.json new file mode 100644 index 000000000..9d2dc84d2 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.json @@ -0,0 +1,25 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.example", + "name": "acme-library", + "version": "1.0.0", + "cpe": "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*", + "purl": "pkg:maven/com.example/acme-library@1.0.0", + "omniborId": [ + "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", + "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ], + "swhid": [ + "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2", + "swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.xml new file mode 100644 index 000000000..c085dcfba --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-identifiers-1.7.xml @@ -0,0 +1,19 @@ + + + + + com.example + acme-library + 1.0.0 + cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:* + pkg:maven/com.example/acme-library@1.0.0 + gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 + swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505 + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-ref-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-ref-1.7.json new file mode 100644 index 000000000..bceff70cd --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-ref-1.7.json @@ -0,0 +1,29 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "bom-ref": "123", + "name": "acme-library", + "version": "1.0.0", + "components": [ + { + "type": "library", + "bom-ref": "456", + "name": "acme-library", + "version": "1.0.0" + } + ] + }, + { + "type": "library", + "bom-ref": "789", + "name": "acme-library", + "version": "1.0.0" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-ref-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-ref-1.7.xml new file mode 100644 index 000000000..45aa476bf --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-ref-1.7.xml @@ -0,0 +1,22 @@ + + + + + acme-library + 1.0.0 + + + acme-library + 1.0.0 + + + + + acme-library + 1.0.0 + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-swid-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-swid-1.7.json new file mode 100644 index 000000000..2cdbb4f2d --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-swid-1.7.json @@ -0,0 +1,20 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "name": "Acme Application", + "version": "9.1.1" + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-swid-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-swid-1.7.xml new file mode 100644 index 000000000..f8e803e02 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-swid-1.7.xml @@ -0,0 +1,14 @@ + + + + + Acme Super Heros + Acme Application + 9.1.1 + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.json new file mode 100644 index 000000000..65b8aefc1 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.json @@ -0,0 +1,25 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "author": "Acme Super Heros", + "name": "Acme Application", + "version": "9.1.1", + "swid": { + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "name": "Acme Application", + "version": "9.1.1", + "text": { + "contentType": "text/xml", + "encoding": "base64", + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==" + } + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.xml new file mode 100644 index 000000000..d1032c83e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-swid-full-1.7.xml @@ -0,0 +1,16 @@ + + + + + Acme Super Heros + Acme Application + 9.1.1 + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-component-types-1.7.json b/tests/_data/schemaTestData/1.7/valid-component-types-1.7.json new file mode 100644 index 000000000..ec39472fd --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-types-1.7.json @@ -0,0 +1,54 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "name": "application-a", + "version": "1.0" + }, + { + "type": "library", + "name": "library-a", + "version": "1.0" + }, + { + "type": "framework", + "name": "framework-a", + "version": "1.0" + }, + { + "type": "container", + "name": "container-a", + "version": "1.0" + }, + { + "type": "operating-system", + "name": "operating-system-a", + "version": "1.0" + }, + { + "type": "firmware", + "name": "firmware-a", + "version": "1.0" + }, + { + "type": "device", + "name": "device-a", + "version": "1.0" + }, + { + "type": "file", + "name": "file-a", + "version": "1.0" + }, + { + "type": "data", + "name": "data-a", + "version": "1.0" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-component-types-1.7.xml b/tests/_data/schemaTestData/1.7/valid-component-types-1.7.xml new file mode 100644 index 000000000..8ac75b41f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-component-types-1.7.xml @@ -0,0 +1,44 @@ + + + + + application-a + 1.0 + + + library-a + 1.0 + + + framework-a + 1.0 + + + container-a + 1.0 + + + operating-system-a + 1.0 + + + firmware-a + 1.0 + + + device-a + 1.0 + + + file-a + 1.0 + + + data-a + 1.0 + + + diff --git a/tests/_data/schemaTestData/1.7/valid-compositions-1.7.json b/tests/_data/schemaTestData/1.7/valid-compositions-1.7.json new file mode 100644 index 000000000..03f475278 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-compositions-1.7.json @@ -0,0 +1,82 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "component": { + "bom-ref": "acme-application-1.0", + "type": "application", + "name": "Acme Application", + "version": "1.0" + } + }, + "components": [ + { + "bom-ref": "pkg:maven/partner/shaded-library@1.0", + "type": "library", + "name": "Partner Shaded Library", + "version": "1.0", + "purl": "pkg:maven/partner/shaded-library@1.0", + "components": [ + { + "bom-ref": "pkg:maven/ossproject/library@2.0", + "type": "library", + "name": "Some Opensource Library", + "version": "2.0", + "purl": "pkg:maven/ossproject/library@2.0" + } + ] + }, + { + "bom-ref": "pkg:maven/acme/library@3.0", + "type": "library", + "name": "Acme Library", + "version": "3.0", + "purl": "pkg:maven/acme/library@3.0" + } + ], + "dependencies": [ + { + "ref": "acme-application-1.0", + "dependsOn": [ + "pkg:maven/partner/shaded-library@1.0", + "pkg:maven/acme/library@3.0" + ] + } + ], + "vulnerabilities": [ + { + "bom-ref": "vulnerability-1", + "id": "ACME-12345", + "source": { + "name": "Acme Inc" + } + } + ], + "compositions": [ + { + "bom-ref": "composition-1", + "aggregate": "complete", + "assemblies": [ + "pkg:maven/partner/shaded-library@1.0" + ], + "dependencies": [ + "acme-application-1.0" + ] + }, + { + "aggregate": "unknown", + "assemblies": [ + "pkg:maven/acme/library@3.0" + ] + }, + { + "aggregate": "incomplete_first_party_only", + "vulnerabilities": [ + "vulnerability-1" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-compositions-1.7.xml b/tests/_data/schemaTestData/1.7/valid-compositions-1.7.xml new file mode 100644 index 000000000..97c29dc1f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-compositions-1.7.xml @@ -0,0 +1,68 @@ + + + + + Acme Application + 1.0 + + + + + Partner Shaded Library + 1.0 + pkg:maven/partner/shaded-library@1.0 + + + Some Opensource Library + 2.0 + pkg:maven/ossproject/library@2.0 + + + + + Acme Library + 3.0 + pkg:maven/acme/library@3.0 + + + + + + + + + + + complete + + + + + + + + + unknown + + + + + + incomplete_first_party_only + + + + + + + + ACME-12345 + + Acme Inc + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.json b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.json new file mode 100644 index 000000000..a2d79c921 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.json @@ -0,0 +1,172 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", + "version": 1, + "metadata": { + "timestamp": "2024-01-09T12:00:00Z", + "component": { + "type": "application", + "name": "my application", + "version": "1.0" + } + }, + "components": [ + { + "name": "google.com", + "type": "cryptographic-asset", + "bom-ref": "c9c7ac91-2115-45e8-ae13-7d0e1dec74be", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "1234567890ABCDEF", + "subjectName": "CN = www.google.com", + "issuerName": "C = US, O = Google Trust Services LLC, CN = GTS CA 1C3", + "notValidBefore": "2016-11-21T08:00:00Z", + "notValidAfter": "2017-11-22T07:59:59Z", + "certificateFormat": "X.509", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4" + }, + "certificateState": [ + { + "state": "active", + "reason": "Certificate is currently valid and in use" + } + ], + "creationDate": "2016-11-21T07:30:00Z", + "activationDate": "2016-11-21T08:00:00Z", + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "6b00f384-6c39-420f-91eb-94de0f7be569RR" + }, + { + "type": "publicKey", + "ref": "ceb37320-8239-40e8-ab77-8798dbd98773" + } + ] + }, + "oid": "2.5.4.3" + } + }, + { + "name": "SHA512withRSA", + "type": "cryptographic-asset", + "bom-ref": "6b00f384-6c39-420f-91eb-94de0f7be569", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "signature", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ + "none" + ], + "padding": "pkcs1v15", + "cryptoFunctions": [ + "sign", + "verify" + ] + }, + "oid": "1.2.840.113549.1.1.13" + } + }, + { + "name": "RSA-2048", + "type": "cryptographic-asset", + "bom-ref": "ceb37320-8239-40e8-ab77-8798dbd98773", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22", + "state": "active", + "size": 2048, + "format": "PEM", + "value": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----", + "creationDate": "2016-11-21T08:00:00Z", + "activationDate": "2016-11-21T08:20:00Z", + "updateDate": "2016-11-21T08:00:00Z", + "expirationDate": "2017-11-22T07:59:59Z", + "securedBy": { + "mechanism": "None" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456" + }, + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "a154af0a-0dca-4ed5-b611-2405a3a6ae47" + } + ] + }, + "oid": "1.2.840.113549.1.1.1" + } + }, + { + "name": "RSA-2048", + "type": "cryptographic-asset", + "bom-ref": "a154af0a-0dca-4ed5-b611-2405a3a6ae47", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "pke", + "algorithmFamily": "RSAES-OAEP", + "parameterSetIdentifier": "2048", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ + "none" + ], + "padding": "oaep", + "cryptoFunctions": [ + "encrypt", + "decrypt" + ] + }, + "oid": "1.2.840.113549.1.1.1" + } + }, + { + "name": "TLS 1.3 Protocol", + "type": "cryptographic-asset", + "bom-ref": "a3553dc1-f376-43d1-89dc-87bb71981c0c", + "cryptoProperties": { + "assetType": "protocol", + "protocolProperties": { + "type": "tls", + "version": "1.3", + "cipherSuites": [ + { + "name": "TLS_AES_256_GCM_SHA384", + "algorithms": [ + "1977d71b-8981-4292-b40d-842a019c2229", + "422fa336-b401-42b7-89b8-8966aa30bca0" + ], + "identifiers": [ + "0x13,0x02" + ] + }, + { + "name": "TLS_CHACHA20_POLY1305_SHA256", + "algorithms": [ + "1af4fc08-5d0d-436e-8058-eeef921983d0", + "6af3066b-ab66-4593-975f-d9ba2c623a89" + ], + "identifiers": [ + "0x13,0x03" + ] + } + ] + }, + "oid": "1.3.6.1.5.5.7.3.1" + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.xml b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.xml new file mode 100644 index 000000000..3ebd1b534 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-1.7.xml @@ -0,0 +1,171 @@ + + + + 2024-01-09T12:00:00Z + + my application + 1.0 + + + + + google.com + + certificate + + 1234567890ABCDEF + CN = www.google.com + C = US, O = Google Trust Services LLC, CN = GTS CA 1C3 + 2016-11-21T08:00:00Z + 2017-11-22T07:59:59Z + X.509 + crt + + 1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4 + + + active + Certificate is currently valid and in use + + 2016-11-21T07:30:00Z + 2016-11-21T08:00:00Z + + + algorithm + 6b00f384-6c39-420f-91eb-94de0f7be569RR + + + publicKey + ceb37320-8239-40e8-ab77-8798dbd98773 + + + + 2.5.4.3 + + + + + SHA512withRSA + + algorithm + + signature + software-plain-ram + x86_64 + none + pkcs1v15 + + sign + verify + + + 1.2.840.113549.1.1.13 + + + + + RSA-2048 + + related-crypto-material + + public-key + 2e9ef09e-dfac-4526-96b4-d02f31af1b22 + active + 2016-11-21T08:00:00Z + 2016-11-21T08:20:00Z + 2016-11-21T08:00:00Z + 2017-11-22T07:59:59Z + + + 2048 + PEM + + None + + + a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 + + + + algorithm + a154af0a-0dca-4ed5-b611-2405a3a6ae47 + + + + 1.2.840.113549.1.1.1 + + + + + RSA-2048 + + algorithm + + pke + RSAES-OAEP + 2048 + software-plain-ram + x86_64 + none + oaep + + encrypt + decrypt + + + 1.2.840.113549.1.1.1 + + + + + TLS 1.3 Protocol + + protocol + + tls + 1.3 + + + TLS_AES_256_GCM_SHA384 + + 1977d71b-8981-4292-b40d-842a019c2229 + 422fa336-b401-42b7-89b8-8966aa30bca0 + + + 0x13,0x02 + + + + TLS_CHACHA20_POLY1305_SHA256 + + 1af4fc08-5d0d-436e-8058-eeef921983d0 + 6af3066b-ab66-4593-975f-d9ba2c623a89 + + + 0x13,0x03 + + + + + 1.3.6.1.5.5.7.3.1 + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.json b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.json new file mode 100644 index 000000000..ffb8258ad --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.json @@ -0,0 +1,285 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479", + "version": 1, + "metadata": { + "timestamp": "2024-01-15T14:30:00Z", + "component": { + "type": "application", + "name": "enterprise-security-app", + "version": "2.1.0" + } + }, + "components": [ + { + "name": "revoked-internal-ca.example.com", + "type": "cryptographic-asset", + "bom-ref": "840ADC47-55CD-44C6-A306-B37A9149B066", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "ABCDEF1234567890FEDCBA", + "subjectName": "CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US", + "issuerName": "CN = Example Root CA, O = Example Corp, C = US", + "notValidBefore": "2023-01-01T00:00:00Z", + "notValidAfter": "2025-12-31T23:59:59Z", + "certificateFormat": "X.509", + "certificateFileExtension": "pem", + "fingerprint": { + "alg": "SHA-256", + "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "certificateState": [ + { + "state": "revoked", + "reason": "Certificate was compromised due to private key exposure in security incident #2024-001" + } + ], + "creationDate": "2022-12-15T10:00:00Z", + "activationDate": "2023-01-01T00:00:00Z", + "revocationDate": "2024-01-10T15:45:30Z", + "certificateExtensions": [ + { + "commonExtensionName": "basicConstraints", + "commonExtensionValue": "CA:TRUE, pathlen:2" + }, + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "Certificate Sign, CRL Sign, Digital Signature" + }, + { + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "TLS Web Server Authentication, TLS Web Client Authentication" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100" + }, + { + "commonExtensionName": "authorityKeyIdentifier", + "commonExtensionValue": "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + }, + { + "commonExtensionName": "subjectKeyIdentifier", + "commonExtensionValue": "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + }, + { + "commonExtensionName": "crlDistributionPoints", + "commonExtensionValue": "URI:http://crl.example.com/root-ca.crl" + }, + { + "commonExtensionName": "authorityInformationAccess", + "commonExtensionValue": "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt" + }, + { + "commonExtensionName": "certificatePolicies", + "commonExtensionValue": "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps" + }, + { + "customExtensionName": "organizationalSecurityLevel", + "customExtensionValue": "HIGH" + }, + { + "customExtensionName": "incidentTrackingId", + "customExtensionValue": "SEC-2024-001" + }, + { + "customExtensionName": "complianceFramework", + "customExtensionValue": "SOX, PCI-DSS Level 1, ISO 27001" + } + ], + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" + }, + { + "type": "publicKey", + "ref": "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408" + } + ] + }, + "oid": "2.5.4.3" + } + }, + { + "name": "active-server.example.com", + "type": "cryptographic-asset", + "bom-ref": "4497B977-4D07-4245-9457-C2CF37FF399A", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "1122334455667788AABBCCDD", + "subjectName": "CN = server.example.com, OU = Web Services, O = Example Corp, C = US", + "issuerName": "CN = Example Intermediate CA, O = Example Corp, C = US", + "notValidBefore": "2024-01-01T00:00:00Z", + "notValidAfter": "2025-01-01T23:59:59Z", + "certificateFormat": "X.509", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "certificateState": [ + { + "name": "monitored", + "description": "Certificate is under enhanced monitoring due to recent security incidents", + "reason": "Proactive monitoring following organizational security policy updates" + } + ], + "creationDate": "2023-12-20T09:00:00Z", + "activationDate": "2024-01-01T00:00:00Z", + "certificateExtensions": [ + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "Digital Signature, Key Encipherment" + }, + { + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "TLS Web Server Authentication" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com" + }, + { + "commonExtensionName": "signedCertificateTimestamp", + "commonExtensionValue": "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..." + }, + { + "customExtensionName": "deploymentEnvironment", + "customExtensionValue": "PRODUCTION" + }, + { + "customExtensionName": "businessCriticality", + "customExtensionValue": "CRITICAL" + }, + { + "customExtensionName": "autoRenewalEnabled", + "customExtensionValue": "true" + } + ], + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "14478B86-9306-45B5-BA2A-1660B723244C" + }, + { + "type": "publicKey", + "ref": "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D" + } + ] + }, + "oid": "2.5.4.3" + } + }, + { + "name": "RSA-SHA256", + "type": "cryptographic-asset", + "bom-ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "signature", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "padding": "pkcs1v15", + "cryptoFunctions": [ + "sign", + "verify" + ] + }, + "oid": "1.2.840.113549.1.1.11" + } + }, + { + "name": "ECDSA-P256", + "type": "cryptographic-asset", + "bom-ref": "14478B86-9306-45B5-BA2A-1660B723244C", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "signature", + "curve": "secp256r1", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["fips140-3-l1"], + "cryptoFunctions": [ + "sign", + "verify" + ] + }, + "oid": "1.2.840.10045.4.3.2" + } + }, + { + "name": "RSA-4096-Revoked-CA-Key", + "type": "cryptographic-asset", + "bom-ref": "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "revoked-ca-key-2024", + "state": "compromised", + "size": 4096, + "format": "PEM", + "value": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA...\n-----END PUBLIC KEY-----", + "creationDate": "2022-12-15T10:00:00Z", + "activationDate": "2023-01-01T00:00:00Z", + "updateDate": "2024-01-10T15:45:30Z", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" + } + ] + }, + "oid": "1.2.840.113549.1.1.1" + } + }, + { + "name": "ECDSA-P256-Server-Key", + "type": "cryptographic-asset", + "bom-ref": "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "server-key-2024", + "state": "active", + "size": 256, + "format": "PEM", + "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...\n-----END PUBLIC KEY-----", + "creationDate": "2023-12-20T09:00:00Z", + "activationDate": "2024-01-01T00:00:00Z", + "expirationDate": "2025-01-01T23:59:59Z", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456" + }, + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "14478B86-9306-45B5-BA2A-1660B723244C" + } + ] + }, + "oid": "1.2.840.10045.2.1" + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.xml b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.xml new file mode 100644 index 000000000..334c46d1e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-certificate-advanced-1.7.xml @@ -0,0 +1,260 @@ + + + + 2024-01-15T14:30:00Z + + enterprise-security-app + 2.1.0 + + + + + revoked-internal-ca.example.com + + certificate + + ABCDEF1234567890FEDCBA + CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US + CN = Example Root CA, O = Example Corp, C = US + 2023-01-01T00:00:00Z + 2025-12-31T23:59:59Z + X.509 + pem + 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + + revoked + Certificate was compromised due to private key exposure in security incident #2024-001 + + 2022-12-15T10:00:00Z + 2023-01-01T00:00:00Z + 2024-01-10T15:45:30Z + + + basicConstraints + CA:TRUE, pathlen:2 + + + keyUsage + Certificate Sign, CRL Sign, Digital Signature + + + extendedKeyUsage + TLS Web Server Authentication, TLS Web Client Authentication + + + subjectAlternativeName + DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100 + + + authorityKeyIdentifier + keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14 + + + subjectKeyIdentifier + A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14 + + + crlDistributionPoints + URI:http://crl.example.com/root-ca.crl + + + authorityInformationAccess + OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt + + + certificatePolicies + Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps + + + organizationalSecurityLevel + HIGH + + + incidentTrackingId + SEC-2024-001 + + + complianceFramework + SOX, PCI-DSS Level 1, ISO 27001 + + + + + algorithm + 2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8 + + + publicKey + ACCAF8BC-5F73-4869-A3FE-1C64E8D96408 + + + + 2.5.4.3 + + + + active-server.example.com + + certificate + + 1122334455667788AABBCCDD + CN = server.example.com, OU = Web Services, O = Example Corp, C = US + CN = Example Intermediate CA, O = Example Corp, C = US + 2024-01-01T00:00:00Z + 2025-01-01T23:59:59Z + X.509 + crt + 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + + monitored + Certificate is under enhanced monitoring due to recent security incidents + Proactive monitoring following organizational security policy updates + + 2023-12-20T09:00:00Z + 2024-01-01T00:00:00Z + + + keyUsage + Digital Signature, Key Encipherment + + + extendedKeyUsage + TLS Web Server Authentication + + + subjectAlternativeName + DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com + + + signedCertificateTimestamp + Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100... + + + deploymentEnvironment + PRODUCTION + + + businessCriticality + CRITICAL + + + autoRenewalEnabled + true + + + + + algorithm + 14478B86-9306-45B5-BA2A-1660B723244C + + + publicKey + F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D + + + + 2.5.4.3 + + + + RSA-SHA256 + + algorithm + + signature + software-plain-ram + x86_64 + pkcs1v15 + + sign + verify + + + 1.2.840.113549.1.1.11 + + + + ECDSA-P256 + + algorithm + + signature + secp256r1 + software-plain-ram + x86_64 + fips140-3-l1 + + sign + verify + + + 1.2.840.10045.4.3.2 + + + + RSA-4096-Revoked-CA-Key + + related-crypto-material + + public-key + revoked-ca-key-2024 + compromised + 2022-12-15T10:00:00Z + 2023-01-01T00:00:00Z + 2024-01-10T15:45:30Z + + 4096 + PEM + + HSM + aes-256-gcm-ref + + 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + + + algorithm + 2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8 + + + + 1.2.840.113549.1.1.1 + + + + ECDSA-P256-Server-Key + + related-crypto-material + + public-key + server-key-2024 + active + 2023-12-20T09:00:00Z + 2024-01-01T00:00:00Z + 2025-01-01T23:59:59Z + + 256 + PEM + + HSM + aes-256-gcm-ref + + d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456 + + + algorithm + 14478B86-9306-45B5-BA2A-1660B723244C + + + + 1.2.840.10045.2.1 + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.json b/tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.json new file mode 100644 index 000000000..d03b237e1 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.json @@ -0,0 +1,292 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "cryptographic-asset", + "bom-ref": "asset-1", + "name": "Name here", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "key-agree", + "algorithmFamily": "ECDH", + "parameterSetIdentifier": "128", + "ellipticCurve": "brainpool/brainpoolP160r1", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["fips140-3-l4"], + "mode": "gcm", + "padding": "pkcs5", + "cryptoFunctions": [ + "keygen", + "keyderive" + ], + "classicalSecurityLevel": 96, + "nistQuantumSecurityLevel": 0 + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-2", + "name": "Example Certificate with All Properties", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3", + "subjectName": "CN=example.com, O=Example Corp, C=US", + "issuerName": "CN=Example CA, O=Example Trust Services, C=US", + "notValidBefore": "2022-01-01T00:00:00.000Z", + "notValidAfter": "2024-01-01T00:00:00.000Z", + "signatureAlgorithmRef": "bom-ref-to-algorithm", + "subjectPublicKeyRef": "bom-ref-to-public-key", + "certificateFormat": "X.509", + "certificateExtension": "crt", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + "certificateState": [ + { + "state": "pre-activation", + "reason": "Certificate created but not yet active" + }, + { + "state": "active", + "reason": "Certificate in active use for TLS connections" + }, + { + "state": "suspended", + "reason": "Temporary suspension due to security audit" + }, + { + "state": "deactivated", + "reason": "Replaced by new certificate" + }, + { + "state": "revoked", + "reason": "Private key compromise suspected" + }, + { + "state": "destroyed", + "reason": "Certificate and associated keys securely destroyed" + } + ], + "creationDate": "2022-01-01T00:00:00.000Z", + "activationDate": "2022-01-02T00:00:00.000Z", + "deactivationDate": "2023-12-31T23:59:59.000Z", + "revocationDate": "2024-01-01T00:00:00.000Z", + "destructionDate": "2024-01-02T00:00:00.000Z", + "certificateExtensions": [ + { + "commonExtensionName": "basicConstraints", + "commonExtensionValue": "CA:FALSE, pathlen:0" + }, + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "digitalSignature, keyEncipherment" + }, + { + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "serverAuth, clientAuth" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:example.com, DNS:www.example.com" + }, + { + "commonExtensionName": "authorityKeyIdentifier", + "commonExtensionValue": "keyid:12:34:56:78:90:AB:CD:EF" + }, + { + "commonExtensionName": "subjectKeyIdentifier", + "commonExtensionValue": "AA:BB:CC:DD:EE:FF:00:11" + }, + { + "commonExtensionName": "authorityInformationAccess", + "commonExtensionValue": "OCSP - URI:http://ocsp.example.com" + }, + { + "commonExtensionName": "certificatePolicies", + "commonExtensionValue": "Policy: 2.23.140.1.2.1" + }, + { + "commonExtensionName": "crlDistributionPoints", + "commonExtensionValue": "URI:http://crl.example.com/root.crl" + }, + { + "commonExtensionName": "signedCertificateTimestamp", + "commonExtensionValue": "Signed by Example CT log at 2022-01-01T00:00:00Z" + }, + { + "customExtensionName": "someCustomExtension", + "customExtensionValue": "Custom value for this extension" + } + ], + "relatedCryptographicAssets": [ + { + "type": "publicKey", + "ref": "public-key-ref" + }, + { + "type": "privateKey", + "ref": "private-key-ref" + }, + { + "type": "algorithm", + "ref": "signing-algorithm-ref" + } + ] + }, + "oid": "oid:2.5.4.3" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-3", + "name": "Example Protocol with All Properties", + "cryptoProperties": { + "assetType": "protocol", + "protocolProperties": { + "type": "tls", + "version": "1.3", + "cipherSuites": [ + { + "name": "TLS_AES_128_GCM_SHA256", + "algorithms": [ + "aes-128-gcm-ref", + "sha256-ref" + ], + "identifiers": [ + "0x1301" + ], + "tlsGroups": [ + "x25519", + "secp256r1", + "secp384r1", + "secp521r1", + "ffdhe2048", + "ffdhe3072" + ], + "tlsSignatureSchemes": [ + "ecdsa_secp256r1_sha256", + "ecdsa_secp384r1_sha384", + "ecdsa_secp521r1_sha512", + "rsa_pss_rsae_sha256", + "rsa_pss_rsae_sha384", + "rsa_pss_rsae_sha512", + "ed25519", + "ed448" + ] + }, + { + "name": "TLS_AES_256_GCM_SHA384", + "algorithms": [ + "aes-256-gcm-ref", + "sha384-ref" + ], + "identifiers": [ + "0x1302" + ] + }, + { + "name": "TLS_CHACHA20_POLY1305_SHA256", + "algorithms": [ + "chacha20-poly1305-ref", + "sha256-ref" + ], + "identifiers": [ + "0x1303" + ] + } + ], + "ikev2TransformTypes": { + "encr": [ + { + "name": "AES-128-GCM", + "keyLength": 128, + "algorithm": "aes-128-gcm-ref" + } + ], + "prf": [ + { + "name": "SHA-256", + "algorithm": "sha256-ref" + } + ], + "integ": [ + { + "name": "SHA-256", + "algorithm": "sha256-ref" + } + ], + "ke": [ + { + "group": 14, + "algorithm": "diffie-hellman-group14-sha256-ref" + } + ], + "esn": true, + "auth": [ + { + "name": "ECDSA", + "algorithm": "ecdsa_secp256r1_sha256" + } + ] + } + }, + "oid": "oid:1.3.6.1.5.5.7.3.1" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-4", + "name": "Example Related Crypto Material with All Properties", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "key-12345-67890", + "state": "active", + "algorithmRef": "rsa-4096-ref", + "creationDate": "2024-01-01T00:00:00.000Z", + "activationDate": "2024-01-02T00:00:00.000Z", + "updateDate": "2024-01-03T00:00:00.000Z", + "expirationDate": "2026-01-01T00:00:00.000Z", + "value": "-----BEGIN PUBLIC KEY-----", + "size": 4096, + "format": "PKCS#8", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + }, + "relatedCryptographicAssets": [ + { + "type": "publicKey", + "ref": "corresponding-public-key-ref" + }, + { + "type": "certificate", + "ref": "certificate-using-this-key-ref" + }, + { + "type": "algorithm", + "ref": "rsa-4096-ref" + } + ] + }, + "oid": "oid:1.2.840.113549.1.1.1" + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.xml b/tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.xml new file mode 100644 index 000000000..7201e741b --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-full-1.7.xml @@ -0,0 +1,268 @@ + + + + + Name here + + algorithm + + key-agree + ECDH + 128 + brainpool/brainpoolP160r1 + brainpool/brainpoolP160r1 + software-plain-ram + x86_64 + fips140-3-l4 + gcm + pkcs5 + + keygen + keyderive + + 96 + 0 + + oid:1.2.3.4.5.6.7.8.9 + + + + Example Certificate with All Properties + + certificate + + 0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3 + CN=example.com, O=Example Corp, C=US + CN=Example CA, O=Example Trust Services, C=US + 2022-01-01T00:00:00.000Z + 2024-01-01T00:00:00.000Z + bom-ref-to-algorithm + bom-ref-to-public-key + X.509 + crt + crt + 3942447fac867ae5cdb3229b658f4d48 + + pre-activation + Certificate created but not yet active + + + active + Certificate in active use for TLS connections + + + suspended + Temporary suspension due to security audit + + + deactivated + Replaced by new certificate + + + revoked + Private key compromise suspected + + + destroyed + Certificate and associated keys securely destroyed + + 2022-01-01T00:00:00.000Z + 2022-01-02T00:00:00.000Z + 2023-12-31T23:59:59.000Z + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + + + basicConstraints + CA:FALSE, pathlen:0 + + + keyUsage + digitalSignature, keyEncipherment + + + extendedKeyUsage + serverAuth, clientAuth + + + subjectAlternativeName + DNS:example.com, DNS:www.example.com + + + authorityKeyIdentifier + keyid:12:34:56:78:90:AB:CD:EF + + + subjectKeyIdentifier + AA:BB:CC:DD:EE:FF:00:11 + + + authorityInformationAccess + OCSP - URI:http://ocsp.example.com + + + certificatePolicies + Policy: 2.23.140.1.2.1 + + + crlDistributionPoints + URI:http://crl.example.com/root.crl + + + signedCertificateTimestamp + Signed by Example CT log at 2022-01-01T00:00:00Z + + + + someCustomExtension + Custom value for this extension + + + + + publicKey + public-key-ref + + + privateKey + private-key-ref + + + algorithm + signing-algorithm-ref + + + + oid:2.5.4.3 + + + + Example Protocol with All Properties + + protocol + + tls + 1.3 + + + TLS_AES_128_GCM_SHA256 + + aes-128-gcm-ref + sha256-ref + + + 0x1301 + + + x25519 + secp256r1 + secp384r1 + secp521r1 + ffdhe2048 + ffdhe3072 + + + ecdsa_secp256r1_sha256 + ecdsa_secp384r1_sha384 + ecdsa_secp521r1_sha512 + rsa_pss_rsae_sha256 + rsa_pss_rsae_sha384 + rsa_pss_rsae_sha512 + ed25519 + ed448 + + + + TLS_AES_256_GCM_SHA384 + + aes-256-gcm-ref + sha384-ref + + + 0x1302 + + + + TLS_CHACHA20_POLY1305_SHA256 + + chacha20-poly1305-ref + sha256-ref + + + 0x1303 + + + + + + AES-128-GCM + 128 + aes-128-gcm-ref + + + SHA-256 + sha256-ref + + + SHA-256 + sha256-ref + + + 14 + diffie-hellman-group14-sha256-ref + + true + + ECDSA + ecdsa_secp256r1_sha256 + + + + oid:1.3.6.1.5.5.7.3.1 + + + + Example Related Crypto Material with All Properties + + related-crypto-material + + public-key + key-12345-67890 + active + rsa-4096-ref + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + 2024-01-03T00:00:00.000Z + 2026-01-01T00:00:00.000Z + -----BEGIN PUBLIC KEY----- + 4096 + PKCS#8 + + HSM + aes-256-gcm-ref + + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + + + + publicKey + corresponding-public-key-ref + + + certificate + certificate-using-this-key-ref + + + algorithm + rsa-4096-ref + + + + oid:1.2.840.113549.1.1.1 + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.json b/tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.json new file mode 100644 index 000000000..816ecf739 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.json @@ -0,0 +1,114 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "cryptographic-asset", + "bom-ref": "asset-1", + "name": "Name here", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "ae", + "parameterSetIdentifier": "128", + "curve": "brainpoolP160r1", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["fips140-1-l4"], + "mode": "gcm", + "padding": "pkcs5", + "cryptoFunctions": [ + "keygen", + "encrypt", + "decrypt", + "tag" + ], + "classicalSecurityLevel": 128, + "nistQuantumSecurityLevel": 1 + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-2", + "name": "Name here", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "subjectName": "Subject name here", + "issuerName": "Issuer name here", + "notValidBefore": "2022-01-01T00:00:00.000Z", + "notValidAfter": "2024-01-01T00:00:00.000Z", + "signatureAlgorithmRef": "bom-ref-to-algorithm", + "subjectPublicKeyRef": "bom-ref-to-public-key", + "certificateFormat": "X.509", + "certificateExtension": "crt" + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-3", + "name": "Name here", + "cryptoProperties": { + "assetType": "protocol", + "protocolProperties": { + "type": "tls", + "version": "1.3", + "cipherSuites": [ + { + "name": "TLS_DHE_RSA_WITH_AES_128_CCM", + "algorithms": [ + "bom-ref-to-algorithm" + ], + "identifiers": [ + "0xC0" + ] + } + ], + "ikev2TransformTypes": { + "encr": ["bom-ref-to-encr"], + "prf": ["bom-ref-to-prf"], + "integ": ["bom-ref-to-integ"], + "ke": ["bom-ref-to-ke"], + "esn": true, + "auth": ["bom-ref-to-auth"] + }, + "cryptoRefArray": ["asset-4"] + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + }, + { + "type": "cryptographic-asset", + "bom-ref": "asset-4", + "name": "Name here", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "private-key", + "id": "12345", + "state": "active", + "algorithmRef": "bom-ref-to-algorithm", + "creationDate": "2024-01-01T00:00:00.000Z", + "activationDate": "2024-01-02T00:00:00.000Z", + "updateDate": "2024-01-03T00:00:00.000Z", + "expirationDate": "2024-01-04T00:00:00.000Z", + "value": "Value here", + "size": 1024, + "format": "PEM", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "bom-ref-to-algorithm" + } + }, + "oid": "oid:1.2.3.4.5.6.7.8.9" + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.xml b/tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.xml new file mode 100644 index 000000000..565c07ef7 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-full-deprecated-1.7.xml @@ -0,0 +1,120 @@ + + + + + Name here + + algorithm + + ae + 128 + brainpoolP160r1 + software-plain-ram + x86_64 + fips140-1-l4 + gcm + pkcs5 + + keygen + encrypt + decrypt + tag + + 128 + 1 + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + certificate + + Subject name here + Issuer name here + 2022-01-01T00:00:00.000Z + 2024-01-01T00:00:00.000Z + bom-ref-to-algorithm + bom-ref-to-public-key + X.509 + crt + + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + bom-ref-to-encr + bom-ref-to-prf + bom-ref-to-integ + bom-ref-to-ke + true + bom-ref-to-auth + + asset-4 + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + protocol + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + related-crypto-material + + private-key + 12345 + active + bom-ref-to-algorithm + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + 2024-01-03T00:00:00.000Z + 2024-01-04T00:00:00.000Z + Value here + 1024 + PEM + + HSM + bom-ref-to-algorithm + + + oid:1.2.3.4.5.6.7.8.9 + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.json b/tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.json new file mode 100644 index 000000000..c34a83517 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.json @@ -0,0 +1,135 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", + "version": 1, + "metadata": { + "timestamp": "2025-07-09T12:00:00Z", + "component": { + "type": "application", + "name": "my application", + "version": "1.0" + } + }, + "components": [ + { + "type": "cryptographic-asset", + "name": "AES-128-GCM-128-12", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "AES", + "primitive": "ae", + "parameterSetIdentifier": "128", + "mode": "gcm", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["none"], + "cryptoFunctions": [ + "keygen", + "encrypt", + "decrypt", + "tag" + ], + "classicalSecurityLevel": 128, + "nistQuantumSecurityLevel": 1 + }, + "oid": "2.16.840.1.101.3.4.1.6" + } + }, + { + "name": "RSA-PKCS1-1.5-SHA512-2048", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "RSASSA-PKCS1", + "primitive": "signature", + "parameterSetIdentifier": "512", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["none"], + "cryptoFunctions": [ + "sign", + "verify" + ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.2.840.113549.1.1.13" + } + }, + { + "name": "ECDH-secp521r1", + "bom-ref": "ecdhsecp521r1", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "ECDH", + "ellipticCurve": "secg/secp521r1", + "primitive": "key-agree", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["none"], + "cryptoFunctions": [ + "keygen", + "keyderive" + ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.3.132.0.35" + } + }, + { + "name": "ML-KEM-1024", + "bom-ref": "mlkem1024", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "ML-KEM", + "primitive": "kem", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["none"], + "cryptoFunctions": [ + "keygen", + "keyderive" + ], + "nistQuantumSecurityLevel": 5 + }, + "oid": "2.16.840.1.101.3.4.1.48" + } + }, + { + "name": "draft-ietf-tls-hybrid-design-13", + "bom-ref": "draftietftlshybriddesign13", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "combiner", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["none"], + "cryptoFunctions": [ + "keygen", + "keyderive" + ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.3.101.110" + } + } + ], + "dependencies": [ + { + "ref": "draftietftlshybriddesign13", + "dependsOn": [ + "mlkem1024", + "ecdhsecp521r1" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.xml b/tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.xml new file mode 100644 index 000000000..9090229ea --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-cryptography-implementation-1.7.xml @@ -0,0 +1,115 @@ + + + + + Acme Application + 1.0 + + + + + AES + + algorithm + + ae + 128 + software-plain-ram + x86_64 + none + gcm + + keygen + encrypt + decrypt + tag + + 128 + 1 + + 2.16.840.1.101.3.4.1.6 + + + + ECDH-secp521r1 + + algorithm + + key-agree + ECDH + secg/secp521r1 + software-plain-ram + x86_64 + none + + keygen + keyderive + + 0 + + 1.3.132.0.35 + + + + ML-KEM-1024 + + algorithm + + kem + ML-KEM + software-plain-ram + x86_64 + none + + keygen + keyderive + + 5 + + 2.16.840.1.101.3.4.1.48 + + + + draft-ietf-tls-hybrid-design-13 + + algorithm + + combiner + software-plain-ram + x86_64 + none + + keygen + keyderive + + 0 + + 1.3.101.110 + + + + Crypto library + 1.0.0 + + + Some library + 1.0.0 + + + + + + + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-dependency-1.7.json b/tests/_data/schemaTestData/1.7/valid-dependency-1.7.json new file mode 100644 index 000000000..4b4d48a8f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-dependency-1.7.json @@ -0,0 +1,39 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "library-a", + "type": "library", + "name": "library-a", + "version": "1.0.0" + }, + { + "bom-ref": "library-b", + "type": "library", + "name": "library-b", + "version": "1.0.0" + }, + { + "bom-ref": "library-c", + "type": "library", + "name": "library-c", + "version": "1.0.0" + } + ], + "dependencies": [ + { + "ref": "library-a", + "dependsOn": [] + }, + { + "ref": "library-b", + "dependsOn": [ + "library-c" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-dependency-1.7.xml b/tests/_data/schemaTestData/1.7/valid-dependency-1.7.xml new file mode 100644 index 000000000..3fbe13b67 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-dependency-1.7.xml @@ -0,0 +1,26 @@ + + + + + library-a + 1.0.0 + + + library-b + 1.0.0 + + + library-c + 1.0.0 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-empty-components-1.7.json b/tests/_data/schemaTestData/1.7/valid-empty-components-1.7.json new file mode 100644 index 000000000..8c3ca406e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-empty-components-1.7.json @@ -0,0 +1,9 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-empty-components-1.7.xml b/tests/_data/schemaTestData/1.7/valid-empty-components-1.7.xml new file mode 100644 index 000000000..1e4afd780 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-empty-components-1.7.xml @@ -0,0 +1,8 @@ + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-evidence-1.7.json b/tests/_data/schemaTestData/1.7/valid-evidence-1.7.json new file mode 100644 index 000000000..d7360f79f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-evidence-1.7.json @@ -0,0 +1,160 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "group": "com.google.code.findbugs", + "name": "findbugs-project", + "version": "3.0.0", + "licenses": [ + { + "license": { + "id": "LGPL-3.0-or-later", + "url": "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + } + } + ], + "purl": "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "findbugs-project-3.0.0.jar" + }, + { + "technique": "ast-fingerprint", + "confidence": 0.9, + "value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + }, + { + "technique": "hash-comparison", + "confidence": 0.7, + "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + } + ], + "tools": [ + "bom-ref-of-tool-that-performed-analysis" + ] + }, + "occurrences": [ + { + "bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079", + "location": "/path/to/component" + }, + { + "bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175", + "location": "/another/path/to/component" + } + ], + "callstack": { + "frames": [ + { + "package": "com.apache.logging.log4j.core", + "module": "Logger.class", + "function": "logMessage", + "parameters": [ + "com.acme.HelloWorld", + "Level.INFO", + "null", + "Hello World" + ], + "line": 150, + "column": 17, + "fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + }, + { + "module": "HelloWorld.class", + "function": "main", + "line": 20, + "column": 12, + "fullFilename": "/path/to/HelloWorld.class" + } + ] + }, + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "url": "http://www.apache.org/licenses/LICENSE-2.0" + } + }, + { + "license": { + "id": "LGPL-2.1-only", + "url": "https://opensource.org/licenses/LGPL-2.1" + } + } + ], + "copyright": [ + { + "text": "Copyright 2012 Google Inc. All Rights Reserved." + }, + { + "text": "Copyright (C) 2004,2005 Dave Brosius " + }, + { + "text": "Copyright (C) 2005 William Pugh" + }, + { + "text": "Copyright (C) 2004,2005 University of Maryland" + } + ] + } + }, + { + "type": "application", + "group": "com.example", + "name": "example-project", + "version": "1.0.0", + "purl": "pkg:maven/com.example/example-project@1.0.0", + "evidence": { + "identity": [ + { + "field": "group", + "confidence": 0.1, + "concludedValue": "com.example", + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + }, + { + "field": "name", + "confidence": 0.1, + "concludedValue": "example-project", + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + }, + { + "field": "version", + "confidence": 0.1, + "concludedValue": "1.0.0", + "methods": [ + { + "technique": "filename", + "confidence": 0.1, + "value": "example-project-1.0.0.jar" + } + ] + } + ] + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-evidence-1.7.xml b/tests/_data/schemaTestData/1.7/valid-evidence-1.7.xml new file mode 100644 index 000000000..75272be14 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-evidence-1.7.xml @@ -0,0 +1,139 @@ + + + + + com.google.code.findbugs + findbugs-project + 3.0.0 + + + LGPL-3.0-or-later + https://www.gnu.org/licenses/lgpl-3.0-standalone.html + + + pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0 + + + purl + 1 + + + filename + 0.1 + findbugs-project-3.0.0.jar + + + ast-fingerprint + 0.9 + 61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab + + + hash-comparison + 0.7 + 7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf + + + + + + + + + /path/to/component + + + /another/path/to/component + + + + + + com.apache.logging.log4j.core + Logger.class + logMessage + + com.acme.HelloWorld + Level.INFO + null + Hello World + + 150 + 17 + /path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class + + + HelloWorld.class + main + 20 + 12 + /path/to/HelloWorld.class + + + + + + Apache-2.0 + http://www.apache.org/licenses/LICENSE-2.0 + + + LGPL-2.1-only + https://opensource.org/licenses/LGPL-2.1 + + + + + ]]> + + + + + + + com.example + example-project + 1.0.0 + pkg:maven/com.example/example-project@1.0.0 + + + group + 0.1 + com.example + + + filename + 0.1 + example-project-1.0.0.jar + + + + + name + 0.1 + example-project + + + filename + 0.1 + example-project-1.0.0.jar + + + + + version + 0.1 + 1.0.0 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-external-elements-1.7.xml b/tests/_data/schemaTestData/1.7/valid-external-elements-1.7.xml new file mode 100644 index 000000000..27497897f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-external-elements-1.7.xml @@ -0,0 +1,161 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + Banana + + + Banana + + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + Banana + + + Banana + + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + Banana + + + Banana + + + + Banana + + + Banana + + + + + foo + 1.0 + + + Banana + + + Banana + + + + + bar + 1.0 + + + Banana + + + Banana + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + Banana + + + Banana + + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Banana + + + Banana + + + Initial commit + + Banana + + + Banana + + + + Banana + + + Banana + + + Commentary here + + Banana + + + Banana + + + + Banana + + + Banana + + + + Banana + + + Banana + + + + Banana + + + Banana + + diff --git a/tests/_data/schemaTestData/1.7/valid-external-reference-1.7.json b/tests/_data/schemaTestData/1.7/valid-external-reference-1.7.json new file mode 100644 index 000000000..6b9895a33 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-external-reference-1.7.json @@ -0,0 +1,218 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "org.example", + "name": "mylibrary", + "version": "1.0.0", + "externalReferences": [ + { + "type": "advisories", + "url": "https://example.org/security/feed/csaf", + "comment": "Security advisories from the vendor" + }, + { + "type": "bom", + "url": "https://example.org/support/sbom/portal-server/1.0.0", + "comment": "An external SBOM that describes what this component includes", + "hashes": [ + { + "alg": "SHA-256", + "content": "708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313" + } + ] + }, + { + "type": "documentation", + "url": "https://example.org/support/documentation/portal-server/1.0.0", + "comment": "Vendor provided documentation for the product" + } + ] + }, + { + "type": "application", + "name": "dummy", + "description": "this component has all external reference types possible", + "externalReferences": [ + { + "type": "vcs", + "url": "http://example.com/extref/vcs" + }, + { + "type": "issue-tracker", + "url": "http://example.com/extref/issue-tracker" + }, + { + "type": "website", + "url": "http://example.com/extref/website" + }, + { + "type": "advisories", + "url": "http://example.com/extref/advisories" + }, + { + "type": "bom", + "url": "http://example.com/extref/bom" + }, + { + "type": "mailing-list", + "url": "http://example.com/extref/mailing-list" + }, + { + "type": "social", + "url": "http://example.com/extref/social" + }, + { + "type": "chat", + "url": "http://example.com/extref/chat" + }, + { + "type": "documentation", + "url": "http://example.com/extref/documentation" + }, + { + "type": "support", + "url": "http://example.com/extref/support" + }, + { + "type": "source-distribution", + "url": "http://example.com/extref/source-distribution" + }, + { + "type": "distribution", + "url": "http://example.com/extref/distribution" + }, + { + "type": "distribution-intake", + "url": "http://example.com/extref/distribution-intake" + }, + { + "type": "license", + "url": "http://example.com/extref/license" + }, + { + "type": "build-meta", + "url": "http://example.com/extref/build-meta" + }, + { + "type": "build-system", + "url": "http://example.com/extref/build-system" + }, + { + "type": "release-notes", + "url": "http://example.com/extref/release-notes" + }, + { + "type": "security-contact", + "url": "http://example.com/extref/security-contact" + }, + { + "type": "model-card", + "url": "http://example.com/extref/model-card" + }, + { + "type": "log", + "url": "http://example.com/extref/log" + }, + { + "type": "configuration", + "url": "http://example.com/extref/configuration" + }, + { + "type": "evidence", + "url": "http://example.com/extref/evidence" + }, + { + "type": "formulation", + "url": "http://example.com/extref/formulation" + }, + { + "type": "attestation", + "url": "http://example.com/extref/attestation" + }, + { + "type": "threat-model", + "url": "http://example.com/extref/threat-model" + }, + { + "type": "adversary-model", + "url": "http://example.com/extref/adversary-model" + }, + { + "type": "risk-assessment", + "url": "http://example.com/extref/risk-assessment" + }, + { + "type": "vulnerability-assertion", + "url": "http://example.com/extref/vulnerability-assertion" + }, + { + "type": "exploitability-statement", + "url": "http://example.com/extref/exploitability-statement" + }, + { + "type": "pentest-report", + "url": "http://example.com/extref/pentest-report" + }, + { + "type": "static-analysis-report", + "url": "http://example.com/extref/static-analysis-report" + }, + { + "type": "dynamic-analysis-report", + "url": "http://example.com/extref/dynamic-analysis-report" + }, + { + "type": "runtime-analysis-report", + "url": "http://example.com/extref/runtime-analysis-report" + }, + { + "type": "component-analysis-report", + "url": "http://example.com/extref/component-analysis-report" + }, + { + "type": "maturity-report", + "url": "http://example.com/extref/maturity-report" + }, + { + "type": "certification-report", + "url": "http://example.com/extref/certification-report" + }, + { + "type": "quality-metrics", + "url": "http://example.com/extref/quality-metrics" + }, + { + "type": "codified-infrastructure", + "url": "http://example.com/extref/codified-infrastructure" + }, + { + "type": "poam", + "url": "http://example.com/extref/poam" + }, + { + "type": "electronic-signature", + "url": "http://example.com/extref/electronic-signature" + }, + { + "type": "digital-signature", + "url": "http://example.com/extref/digital-signature" + }, + { + "type": "rfc-9116", + "url": "http://example.com/extref/rfc-9116" + }, + { + "type": "other", + "url": "http://example.com/extref/other" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-external-reference-1.7.xml b/tests/_data/schemaTestData/1.7/valid-external-reference-1.7.xml new file mode 100644 index 000000000..ff949e459 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-external-reference-1.7.xml @@ -0,0 +1,80 @@ + + + + + Acme Inc + org.example + mylibrary + 1.0.0 + + + https://example.org/security/feed/csaf + Security advisories from the vendor + + + https://example.org/support/sbom/portal-server/1.0.0 + An external SBOM that describes what this component includes + + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + + + + https://example.org/support/documentation/portal-server/1.0.0 + Vendor provided documentation for the product + + + + + dummy + this component has all external reference types possible + + http://example.com/extref/vcs + http://example.com/extref/issue-tracker + http://example.com/extref/website + http://example.com/extref/advisories + http://example.com/extref/bom + http://example.com/extref/mailing-list + http://example.com/extref/social + http://example.com/extref/chat + http://example.com/extref/documentation + http://example.com/extref/support + http://example.com/extref/source-distribution + http://example.com/extref/distribution + http://example.com/extref/distribution-intake + http://example.com/extref/license + http://example.com/extref/build-meta + http://example.com/extref/build-system + http://example.com/extref/release-notes + http://example.com/extref/security-contact + http://example.com/extref/model-card + http://example.com/extref/log + http://example.com/extref/configuration + http://example.com/extref/evidence + http://example.com/extref/formulation + http://example.com/extref/attestation + http://example.com/extref/threat-model + http://example.com/extref/adversary-model + http://example.com/extref/risk-assessment + http://example.com/extref/vulnerability-assertion + http://example.com/extref/exploitability-statement + http://example.com/extref/pentest-report + http://example.com/extref/static-analysis-report + http://example.com/extref/dynamic-analysis-report + http://example.com/extref/runtime-analysis-report + http://example.com/extref/component-analysis-report + http://example.com/extref/maturity-report + http://example.com/extref/certification-report + http://example.com/extref/quality-metrics + http://example.com/extref/codified-infrastructure + http://example.com/extref/poam + http://example.com/extref/electronic-signature + http://example.com/extref/digital-signature + http://example.com/extref/rfc-9116 + http://example.com/extref/other + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.json b/tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.json new file mode 100644 index 000000000..dba73c1db --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.json @@ -0,0 +1,30 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "name": "dummy", + "description": "this component has an external reference with properties", + "externalReferences": [ + { + "type": "component-analysis-report", + "url": "http://example.com/extref/component-analysis-report", + "properties": [ + { + "name": "author", + "value": "John Doe" + }, + { + "name": "timestamp", + "value": "2025-01-27T12:27:26Z" + } + ] + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.xml b/tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.xml new file mode 100644 index 000000000..42966ae78 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-external-reference-properties-1.7.xml @@ -0,0 +1,21 @@ + + + + + dummy + this component has an external reference with properties + + + http://example.com/extref/component-analysis-report + + John Doe + 2025-01-27T12:27:26Z + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-formulation-1.7.json b/tests/_data/schemaTestData/1.7/valid-formulation-1.7.json new file mode 100644 index 000000000..97e6572bc --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-formulation-1.7.json @@ -0,0 +1,301 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "org.example", + "name": "mylibrary", + "version": "1.0.0" + } + ], + "formulation": [ + { + "bom-ref": "formula-1", + "components": [ + { + "bom-ref": "component-1", + "type": "platform", + "name": "Pipeline controller image", + "version": "v0.47.0" + } + ], + "workflows": [ + { + "bom-ref": "workflow-1", + "uid": "8edb2b08-e2c7-11ed-b5ea-0242ac120002", + "name": "My workflow", + "description": "Workflow description here", + "resourceReferences": [ + { + "ref": "component-a" + } + ], + "tasks": [ + { + "bom-ref": "task-1", + "uid": "task-uid-1", + "name": "fetch-repository", + "description": "Description here", + "resourceReferences": [ + { + "ref": "component-a" + } + ], + "taskTypes": [ + "clone", + "build" + ], + "trigger": { + "bom-ref": "trigger-1", + "uid": "trigger-1", + "type": "api" + }, + "steps": [ + { + "name": "My step" + } + ], + "inputs": [ + { + "resource": { + "ref": "component-a" + } + } + ], + "outputs": [ + { + "resource": { + "ref": "component-b" + } + } + ], + "timeStart": "2023-01-01T00:00:00+00:00", + "timeEnd": "2023-01-01T00:00:00+00:00", + "workspaces": [ + { + "bom-ref": "workspace-1", + "uid": "workspace-uid-1", + "name": "workspace" + } + ], + "runtimeTopology": [ + { + "ref": "task-1", + "dependsOn": ["task-2"] + } + ] + } + ], + "taskDependencies": [ + { + "ref": "task-1", + "dependsOn": ["task-2"] + } + ], + "taskTypes": [ + "clone", + "build" + ], + "trigger": { + "bom-ref": "trigger-2", + "uid": "trigger-uid-2", + "name": "My trigger", + "description": "Description here", + "resourceReferences": [ + { + "ref": "component-a" + } + ], + "type": "api", + "event": { + "uid": "event-1", + "description": "Description here", + "timeReceived": "2023-01-01T00:00:00+00:00", + "data": { + "contentType": "text/plain", + "content": "Foo/Bar" + }, + "source": { + "ref": "component-g" + }, + "target": { + "ref": "component-h" + }, + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + "conditions": [ + { + "description": "Description here", + "expression": "1 == 1", + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "timeActivated": "2023-01-01T00:00:00+00:00", + "inputs": [ + { + "resource": { + "ref": "component-10" + }, + "source": { + "ref": "component-11" + }, + "target": { + "ref": "component-12" + } + } + ], + "outputs": [ + { + "resource": { + "ref": "component-14" + }, + "type": "artifact", + "source": { + "ref": "component-15" + }, + "target": { + "ref": "component-16" + } + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + "steps": [ + { + "name": "My step", + "description": "Description here", + "commands": [ + { + "executed": "ls -las", + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ], + "inputs": [ + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + { + "environmentVars": [ + "FooBar" + ] + }, + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + }, + "FooBar" + ] + } + ], + "outputs": [ + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + } + ] + }, + { + "environmentVars": [ + "FooBar" + ] + }, + { + "environmentVars": [ + { + "name": "Foo", + "value": "Bar" + }, + "FooBar" + ] + } + ], + "timeStart": "2023-01-01T00:00:00+00:00", + "timeEnd": "2023-01-01T00:00:10+00:00", + "workspaces": [ + { + "bom-ref": "workspace-2", + "uid": "workspace-1", + "name": "My workspace", + "aliases": ["default-workspace"], + "description": "Description here", + "resourceReferences": [ + { + "ref": "component-t" + } + ], + "accessMode": "read-write", + "mountPath": "/tmp/workspace", + "managedDataType": "ConfigMap", + "volumeRequest": "requestedVolumeClaim", + "volume": { + "uid": "volume-1", + "name": "My volume", + "mode": "filesystem", + "path": "/", + "sizeAllocated": "10GB", + "persistent": true, + "remote": false + } + } + ], + "runtimeTopology": [ + { + "ref": "component-s", + "dependsOn": [ + "component-r" + ] + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + } + ] + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-formulation-1.7.xml b/tests/_data/schemaTestData/1.7/valid-formulation-1.7.xml new file mode 100644 index 000000000..2e92821bf --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-formulation-1.7.xml @@ -0,0 +1,254 @@ + + + + + Acme Inc + org.example + mylibrary + 1.0.0 + + + + + + + Pipeline controller image + v0.47.0 + + + + + 8edb2b08-e2c7-11ed-b5ea-0242ac120002 + My workflow + Workflow description here + + + component-a + + + + + task-uid-1 + fetch-repository + Description here + + + component-a + + + + clone + build + + + trigger-1 + api + + + + My step + + + + + + component-a + + + + + + + component-b + + + + 2023-01-01T00:00:00+00:00 + 2023-01-01T00:00:00+00:00 + + + workspace-uid-1 + workspace + + + + + + + + + + + + + + + + clone + build + + + trigger-uid-2 + My trigger + Description here + + + component-a + + + api + + event-1 + Description here + 2023-01-01T00:00:00+00:00 + Foo/Bar + + component-g + + + component-h + + + Bar + + + + + Description here + 1 == 1 + + Bar + + + + 2023-01-01T00:00:00+00:00 + + + + component-10 + + + component-11 + + + component-12 + + + + + + + component-14 + + artifact + + component-15 + + + component-16 + + + + + Bar + + + + + My step + Description here + + + ls -las + + Bar + + + + + Bar + + + + + + + Bar + + + + + FooBar + + + + + Bar + FooBar + + + + + + + Bar + + + + + FooBar + + + + + Bar + FooBar + + + + 2023-01-01T00:00:00+00:00 + 2023-01-01T00:00:10+00:00 + + + workspace-1 + My workspace + + default-workspace + + Description here + + + component-t + + + read-write + /tmp/workspace + ConfigMap + requestedVolumeClaim + + volume-1 + My volume + filesystem + / + 10GB + true + false + + + + + + + + + + Bar + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-choice-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-choice-1.7.json new file mode 100644 index 000000000..295ab6b8b --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-choice-1.7.json @@ -0,0 +1,45 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:b1ef52c6-7cd8-43d5-9e42-5e69044bbe9e", + "version": 1, + "components": [ + { + "type": "application", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" + }, + { + "license": { + "name": "My Own License", + "text": { + "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." + } + } + }, + { + "expression": "LicenseRef-MIT-Style-2", + "expressionDetails": [ + { + "licenseIdentifier": "LicenseRef-MIT-Style-2", + "url": "https://example.com/license" + } + ] + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-choice-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-choice-1.7.xml new file mode 100644 index 000000000..d38c2bd2f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-choice-1.7.xml @@ -0,0 +1,32 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + + Apache-2.0 + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + My Own License + + + +
+ https://example.com/license +
+ + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.json new file mode 100644 index 000000000..77e9ab797 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.json @@ -0,0 +1,167 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:df628836-6b9b-41c9-a724-b44743c54d42", + "version": 1, + "metadata": { + "lifecycles": [ + { + "phase": "design" + } + ] + }, + "components": [ + { + "type": "library", + "group": "com.example", + "name": "situation-A", + "version": "1", + "description": "Multiple licenses: declared ids/names, and a concluded expression", + "licenses": [ + { + "license": { + "id": "MIT", + "acknowledgement": "declared" + } + }, + { + "license": { + "id": "PostgreSQL", + "acknowledgement": "declared" + } + }, + { + "license": { + "name": "Apache Software License", + "acknowledgement": "declared" + } + }, + { + "expression": "(MIT OR PostgreSQL OR Apache-2.0)", + "acknowledgement": "concluded" + } + ] + }, + { + "type": "library", + "group": "com.example", + "name": "situation-B", + "version": "1", + "description": "Multiple license expressions: one declared, one concluded", + "licenses": [ + { + "expression": "MIT OR (GPL-3.0 OR GPL-2.0)", + "acknowledgement": "declared" + }, + { + "expression": "(GPL-3.0-only AND LGPL-2.0-only)", + "acknowledgement": "concluded" + } + ] + }, + { + "type": "library", + "group": "com.example", + "name": "situation-C", + "version": "1", + "description": "Multiple license: one declared expression, one concluded id", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0", + "acknowledgement": "declared" + }, + { + "license": { + "id": "GPL-3.0-only", + "acknowledgement": "concluded" + } + } + ] + }, + { + "type": "library", + "group": "com.example", + "name": "situation-D", + "version": "1", + "description": "Multiple license with texts: one declared expression, one concluded id", + "licenses": [ + { + "expression": "GPL-3.0-or-later OR GPL-2.0", + "acknowledgement": "declared", + "expressionDetails": [ + { + "licenseIdentifier": "GPL-3.0-or-later", + "text": { + "content": "specific GPL-3.0-or-later license text" + } + }, + { + "licenseIdentifier": "GPL-2.0", + "text": { + "content": "specific GPL-2.0 license text" + } + } + ] + }, + { + "license": { + "id": "GPL-3.0-only", + "acknowledgement": "concluded", + "text": { + "content": "specific GPL-3.0-or-later license text" + } + } + } + ] + }, + { + "type": "library", + "group": "com.example", + "name": "situation-E", + "version": "1", + "description": "Multiple licenses with urls: declared ids/names, and a concluded expression", + "licenses": [ + { + "license": { + "id": "MIT", + "acknowledgement": "declared", + "url": "https://example.com/licenses/MIT" + } + }, + { + "license": { + "id": "PostgreSQL", + "acknowledgement": "declared", + "url": "https://example.com/licenses/PostgreSQL" + } + }, + { + "license": { + "name": "Apache Software License", + "acknowledgement": "declared", + "url": "https://example.com/licenses/Apache-2.0" + } + }, + { + "expression": "(MIT AND PostgreSQL AND Apache-2.0)", + "acknowledgement": "concluded", + "expressionDetails": [ + { + "licenseIdentifier": "MIT", + "url": "https://example.com/licenses/MIT" + }, + { + "licenseIdentifier": "PostgreSQL", + "url": "https://example.com/licenses/PostgreSQL" + }, + { + "licenseIdentifier": "Apache-2.0", + "url": "https://example.com/licenses/Apache-2.0" + } + ] + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.xml new file mode 100644 index 000000000..9b35f5cfb --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-declared-concluded-mix-1.7.xml @@ -0,0 +1,115 @@ + + + + + + + design + + + + + + com.example + situation-A + 1 + Multiple licenses: declared ids/names, and a concluded expression + + + MIT + + + PostgreSQL + + + Apache Software License + + (MIT OR PostgreSQL OR Apache-2.0) + + + + com.example + situation-B + 1 + Multiple license expressions: one declared, one concluded + + MIT OR (GPL-3.0 OR GPL-2.0) + (GPL-3.0-only AND LGPL-2.0-only) + + + + com.example + situation-C + 1 + Multiple license: one declared expression, one concluded id + + GPL-3.0-or-later OR GPL-2.0 + + GPL-3.0-only + + + + + com.example + situation-D + 1 + Multiple license with texts: one declared expression, one concluded id + + +
+ specific GPL-3.0-or-later license text +
+
+ specific GPL-2.0 license text +
+ + + GPL-3.0-only + specific GPL-3.0-or-later license text + + + + + com.example + situation-E + 1 + Multiple licenses with urls: declared ids/names, and a concluded expression + + + MIT + https://example.com/licenses/MIT + + + PostgreSQL + https://example.com/licenses/PostgreSQL + + + Apache Software License + https://example.com/licenses/Apache-2.0 + + +
+ https://example.com/licenses/MIT +
+
+ https://example.com/licenses/PostgreSQL +
+
+ https://example.com/licenses/Apache-2.0 +
+ + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-expression-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-expression-1.7.json new file mode 100644 index 000000000..7deabc9ef --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-expression-1.7.json @@ -0,0 +1,44 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", + "acknowledgement": "declared", + "bom-ref": "my-license" + } + ], + "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-expression-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-expression-1.7.xml new file mode 100644 index 000000000..a5d07cf46 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-expression-1.7.xml @@ -0,0 +1,26 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.json new file mode 100644 index 000000000..97f3f773f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.json @@ -0,0 +1,57 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:78a32681-a31f-4097-b151-7b771cc58157", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "cryptographic-provider", + "version": "2.2.0", + "licenses": [ + { + "bom-ref": "acme-license-1", + "expression": "LicenseRef-AcmeCommercialLicense", + "licensing": { + "altIds": [ + "acme", + "acme-license" + ], + "licensor": { + "organization": { + "name": "Acme Inc", + "contact": [ + { + "name": "Acme Licensing Fulfillment", + "email": "licensing@example.com" + } + ] + } + }, + "licensee": { + "organization": { + "name": "Example Co." + } + }, + "purchaser": { + "individual": { + "name": "Samantha Wright", + "email": "samantha.wright@gmail.com", + "phone": "800-555-1212" + } + }, + "purchaseOrder": "PO-12345", + "licenseTypes": [ + "appliance" + ], + "lastRenewal": "2022-04-13T20:20:39+00:00", + "expiration": "2023-04-13T20:20:39+00:00" + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.xml new file mode 100644 index 000000000..e0eb488ad --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-expression-with-licensing-1.7.xml @@ -0,0 +1,52 @@ + + + + + Acme Inc + com.acme + cryptographic-provider + 2.2.0 + + + + + acme + acme-license + + + + Acme Inc + + Acme Licensing Fulfillment + licensing@example.com + + + + + + Example Co. + + + + + Samantha Wright + samantha.wright@gmail.com + 800-555-1212 + + + PO-12345 + + appliance + + 2022-04-13T20:20:39+00:00 + 2023-04-13T20:20:39+00:00 + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.json new file mode 100644 index 000000000..56f5784d5 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.json @@ -0,0 +1,58 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:8ad91ceb-1741-4d58-8d22-4488a0f68dbe", + "version": 1, + "components": [ + { + "type": "application", + "name": "my-application", + "version": "1.33.7", + "description": "This application is composed of multiple things, and therefore has multiple licenses applied:\n* custom code - custom license\n* component A - EPL or GPL\n* component B - MIT\n* component C - MIT", + "licenses": [ + { + "bom-ref": "my-application-license", + "acknowledgement": "declared", + "expression": "LicenseRef-my-custom-license AND (EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0) AND MIT", + "expressionDetails": [ + { + "licenseIdentifier": "LicenseRef-my-custom-license", + "text": { + "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." + }, + "url": "https://my-application.example.com/license.txt" + }, + { + "licenseIdentifier": "EPL-2.0", + "text": { + "content": "Eclipse Public License - v 2.0\n\n THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE\n PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION OR DISTRIBUTION\n OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT..." + } + }, + { + "licenseIdentifier": "GPL-2.0 WITH Classpath-exception-2.0", + "text": { + "contentType": "text/plain", + "content": " GNU GENERAL PUBLIC LICENSE\n Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n \n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed...\n\n...\n\nLinking this library statically or dynamically with other modules is making a combined work based on this library..." + } + }, + { + "licenseIdentifier": "MIT", + "bom-ref": "LicenseDetails-component-B", + "text": { + "content": "MIT License\n\nCopyright (c) 1996 Component-B-Creators Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." + } + }, + { + "licenseIdentifier": "MIT", + "bom-ref": "LicenseDetails-component-C", + "text": { + "content": "MIT License\n\nCopyright (c) 2001 Component-C-Creators Org\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"),...\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software..." + } + } + ] + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.xml new file mode 100644 index 000000000..1e9df7f5e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-expression-with-text-1.7.xml @@ -0,0 +1,72 @@ + + + + + my-application + 1.33.7 + + This application is composed of multiple things, and therefore has multiple licenses applied: + * custom code - custom license + * component A - EPL or GPL + * component B - MIT + * component C - MIT + + + +
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. + https://my-application.example.com/license.txt +
+
+ +
+
+ + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed... + +... + +Linking this library statically or dynamically with other modules is making a combined work based on this library...]]> +
+
+ +
+
+ +
+ + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-id-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-id-1.7.json new file mode 100644 index 000000000..7980b79a5 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-id-1.7.json @@ -0,0 +1,46 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "acknowledgement": "declared", + "bom-ref": "my-license" + } + } + ], + "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-id-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-id-1.7.xml new file mode 100644 index 000000000..ea91485ef --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-id-1.7.xml @@ -0,0 +1,28 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.json new file mode 100644 index 000000000..a35781c52 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.json @@ -0,0 +1,50 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "acknowledgement": "declared", + "bom-ref": "my-license", + "text": { + "contentType": "text/plain", + "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..." + } + } + } + ], + "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.xml new file mode 100644 index 000000000..a00b1e6a9 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-id-with-text-1.7.xml @@ -0,0 +1,34 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-name-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-name-1.7.json new file mode 100644 index 000000000..7d0209d9a --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-name-1.7.json @@ -0,0 +1,45 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "license": { + "name": "Apache License 2.0", + "bom-ref": "my-license" + } + } + ], + "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-name-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-name-1.7.xml new file mode 100644 index 000000000..41d5754b8 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-name-1.7.xml @@ -0,0 +1,28 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache License 2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.json new file mode 100644 index 000000000..2006c4eaa --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.json @@ -0,0 +1,57 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "cryptographic-provider", + "version": "2.2.0", + "licenses": [ + { + "license": { + "bom-ref": "acme-license-1", + "name": "Acme Commercial License", + "licensing": { + "altIds": [ + "acme", + "acme-license" + ], + "licensor": { + "organization": { + "name": "Acme Inc", + "contact": [ + { + "name": "Acme Licensing Fulfillment", + "email": "licensing@example.com" + } + ] + } + }, + "licensee": { + "organization": { + "name": "Example Co." + } + }, + "purchaser": { + "individual": { + "name": "Samantha Wright", + "email": "samantha.wright@gmail.com", + "phone": "800-555-1212" + } + }, + "purchaseOrder": "PO-12345", + "licenseTypes": ["appliance"], + "lastRenewal": "2022-04-13T20:20:39+00:00", + "expiration": "2023-04-13T20:20:39+00:00" + } + } + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.xml new file mode 100644 index 000000000..5568726e2 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-name-with-licensing-1.7.xml @@ -0,0 +1,52 @@ + + + + + Acme Inc + com.acme + cryptographic-provider + 2.2.0 + + + Acme Commercial License + + + acme + acme-license + + + + Acme Inc + + Acme Licensing Fulfillment + licensing@example.com + + + + + + Example Co. + + + + + Samantha Wright + samantha.wright@gmail.com + 800-555-1212 + + + PO-12345 + + appliance + + 2022-04-13T20:20:39+00:00 + 2023-04-13T20:20:39+00:00 + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.json b/tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.json new file mode 100644 index 000000000..b73c3c6d6 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.json @@ -0,0 +1,50 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "application", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "tomcat-catalina", + "version": "9.0.14", + "description": "Modified version of Apache Catalina", + "scope": "required", + "hashes": [ + { + "alg": "MD5", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + }, + { + "alg": "SHA-256", + "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b" + }, + { + "alg": "SHA-512", + "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" + } + ], + "licenses": [ + { + "license": { + "name": "My License", + "bom-ref": "my-license", + "acknowledgement": "declared", + "text": { + "contentType": "text/plain", + "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus nec turpis efficitur, ullamcorper lorem ac, fermentum nulla. Mauris a enim nunc. Aliquam diam tellus, porttitor venenatis leo in, mollis ultricies lacus. Sed sagittis hendrerit nulla, eget pulvinar diam..." + } + } + } + ], + "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.xml b/tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.xml new file mode 100644 index 000000000..d930bfd42 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-license-name-with-text-1.7.xml @@ -0,0 +1,29 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + My License + + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + diff --git a/tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.json b/tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.json new file mode 100644 index 000000000..cb64ee801 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.json @@ -0,0 +1,102 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "component-a", + "type": "machine-learning-model", + "publisher": "Acme Inc", + "group": "CompVis", + "name": "stable-diffusion", + "version": "1.4", + "description": "Stable Diffusion is a latent text-to-image diffusion model capable of generating photo-realistic images given any text input. For more information about how Stable Diffusion functions, please have a look at \uD83E\uDD17's Stable Diffusion with \uD83E\uDDE8Diffusers blog.", + "modelCard": { + "modelParameters": { + "approach": { + "type": "supervised" + }, + "task": "task goes here", + "architectureFamily": "the architecture family goes here", + "modelArchitecture": "The architecture of the model.", + "datasets": [ + { + "type": "dataset", + "name": "Training Data", + "contents": { + "url": "https://example.com/path/to/dataset" + }, + "classification": "public" + } + ], + "inputs": [ + { + "format": "string" + } + ], + "outputs": [ + { + "format": "byte[]" + } + ] + }, + "quantitativeAnalysis": { + "performanceMetrics": [ + { + "type": "The type of performance metric", + "value": "The value of the performance metric", + "slice": "The name of the slice this metric was computed on. By default, assume this metric is not sliced", + "confidenceInterval": { + "lowerBound": "The lower bound of the confidence interval", + "upperBound": "The upper bound of the confidence interval" + } + } + ], + "graphics": { + "description": "Performance images", + "collection": [ + { + "name": "FID vs CLIP Scores on 512x512 samples for different v1-versions", + "image": { + "contentType": "image/jpeg", + "encoding": "base64", + "content": "/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAIBAQEBAQIBAQECAgICAgQDAgICAgUEBAMEBgUGBgYFBgYGBwkIBgcJBwYGCAsICQoKCgoKBggLDAsKDAkKCgr/2wBDAQICAgICAgUDAwUKBwYHCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgr/wAARCAH4AxgDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPDv2yv+CkH7G3/AAT/ALrwpYftYfFe68N3PjiW8i8K2tl4S1XV5dQe1WJrgKmnWs7LsWeI/OFyG4ztbGN+y9/wVb/YY/bK+Jp+D/7PHxO8Qav4gXTZb82mpfDPxDpMfkRlA7efqFhBDkF1+XfuOeAcHHyZ/wAFx/ird/BH/gpn+wN8U7D4UeLfHE2j+KfHUieFPAmnRXerahu0qyj2W8U0sSOw37yGkX5UY5JGD9i/smftw69+1R4r1Twvq37DPx4+FKaZp4uk1T4teE7HT7S9JkCeTA9tfXDNKM7iCqjaCc9qANj4f/t7fsnfFH4O/Ef4/eBPit9u8JfCTWNa0v4hat/YV/F/ZV3pMIm1CPypIFln8qMht0KSK/RC54rwnSf+DiL/AII+6xY22sJ+1feWenXao1vq+r/DHxLY2LK33W+03GnJCFOR8xcDnrXyt+wD/wAodv8Ago7/ANlg+NH/AKaEr7a/4IwWNlqf/BIL9njTdSs4ri2uPg3osdxbzxh0lRrNAysp4YEEgg8EGgD6G+F3xW+GPxu8B6d8Ufg58QtF8VeG9Xh83S9e8P6lFeWl0mSCUliZlbBBBweCCDgit+vzQ/4Je+GNH/ZN/wCC1X7Xn7C/wZtE0z4YXGjeHfH2h+FLQbLPQNSvLeNb1LeMfLCkzyBtigKqQxKoAQV9Zf8ABUXVP2qfDP7A/wATPHX7FPjt/D/xL8MeHX1zw5crpFrf/avsbLcT2fkXUUiOZ4I5oVwAweRSGBFAHvtFfB37Zv8AwVc1Sw/4I0eH/wBt39lSaMeP/jNpOiaJ8JdOjiiuHj8TauywJbqkqtHLLav9pYo6sjNaFWDAkHgv2/v2yv2sP2eP2i/gZ+w744/4KA+GvgRo+v8Awqk1Txd+0j4s8Eafdp4j8RWskVvLptulysenWLuC10xdAoWRFUL8quAfpdRXhH7BugftAaX4C1PWPjJ+3l4f/aD0nVLmKbwl4x0Pwhp+lGKEKwlikOnSvb3PzbSsiBMcgg9a8O/4ORPj78R/2dv+CPvxT8U/CjXZ9J1nWxpvh5dXtpSj2Vvf30NvcuGHKloHljDAgqZAQcgUAdj8TP8Aguz/AMEnfhN451P4d+KP2w9KvNT0SYxayfC/h/VNbtrBwSGWe6061ngiKkEMGcbSCDgg16F4w/4KZ/sI+CP2Qbn9vbVP2ktEvPhFZywRXXjTQIbjVIIpZbiO2SIxWUcswk86WNGTZuQt84UAkdh+yh+y58G/2Mv2fvDP7N/wI8IWWj+HfDOlxWsEdpbrG11IqASXUxUZkmlYF3kbLMzEkmvhf/g5o+Fvw2+FP/BC3426b8MvAek+H7bVfEug6nqNro1hHbRXF5Lr2nebcMkYCmR9oLNjLHJOSSSAfpbXnfgb9q74BfEn9ofx1+yn4K8e/bfH3w1s9NuvGug/2XdR/wBnQ38PnWjefJEsM3mR/NiJ3K9GCnivRK/PD9hr/lYa/bm/7E/4b/8ApnoA7zUf+Dhr/gkNpGo6pp2o/tS6jENF1SfTtWvT8LfE5s7S5hkMcqPdDTfJXawILb9vfOOa+svhR8Wvhj8dvh1pHxd+DXjzSvE/hjXrQXOj67ol6lxbXcRJG5HQkHDAqR1VlKkAgivx4/4Iz/8ABVf9ib9kL9lL4q/BL44ah4u1TxRJ8dfGV0nhDw18Lta1l9ShmugqQpLb2j2jPJtZdjzLjPzbQc19af8ABuV+zf8AG39mz/gnjcaX8b/hlf8AgWXxb8Sdd8UeGfAWqxmO58N6PdyR/ZrKSI8wsPLeTyyAyiYbgrblAB9c/tH/ALT37Pv7IXwtu/jV+0z8XNF8F+F7KVYpdX1u7EaPK2dsMajLzSsFYiOMM5CnAODXi3wH/wCC0/8AwTL/AGlfilo3wU+Ef7TsNz4q8RSFNA0bWfCmr6RLqTBSxFub+0hWY4BPyE5A4ry//gtj+yx+1P8AFXxd+z5+1l+y78F9M+K118BPiFc+INa+Eep6vFZf8JDBNBGizQSTgxC5tzGWj3AkNJuUOV2NF8Dv+C437PPxa/aC8Ifsr/tmfsffFL4CfEXxDqiJ4Hs/jB4NWPTtT1HIVI7C/BKvMWbYrlIwWdUVizhSAffNFfBPxj/aW/bl/bK/4KM+Pv8Agn3+wx8bdF+D/hv4J+HtHvvir8T7vwhBr2qXGparC1xZabY2t0fsyJ9nVneaQOQykADbhus+N3x4/ac/4JOf8E8/i9+1B+2D+0XY/HS88G2iXfhK+XwTb+HZ5ZJ3htLazu0tHaJgbuaPM0aoQjn5MqMgH2VRX5gfGnX/APgul+yR+xhP/wAFI/Hn7aXg7xrqPhnQIfFXjz9n5/hXY2OkQ6ZtWW8s7TVInN6JreEuRLIzhzEflPAboP8Agob/AMFC/wBsC68d/sQyf8E7/GOlaZaftJ3F7Nc2PirRYLq0msrjSbS6tbi5+UzKtqty9yY7eWJpTF5ZfDZAB+j9Ffmz+3B+19+2B/wS4+GXgv4M/Ev9vbwb43+JPx1+IZ0vwp8Sfin4S0zwx4f8BaVBbI+oXk6WsiJcLFuQxJNJuZ51VncKEfz3SP8AgqB8Sf2Rf2j/AIQaXr//AAWa+C/7XHgz4o/EKw8F+KPDnhqz8PWGu+F7i/LJbarapo9w5ls0mCpMJlYqrqAxZwVAP1oor8uvjt+3V+0d8Sv+ClvxW/ZD13/gqT4N/ZE0f4frpEfgLStf8D6TeXvjuK7tBNJqC3WtMIGjWUtEsVv8/wApDYZCW/Qb9mDw98Z/C3wQ0XRPj/8AHPS/iV4njE73PjjRvDselQatA8zvbSi1ikkjjbyGiVtjFWZSwwGwADv6K+P/APgrB+2p8f8A9n2/+Dv7LH7H9tokXxZ+P/jl/D/hrXvEtqbix8PWNvEJtQ1N4Aw+0PDEyFIidpLEndt2N5R46+Of/BRr/gl7+058ENI/az/a4034+fCf43fEG18AX2qXnw5sPDuq+FtfvEY2EkP2AiO4tpXSQOsilkVCdxOMgH6L0V+b/jP49/8ABTb49/8ABZH4y/sE/s7ftMaN4B+H/hf4deHdc/4SPUPA9lq11oEk8f7yOyidU8+e5kbJe6klihjgk2xFnXHoH/BN/wDaX/bB0r9tn42/8E2/21fi3pfxK1r4b6RoviTwf8SrDwxBo1xq+lagjh4ru0tv3EcsMqqoaMAMCxPYUAfbGrarYaHpVzreqz+Va2du89zLtLbI0UsxwAScAHgDNfFuif8ABxP/AMEifE2lw654c/aO8S6hZXAJt7yx+Cvi+WKUAkEq66SQ3II4PUV9h/EDSb7X/Aet6FpkQe5vdIuYLdCwUM7xMqjJ4HJHNflZ+zFr/wDwWR/4Inf8E4vCmifF39jb4U/ED4ZfCbQLm48XW/gf4jXf/CUWenG4mu7q88ue0W0l8hJXYxxyMSsR+YDLAA/TL43ftJ/Ar9m34OXn7QXx5+Jum+FPBthFBJea/rLtFDEJnVIgQRu3O7ooXG4lgMZrhf2KP+Ckv7FP/BRSx8S6p+xp8bY/Glt4QvILXxDPDoOoWSW0syyNEAby3i80MI3O6PcvHJGRntvh34x+CP7Y/wAAPC/xX0bSNO8UeCvGuiafr+ixa1psc0csEqJcW7vDKGCyLlTgjKOvYivi7/gkVaWtj/wU4/4KA2VjbRwwxfFPwykUMSBVRRpEgAAHAA9KAPpf9rP/AIKZ/sLfsN+JdM8EftQftC6b4b1/WbL7ZpXhyDT7vUdSurfe6CZLSyhmnMZaORQ+zBMbAHINbX7JH7eP7In7dvhnUfFn7J/xz0nxhb6NdLb61a2yTW17psrZ2rc2lykdxb7trbfMjXdsbGdpx6Nc+FfAmneJrj4oXfhzSYNZGlLZ3XiKSziW5FjG7yrC9wRv8lXkkcIW2guzYBJNfnP/AME8b/Sf20v+C1/xq/4KWfs3aCLP4L6b8MIPhpF4rt4fKtviF4gg1CO4uNTgwMXEVtHF9lFxyGCx7GILAAH6XVy/xr+M3w1/Z1+EfiP47fGPxJ/Y/hXwlo8+qeIdV+xzXH2S0hQvJJ5UCPJJhQTtRWY9ga/P79pz/gqN+0d/wSK/aK8eeB/217bXvix4E+IdrNq/7M2uaF4bt4r2XV8pGfBl0tjAil/MkjaC5dGdoixZpX+SP0jX/wBmb/gor+0B/wAEa/ij8GP2qPiHp/in44fFfwPrHk6FBZ2OnaZ4ZlvoSLbRYZII08yO3DKjTzPLIz7z5jrtoA6H4df8F4/+CXXxY8U6F4N8AfHXxNf33iXULWy0Qf8ACnPFkUNzNcOqQ/vpNLWJEZnX947KgByWAya9y/at/bO/Zc/Yd+HcHxX/AGsfjRpHgjQLq/FlaX+rM5+03JjeQQxJGrPI+yN22qpOFJr4XH7av/BSv/gkF+zv8Pb/APb6/ZL+Gur/AAQ8I6TofhbxL44+Efji9vNT8MQKkFjDf3lpeWkQuEaTywywHgyDBJwG/RzXvB3w7+JVppuoeJ/Cmja/BaTrfaRNqFhFdLBIUIWeEurbG2OQHXBwx5waAOD/AGOv23P2YP2/fhG/x2/ZI+Jw8W+FI9Xn0t9VGjXtji7hVGkj8u8hikOBIh3bdp3cE4OOE/aY/wCCvH/BOf8AZA+J1z8Ffj5+0zYab4vsreOfUPDGk6HqOsX9nE8ayI88GnW87who3RwXC5Vw3Qg14N/wbfgL+yx8Z1UYA/ap8c4A/wCvmGvuDxTd/Bj4GaP4q+Oni1fDvhazFp/afjTxVcww2okitoAgnu58AuI4Y1QM5O1EVRwAKAMj9mb9q39nP9sn4XwfGf8AZf8AjBovjTw1PO0H9p6NcFvJnUAtDNGwEkEoDKTHIquAykjBBPoNfnJ/wQp8Nav8Vfjx+1N/wUh8GfD+68H/AAm+P3jrSrj4V6Dd2RtW1G1022nt7jXvIIHlLfyy+cCQGYhycjYx+zf21PjF8Rf2ev2RPiX8dPhF8Pz4q8UeEfBGpatoHh4RO4vrqC3eSOMpH87ruUEonzMAQvJFAHp1FfmT/wAE6fjP+1h+2Na+AvjD4L/4L9/Dfx3qGof2fq/jX4M6Z8KtBj+y2zGOW80xRHMmpWrpGZIlnl3HcocpjIr1X/gq3+0ZrvwF8b6FJrH/AAWT8C/sweHbvQw0Oj3vw+0/Xdd1i7E0okuI1vHfZbKnlJ8lu3zh8uMgUAfcNFfnp/wRN/4KheKv2yvip8Yv2W/HH7R3hX40N8MG0q/8L/GLwl4cbR4/EumX0cm5bmy+5Bc280Rjby8I4cYHylm8p/4J3/ET/gtr/wAFK/2U/E3xi0L/AIKDeH/hxN4e8eeIdG8Jzn4T6Vqdx4ka1u3Ef21nRIbW1T5LZRBCZj5csryMSqUAfrDRX5YfsiftE/8ABYr/AIKufsEWf7a/wl/af8JfAm6stKu7XRvCumfDq11tPFep6fuiurm8nvmY2NvNdRSwpDApeJULmWQkIHftP/8ABXr9pnX/APg3P8K/8FQ/gTeW/hX4ja2+hx3iafptvcwm5/ttNOv4oYryOZFjlaOYJuVmRZBhiy7qAP1Nrz/x3+1J8Cfhn8fPAX7MHjfx19i8c/E631SfwPof9mXUn9pR6dAs94fOjiaGHy4mVsSuhbOE3Hivg39s34nf8Fkv+CdXwCH/AAUh+KH7WfhH4g6D4au7C9+KXwDsPhtZ2FhY6bc3EUNxHpeqLI15JLbGYBZJ3ZZApkKjHlN0n7YniXR/Gf8AwXJ/4J9eMPD1z51hq3hH4l3ljNtx5kMugWzo2O2VYGgD9DqK/LX48/8ABUjxv8ff25fip+zH4B/4KmfB79kvwR8GdRt9Fu/EPjQaJeeIPF+stHvuhbW+sTpDBZ25/dGQI7M4ODhsR7P7H3/BW347eJPhf+1V8JZfiL4A/aK+IX7Ovg//AISLwL4++GBhbTfiDZ3Gnz3FskkFjLLHHdRTwGGeKBsEuFQbhuYA/TGivy//AOCdPxy/a3/bV0fwJ8Y/Bv8AwX5+G3izW9USw1fxj8EtO+FOgoLGFtkt3pYVZk1OBo0MkQnkydyBymOK/UCgD59/au/4KnfsG/sSeP7D4UftIfHhdI8Ualpn9o2vhzSfDWp6zf8A2PeUFw8Gm21xJFGWVlDuFBKnBODXvtjeW+o2UOoWjlop4lkiZkKkqwyDggEcHoea/H/4C/sxftveIP8Agvj+0To2gf8ABTLXtI1jRvAvhS91TxAnws8P3Emq6XO8ksOlGKWAx28cKjYJogJZM7nJYZr3Hwt8dv8Agon/AMFNv2tfjh4I/ZI/ay034C/Cr4FeNpPAya1afDyw8Rat4o8Q26A35kF+TFbW0LsiqqLvcMDuBJ2gH6KUV+ef7N3/AAUO/ay139m79r/4G/tE6lokXx1/ZY0fUkm8ZeG9LSKy1qCbSLm+0fVhaS+YkUrrAXeAhowVHGGKCf8A4JK6l/wVU/bC/Z++DH7bX7Sn7b+maToes6Db3mo/DLQvhlprf8JFaeS8a3d7qDAPBPcPi52WkcMcSlI9rfMSAfoLWX448Z+Gvhx4L1j4h+M9S+xaPoOl3Go6teeS8nkW0EbSyybIwzttRWO1QWOMAE8VyP7Wn7Q/hv8AZJ/Zh+IH7Tvi3Tpb3T/AXhC/1y4sIHCvd/ZoHkWBWIIVpGVUBPALAmvzm8Rr/wAFqfij/wAEvPFP7ffj79rzwdfL4x+EWoeJrj9nmL4ZWsGmWug3enSTfZINWWT7aL1bOTzFeQyJ5wEbIy5egD7v1z/gop+xx4b/AGZPCP7Y+tfGHyfhv47vNNtfCniP/hH9Rb7dNfyeVaL9nW3M8XmOcZkjUL1YqOa1P2t/25P2U/2FPB+m+Ov2qvjBZ+FLHWtRFhosbWNze3Wo3O3cYre1tIpZ5iBydiNtyM4yM/nHpP7S3xp/ZV/4NyP2UfiL8CPF0Wi6xfan4E0a6u5tItL0PZXd4Ip4vLuopEBZCRvCh16qynmtD/grN8B/2p/G/wDwXM/Y2svh/wDtz6v4STxcfiA/gFYPAGj3y+BpLLw1atePCLmJhqBvOQftW/yN2YdpoA+1viD/AMFa/wDgn18KfgL4O/aV+I3x+Oj+FPiDc3EHgtr3wpqy6lq8kEjRzLDpn2X7cdjL8xMAADIejoT7L8FfjN8O/wBob4V6L8afhNq9zf8AhzxDafatJvLzSbqwlli3Fctb3ccc0Ryp+WRFPfGCK/J39s39lr9uiX/gtb+yh4Guf+CoOvy+I9Q8A+LX8M+MX+FHh7zPD0ltpNrHfyR2v2fyJzfMrO/mqfJ37YtqgCvV/wBsv/go18Xvh9+1n4W/4Jg6H/wUZ+GPwX1Hwp8LLDXviz+0R8VbPSIbrV759sMVrpunXUsNkLmfa11KMNHGkoCKNm1wD9NKK/OP/gnX/wAFJvHepf8ABQK+/wCCeXxK/bw+GP7Tek638P5fFfgb4t/DwaZDdW01vcLFdaRqdvpcslssgRhNHIgTKKcglgE47/gm/wDFD/gsD/wUh0D4l+Lb39vXTPht4X8BfHHxD4b0O/sfhVpOqapr0NrdAiCXzUSC3tYYmjhUrE1xI5mZ5RtQUAfqbRX5KTf8FU/H37afxz+KH/CJ/wDBZX4Jfsj+A/h746vvCfhTRfEUHh7UPEXimSyISfVbmPWblBb2bykiFYkDMqsGYFdzdR8Kv+CuXx5+LP8AwSn/AGsPHdl8XfBWrfFv9nK01rTrL4ofDhbW+0PxCIrM3Gna1bRv50H7xd2+E+ZGHibgBtigH6h1z/jv4s/Cv4Wz6Ha/E34l+H/DkvibXIdF8Nx69rMFm2ralMGMNlbCV1M9w4VtsSbnbacA4NfmP42+J/8AwW80D/gmLpv/AAVVb9uHwhY6honwtsfG+o/BU/Cmxl03VNNSzjuZlu9RyLpbuW33Tv8AZxDEkjGKNFUCSsP/AILTXvxi/ay8NfsB/tF/CT9ovUvAekfEX45eBZ9B0KHwxp9//YurajaT3dtrIluIy00tvG5jFs/+jvncyE4oA/XSivNP2VvhP8ffg58OLjwr+0b+1ZqPxh16XV5bmDxTqfhDTdFkhtWjiVLQQadHHEyqySP5hG8+aQThVx4F+3h+1V8fP2PP2/P2a/EF948x8Cfiprt38PvGuiTaXa7NP8R3UZl0a+W5MXnqZZFkgZDKIgqbthY5oA+yK+W/2kv+C1X/AAS9/ZH+Mb/s+fH79rbR9G8axXsFpc+G7TR9Q1G5tpplR4kmWyt5fJLLIjDeVGHB71znx0/aq+PfjP8A4LCfCP8AYK/Z28ef2R4c8O+BtT8ffHiSHS7W5N1pzMLTS9OEk8Tm3eS63SP5ZSUxEEMAMnyb/g5b8A+BNB/4Jwap4w0PwVpNlq+rfFjwe2q6paabFHc3rLqluoMsqqGkIVVUbicBQOwoA/SCiqHijxV4Y8EeH7rxZ408R2GkaVYxebfanql4lvb26dNzySEKg5HJIFfLn/BRP9pjx94p/YH+KfxH/wCCZX7Tvha9+JXgDQV8RWv/AAjl1pmuCW3tXE9xaSwMJgPPtoriNCAr79u1gQaAPrKivhH9u3/gqZrmmf8ABIrwr+1x+xzexr8QvjrD4f0H4M2jQw3Lx+INZZESIpKrRvLbL9pYo6Mpe22spBIrk/8Agob/AMFFfi7+zh8bfg7/AME1tC/bT+G3wv8AGfiH4eDxF8TP2hPizHp0FtZWUB+yCSzspnt7Sa+vLuKdhEdscaI5WMjlAD9GqK/Mn9j3/gpf4+8Cf8FFfAX7DXjn/gpb8Kv2sPC/xf0LV5vDXjbwNHo1tq/hfVtNt/tT2moQaPM9ubae3EhikKo7SRsvIQ5pfsv/ABa/4K3/ALfP7Tv7Unwf8Eftv6Z8L/A/wl+OGpaF4a8UQ/DHS9Y1V4gAIdMijnRIFggRfMeaZZp5WuUUOoQkgH6h15/+1H+1H8Cf2LvgTrv7S/7S/jn/AIRrwT4a+y/23rf9mXV59m+0XUVrD+5tYpZn3TTxJ8qHG7JwoJH54fFv9t/9qDx5/wAFFPiX+xt42/4KveDf2UrL4cWmiW/g2DxB4A0e4vviH9psVmn1RZ9YYW4j8/fGsFr8wwVJBQlvTP8Agqx8dP20P2Fv+CEvj744W/7UGjeLfiv4ZGkPY/E3TfA1hDa38F14ksoEl/s6YXNqGNlceW3DqWzIm07doB+gdFfFX/BSH9r39qWw/aw+Dn/BNf8AYd8SaJ4V8efFi01TWvEXxG1/RV1KPwnoNggLzwWbsqXNzLJujQSEoCmGHz74+R8E/tE/t5/sHf8ABRT4U/sZftpftF6Z8bPAfx80/V4fBHj5vBFnoGq6FrenW4uJLO5hscQTW8sTKEcIr73A4CMWAP0Dor8y/hL8ZP8Agqz+2n/wUC/ar/Zg+FX7Y2lfDPwB8J/Gul22ieKG+HOm6xqlqLiwEi6daxTIkJj3LJNLPc+fJzEkYQFmHXfsc/t8/tq6b8Fv2uPhD8erHTPin8Yv2WLi+XRtV0DQ/wCz18bwvpUl/pnmWcBIhuJTGUdIePnVVBYFmAP0Gor8tf8AgnT8fv2vf24vDfgf4yeEP+C+3w11zxNrENlq3i34Gaf8J9CA0xW2S3Wk7POTU4mjXzIhcOSSyb9pHB/UqgAooooAKKKKACiiigAooooAKKKKAPjP9v39lH4+/Gz/AIKU/sZfH/4Y+Av7T8I/CfxJ4uuvH+rf2paw/wBlQ3umW8Fs3lSyrLPvkRlxCjlcZYKCDX2ZRRQB+b/7IH7BP7WPwu/4JsftrfAHx38KfsPi34t/Ej4nap8PdJ/t2wl/tW01bTlh0+TzY52ig82QFdszxsnVwg5qp+xB8Vv+Cx/7LH7Fnw1/ZOsf+CMNxda14F8E2Gg/8JHr3x/8N2+nTSwQrH9oZLWS4nCZG7YqliOMjqP0rooA+Qf+CYf/AAT++Mv7N3jv4r/tiftj/EHQ/E/xz+OesWl54xm8LRSrpGh2FnEYbHSrEzASPHFGdpkcAvtjBBMe9/r10SRSjqGVhggjIIpaKAPyK/Y8/wCCSP7avw3/AOCiPhb4NfFbwFaQfsm/s/8AxM8WfEL4LamuvWco1G81QQNp2nNaJM1xF/Z8s97MkjxIpcS8kMm77W/bq8b/ALYWm+K4PAvw4/4JkeF/2iPhnqehRPqltqHj/S9Nu7XUhNOHje01WM29xAYvIKuJFYM0gIIxXb+P/j1+0X/w0XrPwF+BHwL8Fa+nh/wVouv6nq/i74k3ejEnUbvVbeOCKG30e+3hP7KdmdnTPnKAvykl3/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5w/4I2/sH/HX9lz4w/Hv9oH4ifArwx8EvC3xc1rR7nwj8A/B/iCPUrPwybO2khuLt5LdEtUmumZXKW42KFAJIVAPpv9uv8AY9+HH7fX7JPjj9kT4rXM9to3jXSPsrX9qgaWxuY5EntrpFPDNFPFFKFPDbMHgmqf/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfNPwb+NH/Bcb9ln4caZ+z/8AFH/gnT4f+PN/4ZsY9O034reDPjPpmiQa5bxKEhnvbPU0We3uCiqZWjEqs5YquMZwf+Co/wCzH/wU0/b2/wCCKfxH+B3jb4N+Dbj4y+LfEWmXeieA/A/iWP7JYadBq9jOtu99qDQRy3CQwyvJJlUZsiMY2ivrT/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegDwW1/b8/4LEy3McVz/AMECNbijaQCSU/tLeE22KTy2A+TjritT9lP9lH4+/Db/AILKftW/tWeNfAX2LwD8SvDfgm18Fa9/alrJ/aM1hpvk3a+RHK00PlyfLmVEDdVLDmvZv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDxn/gh3+yj8ff2Pv2W/Gvw5/aL8Bf8I7rOr/GzxPr+n2f9qWt35unXdwj282+1lkRd6gnYxDr/Eor7Mrxn/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegCt+2T8Sf27/ha3hjxL+xj+zR4S+KtiJbtPGnhnW/G39g6iVIh+zSWNzLG9ucHz/MSUDP7vaw+avj39pL4Cf8FLP+CtXxa+DHgz4/8A7EOjfs/fDT4V/FnTPHuu69rXxM0/xBrerzWAkEdjYxaaGS3WTzWDySOP4WAzHsk+y/8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APm74x/s1/tzfsZ/8ABRrx9/wUD/YZ+B+jfGHw18bfD2j2PxU+GN14wt9B1S21PSoWtrLUrG6ux9meP7OzI8MjIxZiQTuyvW/HD4DftN/8FY/+Cefxd/Zf/bA/Z1sfgXeeMrRLTwlYr42t/EU8UkDw3dteXb2iLEoF3DHmKNnJRD8+WGPZP+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD4n+NWg/8F0f2uP2MLj/gm747/Yq8H+CtR8TeH4fCvjz9oCT4q2N/o82m7VivL200uJBema4hDgRSKgQyn5hwV9V/aD/YA+KOk/tO/sFQ/ADwRLqnw+/Z1m1fTvE2rT6pawvpmnDQIdPsnaOWRJJy7RBSIUcg8kAc19B/8Jx/wUL/AOjX/gz/AOH41b/5l6P+E4/4KF/9Gv8AwZ/8Pxq3/wAy9AHkP/BXH/gn58Qf2wrH4WfHP4EaP4O1n4i/BHxfLrfh/wAK/EK283RPEtlcQiG+0u5Ox/KMsaRmOUqwR4xkDdvThfgjoX7UXiz4s+FtO1//AIN8/hF8LNPg1y1l1/xxqvj7w3fnTrdJVaSaxg060aeacAZiL+SAwBbGK+mP+E4/4KF/9Gv/AAZ/8Pxq3/zL0f8ACcf8FC/+jX/gz/4fjVv/AJl6APBP2zNa/bM+IXjPxF8KPHf/AAQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV1//BFf9iz41/sFfsMad8B/jxrGmnWH8T6rrFr4c0PUZryw8L2d3cGWHSbaeYBpY4QSS2Mb5HwWADt6Z/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AHkv/BV/9iz4/ftBah8Hf2qP2QLjRJfix8APHL+IPDWg+JLs29j4hsbiIQ6hpjzhT9neaJUCSkFVKkHbu3r5R47+Bv8AwUZ/4Kh/tN/BDVv2sv2RtN+Afwn+CPxBtfH99pd58RrDxFqvinX7NWFhFD/Z4MdvbRO8hdpGDOrkBQcY+sf+E4/4KF/9Gv8AwZ/8Pxq3/wAy9H/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6APJfgB+y38dvBP/BZn9oL9q/xP4F+y+APHHw38KaX4X1/+07V/tt3ZpILmPyElM8ewsPmkRVbPyk0fBn9lv47eFP+C1fxo/a31/wL9n+Hviz4P+HNE8P+IP7TtX+1X9rM7Tw+QspnTaCDueNVPYmvWv8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APSfijqHxB0n4Z+ItV+Evh6w1fxXbaFdy+GdJ1S8Nva3uoLC5toJpQCYo3lCKzgHarE9q+Cf2mfin/AMFuP2w/gF4n/ZN8Kf8ABLbw78KLvx/oV14f1r4k+KvjnpWr6Zo9ldxNBczw21jH9qnk8p32ZjXaxUkNjbX1b/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AGT4J+F3xA/4J6f8E8vC/wAFv2YPg/efF/xB8MvBmlaLofhgeILTRZvEDw+TBNMbm7byLYlTLcEMcfKUXkrXw7+wcP8AgsH+zz+2x8dfjr44/wCCOOpJov7QHj/RNTuZF+PPhdj4Xtre3NrK7hJ2a7wrmXCKjELtAJINffH/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AfJX/BcXwD/wAFSP2kvF/hH9lf9mP9lnXvFfwB1SwjvvjNqvg34j6LoeseIB50ynw/HJqF1E9tbskcTzTIj+alx5YICSK/u/7AfxK/aZtG039njxj/AMEmb/8AZ8+HfhjwwYvDt+PiX4e1a0iaJ4kisUttNneVSyNI/msNuY23Hc4z33/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6P+E4/4KF/9Gv/AAZ/8Pxq3/zL0AfHPxR/4JRfGP8A4K1fGz4mfGv/AIKU6NrHw/0PRbK58M/s0+CtK8SW8934WXdHKfFk0ljPJCb+aaOIpF5hEccZjcNhGr3b9nL4g/8ABVrwX+wXqOm/Gv8AZn0TxR8efAeox6RpwufG1laaX8RrKG6iT+1ormFpWsJJrQyuUuIkYTpkxqr7V9Q/4Tj/AIKF/wDRr/wZ/wDD8at/8y9H/Ccf8FC/+jX/AIM/+H41b/5l6APjP9tXwR/wV0/4K0/BWb9hXxl+wVo/7PPgLxfqNiPiN8QvEfxY0zxDdLptvdxXLwadaacCWmdoUAebYuMqQu7ev2p+0x4/+P37N/wS0ib9kT9kG7+Mmr2d7a6Yng+18c6foL21gsEgN0brUCI3CGOJPLHzt5u4cK1V/wDhOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA+JP+CLHh7/gqj+yHNrXwA+P3/BLG/0Pwz4++Mmv+LtV+IA+M3h26j0C31FhKsTWVtPJNclGjVCUwTvztABqn/wVh+EX/BUH9rj9tbS/hXqf/BPzW/iV+yd4Kaz1I+GfC/xV8P6MfiJqwihnX+0/tt3HMljbTM8YtfLAleDzCzB49n3P/wAJx/wUL/6Nf+DP/h+NW/8AmXo/4Tj/AIKF/wDRr/wZ/wDD8at/8y9AFP8AYw+NX7UHxRtNW8P/ALQP/BPbUfgPp+g2lnD4ahu/HuiazFqKESK8USaXK4tlhWOIYcKCJQF+6cekfG/WPi94f+E2va38A/Bmk+IvGNrYNL4f0LXNUaytL+4BBEMk6qxhDDI37SAcEgiuD/4Tj/goX/0a/wDBn/w/Grf/ADL0f8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXoA/Pz9qn9i79tn/AIKL+P8AwHLF/wAEhvA37N/jLQfiJpXiHVf2hB8TNF1DVLCC1nEs0dp/ZUS3V3JKMhRceXHkDcFJDp6x8e/2av22v2dP+CtXij/gof8AAb9jPQv2g9B8ffDrS/D0OnzeN9P0TWPBVxZsd5t31EeU1tPkO4jYOXJJA2DzPqv/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5f/AOCbn7Ln/BQfwr/wVI/aC/bU/bV+GehaDYfFLwX4ch8PReG/EUF/aacbUOn9mBtyzyyQRCPzZ3hijkleQx5TBr0b/gh/+y38dv2QP2IpvhB+0V4F/wCEd8RN8SPE2qLp39p2t3m0u9Slmt5PMtZZI/njZW27ty5wwB4r1r/hOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA8Z/4Iifso/H39kL/glV4V/Zt/aJ8Bf8I9410288SPe6L/alrd+Wt1q99cQHzraWSI7opo24c43YbBBA+DP2u/2VPjz+yl/waUeFf2Vv2gfDLeEfHeh+KNKttWsF1C2vTYSXHjJp4XEtrLJFJ+7mif5JDjOCQQQP1Z/4Tj/goX/0a/8ABn/w/Grf/MvXn/7TXwU/aV/bG+E1x8Df2jv2Jfgz4j8LXeoWd9caX/w0X4gs989rOlxA/mWvhuOQbZY0bAbBxgggkUAfOf7Z3wz/AOCyX/BRb4A/8O3vid+yV4S+HuheJruwsvij8fLH4lWd/YXum21xFNcS6XpaxreRy3JhBWOdFWMOYyxz5q+x/tE/sbfF/Wf+Cpv7G/xv+FHw88/4bfBvwx430zxVq39q2yf2St5o8Fpp6eTJKs0+94ymYkfbjL7RzXtP/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfG3xN/YB/aB/ZI/bW+K/7RnwK/4J9fDf9pzwB8a9ag8Qan4X8Q6rpemeIPCmtCIR3T29xqkTW9zaTkCTZvR1c4AAXMnuv7MNn+1x4d+GHxK+Iejf8EtPhN8FfFi6Vbr8P/CGm+MbGefX7hBM0iald6daJDbR7vJEewzYLSM3QA+qf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB+fH7YX7GP7cH/BSXX/CWmL/AMEgPAv7O3jnTPHel65fftFn4naLqGpaRHa3KzTfYzpcS3l1JIAQon8tM4LBTh0/W2vGf+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDyX4Afst/HbwT/wAFmf2gv2r/ABP4F+y+APHHw38KaX4X1/8AtO1f7bd2aSC5j8hJTPHsLD5pEVWz8pNeV+FvgV/wUT/4Jk/tafHDxt+yT+yZpvx7+FXx18bSeOY9GtPiJYeHdW8L+IbhAL8SnUAIrm2mdUZWjbegUDaSDu+rv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD5Z/Zu/4J4/tY6F+zf+1/8c/2iNL0ST46ftT6PqTy+DfDeqJLZaLBDpFzY6PpIu5fLSWVFnKPOSsZLDnClz9Kf8Evfgz8Sv2df+CdfwV+BPxj8N/2P4q8JfDfStL8Q6V9shuPsl3DbokkfmwO8cmGBG5GZT2JrS/4Tj/goX/0a/8ABn/w/Grf/MvR/wAJx/wUL/6Nf+DP/h+NW/8AmXoA6P8Aa1/Z48Oftb/swfED9mHxZqUllp/j3whf6HcX8MYd7T7TA8azqpIDNGzK4BOCVANfn3pXhD/gubbf8E8NR/4Jg3n7Fvg9dW0z4bXHgey+PUPxTsX0zUdLjsmtI7iDTCq3YvZLYLEqzeVEJmEryIuVH3D/AMJx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB8RfFT/gnX+2P4k/4IW/s6fscaL8HvO+JHgTxJ4KuvFfhz/hINOX7DDYXolu2+0NcCCXy0GcRyMW6KGPFfQn7Zf7Lnx2+K//AAVi/Yv/AGl/AHgb7f4J+E3/AAsX/hYGt/2naxf2V/amhQWtj+5klWafzZkZP3KSbMZfauDXrP8AwnH/AAUL/wCjX/gz/wCH41b/AOZej/hOP+Chf/Rr/wAGf/D8at/8y9AHkv7TP7Lfx2+IP/BYf9mP9qfwh4F+1+A/h54P8aWPjDXf7TtY/wCz57+zijtE8h5RNLvdWGY0cLjLFRzXnP7dH/BP742+G/2+h/wUg/Zs/ZX+Hnx4i8ReBYPC3xF+EXj27tLK4lNtN5lrqmmXl5FJBHOqHyZI5dqsijBJbKfUH/Ccf8FC/wDo1/4M/wDh+NW/+Zej/hOP+Chf/Rr/AMGf/D8at/8AMvQB5T+wtoHx11P403Pij4k/8Eg/hr+zvoNn4fnWz1yw8VaNqevXl88sIWFV0q3EcNv5Xnl2M7MWEYC4yaj/AOCLn7Lfx2/ZM/Z6+Ifgb9oHwL/YGqa78ePFniLSrX+07W78/Tb27WS2n3W0sirvUE7GIdf4lBr1r/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD4b8N/sBftIf8ABPj4wfErRPhV/wAEvPhj+1F8MvH/AI+1Dxd4Y1C91zRdJ8ReFpb5lkn0y4OrRGO6tUkBMLxybwrNuBJ2r618R/2dv2nPjr/wSp/aF+Elv/wT7+H/AMHfHXj7wlqul+EPh34G8SadcPfh7ERwG9vI4bW1WdpnlUDcURNuZOTX0V/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AeY/F79mX43+KP8Agh5rP7H2heCfP+It1+zGfCdv4d/tK2XdrH9gi0+zfaGkEA/f/J5hk8vvu28147+1P+wb+134o/4JvfsdaR8I/hlp2sfFD9mnxR8PfFmsfD7UfEdvZjVpNH0z7NeabHe5e3SXe5CyljHiNiC2Vz9Yf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQBufsr/Fj4+fGP4cXHir9o39lPUfg9r0WrS20PhbU/F2m61JNbLHGy3QuNOkeIKzPIgQkOPKJIAZc+df8Fav2NtU/bv8A2APiF+z94O/d+LptMXVvAF2s6wvba/YyLdWLJKxAh3TRLE0mRtSV+2a6n/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD5+/4Ix/sr/tf+B9W+Mf7bP/BRfwBZ+HPjb8Z/FVmuo6LZ6raX0el6HplnHbWFuktrLLENxM8jBG5zGWAYEDzP/gvD4O/4KcfthfDvV/2N/wBmT/gmje+KvDFr4q8Pa3pvxPHxc8P2MV/9klgu5oRYXc0c8REgeDcxwSm8AqRX2b/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AZv7PXir41ftjfB7xP4T/b//AOCd9n8NrK6uhYt4H8V+LtH8W2mvWRRXaSUWgeEJv+XypASSucYxXZfBT9jz9kj9muTVJv2c/wBlr4c+AH1yGOHWn8FeCLDSjqEabtiTm1hTzVXe+A2QN7Y6muf/AOE4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD88v2GP8Agkr+2z8Lv+CgnhL4TfG3wLaw/ss/s3+NvGHi/wCA+pjX7Oc6pcatJCbCzltUmaeM2PnXkqyyRoPMDYyGXP0J/wAFK/8Agn58X/Gv7YfgH/go9+zb8DPAPxa8ReFfBl14O8Z/CX4jSwQW/iHRJLk3UL2V1cRSw2t7BcPIwaVdrJIRuXBD/RP/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AeJfsd6F+0Hr3x80jW/G3/AARP+GHwC0HTba5lu/GB8YaDqWsiZoWSOOzi0m2IQMzEPI8y/u2YBcnFaf8AwSy/Zb+O37OPxY/ar8TfGfwL/Y1j8Sf2kNX8U+Cp/wC07W4/tHSZoLdIrnEErmHcyMPLlCSDHKjIr1r/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegDwT9szWv2zPiF4z8RfCjx3/wQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV83/EL/gkT+3D4b/4Nt/iL/wTw0Dw7pviX4neKPE9vrHhrwFofiWMWGgWb+JbDUP7JtrzUJIkaO3ghmkLOyguzqpclS/6F/8ACcf8FC/+jX/gz/4fjVv/AJl66T9l/wCMvif48fCT/hPPGngew8OavbeKPEGhanpGl64+pW0U+laze6W7xXMlvbNKkjWZkG6GMgSbSDjJAPmz/gpB+yF+1LfftYfBv/gpT+w94a0XxV48+E9pqmi+Ivhzr+tLpkfizQb9AHggvHVktrmKTdIhkAQl8sfk2Scj4J/Z2/by/bx/4KKfCn9s39tH9nPTfgl4E+Aen6vN4J8At43s9f1bXtb1GBbeS8uZrHMENvFEqlEDs+9AeQ7Bf0DooA+P/wDgnn+y38dvgZ+27+198X/in4F/svw78UfiRo+qeBdR/tO1n/tO0g03yZZPLhleSHbJ8u2VUY9QCOa5z9mf9m39sX9n39rf9uX9ojQPg/plxN8StY0DUvg9HrXiK3jtPEM1lozwOkzQPJLZp5+2MtLGpwdyqwGa+46KAPyP/bZ/Y0/bo/4KYroXhX/hz14E/Z98fweMdM1af9pBvihouoajoK210k8stk2mwre3UjqhVVmEaZYE4IDr+uFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRX5wf8Fev2Rv2N/ht8MdZ8TfCH4TXMv7U3xb8RSwfBbXND1y7Pid/EssomF1b3LTGS0sLQHz5wClrFBGUKgMikA/R+ivib/gpD+zT+z5P4NtvjT8aP8AgmL4i/aU8ey+GPsF5f8AgyK1+0ae1vDkSRm4vYZbQPI7lXsYpZwQTsJC59R/4JLatrOt/wDBNb4L6l4i+O8XxMv38CWi3vjaKWd/7RlUFWDNcok7PEQYWaZElLQsZFV9wAB0Xgf/AJSF/FD/ALIz4D/9O3i+vZq+ePgF8TvDfxR/b9+L+oeGtN8Q20enfCvwPY3C+IvCOo6O7ypqvi4lokv4IWni+YYmjDRMchXJU4+h6ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAor5w/bY/bY8Vfs2eKtJ8D+B/Cmn3l7eaeL66utVWRoliMjxqiLG6HdmNiSTgDHBzx6/8A/itH8b/AIQ6J8UY9JaxOq27tLaM27y5EkeJwD3XchIPoRXzeB4tyLMeIMRktCo3iKCvNcrS6XtLZtc0b22ut9bfRY3hXO8vyHD5zXppYeu7QfMm+trx3V+WVu9ntpfsKKKK+kPnQooooAKKKKACiiigAooooAK8Z/YP/wCSIa5/2Wb4j/8Aqa63Xs1eM/sH/wDJENc/7LN8R/8A1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr4lm/wCCbn7cWjfto+Pf20vBX7fXgGfXfFYOneHF8a/AO41abwloCuXi0eylj8QW0aRZw8siwo9xKN8mcKq/bVFAHz98WvgN/wAFBvFniSa8+E3/AAUD8PeEtIvdMt4LrTrr4KQalPZ3Kwqk1xZTtqEYi8yQNKEuI7kIW25ZQBXc/sh/sv8AgD9jD9m/wp+zJ8ML/UrzR/Cti8MV/rFwJbu9mlmkuLi5mZVVTJLPLLK21VUFyAAABXpFFAHjPgf/AJSF/FD/ALIz4D/9O3i+vZq8Z8D/APKQv4of9kZ8B/8Ap28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFc58Vvi38N/gd4FvfiX8WPF1roeh6eoN1f3ZOAScKqqoLOxPAVQWPYGrhTnVmoQTbeiS1bfkiKlSnSg5zaSWrb0SXds6OiuJ+BH7RvwT/aa8IP47+BnxAtfEGmRXBgnmgikikhkAztkilVJIzggjcoyORkV21OrSq0Kjp1YuMlumrNeqYqNajiKSqUpKUXqmmmn6NaBRRRWZofP37XHw+8G/FD48fCHwH4v0GK8t9SvtWN2hZkeSCG2SUpvQhgu7BwDXu2haFo3hjRrbw94e0yGzsbOFYrW1t4wqRIBgKAK8j+I3/Ez/AG3PhxY9f7L8M6xeY9PMVYc/pXs9fI8PYbDPO81xigueVZQ5rLmahRpaXte3NJu199dz6vP8TiFk2WYRzfJGi58t3ZOdarra9r8qSvbbTYKKKK+uPlAooooAKKKKACiiigAooooAK8Z/YP8A+SIa5/2Wb4j/APqa63Xs1eM/sH/8kQ1z/ss3xH/9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP8A8pC/ih/2RnwH/wCnbxfXs1eM+B/+UhfxQ/7Iz4D/APTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK+cf+Cp/j74+fDf9ky+8R/s+S39vqA1WCPWtR0tT9psdOKSmSaNl+ZCJBCpccqrscjGR5j/AMEVP2gvjb8avAHjXQ/i/wCO7vxBFoF/Zf2Re6tfG4vR56zGVJHcmRkHlxlS2eWcA4GB49TOaNPOYZc4S5pR5lL7Ozdu/Tfo9DwKvEGHo8QwymVOXPOPMpacuzdu70Tu1onZH25RRRXsHvhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8m/8Fq/h1ofjv8AYN1zWda16WxfwtrFjq1gsabhdXBc2iwMPRhdN06MFPQGvrKvl/8A4KR/8V/rvwV/Zph+f/hN/irZ3OqQdfN0zTlNzdLj8YzntivZ4flOnnVCpF25JczflFSlL8E18zxOI4wqZHXpSV+ePKl5ycYx/wDJmn8il/wSo/YF8WfsP/DvxBd/EPxXa3+v+MJbOa9stOLm3sY4Fl8tAzqrNITO+87QOFAzjJ+raKK48wx+JzTGTxWId5y30t5Ky8krHbluXYXKsDDCYdWhBWV3d922+7bbCiiiuI7jxc/8TT/goEB1TS/hTn6SSah/8TXtFeMfDz/iZ/tu/EW+6/2X4X0izz6eYGmx+lez18xwt79HF1f58TXf3TjD/wBsPpeJ/drYSl/LhqC++Mp/+3hRRRX0580FFFFABRRRQAUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzv4x/4Kt/sC/D74iah8MvGnx5Om3mka+dE1jV7rwrqq6Lp2oiXyTa3GrfZfsFvIJDsKyTrhuDzX0RXxV/wU68e3/wC1pa61/wAEhP2bLK11Txj8QtCWP4p6/JAJbD4d+GLlsTX112a/uE8xLO1yHdz57FI49zAHrvx3/wCCmH7Fn7Nfj7Ufhn8X/ivfWWr6JaRXWvx6Z4M1jU4NHgkj8xJb24srSaGyQoQ+6d0G05zjmvaPCfizwv488Lab448EeIrLV9G1iwivdJ1XTbpZ7e8tpUDxzRSISro6MGVgSCCCK+dP21v2nZP2b/BWgfsifs0+EofGnxq8faQ+mfDvwdeSeZFBbxxLBLrerPg+Tp1su1pZGGZmCwxhnf5fSP2IP2Y9O/Yv/ZD+HP7Kml+JZtZj8B+ErPSH1adNrXksUYEkoXJ2KzliqZO1SFycZoAzPA//ACkL+KH/AGRnwH/6dvF9ezV88fALUvivqf7fvxfk+LPgvw9olzH8K/A6aZF4d8Tz6olxZjVfF2yaV5rK0MMpO4GJVkVQARI2SB9D0AFFFeR/teftrfBH9ifwbY+MPjFdahK2q3LQaVpOjWyTXd4yAGQoruiBUDLuZmAG5RySBW+Gw2IxleNGhFynLZLdmGJxWHwVCVevNRhHVt6JHrlFcD+zV+0r8K/2sfhXa/F/4QapPPpk87288F5CI7izuEALwSoCQrgMp4JBDKQSCDXfVNajVw9WVKrFxlF2ae6fYqhXo4mjGrSkpRkrprVNPqgooorI1CiiigAooooAKKKKACiiigAooooAKKKKACiiigAr5i/bB8L+IP2cPinp37fnws0ma5i0+BNN+K2iWi86noxIAuwvea3ODn+4oyQqNn6dqK/sLHVbGfS9Ts4ri2uYWiuLeZAySowIZWB4IIJBB6g1yY3CrF0ORO0lrF/yyWz/AEa6ptdThzDBLHYZwT5ZJqUZdYyWqf6NdYuSe5V8K+KfD/jfwzp/jHwnq0N/pmqWcd1p97btlJoZFDI4PoQQav18sfs5399+xf8AtB3H7Fvi68lPgrxTJPqvwg1O5clYCW33OkMx/iRmLpnkhuSTIqj6npYHFPFUbzVpxdpLtJb/ACe8X1TXmTluNeNw95rlqRfLOP8ALJb/ACekovrFp9wooorsPQCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvl/Uv+Lrf8FaNNs/9ZYfCj4VzXW7r5Op6nP5W32zajOfavqCvl/8A4J8f8XE+LXx+/aTl+dfEnxNbQ9NnPPm2Okwi3hdf9lt7fitevln7rDYrEdocq9aklH/0lSPGzT99isLh/wCapzP0pxcv/SnA+oKKKK8g9kKKKy/G/im18DeC9X8a3trJPDo+l3F9NDD9+RYo2kKr7kLgVnVq06FKVWo7Rim2+ySbb+STfyNKVKpXqxpwV5SaSXdtpJfNtL5nln7Pf/Ex/aR+NPiHr5ms6VZhv+uFmVx/49Xs9fFv7CP7V2oeLP2gPEHgzWPCsMY8eavdarFcW8jFrSVIWfymzwyeXGQDgHd7Hj7Sr4jw5znLs84ceIwk+Ze1rc2jVpSqzqde8Zwfz7po+08Qcnx+S8Qqhi48r9lR5dU7qNKEOn96El8uzQUUUV92fDhRRRQAUUUUAFFFFABRRRQAV4z+wf8A8kQ1z/ss3xH/APU11uvZq8Z/YP8A+SIa5/2Wb4j/APqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzFq3/AAR5/YM1X4keLfi3b+C/H2k6/wCO9fm1vxbd+Gfjn4v0mPUr+U5ed4bLVYogcYUBUCqoCqAoAH07RQB83fEX/gkt+w58Uvi/d/H3xR4L8bQeMb/QrLRr/wAQaB8Z/FWkz3NjaRiO3hk+w6nCHChcksCWcs7FnZmPuPws+GXhT4N/D/S/hj4HOqHSdHgMNkda8QXmq3W0sW/eXd7LLcTHLH5pJGOMDOAAOgooA8Z8D/8AKQv4of8AZGfAf/p28X17NXjPgf8A5SF/FD/sjPgP/wBO3i+vZqACvn3/AIKB/wDBPzwb+3t4N0TRtZ8a3PhzWPDlzNJo+sQWQukRJhGJo3hLpvDeVGQQ6kFB2JB+gqK6sHjMTl+JjiMPLlnHZ/h102OXG4LC5jhZYbEx5oS3X49Ndz45/wCCVOkaV+zC3jT9gjxrYix8aeHNdm1xbsuRF4k064EccWoQBidoVY4o3QE7CFyS28D7Gr5//bs/Z68aeOdJ0b9or9n9Fg+Kfw1ma/8ADbKP+Qta4/0jTJcY3pKm4KD0Y4BUOxr0L9mb9obwV+1F8GdI+MXgdmjhv4il/p8zfvtOvE4mtZRwQ6NkdBuBVhwwr0s2bzGP9px1c3aov5alt/8ADNK8ezUo9EeXlCWWy/suWigr03/NTvt/ig3yy7pxl1Z31FFFeGe8FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB5j+1t+znYftL/AAiuPB9vqJ0zxBp1wmp+ENejJWTTNTh+aGZWHIGflbHO1iRyARn/ALGn7Rl9+0B8M5rXxzpw0zx14TvW0fx3ojAK1tfx5UyKv/POUAupHH3lBO0mvXq+X/2uPDuufswfF+w/b5+GmlTT6fHDHpfxc0WzTJv9KJCx36qOs1udvPUoACVUOT5ONTwVdY2Hw7VF3j0l6wvr3g2uiPDzFPL8Ssxgvdso1V3h0n60769XByX2UfUFFUvDfiLQ/F/h+x8V+GNUhvtN1K0jurC8t33RzwyKGR1PcFSD+NXa9VNSV1se3GSkk07phRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBynx1+I1v8H/AIK+LfircsoXw54bvdRAbozQwO6r7ksoAHcmvNf+CaPw5uPhj+w58PNH1BW+26lov9s30kn33lvpGuyX77gJlXn+7iue/wCCr2sahcfsqJ8INCuTFqfxL8Y6P4U09k+9uuLpXcAd8xwup9mr6N0XSNP8P6PaaDpNuIbWxto7e2iXokaKFVfwAAr15fuMiiutWo38qcVFf+TTf3HjQ/f5/J9KVNL51JOT/wDJYL7yzRRRXkHshXP/ABX8V2fgb4Y+IfGN/HG8WmaLc3LRSqCsmyJiEIPXcQBjvmugrxn9ua9ub74PWXwx02Zku/G/ifT9EhKfeVZJg7t9NsZBPo1eNxFjp5ZkOJxUNZRhLlXeTXLBfOc4I9jh/AwzLPMNhp6RlOPM+0U+ab+UIyZV/Yl/Z0+H/wAMfhR4f8fxeFIU8Uazokc+o6nIztIVm/ehAGJWPCsikIFzt5ya9wqKys7bTrOHT7KERwwRLHDGvRVUYAH0AqWryLJ8HkOU0cDhoKMYRSdkleSSUpO27k0229XfVkZ3m+LzzNauNxM3KU5N6tuybbjFX2UU0kloraIKKKK9Y8oKKKKACiiigAooooAKKKKACvGf2D/+SIa5/wBlm+I//qa63Xs1eM/sH/8AJENc/wCyzfEf/wBTXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/ykL+KH/ZGfAf8A6dvF9ezV4z4H/wCUhfxQ/wCyM+A//Tt4vr2agAooooAK+Q/ipFL/AME8v2oD+0RpEbRfCL4o6nFa/Ea0jH7rw/rLnbDqwA+5FKTtlPqSTkmNR9eVi/EX4e+EPix4E1b4bePtGi1DRtbsZLTUbOUcSRuMHB6qw6hhypAIwQK9DLsZHCVmqq5qc1yzXePdf3ov3ovo12bPOzLBSxlFOk+WrB80Jdpdn/dkrxkuqfdI2IZoriJZ4JVdHUMjo2QwPIII6inV8t/sSfELxf8AAr4h6l/wTy+Oesy3eqeGrQ3nw08Q3ZwfEHh/JCJnoZ7cAoyj+FDgERlj9SVnjsHLA4h02+aLs4yW0ovVSXqt10aaeqNMvxscfhlUS5ZK6lF7xktJRfo9n1TTWjCiiiuM7QooooAKKKKACiiigAooooAKKKKACiiigAooooAKg1TS9N1zTLnRdYsYrq0vIHguraeMMk0bqVZGU8EEEgg9QanopNJqzE0mrM+Wf2ZdU1L9jv49XX7D3ja/lfwnrpn1b4O6tdyE/udxe40lnPV4mJZM8lSSfvoo+pq8s/a9/Zyg/aS+E0nh3SdT/svxRo10mq+C9fjO2TTtTh+aJww5CsRtbrw2cZUVB+xz+0bP+0R8LWuPFmmf2V408N3j6R450Jxtey1GL5XIXtHJjep5HJXJKmvJwbeBxH1KXwu7pvy6w9YX07wa/lPDwDeW4r+z5/A7ypP+79qn6wvePem1/IetUUUV657oUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5Gf8ABWn4aftXfFX/AIKLr4Q+Glnr3iOS30HTtT8H6b4e8yVtGtztikmfy+LY/a45GMrFQA8eW+7j9UfhDp3jnSPhP4X0n4n6kl54ltfDtlD4ivI2BWe+WBFnkBGMhpA5z718/fsHf8Xh+P3xx/a3uP3ltrHi9fC3heU8r/Z2loI2kjP9yWRtx/2kNfUdfU8RZlOrh8PlrhFewjFNpauTinJP0ur95Xb1PkuGssp0sRiczjOT+sSk0m7pRUmotebs7do2S0Ciiivlj60K8V+Jv/Fd/tmfD/wOp32/hXRL7xFfRjoWkxbQE+6uCR9a9qrxX9n3/it/2ifiv8VW+eC11S28N6a/ZBaR5nUH3kZTXy/Ev+01cDgP+ftaLf8Agop1pfK8aa+Z9Nw5/s9LG47/AJ9UZJf46zVGPztKo/ke1UUUV9QfMhRRRQAUUUUAFFFFABRRRQAUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFYnxMl+I0Hw38QT/B+z0e48Wpod23ha38RTSx6fLqIhf7Mt08IMiwGXYHKAsELFQTgUAbdFfA2rf8Edfjx+1JcP4i/4KH/8FS/jB4k1KdRLJ4I+D+rr4P8AC9grZIiW2hWSe6CEMqzzS+YwBLDOQILf/gh9f/s6qvi39h//AIKkftA/C3WIpo0tbTxT4vj8UeHZ5XcIi3GmX6BZizMqLiRW+bA5IoA/QCvk79pr9vn9rL9lrRfGfxu8df8ABPiSf4Q+A7m5m1zxTZ/FGzbW5dJgciXVbfSRbmN4RGGm8uS7jm2D/Vhvlr3n9nCL9oq3+C+i2v7WF14SuPH8AuItfu/AyXCaXdbbiVYJ4Uuf3kZktxC7xksEkd1VmVQx/O/9uf8A4KRfsZ/tkftO+I/+CdnxZ/bA8DfDT4NfD7WUtvjhe+JPFUGnal431CCUMfDVlHI6yR2KOgF7dYBlwbeI4MklAH01+2x/wUT+M/7KWt+CfEvgr9jg+Nvhj4r1zw1pl58SZPiHaabHZTazqUdjEsViYZrm4aMTQynKxIVkAD5DY+rq/On/AILuftn/ALIPw6/Zz+H3ws8R/H/wjpWsaj8TPh74p0fRZdTjSSfQYPElnK9/Eg62yRW8zbxwFib0r7u+DPxq+E37RPwz0v4y/Az4g6X4q8K60kraTr+i3QmtbsRyvC5Rxw22SN0PupHagDgfA/8AykL+KH/ZGfAf/p28X17NXzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPoegAooooAKKKKAPEv24f2Z9b+PPgGw8YfCrUV0r4leBb3+1/AOtAhStyuC9rITwYZ1UIwPy52kggEHc/ZD/AGmNE/an+Ddr4/t9ObS9bs5307xb4emBE2kapD8s9u6nkAH5lzyVZc4OQPUa+Sf2mNJ1T9hz9oWP9ufwHp80ngbxRJBpvxp0WzjLCEFtlvrSIOrxs22THJDdMyMw9vBNZlhvqM/jV3Sfm9ZU/SW8e01b7Z4WOTyzFf2hD+HKyqryWkanrDaXeDv9g+tqKr6Rq2l6/pVrruiahDd2V7bpPZ3dvIHjmidQyOrDhlIIII6g1YrxWmnZnuJpq6CiiikMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvlz9q3QtY/ZR+NVl+3l8PNNmm0S5SHSvjBo1nGWNzYFgsOpKg6ywHAJ6lMD5RvNfUdVta0bSfEej3fh/XtOhvLG+tnt7y0uIw0c0TqVdGB4KlSQR6GuTG4X63Q5U7STvF9pLZ+nRrqm0cGY4L69h+WL5ZxalCX8sls/TpJdYtoboWuaP4n0Sz8SeHtShvLDULWO5sru3cNHPE6hkdSOoKkEH3q3Xy5+yzrOrfskfG+8/YS8fajNL4e1BZtV+DusXkhYzWe4vPpbOessBJZR1K5PAKLX1HSwWK+t0OaStJO0l2kt16dU+qaYZdjfr2H5pLlnFuM4/yyW69OsX1i0+4UUUV2HeFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFeZftmfGhf2ev2WvHPxejuRFdaToE39mOT/wAvsuIbYf8Af6SOvTa+XP8AgoH/AMXd+L3wT/ZCtv3kPinxt/b/AImhXkHStLTz3jk9FkcgA/3o8V6OUUKeIzGnGp8CfNL/AAwTlL71G3zPMzjEVMNltSVP42uWP+KbUI/c5X+R6b+w98F2/Z9/ZN8C/Cu5tjFe2OgxTasjDkXs+Z7gH1xLK457AV6tRRXJia9TFYidafxSbb9W2/1OzDYenhMNChT+GCUV6JJfoFFFFYm5neLvEdl4P8Kan4t1I4t9L0+a7n5x8kaF2/RTXm37EPhy90T9nLRdX1cZ1DxDJPrV/JjHmPcytIrfjH5dcF/wU2+LvjP4e/CnT/BvhizC2nit7i11XUDHnyokVD5I7AyBm567UbHqOv8A2Cfih4o+Kn7O+n6j4q0mO2k0m5bS7SWGHYlzBDHGEkC9BjcUOOMxnp0r87XEOXYzxOWVe97Shh5Ne6+XmqShKWvlTUUns22k7pn6A8gx+D8Nnmnu+zr14p+8ublhGcY6edRybW6STas0e0UUUV+iH5+FFFFABRRRQAUUUUAFFFfCX7d//BWv4hfsv/tIzfBH4efDLRr+00OK1fXbrWjN5l0ZoY59luY3URgRyKN7B/mz8uBz5+ZZng8pw6rYl2i2lom9X5I8vN85y/I8KsRjJNRbUdE27vyXo36H3bRWH8MvHNl8T/ht4e+JWmWU1tbeIdDtNTt7a4x5kSTwpKqNj+IBwD7ityu6EozgpR2eq9Hr+p6UJxqQU4u6aTXo0mvwaCvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11uqKPZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACmyyxQRNPPIqIilnd2wFA6knsKdWD8VPhn4F+NPww8SfBz4oaEuqeGfFug3mjeItMeeSIXdjdQPBcQl42V0Dxu67lZWGcgg4NAHyR/wUO0b48/s/8Axi0r/gp3+x/rs/i698L+GYtB+Lnwah1JGTxh4WguLi6WawQnCarZvdXUsXeZJHizyEk8y+A/jv4k/wDBbX9oDwn+1Hq+p6x4B/Za+G3iqz1r4XeFbqf7Fq3xN8QWU6y2+r30YbdFpttcRq0Fuf8AXSRiR8gBV+Rvij4F/wCDSPwT491T4cfC/wDYa8a/F3UNDu2tdZn+EFt4q1qztZlPzJ9qW/SGXH96J3Xnr1r2H/gm78Af+DYX49ftMaBp/wCzF+zXe+CvjR4N1S28R+HfCXj688SaVq8NxZyrcxXMMF5dmG6MbxeYY1MmFjYumwE0Afr1RRRQAUUUUAeM+B/+UhfxQ/7Iz4D/APTt4vr2avGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABVLxJ4c0Lxh4evvCfijSYL/TdTtJLXULK5TdHPDIpV0YHqCpIP1q7RTTcWmt0JpSTTV0z5O/ZK8R69+x78cLn/gn58UdVnuNAvUm1P4K6/fSEm6sMlptKdz1mtySVHUpn7oMa19Y15L+2X+zHbftP/CQ6Do+rf2P4t0K8TVvA3iSI7ZdL1OE7onDAZCMRtcc8HOMquK37FH7Tlz+0j8MJ4/GukjR/HnhO9bR/H/h5wFey1CPKs6rn/VS7S6EZH3lBOwmvaxyWY4b6/Be+rKqv7z2n6T69pp/zI8PASeW4n+zpv3Hd0n/AHVvT9YX93vTa/kZ7HRRRXiHuhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeUfth/s5N+0Z8Kv7N8N6n/ZXjDw/eJq3gjXkO17DUofmjO7sj42N1GCGwSop37H37Ry/tH/ChdZ17TP7K8WaFdvpPjbQJBtk0/UoflkXaeQjEb168HbklTXqtfLf7UOkap+yH8dLT9ujwJYTSeGtWEGk/GLSLSMtvtdwS31VUHWSEkK3cqQONztXkYxPA4j67H4dFUX93pP1hfXvBv8AlPCzBPLcUsxh8DtGqv7v2anrC/vd6bf8qPqSiq+kavpev6Ta67omoQ3dle26T2l1byBo5onUMrqw4KkEEEdQasV6yaauj3E01dBRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8ufAH/i+P/BRv4tfHGX97pnw70ez8B+HpTypuCftV+R2DpLhCeu1se1fQXxb+Iuj/CD4W+I/ip4gI+xeHNEutRuVLY3rDE0m0e524HqSK8e/4Jh/DrWPA37H+geJfFoLeIPHVzc+LfEE7LgzXF/IZlcjqD5Pkg57ivYwf+z5ZiMR1lamv+3ven/5LFL/ALePFxv+05rhsP0jzVZf9u+7D/yeTf8A26fQVFFFeOe0FFFFAHh/7R2m6d8Tf2gvhf8ABrVtPgvdOW6vdd1qzuYhJE8cEJSEOjAhlZ2dSCMc17RpWk6VoWnQ6PoemW9naW6BLe1tIVjjiUdFVVACj2FeO/Df/iuP20vH3jJvng8KeH7Dw/Zydi0pNzMB7qw2n617VXynDVOnicTjsyaXNVrTinZX5KPLSir2vbmjUdr2u726n1HEdSph8PgsuTfLTowk1d256vNVbte1+WVNXte2l+gUUUV9WfLhRRRQAUUUUAFFFFABXx5qnwC+D37X/wDwUk8eX/xT8C2utaR8NfCOjaYlvI8kccuozs92sknlsvnFIy0ZR9y4IBXgY+wmZUUu7AADJJPAFfNv/BNBW8Y/D/x1+0RcAs3xI+JWq6pYzEcmwjl+z26e4Xy5APrXkZlTp4rFYfDTScXJzaaurQjp/wCTSX3HhZtRpY3GYXCVIqUXKU5Jq6tTjpdP+/OP3H0hbW1vZ28dnZ26RRRIEiijQKqKBgKAOAAOMU+iivXPd2CvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACvPP2uvhx44+MX7KHxP+EXwx1gad4l8VfDzWtH8Pag0xjFrfXNhNDBLuHK7ZHRs9sZr0OoNU1TTND0y41rWtRgs7Ozgee7u7qZY4oIkUszuzEBVABJJOAASaAPzA/YO/wCC3P8AwTC/Yr/Zf8D/ALGv7ULap+zp4/8Ah34Xs9G8T/DzxZ4C1GDZewRLHcXUU1tbyQ3Ec8qvMJt++XzN7AliaqfGj9uH9mj/AILE/ta/s8eAv+Ccfh3WvH2pfCv41aX4w8Y/GSDwjeafpfhbRLNZGvdPN7dxRPJJeqyQi3QFJPvEnyxj9BfE3xp/Y48aW8dr4x+LPwz1aKJt0Uep69p86ofUB3IFeVftUf8ABRz4JfsrWvwj8N/CFvB/jCT4jfG3w18PxpGg+K7aI6TBqtw0LX6xwLJ5ghIB8vCBiwG9aAPqGiiigAooooA8Z8D/APKQv4of9kZ8B/8Ap28X17NXjPgf/lIX8UP+yM+A/wD07eL69moAKKKKACiiigAooooAK+VP2yfB3ib9l/4uWf8AwUP+DujTXUFnbx6f8YfD1kvOraMCAL5V7z23B3d0UZKqr5+q6ivbKz1Kzm07UbSOe3uImjngmQMkiMMMrKeCCCQQeua7cBjHgsRztc0WmpR6Si91+qfSSTWxw5hgljsPyJ8sk1KMusZLZ/o11i2nuUfBvjHwz8QvCem+OvBesw6jpOr2Ud3p19btlJ4ZFDKw+oPQ8joa06+RvgJe3v7A37SZ/Y+8VXcn/Cs/Ht3Pf/CDU7mQlNMvGbfcaK7HoCzb4snksBlmkO365qswwawdZcj5qclzQl3i+/mneMl0kn0aJy3GvG0H7RctSD5Zx7SXbvFq0ovrFrqnYooorgPQCiiigAooooAKKKKACiiigAorxn9vHwl8WfGn7P11ovwgju5rz7fE+p2dgx866swrh40A5Y7zGSo5IUjnofM/+CY9/wCNfCv/AAlfwh+JE2oadeWi2l7pfh3WIJIZ4Yn8wSyokgBCEmLOOAef4ufisXxhPB8aUMhqYWfJVjdVtoc1pNQWlm/da+JS5rWi1dn2WE4ShjODq2eQxUOelKzo7z5bxTm9bpe8n8Lja95J2R9ZUUUV9qfGhRRRQAVU8QaBovirQr3wx4j0yG90/UbWS2vrO4TdHPC6lXRgeoKkgj3q3RSaUlZiaUk09mfL37Juv61+yv8AGW+/YK+I+pzT6TJHLqvwg1q8fJvNNLFpdOZj1ltzkgdSmThV2A/UNeR/tk/s5XX7Qvwwj/4Q3UhpfjfwveLq/gXXEIV7PUIvmVC3/POTARgcjlWIO0Crf7Iv7Rtr+0p8JIfFGoaadL8S6VcvpfjLQZAVk03U4TtmjKnkKT8y5/hYA8g48rBN4Ku8FP4d6b/u9Y+sL6d4Nfys8TL28uxLy6fw2cqT7x6w9ad9O8HF/ZZ6jRRRXrHuBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfMf8AwVI1O/8AFfwl8Kfsu+Hrp49R+LnjrT9BkMJw8Ngsqz3c/wDuqsaBvZzX0rpemWGi6Zb6NpVqkFraQJDbQRjCxxqoVVHsAAK+VNE8U+GP2mv+CqCXfh3xHYarofwU8BSiGSyu0mRda1GTy5dpUkHbbrsbHKum04PFfWVezmUZYbB4fCtWai5y9aj0+6EY/eeJlco4rG4nFp3TkqcX/dpqz++cpfcFFFFeMe2FNmmit4XuJ5AiIpZ3Y4CgckmnV57+1f41Pw//AGcvGHiWOXZKNFktrZweRLPiBCPcNID+FcWZY2nluXVsZU+GnCU36Ri5fpb5nZl2CqZjmFHCU/iqTjBespKP63+RzP7DkMus/DDWfivdxsJvG/i/UdXBcfMIjMYo1+gEZx9a9orl/gn4LHw6+EPhrwOYtkmmaJbQTjGMyiMeYfxfcfxrqK4eGsFUy7h/C4er8ahFy/xyXPP/AMnnI7uI8bTzDPsTiKfwOcuX/BH3If8AkkIhRRRXtnihRRRQAUUUUAFFFFAHmP7aPxK/4VD+yj4/+IEdx5U9n4YuY7KTONtzMvkQn/v7IlWf2Rvhr/wqD9mLwJ8OZLfyp9N8MWi3qYxi5eMST/8AkV3NeY/8FI/+K30H4a/s5w/P/wALB+Jum2upQf3tOtmNxctjvt2RHFfSdeXS/fZvVn0hGMfnJub/AAUTxqH7/Pa0+lOEIL1k3Ul+Cggooor1D2Qrxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK4D9q74Nf8NF/st/Er9nz7QsX/Cd+ANZ8O+azFQn22xmttxI6Y83Oa7+sP4m+G/E/jL4b+IfCHgnx5c+Fda1XQ7uz0jxPZ2cVxNpF1LC6RXiRTAxyvE7LIEcFWKAMCCaAPz7/AGJP+Dc//gnj4f8A2Svh94e/bC/YR8DXnxO07wzb2njW/stVvJ47y+iXy3uA6TKrGQKJDhQNzkYFWfj/AP8ABvR+x7oXjf4K/FT9gv8AZr8D+BPFHw/+PvhXxZ4j1ebUb5Hn0HT7z7ReW0OTMHmfbEUVgoJXl177+r/tO/8ABdH9kqQ+Gfiz+wD4P/aS0i3Oy1+IPwf8axeH76eIcK93pGoByJ2xlhbyGJSeOOKZpn7cP/Bbf9o6QeGPgL/wSW0T4RpMdr+O/jt8S4Z7Wz9T/Zmmp9qmbHIwyrnAJAyaAPvuvhv/AIKN65+3T+xv8CPiX+3Pof8AwUFtvsvhCSXVPDPwr1H4aaWui6jAbhVtdGlnCtqEt1PuS3WeK4jzLIpEQHy19Wfs3+BPjF8Nfgvovg74/wDxr/4WJ4xtxcSa74vGgw6Yl7LLcSzBY7WElIYokkWBFyzbIVLMzFmPxD8ZtM/b2+Lv7fV38UP2g/8Agmn4+8c/C34Va7v+BvhTwt498IJpl/fx7l/4SjUUvtYgllusE/ZYHiVbVWL4MzFlAPQdZ+Kv7Zf7Z/7X3xC/Z9+AX7Q0/wADtG+EHgzw7Prc9r4Q07Wb/VfEWsWst6ttP9vjkjSztrdIA6RLHLI87YlQKK9i/wCCbX7UPi79sT9jLwh8c/iPodjpvim4fUdI8W2Wmbvs0eraZqFzpt40IYlliee0kkRSSQjqCSRk+QeIvBf7ZX7Ln7ZHxH/as+AX7I1z8T9F+OXhDw9JrXhi38baVpWoeF/EWl20tqone7mWGa0lt5IFeSB5ZEe2bbHIrAn17/gmz+y94v8A2O/2MfCHwM+I+t2Oo+KYH1HV/Ft7pm77M+ranqFzqV4sJYBmiSe7kjRiASiKSATgAF7wP/ykL+KH/ZGfAf8A6dvF9ezV88fAL4R/Cj4Qft+/F/TfhN8MfD3he21T4V+B9Q1O38O6LBZJeXkmq+Lg9xKsKKJJWCqDI2WIUZPAr6HoAKKKKACiiigAooooAKKKKAPN/wBq39m7wt+1T8GNR+FfiK5eyumZbvQNagyJtK1GLJguoyCCCrcHBBKsy5Gc1yP7DH7SPin4u+E9V+EnxttksPil8O7tdK8baecD7SQP3OoRdN0U6AOCABuzgBSufdq+Yv25vhb41+GXi7Sf2/P2f9Ha58VeCbUweMtDt/l/4STw8TunhYDrLEAZEPJG3oxRFr2cvnDGUXl9V2u702/sz7N9Iz0T6KXLLueJmVOeCrrMaKvZWqJfah3S6yp6yXVx5o9j6dornvhP8UvBPxs+G+jfFf4dawl9ouu2KXVjcL12nqjD+F1YFWU8qykHkV0NeROE6U3Cas07NPdNbo9inUhVgpwd01dNbNPVMKKKKksKKKKACiiigAooooAK8r/aV+D/AIi8Uw6f8XPhO62/jrwkxn0iToNQg582yl/vI4Jxnox6jcTXqlFefmmW4bN8DPC172lazWkoyTvGcX0lGSUovo11TafflmY4nKcbDE0bXV7p6xlFq0oyXWMotxkuz6NJrkvgl8YPDvxv+H9p450BGgdyYdR0+b/W2N0nEkDjggqfUDIIPeutrwX4t6ZqP7MHxQk/aR8H2MsvhXXJUh+IukWyE+SxOE1KNR/EpOHA65J6sWX3PS9U07W9Mt9Z0i9iubS7gWa2uIXDJLGwBVlI6gggg152RZlia/tMBjrLE0bKVtFOL+CrFfyzS1X2KinB7Rv6Gd5dhqHJjsFd4atdxvq4SXx0pP8Amg3o/twcJreVp6KKK+hPACiiigAr5Z/aU03UP2Nvj9bftt+DLGVvB/iJoNK+MOlWsZIRCwS21dUHV42YI+OSDgDLsw+pqo+JvDWg+M/Dl/4R8U6VDfabqdpJa39ncLuSeGRSrow9CCRXHjsK8VRtF2nF3i+0lt8ns11i2uxwZjgnjcPaD5akXzQl/LJbP0esZLrFtdixpupafrGnW+r6TexXNrdQpNbXMEgZJY2AZXVhwQQQQR1BqavmD9kPxLr37M/xa1D9gT4n6rNcWltBJqfwl1u7bJ1HSCSXsmY9Zrc5GOpQEgBVXP0/TwWKWLoczVpLSS/lkt1+qfVNPqPLsasdhudrlmm4yj/LJbr9U+sXF9QooorrO4KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK5X466LN4k+CHjLw7beKv7Ckv/AArqNtHrmSP7OZ7aRRcZXkeXnfxz8tdVXzz/AMFQfiBrXhP9krVPAvg98+IfiLqVp4P8PwhsGWe/k8t145/1Am6d8V25bQnicwpUoOzco69tU2/RJNvyWpw5nXp4XLq1WaulGWnfRpJebbSVtbvTU+Kf+CLP7D/7ROm/Gnw/+15rkA0XwSdJvGs3e/RpNcWWOW3VPKRi6IsmJcyhcmJCoOQR+rlYXwv+H+i/Cj4baB8MPDibbDw9o1tp1p8uCY4YljBPuQuT7k1u13cQ51Wz3MpYmaSS92Nlb3U3a/d66/5Hn8OZHR4fyuOFpttv3pNu/vNK9uyutPvd2wooorxD3grxX9sT/iqrz4d/BuP5v+Em8cW0l7F132VqDNMMf98H8K9qrxW//wCK6/bvsLbG+18C+B5bjd/zzvLyTy8e2YRn8K+X4u/fZXDBLfEVaVL/ALdlNSn/AOU6cr+T8z6bhT9zmc8Y/wDmHp1an/byg4w/8nqRt6eR7VRRRX1B8yFFFFABRRRQAUUUUAFFFVNf13R/C2hXvibxDqMVnp+nWkl1fXc7YSCGNS7ux7AKCT7Ck2krsTaim3sj538Xf8XR/wCConhPQB+8s/hh8OL3WHbqsd9qEotQh/2vJAcewr6Tr4f/AOCff7XHwV+Nn7afxf1i21q5TXPG17aDwpFeWxRbnS9Pt2jAQ5+WQrmVkIBwM8kMB9wV4+SV6OLoVMRTkpc9Sb08mopf+AxT9GeBw7icPjsNWxVKal7SrN6O+zUYr/wGKfpJBRRRXsn0AV4z+wf/AMkQ1z/ss3xH/wDU11uvZq8Z/YP/AOSIa5/2Wb4j/wDqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFfA37cvhn4jftw/wDBTnw1/wAE2dT/AGjPG3w3+GWl/A+X4ieJovhzrZ0vVPFl2+rnTYrF7xQXjtYFTzZET75nQN/CyfPn7Mnxy+LvhH/glD/wTm+KGjfGLxOniDxB8evD3h/XIR4guT/wkem6jc6nbXkF5HvxdokWJx5gbyzbBhgigD9fKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9ezV4z4H/5SF/FD/sjPgP/ANO3i+vZqACiiigAooooAKKKKACiiigApGVWUqwBBGCD3paKAPkLwgx/4J0ftTj4Z3beR8GPi7q7S+F5mOIfC/iF+Xss9I4LjGUHADAAABZGP17XFftDfAfwL+0t8H9a+DPxEtC+n6xbFFnjA820nX5oriMno6OAw7HGDkEg+V/sJfHjx1qg1v8AZM/aIux/ws34bFLe9unJxr+lnAttTiJ5cMpUOeSGILYL7R7mJ/4VMH9bX8Wmkqn96O0anrtGfnyye7Z4OF/4Scb9Tf8ACqNun/dlq5U/TeVPy5or4Uj6Jooorwz3gooooAKKKKACiiigAooooAh1LTrDWNPn0nVbOK4tbqForm3mQMkqMCGVgeCCCQRXhXwq1G//AGWvinH+zt4rvJJPB/iCeSb4earcOT9mkJy+myMe4JyhPXIHJbC+91ynxq+EXhv43fD+88B+I90Xm4lsb6IfvbK5XmOeM9Qyn3GQSOhNfPZ7lmJxHs8dgbLE0buF9FOL+OlJ/wAs0tHryTUJraV/fyTMsPQ58FjbvDVrKVtXCS+CrFfzQb1X24OcHvG3V0V5T+zV8XvEniIaj8Gvi3th8c+EyItS7LqVtwIr6P8AvK4I3Y6MRkDcAPVq9HK8zw2b4GGKoXSd009JRknaUJLpKMk4yXddU035+Z5biMpxssNWtdWaa1jKLV4yi+sZRacX2fRppFFFFegcAUUUUAeP/tnfs56l8fPhtb6l4A1EaZ498IXo1jwJrSkK0F9Hg+SzH/llKFCMD8v3WIO3B0/2S/2i9N/aY+EFt42bTjpuu2M76d4s0KQFZNL1OH5ZoWU8gZ+Zc87WGecgem18r/tDWV5+xX+0PB+2V4VtJP8AhBvFssGl/F3TbZCVtXLbLbV1Ud1ZgkmByG6FpCR5GLX1DEfXI/A7KovLaM/+3b2l/cf908LHp5Zi/wC0I/A7Rqry2jU9YXtLvB3+wfVFFRWV7Z6lZQ6jp13HPb3ESyQTwuGSRGGVZSOCCCCCOualr19z3U01dBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXy38Yv+L7f8FMfhv8ACWM+dpHwq8NXfjHW0HKNf3BFtZRt6On+uX2Y19RsyqpZmAAGSSelfLv/AATdB+LGu/Fn9su7HmD4jeOpbXw9Oed+i6aDa2rA9skSggcZQda9jK/3FDEYv+WPLH/FU938I87PFzX/AGjEYfBr7c+aX+Gn734y5EfUdFFFeOe0FFFFABXiv7KP/FXePvip8YnG4ax4yOmWch/jtrCMRIw9juP5V1P7TXx60f8AZ0+Fdz4+1OykuZ5ZxZ6Xax8ebdOjsgYn7qgIzE88L0JNecf8E1/if4X8Y/Ar/hB9Ktp4tT8OXLHWGnO7z3uZZZVmDd84ZcHkbO/Br4XM84yytx3gMplVXtYQq1eXq5OChBbWvyurNK+ybPt8tynMqPBGOzSNJ+znKlS5uiipuc3ve3MqUHpu0j6Iooor7o+ICiiigAooooAKKKKACvLv22fGnhvwB+yP8RvEfi2FZbE+Eb20e3Zyone4iNvHFkcjfJKi5HPzV6jXzR+3b/xd74r/AAh/ZFtv3kHiXxX/AG94oiHI/srTV85o5PRZZCFB/vR15+aVZUsBU5fikuVesvdX/pV/RM8vOq8qGWVeTWUlyR85T9xfjK78kzgP+Cd//BK7Sf2dvE/h/wDaR8d+O7nUvEZ0FJrTRF04W8ek3FzbbJld/MYzsqyPGDhByTgnGPtaiiqy7LcJleGVDDxtHd+b0u362/yKynKcDkuDWGwkOWO73u3ZXbv1dv0WgUUUV3HpBXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfDP7dXwS+E37b37f8A4b/Zcj13x78Lvit4E+EsvjrwL8dPh74iSyvra2uNSOnXWk+UyMLqAlIpJUf5QJYwCvmMWqf8E+/+CD/ww/Yq8VeCfGnxI/ah+IXxfuPhbZXNr8KdE8W3EUGi+ERcBhNcWljECv2lld1852YgNwAVVgn/AAVr/wCCfvhf44/FTwp+2n8Q/wDgqd4l/Zw074daL/Z2k6ppmpWGmW9pcTSzNPN9uuHjdTcI0MTwb/LkW1iyrEVxH7En7Pmq/Gr4o6N47+Bv/ByJ40+NOn+ENdsdS8ReENI1fRL6K9tYrhHe1u1tyZYoZgpiLYBIc4OaAP0pooooAKKKKAPGfA//ACkL+KH/AGRnwH/6dvF9ezV4z4H/AOUhfxQ/7Iz4D/8ATt4vr2agAooooAKKKKACiiigAooooAKKKKACvnX9u74E+Or46J+1x+ztZ5+Jnw23z2tpGDjxBpRybnTJQvL7lLNGOSGLBcM4YfRVFdWCxdTA4mNaGtt09mno4vyaun9+6RyY7B0sfhpUZ6X1TW8WtYyXnF2a+7Zs4v8AZ7+O3gX9pT4QaL8Zvh3eGTTtYtQ5hkI820mHyy28gHR0cFT24yMggntK+QfFIP8AwTn/AGqD8QrUGD4L/F7WFj8RxLxB4X8RPwl5jpHb3GMOeApBJICIp+vgQwDKcg9CK6MxwlOhONWhrSqK8X1XeL/vQej7q0tpHPlmMq4iEqVfStTdppbPtJf3ZrVdnzR3iFFFFeaemFFFFABRRRQAUUUUAFFFFAHk/wC0t8JPE2tnTvjX8IVWLxx4TzJYLj5dUteTLYyY+8GGdvoxOCN24dd8GPi54a+Nvw/svHvhksiTgx3llKf3tncLxJBIOzKfzBBHBFdVXgfxRsL79lb4qyftBeF7OR/BniO4SH4g6XboSLOYnampRqPc4kA65zyWyvx+ZRlw5mEs2pr/AGepb6xFfZeijiEv7qtGtbeHLU3pu/1uXNcQ4COV1H+/p39hJ/aWrlQb/vO8qN9p80Nqit75RUOn6hY6rYQappl3HcW1zEstvPC4ZJEYZVlI4IIIINTV9fGSkk07pnybTi2mrNBRRRTEFZ3i7wn4d8d+F9Q8F+LtJhv9L1WzktdQsp1yk0LqVZT9QT71o0UpRUotNXTFKMZxcZK6Z8x/sdeLPEX7O/xO1H9gL4r6tNc/2VbtqHws1u7bnVdEJJ+zFu81vypUfwqcAKgJ+nK8b/bS/Z11n44/D6z8TfDS+GnfELwVe/2v4F1YEApdJgtbOTwYplUIwPy52k5CkHc/ZT/aJ0X9pv4PWXxCtLE6fqsEr2PibRJQRLpepRYWe3dTyMN8y55KspODkDysDJ4Os8DN6JXpvvHrH1ht5xcX0Z4mXSlgMQ8uqPRK9JvrDrG/endLu4OL6M9Iooor1j3AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPFf+Ch/wAYLz4J/seeNfFGiO/9r3+m/wBj6FHD/rXvbxhbRlB3ZfMMgH/TM12P7M3wfs/gD+z94P8Ag3aIgPh7QLe1uXj6SXAQGeT/AIFKXb/gVeK/tcf8Xu/bY+CP7MEP72w0O8n+IHiqHqFiswYrHcO6tcM6kHjkda+o69jFf7NlNCh1m3Ufp8EPwUn8zxcJ/tOcV6/Smo0l6/HP8XBfIKKKK8c9oKKKKAPCv25NMsviPpXgv4ALAr3vi/xZDiQKDJa2tupe5nTIOGVGx9Gau4+AX7OPw2/Zw8PXPh/4ewXbm+mEt9fahMsk9wVBChiqquFBOAFA5PcmuP8AA/8Axdb9svxP44b95pvgDR4tC0w/wm9n/e3Lr/tKP3R9iK9tr4nI8twGZ55is/qUoupzulSm1qqdJezk0/79T2mu9opJpaP7PO8xx2W5Lhsip1ZKnyKrVino6lV+0imv7kPZ6bXk203qiiiivtj4wKKKKACiiigAooooAK+aP2bv+L2/tx/Fv9oaX97pvhFIPAXhmXqA0JE9/jtkTlcEdmr2X9ob4sWPwL+Bvir4u35TGgaJPdQxydJZwpEMf/A5Ci/8CrjP2APhNffB/wDZO8J6Jr4dta1WzbWtflmH7yS8vGNw+/1ZQ6xn/rnXl4n/AGjMqNHpC9R/L3Yfi5P5Hi4z/as3w+H6QTqy9V7kP/JpSl/26ey0UUV6h7QUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5qf8FB/D37J3xH/AOC1/wAJvh5/wUpm0Gb4VRfBC9vvhVo/j+5SPw5qPjP+1xHeJMsxEE9wtj9l2RTZU+YcAsUB5f8AbR+GP/BOT4L/ALdX7Kus/wDBO3w98OPDPx21D436XY6jo3wfjs7WW+8GSRT/ANtvqNrYYjNutsCwllXduQBCQr4+sv2nbr9lf9sD9rG1/wCCX37Rv7L2j/EGzPwwf4hahqHiGKKS30mL+0P7Ot1hBXzVuJX+0YkjZCqROMndg8UP2e/+Cdn/AARn8W/DjxF+zr+xB4f0KX4tfE7Tfh9deKtIYvf6XLqIl+zM01yZJmt3nhjjaNJFG6SNiG28AH2tX59f8FtP2UvgJqeq/B39rrUvAz3HxC079ob4a6Rp+uz6vdutrZnxLbbkitjL9njZhI4aRYw7A4LEAY/QWvlX/go3+wp+1L+25feGNF+F/wC2P4a+HnhTw14h0LxJHoupfCRtcup9b0vUTewXBuhqtqFgYpbo0HlE/u3PmfPhQDxr/gpRP+zLd/8ABSX4e6B/wU71vSLT9nqf4QanJ4Si8c6gbbwvceNF1GLzheszLA1yun7TbLcHHM5j/eV0P/BAX45p8Xf2fPi74L8MaxrWoeBvhv8AtCeIvDXwqu9fe4e4HhcR2l7p0W+5/fPGkV7tiMhLCDyR2AHuPjz4Fft7+J/hr4W8O+Hv23fBOneI7C2uY/GOs3nwOF5Za1I8qtBNb2baqrWTxINozNOrE7ivAA6z9kT9lnwt+yN8KJvh7ovinU/Eeraxr994h8ZeLtbEYvfEGtXsplu76ZYlWNCzYVY0UJHHHHGowgoA4n4BfE7w38Uf2/fi/qHhrTfENtHp3wr8D2NwviLwjqOju8qar4uJaJL+CFp4vmGJow0THIVyVOPoevGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBzvxb+FXgn43/DbWfhP8RtIW+0XXbF7W+t24O08h1P8LqwDKw5VlBHSvBv2Gfip42+HHivVv2Bv2gtXa48WeB7VZvCOuXHH/CS+HidsFwpP3pYgBHIMkjaOWKu1fTdeEftz/s3+Kvi14W0n4wfBC4Sw+KXw6u21TwXf4x9rwP32ny8jdFOgK4JA3YyQpbPr5bXpVISwWIdoTd039ieyl6P4Z/3WnvE8fM6FalUjj8Or1IKzivtw3cf8S+KH95NbSPd6K85/ZU/aQ8K/tUfBfTfit4bt3s7iQta67o0+RNpWoRYE9rICAQVbkZAJVlbAzXo1ebXoVcNWlSqq0otprs1/X69T0sPXo4qhGtSd4ySafdP+vzW6CiiisjYKKKKACiiigAooooAKr6tpOm69pdzoms2MV1Z3kDw3VtOgZJY2BDKwPUEEirFFTKMZxcZK6ejXdMcZShJSi7Napng3wf1bUv2Zfien7NPjO+ll8MazJJP8OdYuXJ2c5fTZGP8AEpOUz1BA/iVR7zXI/G/4PeH/AI4fD+68E65I9vKWE+l6lDxLYXacxzoRggg9cEZBIzzXNfs1fGHxB4uttQ+FPxVjW28deE3FvrUPQX0X/LO9i6bkkGCcdCegDKK+SyuUuHcwjlFV/uJ3eHk+ltZUG+8FeVK796neGrpa/WZnGPEGAlm1Jfv4WWIiut9I10u03aNW3w1LS0VTT1Oiiivrz5IKKKKACvlb4721z+xD+0fF+1v4dt3X4e+ObiDTPixYwISmn3RbZbauFHTltkhHXcThmkBH1TWX418GeGfiJ4R1LwJ4z0iK/wBK1eyktNQs5h8ssTqVYe3B4I5BwRyK4sdhXiqK5HacXzRfaS/R6qS6pvsjz8ywUsZQXs3y1IPmhLtJd/7rV4yXWLfVI0bW6tr22jvLO4SaGZA8UsThldSMhgRwQRzmn18zfsZeMvE3wI+Iep/sB/F7V5bm68P2xvvhrrd0cHWdBJO2LPQzW+ChUfwqcDbHk/TNXgsUsXQU7Wa0kusZLdfJ7Pqmn1Ly/Gxx+GVS3LJNqUesZLSUX6PZ9U01owooorqO0KKKKACiiigAooooAKKKKACiiigAooooAKKK8B/4KUfteap+xf8Asz3HxL8N6Et/rOq6pHo2ieaxEVtczQzSCeTHJVFhc7RjLbRkAk104PCV8fi4Yairzm0l6v8Ap/ccuNxlDL8HUxNd2hBNv0X9JfM5n9iX/i9P7Unxx/axuP3tm3iGPwV4UlPRbLTlH2h4z3SWdlfPqpr6kr4f/wCCFP7Qtj8Tv2atS+DCeEvsF34AvUNzqCSFl1IX0tzMJWLc+aGSQNyRjZjHQfcFenxJRq4bOatCatycsUv7sYpRfzXvesmeVwxWpYrJKWIg7+05pt/3pSk5L5P3fSKCiiivDPfCsb4ieNNN+HPgPWPHmrkfZ9I02a7kUnG/YhYKPckAD3IrZrxT9sqebxla+EP2d9OlYTeOvEkUeoKjYYabbET3LDHphPrzXjcQ5jUyvJa2IpK9RK0F3qTahTXznOPyTPXyDL6eZ5xRw9V2pt3m+0Ipzm/lCMvm0a/7GngvUvCnwI07WfEIJ1jxRcS6/rEjDBee6bzAT6ER+WCPUGvVKbBBDawJbW8SpHGgWNEGAqgYAA7CnV05Tl1PKcro4Km7qnGMb92lq35yk5SfnJmGa5hUzXM62MmrOpJyt2TeiXlGKjFeUUFFFFegeeFFFFABRRRQAUUUUAfNH/BQZj8VfEvws/Y/syZF8feMkvfEUK850bTgLm4VvTcwj2k8EoRzX0sqqqhVUAAYAA6V+XvwT/4KSz/F3/gpzovxD8QfDkf2ZrUCeDPDdqJW8/TIbi7UpcsD8rSM7fvMAYRiATt+b9Q6+fyPHYXNKuIxNGV/eUfSMV7v33lI+X4czLBZzXxeMoS5vfUNmrRhH3d/5m5y+avqFFFFfQH1AUUUUAFeM/sH/wDJENc/7LN8R/8A1Ndbr2avGf2D/wDkiGuf9lm+I/8A6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFeW/tyfE7xJ8Ev2KfjB8Z/BkjprHhH4W+INa0po1ywubXTbieIgdzvjWgDwT9vv8AZe/bY8PftVeE/wDgo3/wTph8J69470TwTP4L8b/DjxxfPaWfinQHu/tkK290vFtdwXJkdWfCsJSCcApJ574c+Cv/AAVb/wCCif7Q/wAL/F37f3wI8DfA74U/CLxva+NbbwVoHjJNf1nxNr9mr/YGluYAIYbSGRzKV+8zKAQ2Q8eX+2V+1/8AHL9j/wD4N4PCXxe+H3xZ1XxF8WfGfw88KaP4c8XajeG4vb/W9aS2827SR8kyKk1zNF12mOMdFrzm7/4J+ePf+CNHxT/Zv/aF+FH7aPxa8bar49+MmgfD7416J458WvqGl+JV1oSQPfxwOoMUsFyFkjJZ2CdXOH3gH600UUUAFFFFAHjPgf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB8i/Hazu/2A/2lh+134XtZB8MPiBeQ2Hxc023QlNKvmbZb60qjoCzbJcDksT8zSLt+trO8tNRtItQ0+6jngnjWSCeFwySIwyGUjgggggjrVDxr4M8MfETwjqXgPxro0Oo6RrFlJaajY3C5SaGRSrKfwPUcjqOa+Z/2MvGfif9mT4s3v8AwTu+MmszXUen2z6h8IPEN43Or6ICSbNm6Ge2wRtH8CnACopb3J/8KuB5/wDl9RWvedNaJ+cqeifeFn9lngw/4SMf7P8A5c1np2hUerj5RqatdFO6+2j6rooorwz3gooooAKKKKACiiigAooooAK8k/aV+FHie9udP+PPwdhC+NvCiloYAPl1ey6y2UgH3sjJT0YkDBII9borzs1yzD5vgZYatdXs1JaShJO8ZxfSUZJNP1TunJP0MrzLEZTjY4mlZ2unF6xlFq0oSXWMo3TXo1ZpNcx8H/iv4X+NXw/sfiB4UmPkXabZ7aQ/vLWdeJIZB2ZTx7jBHBBrp68C+Itnd/smfFeT45eHraRvAnim7SLx1p0CEjTbpjtTUUUdFJOJAOpPcldvvNneWmoWkV/YXMc0E8ayQzROGWRGGQwI4IIIINcGRZniMUqmDxtliaNlNLRST+CrBfyVEr215JqcHrFX7s7y3D4ZwxmCu8NWu4X1cWvipSf89Nu19OaDhNaSdpKKKK+gPBCiiigDxb9tf9nnxB8ZfAth46+FF0th8RvAl5/a/gjUhgFplAMlm5PWKdV2FScZ25+UEHpf2W/2hvD/AO038HdP+Jmj2rWV7ua01/R5ciXS9Riws9s4PIKtyMgEqynAzivRK+VPjRDN+wx+0vH+1FosTR/DX4h3kOn/ABQtIl/d6VqLHbb6uFH3VYnZKfViTuZ1x5GK/wCE/E/XF8ErKp5dIz/7d2l/daf2Twsb/wAJeM+vx/hytGqu3SNT/t2/LP8AuNN/AfVdFNhmhuYUuLeVZI5FDI6NkMDyCCOop1eue6FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfG/iLwh4f/wCCmP7WGq+H/F1i2pfBf4QyTadLbLcSRw+IfEkkZSYh42ViltG2AVIIcgglZDXpn7fnx98X/DP4faZ8Hfgq3m/Ev4m350PwbAjYa13AfaL9sfdSCNt27naxUkEBq9C/Zq+AfhD9mT4J6D8FvBa77bR7QLcXjriS9uWO6a4f/aeQs3sCAOAK9zCSlleCeMTtVqXjT7pbTmuz+xF93JrY8HGRjm2OWCavSp2lU7Se8Kb7r7c12UE9yT4Efs5fBP8AZl8IP4E+Bnw/tfD+mS3BnnhglklkmkIxukllZ5JDgADcxwOBgV21FFePVq1a9R1KsnKT3bd2/Vs9qjRo4ekqdKKjFaJJJJeiWgUUUVmaBXiXw9/4ur+2J4t+IL/vNN8C6XF4d0puqm7kPm3Tj0Zf9WfYivUfiX440/4a/D7WvH+qYMGkabNdMhON5RSVQe7HCj3NcV+xz4I1Dwb8BdKvdfy2r+IpJNc1mVhhpLi6bzMsPUIY1PutfLZt/wAKHEGCwC+GnzYif/bnuUk/WpOUv+4fkfT5X/sGQ4zHP4qlqEP+3/fqtelOEY/9v+Z6jRRRX1J8wFFFFABRRRQAUUUUAFcl8ePirpnwP+DHif4uavtMPh/RZ7xY3OBNIqHy4vq77UHuwrra+aP+Cgzv8V/EPww/Y5sXLj4geLkvPEkSnP8AxJdPxc3Ct/d3MI9pPBKEc1xZjiJ4bBTnD4to/wCKT5Y/i19zPOzbFTweX1KlP47Wj/ik1GP/AJNJP0TKP7AH7Cvwh+HPw48IfHzxt8PYLr4mappp1TU9cvJpWeGW7Zptqwl/KidEkWMsqBuDzya+paRESNBHGgVVGFUDAA9KWqwWCw+Aw0aNGKSVr2Vruyu33b3bLy7LsLleEjh6EUkkr2SV3ZJyfdvdt66hRRRXWdwUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFUvEvhvQfGXhzUPCHirSYL/S9VspbPUrG5TdHc28qFJI3B6qysQR3Bq7RQB+eHwo/4N5Phj4A+LfgHUvGv7aXxf8AHPwo+E3iaPxB8L/gn4r1lLjSNEvoSxtdz433EVuWIiQgFV+Usys6v9UftS/sc6X+1T8UPg5418WfEG+sdG+EfxAHjFPDVtZo0es6nDbSw2Tyyk7o1gaaWQBQdzEZxtBrw39qH/g4M/4Jm/sr/GDUvgBrnxP13xj4y0SZote0L4c+FbnWH0yRTh45pYlEIdTlXQOXRgVYKeK9I/YQ/wCCtH7CX/BR641TQf2X/jGL3xFoUXm634P1zTJ9N1ayj3BTI1vcKpkjDMqtJGXRWZVZgSBQB9I0UV4X8d/+ClX7E37M/wAc/Dv7Nfxp+NqaT438VXum2mi6FB4f1G9aSW/ufstmJZLW3kjt1lmyivMyLkckDmgD3SivLf2k/wBtH9mv9kh9Ds/jv8Q5NO1DxNLPH4d0LSdBvtX1PUzCoaZoLHT4J7mVI1ZS7rGVTeu4jcM7v7P/AO0Z8E/2pvhvB8W/gD8QrPxJoE91Nam8tUkje3uYXKTW88MqrLbzIww0UqK6nqozQBx3gf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV41+2x+zHd/tHfDK3uvAuqjR/H/hG9GsfD/xAhCtZ6hHgiNm/wCeUu0I4OR91iG2AV7LRW+FxNbB4iNak7Si7/8AAa6pq6a6ptHPisLRxuGlQqq8ZKz/AEafRp2ae6aTPJv2Nf2nLT9qD4Rr4j1XSTo/ivRLt9J8ceHJQVl0vVIflljKnkIxG5DzwcE7lYD1mvk79rHw7rn7HPxzt/8AgoD8MNKnn8O6gsOmfGvQLGMsbixyFh1ZEHWaAkBj1KY+6DI1fUnhzxFoXi7w/Y+KvDGqwX+m6laR3Vhe20gaOeGRQyOpHUFSCD7125lhqK5cVh1+6qXsv5ZL4oP0vePeDT6M4csxVaTlhMS71adrv+eL+Ga9bWkuk1JbNF2iiivLPWCiiigAooooAKKKKACiiigCrrei6T4k0e68P69p8V3ZXtu8F3bTLlJY2BDKR6EGvEvgtrerfs4fEpf2XvHeoSzaDqJef4b61dNnfFnL6fIx/wCWkefl9QQOMote71xvx1+DeifHDwDP4Q1O4e0u45FudG1WHiXT7xOY5kI5GDwQCMgkZHUfO57luKqunmGAS+s0b8qvZVIPWdKT7TteLfwVFGW3Pf6DJMxw1JTwGOf+zVrcz3dOa0hViu8b2kl8dNyjvy27KivMP2a/jJrnjrTr/wCHHxOt0svHPhSQWviC06C5X/lneR9N0cgwcjgE9ACufT69PLMywubYGGKw7fLLo1ZxadpRkukoyTjJPZrtZvzcyy7E5VjZ4Wuvej1WqkmrxlF9Yyi1KLW6fqkUUUV3nCFZHj3wL4W+JvgvVPh7430iO/0nWbKS01C0lHEkbjB56gjqCOQQCORWvRUyjGcXGSumTOEakHGSuno13T3Pmn9izx14q+DfjbVf2CPjLq0lzqvhS2+1+ANbuuDrnh8kiLB7ywY8tlHZcDIjLH6WrxL9tr9n3xN8VvB2m/E/4OzLZ/En4f3Z1XwZfAYM7AfvrF+m6OdBsKkgbtuTtLZ639mP9oLwx+018HdM+KnhyFrWWcNb6xpUp/e6bfR/LPbSA4IKt0yASpVsDdXl4GUsJVeBqPZXg31h29YbPvHlfc8bLZzwNd5dVd+VXpt/ah/LfrKnpF9XHkl3PQKKKK9Y9sKKKKACiiigAooooAKKKKACqmv69o3hbQr3xN4i1KGy0/TrSS5vry4fbHBDGpZ3YnooUEk+gq3Xyp+29r2s/tMfF3w//wAE7vh1qc0Nvq8aa18WdUtHIbT9CjcFbXcPuy3LhVA6hdpIKua7cvwf13EqDfLFXcpfyxWsn92iXVtLqcOY436jhXUiuabajGP80npFffq30ipPoH7EWg6z+0z8XvEH/BRD4iabNDbatHJonwl0u7TDafoUbkNd7T92W5cM2eoXcASjivquqmgaDo3hXQrLwx4c0yGy0/TrSO1sbO3TbHBDGoVEUdgFAAHoKt0ZhjPruJc0uWKtGMf5YrSK+7VvrJt9Qy7BfUcKqcnzTbcpS/mk9ZP79EukVFdAoooriO4KKKKAPE/2xZZPHD+DP2c7F2L+NvEcZ1RUPI021xPcHjp0THrg17VFFHBEsMMaoiKFRVGAAOgFeKfDP/i6n7XvjP4lSfvNO8FWEXhnR26qblj5t2w9GVv3ZPowr22vluHf9uxmNzR7VKns4f8AXuhemreUqntZeejPp+IP9iwmDyxb04e0n/18rWm7+cafso+WoUUUV9SfMBRRRQAUUUUAFFFFABXzP+z/AP8AF9P28vij8fJT52k+A7SHwJ4ZkPK+eh8/UGHYMspVMjkq+K9l/aJ+Len/AAH+Bnir4v6iUK6Bos91BHIeJZwuIY/+BylE/wCBVxv7Afwk1D4O/sp+FtG8Qh21zV7Ztb8QzTD95Je3jGd9/qyh1jP/AFzry8T/ALRmNGh0heo/l7sP/JnJ/I8XGf7Vm1DD9IXqy+XuU1/4E5S/7dPZaKKK9Q9oKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK8r/bo+K+v/Af9iT4x/HHwpceVqngz4V+Idd02UDOy4tNNuLiNvwaMGvVK4P9qX4ffC/4tfsx/Eb4VfG/xX/YPgvxN4D1fSfF+uf2jFZ/2dpdzZSw3Vz58wMcHlwvI/mSAom3cwIBoA8i/wCCQH7Lfwr/AGU/+CePwr8KfDjwxa2t9rngjS9c8XawsI+1a3q93ax3F1d3Mv35naWV9pcsVQKgO1QK8s/4Kx/DLwV8L/2mP2Vf25/BGg2umfEGx/aK8PeBtT16zhWOfVNA13ztPubK4ZQDOitJFJHv3eWVfbjeTXzRpX/BO/8A4I0aFpdtomif8HE3xZs7Kzt0gs7O1/bK0aOKCJFCpGiKgCqqgAADAAAFdH8I/wDgnb/wR5vPjv8ADnxFYf8ABcL4g/EnXfDPxD0XXfCPg7xL+1No+tW2o6zaXsU1lF9j8stOzTKqBI8SNvKqQWoA/WCvj3/gtP8A8kB+FP8A2dF8NP8A1JbOvsKvBf2sf+CZ37HX7b/i3TfG37S3gfxLrd7pFvaxadHpvxN8QaRawm2uJLiCYW2nX8EBnSWRnWcoZRhBvwiBQDwv9tS2+LnjL/grV8J/Cn7HPiPQPDPxZ0T4K+IdS13xJ49sZNQ0OXwtPqVhC1mLCF4p7i7N7FBIskVzbiKON95lEioN/wD4IvSX+leEPjx4B+IKxXHxK0T9ojXD8V9c025V9L1nW7i0sbgXVggjQ21v9kktI/sz7pInicPJKxMj+qeM/wDgmR+xZ8QvAfg74f8AjD4YatexeAI7mPwfrrePdbTXtMjuGLTomsJeDUGSQn5la4ZSFUEYRQPQ/wBnr9mz4G/sp/DpPhR+z78ObLw1oQvZr2a1tXkkkuruZt0tzcTSs8txO5A3Syu7tgZY4FAHmHwC1L4r6n+378X5Piz4L8PaJcx/CvwOmmReHfE8+qJcWY1XxdsmleaytDDKTuBiVZFUAESNkgfQ9eM+B/8AlIX8UP8AsjPgP/07eL69moAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigCtrGj6V4h0i60DXdOhvLG+tnt7y0uYw8c8TqVdGU8MpUkEHqDXyn+zHrGq/sQftBSfsKePtQmk8E+JHn1P4K63eSFhGm7fcaM7nq8bNujzyQ3XLoo+ta8t/a/8A2ZtG/an+Dlz4Ek1JtL12xuE1Lwh4hhJWbSNUh+aC4Rl5Az8rY5KscYOCPUy3E0Yc2GxD/dVLJv8AlkvhmvOLeq6xcl2PKzPC1p8uKwy/fU7tLbmi/ig/KSWj6TUX3PUqK8T/AGH/ANpnWfj58Pr7wr8UdNXSviT4Gvf7H8f6IwCmO7TIW6QDgwzqpdSPlzuAJCgn2yuPFYWtg8RKjVXvR+59mn1TVmn1TTOzCYqjjcNGvSfuyXzXRpro00010aaCiiiuc6QooooAKKKKACiiigAooooA8h/aU+F3ilNRsP2hvg3bD/hMvC8Z8yzXga1p+cy2bgfeOMlO4PTkqR3fwm+KPhb4y+ArD4heELkvaX0WWif/AFlvKOHicdmVsg/mMgg10deA+Oba4/ZF+LUnxe0WB/8AhX3i69RPGVjEpK6RfOdqX6KOiOTh8dz3JQD4/ME+GsxlmcP92qte3XSEtIxrpdto1v7vLV3hNn12Aa4jy+OWz/3mkn7B/wA8dXKg/PeVH+9zU9pxR79RTLa5t7y3ju7SdJYpUDxSxsGV1IyCCOCCO9Pr69NNXR8k007MKKKKYgr5U+K0cn7CX7TqftEaWjRfC/4mX8Vl8RbZB+60XVmOINUwOFSQkrKeBkljuZkA+q6xfiN8PvCXxX8Cat8N/HekpfaRrVi9rf2z/wASMMZB/hYHDKw5VgCORXFjsLLE0k6btUi+aL7Nd/KSvGS7PukedmWCnjKCdJ8tWD5oPtJdH/dkrxkuqfdI2Y5I5Y1licMrAFWU5BB7ilr5s/Ym+IXi34XeK9X/AGEPjXqr3HiDwZbC48Gazc8HXvD5O2CQeskPEbgdAAOdjNX0nV4PFRxlBVErPZp7xktGn6P71ZrRmmAxsMfhlVSs9VKL3jJaSi/NP71ZrRoKKKK6jtCiiigAooooAKKKKAOF/aU+PnhD9mT4Ka98afGrbrXR7Qtb2aNiS9uWO2G3T/aeQqvsCSeAa89/YD+Afi/4a/D/AFT4yfGpPN+JfxOvxrnjKZ0w1puH+j2C5+6kEZ27f4WZgCQFrhdS/wCM8f23U0Nf9J+FnwJ1MS33eDXPFePlj9HS0UnPo+QQVkFfW1e1if8AhOwCwq/iVLSn5R3hD/2+S7uCex4WF/4U8weLf8OleNPzltOf4ezi+ym1uFFFFeKe6FFFFABWB8U/Hdh8MPhxrfxB1LaYtI0yW52MceY6qdifVm2qPc1v18Z/8FRfjv4r0bU9P+A2jGGLTL7TYdS1Z9oZ7gidxHCc/dUNCHP97I7DB+T444lo8JcMYjMZ35kuWFlf95O6h8k9X5R8z6rgvhyrxVxJQy+FuVvmnd29yNnP5taLzfke/fsfeA7/AMCfATRzru5tW1zfrOsyuMO9xdHzTu/2gpRT/u16dXDfs1fETxB8V/gX4c+IHinR0sb/AFGyZri3jjKIdkjxh1U9FdVDgejiu5r0uHIYOnw/hI4Rt0vZQ5W1ZtOKd2nqm7uTv1k/V+bxDPF1M+xcsUkqntJ8yTuk1Jqya0aVklbol6Iooor2jxwooooAKKKKACiiigD5n/b5J+L3j74VfsdWhMkPjLxWNW8UxLyP7H04CeVH9BI+0KT/ABR4r6YAAGAMAdAK+Z/2bP8Ai+X7b3xY/aMm/faX4RWHwF4WlPK7oCJr9h2z55UBh1ViK+mK8vLf3062Kf25WX+GF4r73zs8XKf9oqV8a/8Al5K0f8FO8F98ueXzCiiivUPaCiiigAooooAK8Z/YP/5Ihrn/AGWb4j/+prrdezV4z+wf/wAkQ1z/ALLN8R//AFNdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK83/bJ8cfDT4ZfshfFX4k/GfwKPFHg7w98N9c1PxZ4ZMMcg1fTINPnlurPZIQj+bCjx7WIU78HjNekV5F/wUD+Ffjn46/sF/G74I/DDSF1DxL4y+EXiXQ/D1g9zHCLm+u9LubeCIySMqRhpJEXc7BRnJIAJoA+Wfif+xr/AMEMfgv+xzpn7bnxJ/4Js/Da08J6lp3h+6+zWnw8sp7uH+17mztbVCgABIlvYQ5DYADEZxz7x4I/4JFf8Ev/AIa+NNI+I3w//YJ+Feja9oGqW+paJq+neDrWK4sbuCRZYZ4nVMo6SKrKw5BUGvz3/aM0X/gv9+0L/wAE/NP/AGCrz/gkD4a0u00+w8LWw8SxfHvRZZHGi3+n3it5BkUDzTYBCN/yiUn5tuD9UfCL9sf/AILpeKPix4X8NfF3/gjb4X8L+E9R8RWVr4n8TW/x90q8k0jTpJ0S5u1t0+adooi8gjX5nKbRyaAPuuiiigAooooA8Z8D/wDKQv4of9kZ8B/+nbxfXs1eM+B/+UhfxQ/7Iz4D/wDTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD5a/bZ8AeLvgJ8RtO/wCCh3wO0WW71Dw7aCy+J3h60GDr/h/ILyY6Ge3ADqx/hQZO2Pafoz4efEDwj8VfA2lfEjwFrMWoaNrdjHd6deQniSJxkZHVSOhU8ggg4INa80MNxC9vcRLJHIpV0dchgeCCD1FfIvwmmm/4J6ftPj9m/WpWj+EfxP1KW7+Gt5I37rQNYc7ptJJP3Y5Sd0Q9SANzGRh7lP8A4VcD7J/xqS93vOmtXHzlDWUe8OaP2UeDU/4SMf7VfwazXN2hUeil5RnpGXafLL7TPryiiivDPeCiiigAooooAKKKKACiiigAqn4g8P6N4r0O78NeItOivLC/t3gu7WZcrLGwwyn8DVyipnCFSDhNXTVmnqmno011TTsyoTnTmpwdmndNaNNapp90zwr4G+INZ/Z9+Ig/ZW+IWoyz6Xcq8/w41u5b/j4tgctYu3TzYs/L6r6AoK91rivj18F9J+OHgOTwzc3bWOpWsq3eg6vDkS6feJzHKpHOM8EDqCehwRkfs2/GfV/iLo994H+Itoth438LTC08S6fwBIcfJdR+scg+YEcAnjgqT8llM55Bj1k1d3pSu8PJ9lrKg2/tU1rTu7ypaaypO/1WaQhnuBeb0VarGyxEV3eirJL7NR6VLaRq66RqK3plFFFfXnyYUUUUAeG/tu/ALxZ8R/DGlfGT4KsLb4l/Du6bU/Cdwo/4/VA/f6fJ03RzICu0kfNgZAZs9v8As1/H3wn+0v8AB7Sfiz4TVoReRmPUdOlP73T7xPlmtpBwQyNnqBlSrYwwru6+A/2qf2mNJ/4Jjfti6hrfgDw//bmkfEvQ11nxN4L+2G0S0vxM8S38MvluoMuyXem35mUkkfJjw8wr0snr/XZu1OVoz9dozS6v7MratWf2T5vNMTQyDEf2jUdqM2o1PJ7Qml1enJJLVx5Xryn35RXG/s/fG7wn+0d8HNC+NXgiK4j03XbVpIobpQJIXSR4pY2xwSskbrkcHbkcGuyr2aVSnWpxqQd4tJp909UfQUa1LEUY1abvGSTTXVNXT+4KKKKs0CiiigArwv8Ab1/aG8T/AAZ+F9l4D+EUX2r4kfEPUBoPgSyQ/MlxJgSXjddscCNvLEFQxTdwSa9t1XVNN0PS7nW9Zv4rWzs7d57u6nkCRwxIpZnZjwFABJJ6AV8sfsa6VqX7WPx313/goT43sJU0ZUm0D4OaddIVNtpUbss+obT92S4fcAeGC715Uqa9bK6NKLljK6vTpWdn9qb+CHo2ry/uxfc8jNa9WShgqDtUq3V19mC+Ofqk+WP9+S7M9s/Za/Z68MfsufA7Q/g54Zl+0HT4DJqmpOP3moXsh3T3Lk8ku5JGScKFXOFFehUUV51etVxNaVWo7yk22+7Z6VChSw1CNGkrRikkuyWiCiiisjUKKKKAML4mfEPw58KPAeqfEPxZc+XY6XatNLgjdIeixrnqzMQoHqwry39n34EWXjDQ7/4yftB+CtM1bxL4zukv5LLV7CO4TS7UDFtbIsqnYVQgngHJAPK5qp4p/wCMpP2ho/AEP73wP8OrtLnxAw5j1PV+fKtfRki5LD1ypHKmveq+Nw9KlxNm8sVWipYbDuUKaaTjOp8NWpZppqGtKndNX9rJdGfX16tXhvKY4WlJxxNdRnUabUoU/ip07pppz0qzs07eyi+qGwww20KW9vCsccahY40UBVUDAAA6CnUUV9kkkrI+Qbbd2FFFFABRRRQAUUUUAFfPP/BTf9pj4lfsq/syv8QPhRaw/wBsX+uW+lxX88AlXT1kjlc3GxgVYgxBAGBXMgJBxg/Q1fLHxSsbL9s39tfT/gfeWcWofD/4QRx6x4yt5oxJb6lrcyEWlm6nKuscZZ2ByDmRGHSvLzipWWCdKjLlqVPdi1um+vpFJtvt52PFz6rXWXSoYeTjVqtQg1upPd+kYqUm+iWmrRw//BDj4u+LfHfwQ8U+BNf8Polr4d1xZ7XXFRg2oS3hmlmWRjw8iFFJbrtlQEcAn7frL8H+CPBfw80OPwx4A8IaXoemxMzRado+nx20CEnJIjjUKCT14rUrTKsHVy/LqeGqT53FWvt1f5ba69zXJMBWyvKqWEq1OeUFbmta+r/K9tde+oUUUV6B6oUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRXy1+3D+3z8e/2PPip4I0jTf2LH8T/D3xV428N+GdQ+I8/xEtLBbC81fUksVWKwEM1xcNEZEkbcIkYNgSZBIAPqWivJf2hviF+2l4O8QWFn+zF+y94F8eaZNZl9SvvFfxbuPDsttPvIEaRRaPfCVduDvLocnG3jJ5n/AIJpftoeNf2+f2aD+0X4v+Clh4IguvFWraXodtpXi5tattVs7G5a0/tCG4eztG8qWaKcIDECURXz8+1QDa8D/wDKQv4of9kZ8B/+nbxfXqviG+vbZbSx02RY5r67ECTMm4RgI8jNjudqHHuRXlXgf/lIX8UP+yM+A/8A07eL69S8Qf8AIW0P/sKv/wCklxQAg8P6vjnxzqmfaG0/+MUv/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqVz3xa+Kfgf4G/C7xF8Z/ibqs1h4c8KaLc6tr1/b6fPdvbWdvE0s0oht0eWTaisxVEZsA4BoAu/8I/q3/Q86r/35tP8A4xR/wj+rf9Dzqv8A35tP/jFcve/tO/AbTv2aH/bEvPiRZp8NU8Gf8JYfFYilMJ0c2v2oXQQJ5hBhwwQJvOQoXccV8of8FLP26/8AgoD8HP2Xrv8Abg/YE8H/AAa1j4S6X8LIfGV3rnxRGuRarfCQPKsFtpsKQMgNubd83EsTBpGVkBTBAPtf/hH9W/6HnVf+/Np/8Yo/4R/Vv+h51X/vzaf/ABisr4G+N9W+JvwT8HfEjXre3hvvEPhbT9SvYrRGWJJZ7aOV1QMzEKGcgAknGMk9ap/tE6n+0DpHwb1m/wD2WfCvhfWvHqrAvh/TvGmqT2elyM08aytcTQRySKqQmVwEUlmRV43ZAB0P/CP6t/0POq/9+bT/AOMUh0DWQMx+ONSLDoJILUr+IEIP6ivlH/glh+2X+2H+0n8R/j58FP20dA+Gln4m+Dfjqy0GOb4X22oJY3Cz2K3TEvfSvJKRvChtkWcH5K+w6AKPhzUbnVNJS5vFUTJLLDNsGFLxyNGxA7AlSfxq9WX4P/5BM3/YVvv/AErlrUoAKKKKACuA/ab/AGePBf7UfwZ1b4PeNg0Ud9GJNO1KFf32nXicw3UR4IdG54I3KWU8Ma7+itaNarh60atN2lFpp9mjKvQpYmjKlVV4yTTT6pngH7Cn7Q/jPx9o2s/s9/H7bbfFP4bTrp/ieNj/AMhW3x/o+pxZxvSZNpJH8RyQodRXv9fnh/wXP0P4pfDW98C/tM/Aka3oOpQWt/o3ijxf4ZvZrW4itnMD2sEskLAiMt9oIJ4BwM8rWn/wTz/4KWzeDvgro/g79vfWfE+ialfXjnwp428U6FcJZavYFU8vdeFSHlVxMDI+FKBCXJzX1WL4eq4/LY5tgkmpvWnH4oyV+blV9Y3XMklzRjLZpJnyOE4jpZfmksnxzadNaVZaRlF25eZtaSs+Vyb5ZSjum2j78oqh4a8U+GfGmiQeJfB3iKx1bTbpN9rqGm3aTwTL6q6Eqw+hq/XyLjKLs1Zn2UZRkk07phRRRSGFFFFABRRRQAUUUUAFePftJfDTxVpmsWP7SXwas9/izw1CVv8ATo+Brmm5zLauB95gMsh5ORgAnbj2GivNzfK6GcYGWHqNxejjJfFCcXeM4vpKL1XRq8XeMmn6OVZnXynGxxFNKS1Uov4ZwkrShJdYyWj6p2krOKa5/wCFvxL8LfF/wJp/xC8HXnm2OoQ7lVsb4XHDxOOzq2QR7cZGDXQV4B4shl/Y++Lb/EnTImX4ceMr9U8T2sYymiai5wt6oH3YpDgPjof+ALXvsM0NxClxbyrJG6hkdGyGB5BBHUVxZFmlfGQnhcYlHE0Wo1Etnf4akP7lRLmW/LLng9Ya9md5ZQwk4YnCNyw1a7pt7q3xU5f36bdn/MuWa0lo6iiivfPCCvEf2tP+Cf8A8Af2yr/S9b+KUer2Wp6REYLfVNBvI4Z5ICxbyH8yORWQMWYfLkFmwRk59uorDE4XDYyi6VeClF9Hsc2MwWEzDDuhiYKcHumrrTY+Urj9lT42fsVSnxl+wvqs+u+GEAfXPhH4j1FnjucAb5rC4fJgnbGSp+ViT97Cx16/+zh+1p8KP2mNMuYvCV1c6Z4g0tvL8QeENbh+z6lpcoOGWWFuSoPG9cr2JByo9Orx39o/9jPwF8eNTtviLoGsXng34g6UM6J478Pny7uEgYEcwBAuYuxR/wCEkAqCc+f9Tr5f72C1h1pt6f8Abjfwv+6/cf8Ad3PK+oYnK/ey7WHWk3Zf9w278j/uu8H/AHHqexUV8z+A/wBsf4g/A7xZZ/BT9vjQ7XQb+6l8jQPiTpykaFrpHTzHwBaTkclWwvU/INufpaKWKeJZoZFdHUMjqchgehB7iu3C4yhi4vk0a3i9JRfZrp5PVPdNo9HBZhhsfFum2pR0lFq0ovtKL1Xk9U902h1FFeJfte/tdL8BINM+GXww8N/8JZ8UvFxMHg3whbtksxyDd3JBHlW0eCzMSN21gCAHdPSwuFr4yuqNJXk/kkurb2SS1beiRpi8XQwVB1qztFfNtvRJJatt6JLVv8PFv2x/2pvh3+1b8TNB/wCCc/wM+LFp9p8Va89p8R9ZtZSi2OnW6+bPZQysAs0820x4jLgbWRvvHH2N4U8LeH/A/hjTvBnhPSorHS9JsorPTrKBcJBBGgREUegUAfhX5vfsrf8ABDj4yfCb9pHwp8Xfib8XvDs+j+GtUtNYMOjPcNeXF5CySiEiSJUWPzVwX3kso+6pbj9Ma9/iJZVhoUMJl1b2lOKbk7bzb1b0V9Eklb3Vpd3bPnuGnm+JnXxmZ0PZVJNRir7QS0S1dlzNtu/vN3srJBRRRXzB9UFFFFABXmv7T3xd1f4aeCYNB8Cwi58X+KboaZ4WsxjPnvw059EiU7iTwDtB4NeiajqNhpGnz6tql3Hb21rC01xPK21I41BLMxPQAAkn2rxH9njTr/46fEvUf2sfFVpIlgVk0z4e2NwuDBYqxWS72no8zZ56hdw5BWvmuIcZiZKnleDly18Rdcy3p01b2lX1SfLDvUnH+Vn0eQYTDxdTM8ZHmo0LPle1So7+zp+ja5p9qcJfzI9F+BXwi0n4I/DSw8B6bMbiaIGbU79877y7fmWZieSS3TOSFCjtXX0UV7mDweGy/CU8Nh48sIJRil0SVl/wXu223q2eJjMXiMfip4nES5pzblJvq27v/htkkktEgooorpOcKKKKACiiigAooooA89/am+POk/s1/ArX/i3qMIuLiwtfL0iw5Jvb6Q7LeAAcndIVzjkKGPasH9iD4C6t8BvgZa2njeZrnxh4lu5de8bX8uDJPqdyd8isR12DbHxwShI+9Xn3jD/jLr9uzT/h7H+/8DfBBo9W17vFfeI5VP2WA9m8hMucdG3qw5FfUNeThv8AbMfPEP4YXhD1+3L77QXlGR4mE/4UMzni38FO9OHm/wDl5L70oJ9oy7hRRRXrHthRRRQAUUUUAFFFFABXjP7B/wDyRDXP+yzfEf8A9TXW69mrxn9g/wD5Ihrn/ZZviP8A+prrdAHs1FFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfnp/wAF7v2xf2Wvg/4O+FvwZ+KHx58NaF4ri+OXw98VyaBqWpLHdLolv4khafUCh58hBbXBZ+g8l/Sv0LooA+P/APgox+25oF//AME0dQ+Jn7GvxD0zxPrfxkntvAnwd1jRLwSQ32s6vcnTopoZF4JgzcXBPQC0b0r6I/Zo+Angv9lr9nrwT+zh8O4NmieB/C9lounEoFaVLeFY/NfHV3Kl2PUsxJ613FFAHzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPc/EH/IW0P8A7Cr/APpJcV5b4H/5SF/FD/sjPgP/ANO3i+vUvEH/ACFtD/7Cr/8ApJcUAcN+0b+zP/w0V/Y3/GQPxO8C/wBj/aP+Sc+K/wCy/t3m+V/x8fu383Z5XydNvmSdd3HmP/Ds/wD6yBftN/8Ah1v/ALmr6bor0aGbZjhqSp0qlorpywf5wb/E83EZPluKrOrVp3k93zTXlsqkV+CPmT/h2f8A9ZAv2m//AA63/wBzUf8ADs//AKyBftN/+HW/+5q+m6K2/t3Nv+fv/ktP/wCVGH+r+T/8+v8Ayap/8tPmT/h2f/1kC/ab/wDDrf8A3NXT/Bz9hv8A4U98SNO+I3/DYPx08U/2d53/ABIfGXxB+3abdeZC8X76DyV37d+9eRh0Vu2K90oqKmdZnVpuE6l01Z+7DZ+lNP7mvU0p5HlVGopwp2ad171TdetRr70/QKra1o2k+I9Hu/D2vadDeWN/bSW97aXEYaOeJ1KujKeCpUkEdwas0V5Z6p+GGn634s1b4aaZ/wAGwt/qd9Jr1l+0g/h7Up3kb7RJ8I7cr4jS8aX+F3tmis1GcEDZk5wfvr/gvL8TPg78P/8Agk/8cPhZrPxB8NaJq2pfCq+i8P8Ahy61a3trm6QKEVbe3Zg0gGNoCKemO1fVEfwD+BUPxhk/aHi+C3hJfiBLpn9my+OV8OWo1h7Pj/Rje+X55i4H7vft4HHFYXxu/Yy/Y+/aZ1qz8SftIfso/DX4g6jp1qbbT7/xv4F0/Vp7WAsXMUb3ULsibiW2qQMknFAGF+w58Zvg/wCPf2TfBE/gT4q+G9bTQPAGjJrraPrlvdf2cwsI8rP5bt5R+R+Gwflb0Ndt4W/aF+A/jf4P2/7QnhL4zeF9Q8B3Vu1xb+MrbXYG0uSJZDE0gud/lbRIpTO7G4EdaofBn9k79lj9nHStW0L9nn9mn4f+A7HXtn9u2fgzwbY6XFqOxWVPPS2iQTbVdwN4OA7AdTVqL9mn9nKD4KH9mqH4AeCU+HJtTbHwAvhWzGieSZTKYvsPl+RsMhLldmNx3YzzQB8J/wDBJv8AaH+AFz/wUL/bUs7f45eDpJvFXxs0c+GIk8TWhbWB/Y8CZtQJM3Hz/L+73fNx1r9Iq8T8E/8ABNT/AIJzfDXxdpvxA+HP7AXwT0DXtGvI7vSNb0T4VaRaXdjcIdyTQzRW6vE6kAhlIIIyDXtlAGX4P/5BM3/YVvv/AErlrUrL8H/8gmb/ALCt9/6Vy1qUAFFFFABRRRQAVR8R+GfDfjHRbjw34u8P2WqaddJsurDUbRJ4Zl9GRwVYexFXqKabi7p2YnGMlZq6PmXxN/wTM8C+FdbuPHX7H3xW8SfBvX5n8yWPw3cm40i6ft5+nzExuOmFUqo/u1R/4aJ/b2/ZoP2f9pj9nSD4keHYPv8Ajb4TZe7RB/HPpsuHLY5YxlUXHevqiivWWcVqq5cZBVl/e+NelRWl9/MvI8eWS0KTc8FN0X/d+B+tN3h9yg/M8t+Af7aP7M/7S6fZ/hJ8VtPvNSUH7RoN4xtdRgZfvBraYLJ8pyCwBXI6mvUq8o+Pn7Ef7Mf7Sj/2j8UPhbZSawhDW/iPTM2epQuv3WFzCVdtp5AcsvtXlv8Awof/AIKC/szfvv2ePj/a/FTw5B93wd8VDt1FEH8MOpR4Lv0A83ai46Gn9VyvF/7vV9nL+Wpt8qkVb/wKMfUn63m2D/3mj7SP81Lf505O/wD4BKXofVNFfNHhP/gpr8M9E16DwF+1l8OfEfwa8RzNsjj8XWpfTLl+/kahGPKkQf32CLx1r6M0LX9C8UaRBr/hnWrTUbC6jD2t7YXKzQzKf4ldCVYe4NceLy/GYJr20Gk9nvF+kleL+TO7CZjgsen7Com1utpL1i7SXzXzLdFFFcZ2hRRRQAUUUUAUfE3hrQvGXh698K+JtNjvNP1C2aC7tpRlZEYYI9vqOQeRXjXwG8S658CvH5/ZR+JOpST2pief4d63cn/j+shybNm/56xDgDuo6AbM+51w/wAf/gtp/wAbvAraGt82n6xYTreeHdZiyJLC9TlJARztJ4YdwfUAj5zPcuxUpwzLAL/aaKdleyq03rOlJ/3rc1Nv4Kii9pTPockzDDRhPLsc/wDZ61rvd05rSNWK8r8s0vjpuS3jA7iivNv2b/jTqHxP0C88L+O7Ead408MTiy8UaYcDEo+7cIO8UgG4EcdQMjBPpNerluY4XNsDDF4d3hJddGmtHGS3UotOMovVSTXr5eY5ficrxs8LiFaUX01TT1UovZxkmpRa0aafoUUUV3HEFFFFAGP488AeCfih4UvPA3xD8L2Ws6Rfx7LvT7+ASRyDscHoQeQwwQQCCCM180y/Dj9pH9gKRtV+BcepfEv4SxMXuvAV3OZdY8PxdS2nytzcRL/zxbngAclpK+rq8b/a7/a40v8AZv0bTvCvhLw7J4p+IviuU2vgnwVZHM19OePOlx/q7dOrucDAIBHJXF5RLNcTGNC6q/ZkrJpbu99HBbyUvdtd6bnjZvh8EqX1upN05wWk4/Er7Rt9tN2XI07t6Weq4j4kf8FN/hDc/DPSLn9mc/8ACd+PvF87WPhPwRbgpdR3YHztexkhraKLO52bAYD5W25deo/ZB/ZFu/gtPqfxm+M/iNfFfxZ8XASeKvFEi5W3U4K2NoCB5VtHhQAAN+0EgAIq+S+C/wDgmd8V9AsG/aHtf2gbnSvj7qN9Nqmq69aQqdHkeYKW01rYLhrYbQu/G4nL7ThVHpnwU/bZuJPG8P7P37Wfg5fh98RG+WyWaXOleIBnAlsbgnadxx+6Y7gSFBZgQN55xLLaby6pZOTs60b8lXXSKbScF/cl8cveUpLlivHwVfEyxtOtnMeSWnsv+fabVrvV8tZ9pO0U+WnJvmb+gaKKKR9iFFFFABRRXKfGz4s6H8E/htqXxC1xfNFpHts7NT893ctxFCvfLNjpnAyegrnxeLw+Aws8TiJKMIJyk3skldv+t9EtWjowmFxGOxUMPQi5Tm1GKW7bdkv6829Ezzn9pHVtT+M3j7TP2SvB17JFFfRrqHjy/t2wbPTFYEQZHR5mwMehGQVY17TpGkaZoGk22haLZR21nZW6QWtvEuFijRQqqB2AAArzj9l34T654C8JXfjT4hsJvGXi+6/tLxLcMOY3Yfu7YeiRKdoHQEtjjFen14PD2ExFR1M1xkXGtiLWi96dJX9nT8nZ89TvUm19hHuZ/isPTVPK8JJSo0L3ktqlV29pU81dclP/AKdwT+2wooor6Y+bCiiigAooooAKKKKACvOP2sfj5Yfs1fAfXfipLbi5v7eAW2g6ftLNe6hKdlvCFHLZcgkDnarHtXo9fL2u5/a7/bxtfDC/v/AvwLZL7Uu8V/4mlU+TH6N9mQFuOVkDKRhq8/Ma9SlQUKX8Sb5Y+Te8vSKvJ+iXU8vNsTVoYZU6D/e1HyQ8m95ekI3k/RLqej/sU/AO/wD2fPgRY6B4ruDdeKtbuJda8aag7BnutUuTvmLMPvbfljB7iPPc161RRXVh6FPC0I0ae0VZf13erfm2dmFw1LB4aFCkvdikl8u/m9W31bbCiiitjoCiiigAooooAKKKKACvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9epeIP+Qtof/YVf/0kuK8t8D/8pC/ih/2RnwH/AOnbxfXqXiD/AJC2h/8AYVf/ANJLigDUorjPi7+0J8IPgP8A2f8A8LW8Xf2V/avm/YP+JfcT+b5Wzf8A6mN9uPMTrjOeM4NcX/w8I/ZB/wCiu/8AlA1D/wCR68LGcUcM5diZYfF42lTqRteMqkIyV1dXTaaunf0PbwfDPEeYYeOIwuDq1KctpRpylF2dnZpNOzVvU9norxj/AIeEfsg/9Fd/8oGof/I9H/Dwj9kH/orv/lA1D/5Hrl/124N/6GVD/wAG0/8A5I6v9TeL/wDoX1//AAVP/wCRPZ6K8Y/4eEfsg/8ARXf/ACgah/8AI9bXw9/bG/Zw+KvjCz8BeAviN9v1a/8AM+yWn9kXkW/ZG0jfNJCqjCIx5I6Y64Fa0OL+E8TWjRo4+jKcmkkqsG23okkndtvRIyrcJ8U4ajKrVwNaMIptt05pJLVttqySW7PTaKK5X46Xvxd034LeLdS+ANlo9z45tvDl7N4PtfEEEktjcaksDtbRXCxSxOYmlCK211IDEg8V9EfPnVUV8Oal/wAFgrRf+CI8H/BUTR/CtjN4svvBsUFj4QMMpifxlJcDTf7M8oOJmjXU8oUDCTykJyD8w8w/4Lm/sJ/Db46f8EwfHH7XX7XXhL+0vjF4J+BKqBoXiXVLXQtN1WJGmmmttPF20L4nmlCvP5z7FjBY7QaAP0yorz39kj/k1L4Y/wDZPdF/9IYaT9p39l/4V/te/DA/Bv40jW5fDc+ow3Wo6fofiO70tr9YskW801pJHK0LE5aMOA20A8cUAeh0V+Vmrfs1fAL9jj/gtL8AfgX/AMEr9CvPCmr3Wm6xqf7R3hDw5rV3NoqeF/soWzudTglleOK6a5YCBgBIzMpbKlCf1ToAy/B//IJm/wCwrff+lctalZfg/wD5BM3/AGFb7/0rlrUoAKKKKACiiigAooooAKKKKACiiigDN8WeDvCPj3QZ/C3jnwvp2s6ZdLtudO1WyS4glHoySAqfxFfOmu/8E0fD3gLV5/Gf7Fvxp8TfB/WJpDLLp+lXBvtEupPWawuCUPoNpCqOi19O0V24XMcbgk1Rm0nut4v1i7xfzXzOHF5bgcc060E5LaSupL0kmpL5O3kfK/8Aw1B+2/8As1/6L+1d+zMPGmgwcP48+EZa5ZUH8c+nSkSrxy7qQg5wDXr3wF/a/wD2bv2mLTzfg18WdL1W6VS0+kPIYL6DHXfbShZVAORu27eOCa9KryD49fsJfsv/ALRl5/b/AI++Glvba+jB7fxVoMhsNThkH3XE8OGcjsJN4HpXZ9ZyrGfx6TpS/mp6x+dOT/8ASJL0OP6rm+C/3eqqsf5amkvlUiv/AEuD9T1+ivlb/hT/APwUW/Zj/e/BD40af8ZPDUH3fC3xIYW2sJGP4IdRTCyuePmmwo7LWt4J/wCCm/wdg8Qw/D39prwf4g+DniiU7VsfHNmY7G4bu0F8o8mSMf322A9qmWTYipFzwklWj/c+JesHaa+SkvMcc7w1OShjIujJ/wA/wv0qK8H83F+R9J0VX0rVtK13TYdZ0PU7e8s7mMSW91aTLJHKh6MrKSGB9RVivJaadmewmmroKKKKQzxv9pD4c+KfDmv2f7TnwcsTJ4l8PQGPWdLj4GuaZ1kgYDrIoG5DyeMYJCgej/DT4jeFviz4H074geDb8XGn6lAJIicbo26NG47OrAqR6g1u18C/tEfG74ofsk/tJ+JfCfwSvX0bQ7+7ttTl0q4s45ra5mkhRpXiDoTGjMWUhCOUIyMAD834nzrC+HmIeb1FJ4XESUakIq7jVa92rFaL31Hlqq6u1CavLmUv0PhrJ8Vx9h1lVNpYmhFypzk7KVJP3qUnq/dcuam7OycoO0bNffVFeG6H+2s/9i2d54z/AGbfibp801rHJPNB4UaW13FQTscPkrnplQcYyKtD9vj9nS0OPEmq65ox7jVPDV2mPrtjavfhxtwnKClLGQhez9/mp766+0pw79/meHPgzimMnGOElO2nucs9u3JOf5fI9oory7Sv21P2WdYx9k+NOkpnp9q8yD/0ai4rnP2iv29fg98HPhwfEHw/1mx8c+I9QmFn4c8NeHdQjuJLq7fhPNaMnyIR1aR8ADgZJAPrYDOskzStGlhcXSnKTsrVaf61F9/RHk4/J85yyjKrisLVhGKu70qn6QfyXVmp+1z+1toX7NHh6w0bQ9Bl8T+PfE8xs/BHgqwObjUrk8b2xzHAhOXkPAHA5rE/ZE/ZJ134aazqP7Q/7Q+vQ+J/i74qiH9t6wBmDSLc8rp1kD/q4U4BIwXIyeMVR/Y1/ZmvfDmv3/7TX7QHjDT/ABb8W/E8AGo6haTrLa6DanldOsQCQkag4Zhy5zyRkt9E19VXxeGwuHeFwU1JS+Oovt/3Yv8A59p/ObV37vLE+Vw+DxOLxKxeOg48v8Om/sf3pLrUa+UE+Ve9zSCuR+NfwJ+FP7Q/gif4ffF3wfbavp0vzReaNsttJjAlhkHzROP7ykdwcgkHrqK8WpTp1qbhUScXunqmerVpUq9J06sVKL0aaumvNM+UF8T/ALS//BPpha/EB9W+KnwegOIfEcUfm6/4Zh7C6Qf8fcCj/loOVAJO0BUP0j8Nfif8P/jF4OtPiB8MfFtlrWj3ybre+sZdyk91YdUcdCjAMp4IBrdZVZSrAEEYIPevm74lfsYeMPhh4yu/jv8AsJ+JLXwl4iuX83XPBV4p/sHxFjkh4lwLaU84kTAyf4NzPXl+yxeW60b1KX8t7zj/AIW/iX92Tuvsyex4vscdlGtC9Wj/ACN3nBf3G376X8knzL7MnpE+kqK8W/Z1/bR8IfGPX5vhL8QvDl34E+JOnLjVPBOvMFlfAyZbWThbqIgEhl5wM424Y+016GHxNDF0vaUpXX5Pqmt011TSaPVwmMw2Oo+1oS5l+KfVNOzTXVNJrsFeC6Vj9qb9opvET/vvAvw0vTFpw6xaprYHzS+jJAMAH+9ggkMRXRftUfEvxHoujad8HfhjNnxj43nax0tkPNjb4/f3jY5UImcHrk5GdpFdt8KPhp4c+D/w90v4c+FYdtpplsIxIRhppDy8rf7TMSx9z6V8xjv+F/Oll61oYdxnW7SqfFSpeajpVqLypRe7R9pgf+EHJnj3pXrqUKXeNP4atXyctaVN+dWS2TOiooor64+UCiiigAooooAKKKKACiiqmv67o/hbQr3xN4h1GKz0/TrSS6vrudsJBDGpd3Y9gFBJ9hSbSV2JtRTb2R59+158foP2bPgNrPxJgt/tWrFFsfDWnBdzXupTnZbxKo5b5juIHO1GxVb9jH4A3H7OnwG0zwfr9z9q8SajLJq3jDUXfc93qlyd87s38W04jDd1jB6mvmnwB+1h8Hf+Cg37f3hHw/puq3Nt4V8Aaddar4b0vVrfy313W1OBOEBYbIYQZYwxDgox2gFgPuuvGwFejmmLnjKclKELwhb5Ocvm7RX91dmfPZXicPnOOqY+lJSpwvThbXs6kvm7RX92Lez1KKKK9o+iCiiigAooooAKKKKACiiigArxn9g//kiGuf8AZZviP/6mut17NXjP7B//ACRDXP8Ass3xH/8AU11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiivkL/got+1J+3h+yl8RPh74y+FGh/CO4+FXiD4leEfCevf8JDFqlx4hkl1bV47KdrdIZIbaFY45VZHdpSWzmPAGQD69or5U/b8/4KB6l+zl8UvCv7N/wy8YfDTwz4n8Q+Hr7xLr3jj4waybPw74T0K1nt7Y3VwFlha5mnurqGCGBZogSJGaRQgDexfsm+NfiX8Rfgrp/jX4ofE/4beNLrUJpZdO8U/CZZl0XUbPOI5YhNcXJDZDBts0i5HDdQADC8D/APKQv4of9kZ8B/8Ap28X16l4g/5C2h/9hV//AEkuK8t8D/8AKQv4of8AZGfAf/p28X16l4g/5C2h/wDYVf8A9JLigDUooooAKKKKACiiigAooooA/KrR/wDglj+2Ha/8FN4vhLc+ArQfsgab8fJ/jrYat/blp5jeIpNOXZpAsxL56QR6o0l0B5Xkle4bFe+/8FsrL9t74yfsr+N/2PP2Tf2FdT+JcPxI8B3enXPjC1+IWiaTBolzIxRY5LfULiKSf5QH3J8vzYzkV9sUUAfOP/BPr4g/td6j+zzH4I/aP/Ye1P4V6v4I8M6bpmh2upePtH1ceInhtDG7o2nzSLbAPEgxKQf3oIztNc78f/jp/wAFVLv/AIJuJ8SfgB+w7pth+0drkX2U/Di98eaXd23hlnmlQ3jXkk0Vre+XCscqxhwC8qg5COD9YUUAfnb/AMEuPCH7WP7Jj2vw78Vf8Eo/iJb614815L/4wfHfxj8XfCeoahrF++fM1C7jtb+Sdoo8sIrWEMIkO1QWLs36JUUUAZfg/wD5BM3/AGFb7/0rlrUrL8H/APIJm/7Ct9/6Vy1qUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABWT428BeB/iV4em8JfEPwfpmu6XcDE+n6vYx3EL+5SQEZ9+1a1FVGUoSUouzXVaEyhGcXGSun0eq+5ny/qv8AwTZh+GOpTeK/2H/jz4l+E+oSSGWTQopjqWg3L9T5llcEhSem4NhQflWq/wDw1t+2N+zd/on7YX7LsniDRYOJPiB8JC17AEH/AC0nsZMTQgDlnyF67VNfVFFess4qVly42CrLu9J/KcbS/wDAudHjvJadB82BqSovtHWHzpyvH/wHkZ578Cv2rv2d/wBpbTP7R+CfxZ0nXHWPfPYRT+XeQD1kt5AssY7ZZQD2Jr0KvGfjr+wH+y7+0Bqf/CVeKPh8ukeJUk8238XeFZzp2pwy9pPOhx5jDt5gcD0rzz/hXH/BST9mEeb8LPifpXxw8MQfd8PeOWGn67HGP4Ir9f3c7erzevC0/qeW4v8A3WtyS/lqWX3VF7r/AO3lD1F9dzTB6Yqjzx/npXf30376/wC3XP0PqmsnxB4B8C+LNQtdW8U+C9J1O6sW3WVzqGmxTSW5znKM6koc88YrwjwB/wAFNfgXfeI4vh1+0BomufCHxY/H9j/ECxNrBMehaG8/1MkeSMOxTd2FfRFhf2OqWUWpaZexXNvPGHguIJA6SKRkMrDgg+orzMfldailTxlHR6rmSlF21TTtKLtumm7b6M9PL81oYhupg62q0fK3GSvo01eMo32aaV9tSWggMNrDIPUGivK/2r/2rfBf7K/geDV9U0+41vxJrVx9i8H+ENMG691q9bAWKNQCQgLLvfBCgjgsyqxh8PWxdaNGlG8paJf106tvRK7bSQ8TiaGEoSrVpcsY6t/1u3skrttpJNsxP2yPjj8Ff2d/B1tceIPhpp/ivxZ4huPsXg3wbb6bFNea1eNgKiqVYrGCyl5MEKCAMsyqeN/ZY/4J/wCk6PpGp/E39qnQ9I1zxr4slFzf6LZW6xaT4fjP3bO0gjwgKjAaXlmI+8eWfa/ZN/ZS8aaR4yuv2sf2r9Qt9b+LGv2+yOKM7rPwrZHO3T7MZIUgEh5ASWJYAnLvJ9D1WZ5dkCoPCLD0qrfxzlTpyu19mDlBtQT3as5vXSNk88sx+fSrrGTr1aSX8Omqk48qf2pqM0nNraLuoLTWTk15DqP7Bv7KGov5zfCWG3kByslnqd3CVPsElA/Sqv8Awwx8KrP/AJFnxv450TH3f7K8Wzpt+m/dXtFFfIy4M4SlLmWBpJ94wUH98HB/ifXR4w4qjHl+u1Wu0puS+6amvwPF/wDhkzxlpn/IsftcfEuHH3RqerR3gH/faDNH/Cj/ANrHSjnQv2y3nQdINV8EWkmfq4bdXtFFL/U/I4/wlUh/gr14/wDuaRX+tudS/iunP/HQoS/9xI8X/wCEb/b10n/kH/Er4davjp/auj3Vvu+vknij/hKv28dJ/wCQh8Kvh/q+Ov8AZWuXFvn6ecOK9ooo/wBWHD+DjsTH/uNzL7p05fmH+sin/FwWGl/3C5X98KkfyPlD9orwb8Tv2h9Ah0z4w/sN3yahpzeZonirwt46tBqOlzA5ElvIF3rggHacqSASMgEcL4b/AG6f2rv2SvB97o37WvwP8S67pFpH5WgeP5NN8klzhYotR2bkBJIHmq25sDh2JYfdNUfEnhrw/wCMdAvPCvivRrbUdN1C3aC9sbyESRTRsMFWU8EVyS4ZzalVnXoZlU53Fr3oUXd2aXM4whez2bi2vNaHiZhLKsXWjicNgqdCunFuUJVXGaTXu1KcptTi1pdShON/cmtj5K/YE+PR/aL/AGhPFPj/AMcadDca9c+HYm0i8smJtLKxjkVHgiUliu55EfO45w3TJz9h18m6j+xv8SP2NfFd78Y/2BrO2vdNu0U+JPhZrdyWjvo1yc2V1IS8EvJIRmKknuAqV7D+zf8Atb/Cr9paxurPw1NdaT4l0k+X4h8G67D9n1LS5QcMJIm5ZQeN65HIBwcqM+C8Fjcgy7+zszq8+Ic6k+dq3tOeXNfm2lJL4tpaJcvKla8/4twnEGdpvDfVZckIRp83NTfJGz9jJ293qoO043fMpNuT9Rooor7Y4gooooAKKKKACiivOf2jf2o/hV+zH4Zh1nx9qM1xqWoSeToPhvS4vP1DVpyQFighHLZJALHCgkAnJAOVatSw9J1KslGK3b/r+uiZjiMRQwtGVWtJRit29v67LVt6JN6HbeK/FnhjwJ4cvPF/jPX7TS9L0+AzXuoX86xRQoOrMzHA/wAivlnXfHHxq/4KPx3ngb4Mi98E/Be6WS01zxxe2m3UPFEByksFhDIP3cDDKtKw5Bx2aM6XhT9mj4w/te+I7P4uftywrp3h61nFz4Y+DllcFrW2/uTak4x9pmx/yz+6OQQAzR19QWdnaadaRafp9rHBBBGscEEKBUjRRgKoHAAAAAHSvMcMTmq99OnRfTac159YRfb4mt3FOx4zhi86X7xOlh39nadRf3usIP8Al+OS+JwTsfJX7H//AAST+H37KHxx/wCF3H4p3/iO5sI508PWc2mLbCyEqNEzSMsjee/lOyghUHzE7emPrmiiuzA5fg8to+yw0OWN27a7v1ud+W5Xl+UYf2GDpqEbt2V9311bf/A0Ciiiuw9AKKKKACiiigAooooAKKKKACvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvgz/gt18XNXj8O/Dj4L+Df2dfjF4z1XTPi74G8a3954B+Ems65YQaXYa/HPdBrqyt5IluEitpH+zlvMKtGduJFz950UAfnL+034Q0Hxd+3t8Cv+CtWufshfEfxv4CtvhprfhPVPDsnwtvZ/EPhS/a8E1lqcuhyxfbSrL9thJSFnjE0b42uGHr//AASJ+Enjn4feFPjL8QtW+DuqfDfwl8SfjZqfif4dfD7W7BbO70nSpbSzgaWW0B/0Frm5gubn7MQCgmBYBnYD67ooA+ePgF8MfDfwu/b9+L+n+GtS8Q3Meo/CvwPfXDeIvF2o6w6Svqvi4FYnv55mgi+UYhjKxKclUBY59z8Qf8hbQ/8AsKv/AOklxXlvgf8A5SF/FD/sjPgP/wBO3i+vUvEH/IW0P/sKv/6SXFAGpRXnH7QX/DXf/Eo/4ZW/4Vv/AMvH9vf8LB+3/wDTPyPs/wBj/wC22/f/ALGO9eb/APG3b/q3D/yv1w1sd7Go4eyqSt1jC6+T5l+R5uIzL6vWdP2FWVusYXT9Hzr8tz6Por5w/wCNu3/VuH/lfo/427f9W4f+V+sv7T/6cVf/AAD/AO3MP7Y/6hq3/gv/AO6H0fRXzh/xt2/6tw/8r9dJ8I/+HjH/AAsLT/8AhfH/AApT/hFP3v8Aav8AwiP9r/2j/qn8ryvtH7v/AFvl7t38G7HOKqGY881H2NRX6uFkvV870NKea+0qKH1esru13Tsl5t87su7sz2uiiuV+Onwc8FftD/Bbxb8BviPYfadA8Z+HL3RdYhAGWtrmB4ZNuejBXJB7EA9q9E9U6qvlz/goH/wVe+En/BOqacfEr9nP41+M7aw8MjX9Z1b4bfD1tR07SrDzZYjJdX0ssNtAwMLko8gbaVOPmXPwXN+1h8ZvEv8AwRW03/gl/L4iZPj9f/Fb/hmLUZVyXiWGbyp9UK53tb/2EokM2cFpN249/sf/AIK8/DDwd8Ev+CFfxk+DXw70sWWgeE/gjLo+iWa/8sbS2tkhiT3wiKKAPrf4deN9J+Jvw+0L4kaDb3ENj4h0a11Kyiu0VZUiniWVFcKzAMFcAgEjOcE9axP2gvjTbfs+fCjUvitdfDPxn4xXT5IEXw78P/Dsmq6tdtLMkSiG2QgsAXDMxIVEVnYhVJqj+yR/yal8Mf8Asnui/wDpDDXoLBipCtg44OOlAHyv8Jf+CtXwh8cfHTwz+zr8Yv2c/jN8F/E3jh5ovAyfF3wTHYWniCeKMySW1tdWtzcw+eIxu8qR0Y5AALMAfqmvyx/ac+GH7VH7PH7df7LPxh/4KVftQ2Hxu8B3XxitfC/w+07wf4Og8J/8I/4x1K2njsdRurQPdPqUIEcicXUXkMwfZICyn9TqAMvwf/yCZv8AsK33/pXLWpWX4P8A+QTN/wBhW+/9K5a1KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDE+IHw1+HvxX8OS+EPib4I0rX9Lm/1lhq9hHcRE/3grggMOzDkdjXzvff8E4tV+EN7L4k/YV/aH8R/DGdpDK3ha7lOq6BcMTkg2twSYi3ILqzFQflUV9R0V3YXMsbg4uNKfuveLtKL9YyvF/cn5nBi8swOOkp1Ye8tpK8ZL0lFqS9LteR+f37Wf8AwUw/bp/Yk8L2HhT41/s6+CZfEerSyDQ/F+maxNPpGoRw7PO/0TKTxuPMj4aRAd+QMDFdN/wSjktv2um8Qft9fGmaTWfH7a9caFpyzW+yx8PWkcUUgh0+Ms2wMtxhpCd5ywzku0n1L8d/2cvgn+014QTwJ8c/h/a+INMiuBPBDPLJFJDIBjdHLEySRnBIO1hkcHIrT+FPwk+G/wADvAtl8NPhP4RtdD0PT1ItbC0BwCTlmZmJZ2J5LMSx7k17dbOsreSOjh8P7PETdpSjonG92ldtpPS8VZabtPlPCo5Hmqz1V8Rifa4aCvCEtZKdrJu0Um462k7vXZNcx0dFFFfLH1gUUUUAFFFFABRRRQAUUUUAFeQftIfsbfD74/X9r490rVLzwj4+0kZ0Lx34ebyr22YDhJcEC4i7GN+xYAruOfX6KxxGHoYqk6dWN0/6uuqa6NNNdGc+KwmGxtF0q8VKL/Po09010aaa6M+ZfA/7YXxH+Animz+DH7fWi2ujXN1KIPD/AMTtNQjRNbPYTHAFnORyVbCdThF27vpiGaG5hS4t5lkjkUNHIjAqykZBBHUVl+OPAng34l+FbzwR8QPDNlrGkahF5d5p9/AJI5F9wehB5BHIIBBBFfNE/wAL/wBo/wDYGnfWf2fI9R+JHwpRi958O725MmraDHnLNp0rZM8Y/wCeDZPGBks0g87nxeW/xL1KX8284/4kvjX95LmXVS3PJ9pjso0q3rUf5t6kF/eS+OK/miudfajLc+raK4f4C/tF/CL9pXwaPGvwl8VR38KMI7+ykHl3VhL3inhPzRuMHrwcZUkc13FenSq0q9NVKck4vZrVM9mjXo4mkqtKSlF6pp3T+YUVT8Q+ItA8I6Hd+J/FOtWunadYwNNe317OsUMEajJd3YgKB6mvl3U/jD8dv2+NRn8G/sv3194J+FyTNBrXxSuLdo73WFB2vDpcbYKKeQZzgjnG0rtfnxeNp4VqFnKcvhit3/kl1k7Jeb0fJjsxo4Jxgk51JfDCPxPz7KK6ylaK7t2T6747/tmapb+OJf2dP2TvCkXjj4kMNt6BIf7L8OLnBmv5l4BU/wDLIHcSMHBKq2j+zl+xnpfwv8TTfG34y+K5fHnxQ1KP/iYeLNTjGyyUg/6PYxfdt4gCVG0BiCfug7B3XwI/Z8+FH7N3gaLwB8JfDEen2gPmXdwx33F9NjmaeU/NI59TwOgAAAHa1hRwVSrVVfGNSktYxXww9P5pf33/ANuqK35sPl1atWWJx7UprWMV8EPS/wAUu85K/wDKorcooor0z2QooooAKKKKACiiigAooooAKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPGfA/wDykL+KH/ZGfAf/AKdvF9epeIP+Qtof/YVf/wBJLivLfA//ACkL+KH/AGRnwH/6dvF9eoeKWNrJpurOjGGy1DzLgqpJVGhlj3YHYGQE+gyaANaisoeOfBJGf+Ew0sfW/jH/ALNS/wDCc+Cf+hw0r/wYR/8AxVAGpRWX/wAJz4J/6HDSv/BhH/8AFUf8Jz4J/wChw0r/AMGEf/xVAGpRWX/wnPgn/ocNK/8ABhH/APFUf8Jz4J/6HDSv/BhH/wDFUAalFZf/AAnPgn/ocNK/8GEf/wAVR/wnPgn/AKHDSv8AwYR//FUAfOVn/wAEjv2VrH/gpRN/wVJhv/FJ8fS2bougtqcH9hRXj2Cae+pJbeR5gu2tEEJk83aQSduTmrf/AAUD/wCCZ3hv/golo7+D/iF+1v8AGrwR4YvNBk0nXPCPw48TWFnpuswu5ZmuormxuDI+DtyGUbQBjvX0F/wnPgn/AKHDSv8AwYR//FUf8Jz4J/6HDSv/AAYR/wDxVAHj37H/AOwyv7IPw61n4Y237Wvxk+Imn6nY29np0nxL8S2d7NoUEMLxLHYtbWduIQVYZ3B+Y0xjBzVX/gn54f8A+GPfD37H7/tT/G4p4ZuVuLD4lx/EN4vFssyzSyh59QjiUTD980ZRoyjRqqspxXtf/Cc+Cf8AocNK/wDBhH/8VR/wnPgn/ocNK/8ABhH/APFUAfMfwq/4JC/Bfwf8cvDX7RPxs/aI+M3xt8S+CJnuPA7fGHxvHqFn4funXYbq2tLW3toBPt4EsiO4wrAhlVh9YVl/8Jz4J/6HDSv/AAYR/wDxVIfHXgsD5fFumueyx3qMx+gByfwoAXwf/wAgmb/sK33/AKVy1qVmeEIpo9DEk8LRme6uLhUdcMFkneRcg9DhhxWnQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeD/Hr9iex8XeMj8ef2d/F8nw8+JkKk/27p0Q+yauOvk39vjbOjYAL4LDgnftArzTX/wDgq1a/s3xv8O/20Pgn4g0Tx1ZqhMHheGG6sdVgbcFvbaSWZNsTMjAqSSp4ySGC/YdfMn7eH/BNDwd+234m0bx2/wARrrwxrelWIsJbtNNF5Fc2gkeRYzGZI9rK8khDBv4yCDxjwMzweOw9KVfKtKresdOWV93Z2Sku6av1voz5fOcBmeEozxOSWVZvWDtySvvLldkpre6cebXmvoznPhN8NPHP/BSCz0r9oP8AaT1qC3+Gks5ufCHwu0S/LwXPlyMon1KZcec4ZSPKGApGCF+dW+t9M0zTdF06DR9H0+C0tLWFYra1tohHHDGowqKqgBVAAAA4ArlP2fvgl4T/AGcvg5oXwV8ES3Emm6FatHFNdMDJM7yPLLI2OAWkkdsDgbsDgV2Vd+XYN4agpVNaskueV7tu2qv2TvZKyS2XV+nlOAeDwynW1rTSdSTd25W1V/5U7qKSUUtl1ZRRRXoHqhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV4z+wf/yRDXP+yzfEf/1Ndbr2avGf2D/+SIa5/wBlm+I//qa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeM+B/+UhfxQ/7Iz4D/wDTt4vr2avMfib+yD8Fviz8SJfi54km8a6f4guNDtNIu77wj8UfEGgC5s7aa6mt45YtMvreOUxyXt0Vd1LDzmGcYAx/+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9cjrP7AWjSfHjw3qOj/Ev4wp4Hi8I63H4isz+0d4y3y6q91pR06QZ1XfhYE1QHawXMi7gx2FQD6Uorxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLej/hg/4I/wDQ8fGb/wASO8a//LegD2aivGf+GD/gj/0PHxm/8SO8a/8Ay3o/4YP+CP8A0PHxm/8AEjvGv/y3oA9morxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLeuR+Cf7AWjWHg29g+MvxL+MN3q7eLvEElnLD+0d4ywulPrF4+lx/u9VUZTT2tEORuyp3FmyxAPpSivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9morxn/hg/wCCP/Q8fGb/AMSO8a//AC3o/wCGD/gj/wBDx8Zv/EjvGv8A8t6APZqK8Z/4YP8Agj/0PHxm/wDEjvGv/wAt6P8Ahg/4I/8AQ8fGb/xI7xr/APLegD2aivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9mor5r+JH7AWjXXjL4fz/AA7+Jfxhg0i28XTSePIpP2jvGWbnSjo+pJHGu7VScjUH05/kKtiM87dyt13/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV4z/wwf8ABH/oePjN/wCJHeNf/lvR/wAMH/BH/oePjN/4kd41/wDlvQB7NRXjP/DB/wAEf+h4+M3/AIkd41/+W9H/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV81/Df9gLRrXxl8QJ/iJ8S/jDPpFz4uhk8BxR/tHeMs22lDR9NSSNtuqg5OoJqL/OWbEg527VXrv+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//Lej/hg/4I/9Dx8Zv/EjvGv/AMt6APZqK8Z/4YP+CP8A0PHxm/8AEjvGv/y3o/4YP+CP/Q8fGb/xI7xr/wDLegD2aivGf+GD/gj/ANDx8Zv/ABI7xr/8t6P+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//LeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9H/DB/wAEf+h4+M3/AIkd41/+W9AHs1FeM/8ADB/wR/6Hj4zf+JHeNf8A5b0f8MH/AAR/6Hj4zf8AiR3jX/5b0AezUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9cjo37AWjR/HjxJqOsfEv4wv4Hl8I6JH4dsx+0d4y3xaql1qp1GQ41XfhoH0sDcxXMbbQp3lgD6Uorxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t6P+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLej/hg/wCCP/Q8fGb/AMSO8a//AC3oA9morxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t65H9n/APYC0bTfgP4J0747/Ev4w3vji38I6bH4zvIP2jvGWyfVVtYxdyL5eqqmGnEhG1VXB4AGBQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezV4z+wf/AMkQ1z/ss3xH/wDU11uj/hg/4I/9Dx8Zv/EjvGv/AMt6774N/BvwB8A/AEHwy+GVhf2+k29/fXoGqa5ealcy3N5eTXt1NLdXsss8zyXFxNIWkdjl8DAAAAOoooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvy0i/Zk+Gv7cXwj/bD/bB+OAvbj4m+D/ih440D4XeM49VnhvPAVr4cjNvpx0xkcCzPn27XchQDzmnbzN6nFfqXXxx8YP+CWfxM8U638V/CfwO/bNv/h98Mvjrqk2o/FHwVB4Kgv71rq6to7XUpdK1F50OnG8hiUSb4bnbIzyR+WzcAHu37D/xb8T/AB//AGLPhB8d/GqqNZ8bfC7w/r2rhIwgF1eadBcS4UcKN8jcdq+I/wDgoF+x9+yp8EPHfw4+HX7Dfw2k0j9qfxv8SNL1fwt4p0bWLubWLTS7fU4Z9a1TVrmSV5JNLFp9pgeKctHI9xHFGhbAX7msPgr458G+Ovh5bfCT4sxeGvhn4J8L3ej6l8NYfDUFwmr/ALq3i0+Rb52860FokMgEaAiXzvnI2DPzF8FP+Can7fHwM+Onj39oLRP+Chfw71zxN8RddF1r2v8Air9nm5u9STTo2/0bSIJ08RRpBaQISscccSruZpGDOxNAHV/8FNf2cf2YfE1lF8c/il/wTG8Q/tGeJV0ptLtbXwxHZS3emW8QlmRlF5fW/kZeVwJLVZLjcw+U7Vx8tfDnUdd+Of7E37Bn7HXxA+PF5448L/Fzxtqdv8SNattUvlfVtO0fTdX1EeHrma4WK5dI57W3spxKsckn2F1dRudT92/Hr4Lftz+M/Htzrf7Pf7ceheBfD13YRwtoOtfCCHXJrOZQQ09tc/brbazZB2zRzqCOBg4rz64/4JO+BPDn7I/w5/Z1+D/xn8QeH/FPwn8ZN4x8FfE2+tIL++XxBNPdzXt1dwERx3MN0b+9Sa3BjUpPtUoUQgA5r9jLwJ4W/ZD/AOCn/wAW/wBiX4G6Z/ZHwx1H4ReGfH+ieELWVzYeHNSn1DVNNvI7OIki3juFs7eZolwgdWZQNzZ+168I/ZK/Y38VfAz4leO/2iPjn8bv+FjfE74iJp1prXiO38Npo9jZaZYJKLPT7KyE05giVri4lYtNI8kkzMzcKB7vQAUUUUAfMH/BZn4r/EP4Nf8ABNj4keLPhT4ru9B16/8A7H8P2eu6fJsuNNXVtYsdLluonHMckcV5I6uOVZQwIIzXkUv7NPwY/wCCcn/BSX9mjwp+x94R/wCEP0L4u2vivwx8RNCsb2Z7fXPsOjNqlnqVykjsJL2KW0kQ3R/eut26uzAgV9e/tT/s3/Dz9r39njxd+zT8VRdroXjDR5LG8uNPm8u5tWJDxXMLkELNFKscqMQQHjUkEcV5F8Ef2D/jRpv7Q/hj9pX9sH9rgfFjXPh94bvtH+HlvY+BIdAttN+2iJLzULlI7mc3d9LFBHF5gMUSI0gSFTISAD2X9oD9nP4O/tSeAR8Lfjr4UfXfDrX8V3caQdRuLeG6ePOxJhBIhmiycmJyY2wNykDFfH//AATO8DfDKz/bk+N+rfsM6AdC/Zr07w9pnhxbDS7iQaBqvja2ubr+0rvR4ixSOKG3a2tZ5IAscs8ZxvMTNXrX7SX7Gf7Yn7QX7Ivjb9m2D/goPNoeu+L/ABffXEXjm1+HMKS6d4anuWdNBSG1vLdjsgK2xvRKkzoGb5WbK7H7Iv7L37Uv7OXgYfCLxV+0X8OLvwdpPhb+yfBeh/D34KSeHToUqhVimDT6xfJOqKG/dtGNzHcznkMAfGXxw+Bn7Pn7Lv7ePwI8K/s3fsX+Iv2fXi+NOn2Wp/Hmd0j0jxlZvBKG0AyWd1czXcmoOyQodTS3AdCVcybFe/8AtjfsJ+JtE/bY+Pn7bnxd/wCCVHw1/aM8C61pfh650t/EHimzj1zTbTTNJ8u++w2VxZTJO7tkiN57cuYABu3LX0dqv/BPr9qD44eL/A7/ALaP7dNn468I+AfGen+K9N8LeFfhXB4efVdUsJRNYyahc/bbozRxTBZTFBHbq7Iu75RtO9+0d+yj+3b8bdV8WeFPBn/BRKx8H/D/AMWwtayaLa/CC2uda0qzkgWKeGz1Nr1I0Zv3jLLLayvGZOD8q4APY/2cfij8L/jf+z94I+MXwSwPB/ifwpp+p+F0FuIfLsJrdJIEMY/1ZWNlUp/CQR2rtK5T4FfBjwH+zl8FfCfwB+F2nyWvhvwV4cs9E0O3ml8yRLW2hWGPe/8AG+1AWY8sST3rq6ACiiigD4d/aQ+FXgH9tb/grnpv7Jv7Svh2PxR8NPAv7PS+M7TwRqUjHTdR1vUNbnsBd3MAIW5a3t7FliEgZY2u3YAMQa6j/gj9qut6P8PfjP8As73Gv6hqOhfBv9oXxD4N8Ey6pfSXU9voiQWV/a2hmlLSSrbjUGtkLsWEcCLn5a7n9p39i/x/8Tvjv4a/aw/Zq/aAi+GnxL8P+Grzw1d6rqPhJdd03WdEuJo7g2l1Zm4tmLRXESywyxzIyM0gYOrlap/C39hn4jfAD9lq++DXwF/amv8ARfH/AIh8ct4t8ZfFfVfCVnqNxrWpXWpR3eps1i5WCJbiFXtIwp/0eIxldzRgkA47/gpZ+zf/AMEyfDvgfxV+2J+2/wDBuDxLqA06HTdMknvbu41Ke7K+TZ2GiwrL+4vppCFj+yqkjSNuZsKWHLeD/i3+19+zB/wTP+Bf7OHxA8R/2l+1D8RvD9p4Y0OTXLgXkmnXxgMt1ql+5P79NMs8yzuSRNNEke4tcKT0v7U3/BO39qn47ftt+H/2vvA37Z3hHS7DwVo/2bwD4D8bfBybX7Lw/fyLtudViaLWbISXki5jWWSNjFGSqEZZm9T8b/sLfBz9qD4beFfD3/BQz4Z/Dv4z+I/DK3Ri1u/8Ara2aSTuu97aznuLprbckcCsPOfcYg2RkKAD8+P2edf1X/gnZ/wSX/b8u/2f/FOoy6v8OfjJ4yh8Pa/qF6bm/N3/AGPpES6lLI2TJP5rm4ZjwXycY4r2Dxp+yT8Hv+CZPx9/ZN+IP7LWm3Glan44+JS/D34oXMepTyv44tb3QdRujf6kXdvtV1Fd2EVwtw2XBd13bGK16f8Asz/8ER/2Nv2dfAfx5+Gtp8PfDk+k/HXV9Xiv10TwzHpk2k+Hb61hhXQ4pEkctFC0csqSDYA82RGpXJ1fgr/wTj+MWh/Fr4a/ED9qb9sy6+KemfBa0uU+GGif8IPBpDxXcto1iNR1OdLiX+0btLR5YkdEt0BmeTyy5BAB9ZUUUUAFeX/tu/FvxN8Af2L/AIvfHfwWqtrPgr4X6/r2kq8YcG5s9OnuIsqeGG+NeD1r1Csvxt4M8M/EbwZq/wAPfGukx3+ja9pdxp2rWE2dlzbTxtFLG2OcMjMp+tAH5jv+zL8Nv2IPg/8AseftifBH7bb/ABP8YfFDwNoPxR8aSarPNeePLbxGgt9S/tNnci8/fXC3cZcHyWgXy9ijFfpT8XPhR4I+Ofw31b4S/EmwurvQdcthb6pa2ep3FnJNFuDFPOt3SVA23B2sCQSOhNfLfwg/4JY/EvwrrXwo8IfG/wDbNv8A4gfDD4FapDqPwv8ABM/gqCxvRc2ttJa6bJquopO/9omzhlby9kNtukVJJPMZefXfiZ8CP2s/GXhH4x+HPCP7bDeH7nx0kEXww1GP4f2sr/DyMWkUM+zbNG2pPJKs06yTMhiaUKMqgyAfMH7O3wW+Bfw4/wCCutv4H/4JueBYfCngb4feANVsP2jV8MzSR6Be6zcvaPo+nmLcYpNWgC3U8sqjzI4p1SR8yBK8f/bt8ZXv7Z/x6+B/7YsfiGRfhn4H/a/8FeEfg/ZR3W2HW511jZrHiJ1BxJE00AsrRjkCK3uJl+W6Uj67/wCCfX7Cn7Uv7Dvh3w/8I739qP4ca/8AD3R4bhr/AEXRPgpd6VqurXsqsz31xqU2vXZkuJJ286WR4XaUkjK5BHG/tHf8G/X/AATb+NMPhH/hAP2XPhn4Hn0D4i6T4i1240/4fW0za9p9rOZLnSZdrx7YrlTsdzvAHJjfpQByv/BRX9gT4l/Hb/goFpf7UQ/4J+/DH9oXwbpfwSXw7H4a+InjC30zyNT/ALWluzNaiayuleQQkIN4iQ+cf3owa+nP+CdHxi+BPxy/Y58HeNf2cPhY3gTwtbw3Wkw+BJLCK1fw5d2V1LaXenNFESiGG4hlT5flYAMOGFUfjN+zx+2bf65bWP7Jn7aHhv4Y+ELbw/baZa+FdR+DkGt/2eYQyia0n+3W3lnYY1EcqTRr5QwuCQer/Y0/ZS8EfsVfs7aH+zz4E17VNYg0uW7u9R17XJVe91fULy6lu7y9nZFVd8txPK+AAFDBRwooA9RooooAK+Mf+Cj+gad+0B+2t+zF+xD8SxNefDbxxN4w8R+OPDguXit/EB0WwtPsdjdbCDNbefqHntASUkNqm4MBivs6vEv2xf2P9S/aT1LwH8T/AIZ/FubwB8Sfhfr0+qeB/GC6KmpwQi5tntbyzurN5Ixc2s8D4dFkicNHG6yKU5APHv8AgnD4f039n79tj9pz9iL4ZLNZ/DbwRJ4P8SeB/DZuXlt/D51qxu/tlja7yTDbedp/nrApCRtdPtCg4r079uT9mT/gn54+8OXf7SX7fPgfw/qvh/wJ4eme4vvGV7M+maZahjI832Uv5JmJwFk8szE7UQ5IBzvg5+wz8VfhB8O/jB4isv2qZbv44/GNmudW+L7eCrcQaVdw2Is9N+y6Q8rxfZbNFVkt5ZZDIzSmSRvMOOS/bf8A+Cdf7TP7X3ij4TavaftneHbHSPhqsWoap4R8W/CRtY0rxP4giUCLVrqC31WyB8pgZIrZi8SSHfhiq7QD598P/sfftR/tRf8ABBnxh+zvo/gfUZp/G/js6r8JfBHxK1p0vNM8FjxTa3+nadqE9x5joU06EnY5kdI2SIgsuwd7+yF4y+Cn7HHxY+JvwJg/4Jg+BP2fPijb/Ce58b6enw91G21PSvGGjWUjRNsvIbS0l8yC5ljV4JYUYC4V1LKc19NH4S/tx33wDuPBuqftmeFbb4inWlubLx1onwfEOnpZqUP2SXS7jU7gybsOGlW5jbDjbtK5blv2ff2EfiD4X/aO1f8Aa7/a1/aNi+Knjy98Et4P0ZdO8Fx6Doui6LJcpc3EEFl9ouXeSeaOJpJpZ3JWJEUKowQD4XsPgd4R+Av/AAS2+Av/AAVw8KXd7N8fdV1z4feLPG3xCbUpm1DxYviPVtPg1LSrxt+JrQw6pJGlvjZCIIzGEKZr9eq+KPh9/wAEivGHhXTfAfwD8V/tg3+v/AL4X+MbXxD4J+F03g2GK/DWVwbnTbC+1b7QxvLK0m8tkiFvG7CCJZJHCnP2vQAUUUUAFflpF+zJ8Nf24vhH+2H+2D8cBe3HxN8H/FDxxoHwu8Zx6rPDeeArXw5GbfTjpjI4FmfPt2u5CgHnNO3mb1OK/Uuvjj4wf8Es/iZ4p1v4r+E/gd+2bf8Aw++GXx11SbUfij4Kg8FQX9611dW0drqUulai86HTjeQxKJN8NztkZ5I/LZuAD3b9h/4t+J/j/wDsWfCD47+NVUaz42+F3h/XtXCRhALq806C4lwo4Ub5G47V8R/8FAv2Pv2VPgh47+HHw6/Yb+G0mkftT+N/iRper+FvFOjaxdzaxaaXb6nDPrWqatcySvJJpYtPtMDxTlo5HuI4o0LYC/c1h8FfHPg3x18PLb4SfFmLw18M/BPhe70fUvhrD4aguE1f91bxafIt87edaC0SGQCNARL53zkbBn5i+Cn/AATU/b4+Bnx08e/tBaJ/wUL+HeueJviLroute1/xV+zzc3epJp0bf6NpEE6eIo0gtIEJWOOOJV3M0jBnYmgDlP8Agoh+wB8TPjX/AMFDov2qZf8Agnf8Mf2h/B1j8DrTw3B4d+IXjG20yS21OPV727kktFnsrpHk8mWNB5nkofNx5owaofHr4T+FP+Cov/BMn4AXn7Ev7Knhq98G+HfixpOq6j8HPG1zDo1haWOjvf2d/o1yFhnSMJcI1sQkUoP3grLX1V+0H8Ev27PHXjq61f8AZ1/br0L4f+H7zTY7dtE1f4PQa7PZzDcHuba5N9b7XYFTtmjnQFfu4JFYHgf9hf4pfs0/sn+CP2Zv2I/2oj4MuPCd9c3WqeI/GfguHxI3iOW6luLm7ku4hPasskt3cPcFoZY9p+UDbxQByP8AwS38RfAvwT4v+J/7JvhP9gzw3+zt4/8ABdzpmp+MvB3hG4tbrTNWtb6KUWWp2t5bwwfao2FvNG2+GOSNoirKMivsGvAv2Qf2KvEf7P8A8S/H37RXxs+O1z8Svif8SV0628Q+Jf8AhH4tIsbTT9PSVbOwsbGOSX7PChuJ3YtLK8jyFmY4GPfaACiiigD5g/4LM/Ff4h/Br/gmx8SPFnwp8V3eg69f/wBj+H7PXdPk2XGmrq2sWOly3UTjmOSOK8kdXHKsoYEEZryKX9mn4Mf8E5P+Ckv7NHhT9j7wj/wh+hfF218V+GPiJoVjezPb659h0ZtUs9SuUkdhJexS2kiG6P711u3V2YECvr39qf8AZv8Ah5+17+zx4u/Zp+Kou10Lxho8ljeXGnzeXc2rEh4rmFyCFmilWOVGIIDxqSCOK8i+CP7B/wAaNN/aH8MftK/tg/tcD4sa58PvDd9o/wAPLex8CQ6Bbab9tESXmoXKR3M5u76WKCOLzAYokRpAkKmQkAHsv7QH7Ofwd/ak8Aj4W/HXwo+u+HWv4ru40g6jcW8N08ediTCCRDNFk5MTkxtgblIGK+I/2Gk+HPwn/ac/aP8Ai7+wf4RbTP2cPB3gK306HRtLuJBoOt+ONPe9l1G40eIkxxxR2/2a0nkhCxyzxnG8xM1e7ftJfsZ/tiftBfsi+Nv2bYP+Cg82h674v8X31xF45tfhzCkuneGp7lnTQUhtby3Y7ICtsb0SpM6Bm+Vmyu9+xp+y/wDtFfs4+Frf4R/E/wCNfwx8Q/D3SPDiaT4b8HeBvgvN4bTT1Uqo3SS6xfLLH5YdTH5almfcXPIYA/N79hP4j+Frb4JfBf8A4KZ/tqf8E7v+EgPjrxZpE2tftLa14/W58R6drOoagtvb3Y0wR/6HoqXkkVrDFDc8W4jZrbDEH6M8Ffsk/B7/AIKcftB/tY+PP2ptNuNV1HwP8ST8PfhhcS6lPE/ge1s9B066+36aUdfst1Ld38tw1wuHJjRd2xQtdj4T/wCCO3jLQ/BfhX9lbXf2yr/VP2c/BPjG017w/wDCt/BMEepPFZ341Cx0q61n7QxuLGC5SJggtkmZIURpiBmuy+NX/BOX4x638W/iV8Q/2WP2zLn4V6b8aLO2j+J+i/8ACDw6u8t1DaCx/tHTJnuIf7Ou3tEiid3S4QmGOTyw4JIB1f8AwSY+O3j79pr/AIJp/BH46fFPUJLzxJ4h+HenTa5fzD5726SMRSXLf7UrIZDjjLnHFfQ1cr8Dfgz4B/Z0+DHhT4B/CzS2svDfgzw9Z6Lodq8m90tbaFYo97fxuVQFmPLMSTya6qgAooooA+A4/wBmr4Mf8FG/+Ck/7S3hP9sHwh/wmGg/CKz8KeGPh5oN/ezJb6J9v0ddUvNStkjdRHeyS3UcYuh+9RbRFRlANeuf8EZvit8Q/jJ/wTa+HPir4q+LLvX9d09tZ8P3mu6hJvuNSXSdZvtLiupXPMkkkVnG7OeWZixyTUvxv/YQ+NGpftD+Jv2lv2Pf2tx8J9e+IHhux0b4h2994Eh1+21L7EJUs9Qt0kuYDa30UU8kQkJlidBGHhYxgnqPhh+xxrv7OHwT+D37PH7LHxvu/CPhX4aapbt4kg1HQLfVbnxhpqw3H2i1mmlKm1mnuplunuYhu3oyhQrnAB8w/wDBX/8AZP8A2H/h58HfFvxM0P4O3WoftI/FK8m074L6romt3Z8UT+LZkP2OTTpzNvs7e2cJcTeWY7eKCFy4wcNzv/BRvxt8efG37WH7NX/BPDxh8Ipvi2mufDXVvEfjjwhD4qOg6N4r1myS0gRtUu1jZl02EteXBhWKUSzPaq0LAceveJ/+Cb/7a0n7cfi39t/wT+3j4EOq6xYrpPg3T/G3wIuNYbwbow5awsZItftUXzXAeabylkmYKGO1VUemftK/sR/EL44eIvhd8evAn7Qlt4L+M/wus7u1sPHEHg1b3TNTgvreKLUbW50uS5VmtpnhilRFuRJC0a7ZW+bcAfKWvfBrQv2wf+CWX7Qn/BPP9lT9jbRPhH8RfDvjax0jxd8JG8QxSaRb3zT6XqAube7VFjazuLARyqywxkkODCG+96d/wTzj+BP7OX7XGufspah/wTG8B/s6fEjX/A58RaVf/DrU7XU9L8VaNbXccEyreRWdpIs0E08Ja3lhHyyh1Zhk16X8KP2C/jR8FPhd8QL/AMBftfyf8Ln+J/jODxL4x+K2p+A7a4triaGK3torOPSvOVYrNLS2jt0jE5lUFn84seLv7PX7DXxQ8J/tO3P7ZP7V37TSfE7x9B4Ok8LeGF0fwZH4f0fQNLmuY7m5EFoLm6keeaWGEvPJOx2xKihVyKAPpCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDzP9sX9rT4O/sMfs0+Lf2qvjzq81p4Y8Iab9pvRaxh57qRnWOG2hUkBpZZXjiQEgbnG4qMkfLnw9+Mv/BwB+0L4Ls/jf4C+An7NXwu0PW7Vb3QvAHxP1PX9Q19LZxujF7cWPlwWsrIVJQRSNHnDqGBUc1/wdBaBrd5/wAExIvHEGk3F/oPgv4reGNf8aWdvEZDLpEN55c25B95Q8sTHsAuTwM1+gnhPxX4a8eeFtN8b+DNdtdU0fWLCG+0rUrGYSQ3dtKgkjljYcMjIysCOCCKAPiD9tv/AIKRftsfsif8E5/Df7TPjz9m7wl4P+J938T9L8LeIPCOrapLrWmJb3Govatd209tJbs6ywqk8W45TzArqxU1931+dn/BzPdWt3/wTp0Q2tzHJ5fxz8IJJ5bhtrDUBlTjoR6V+idAHyr+xZ+3H8Wf2jf2+P2q/wBlnxv4e8O2vh/4Ga94ZsvCV5pVpOl5dx6jp81zObt5JnSRleNQnlpEApOQx5Hy3+wx+3d/wXy/b2/ZBg/bN+DHhb9lC40661DVYLHwVqWi+I7LUb02N1LbtEtz/aEsEckhiOxmGzLDcVGSO/8A+CVv/KYz/gol/wBjh4C/9Mt1Xy3/AMEH/AP/AAWC+IP/AASt0Twv+yT8e/gT4F8B6j4h8SQadrmv+DNW1HxPprtqlys0yFbtbN2Ehdow0WANobJyaAP0y/4Jf/t8eGv+Clf7GXhf9q/QfBVx4ZudVkurHXvDV1cec+l6jazNBPCJNq+Ym5d6NtUlHXKq2VHG/wDBRr9v74xfs5fF34Q/scfsk/CXQfF3xk+ON/qkfhRfGOqy2eiaPZabbC5vL69eFWlkVYz8sUeGfa+DlVR+/wD+Cbv7B/w+/wCCbX7IHhf9kv4d+Jb3XYdC+0XGqeIdSiEc+q39xM01xcsgJEYZ3IVMttRUUsxBY8//AMFE/wDgmL8I/wDgohZeD/EOv/Ejxl8PvH3w41G4vvh78Svh9q/2PVdEmnVFmRWIIeKQRx70OCQgAZctkAzfgHq3/BZ/RfjT4e0j9q7wr+zjr3gDUWuE8Qa18MbrW7DU9HZbaV4XW31BpY7lGmWKI7ZFYCQttwpr3f4x/tB/AT9nbQYfFX7QPxv8IeBdLuJTFBqXjHxLa6ZbyOBkqslzIiscHoDmvze1j4q/8FTP+CRf7X/wH+Fv7SH7aen/ALR3wf8Ajj8RbbwNBJr3g630nxF4ev7oqsE6y2zN9pjVmDO8jP8AKrDbGWVq2f2SPgr8H/22P+C0n7X3jr9sjwHo3jjX/hFqHhvw18NPDHjCwjvrTw5olxYPcG5trWcMivcyDzDNtLAlgpAcggH6LfDL4ufCj41+E4/Hvwa+J3h7xboUsjRxa14Y1qC/tHdQCyiaB2QkZGRnjIrl/A37ZX7IHxP+Is3wg+Gn7Vnw28ReLbdnW48L6F450+71GIpneGtopmlXbg5yvGDmvi3/AILzeDPCH7EP/BGX4wWX7HngLRvhfYeLvEWkxeL7rwNo8WnRww399Y2F9dmO3VVDy2yR27sBllbnnmuR/wCC0v8AwT4/YK/Zf/4I3+Ivid+z38IPCXw/8QfB/TNI1j4XfEHwvp9vaataajDeWyW8i30SiWd7gsFdmZvMaQOcuFYAH6ReMvjb8GPhz4r0nwJ8Qvi74Y0HXNetL260LRtZ1+2tbvUYLOLzruWCGV1eZIIj5krICI1+ZiBzWb4E/af/AGafij8PdV+Lfwy/aH8DeIvCmhXUttrnifQvFtneafp08SJJLFPcxStHC6JJGzK7AqsikgBhn81/+CgHwj8Pftq/8FOv+Cb/AIP/AGmvCkd7ZeI/BXjPWPGPhy4jKwXk8WiafetaTx9HhNxGqyQsCroGRgQxFVP+C13w2/4RX9rP9kb9ib4AfsZeD/E/w68b+K/E/iXxF8HbTV7XwlovjTWNM061NnFe3CW7xMIU/e+VJG4n8qOIjhSoB+mPwY/al/Zk/aQN8P2eP2jPAnj3+zCBqX/CF+L7LVPshJwBL9mlfy8kH72Old3X5P2/7IH7evib9uj4CftJfCT/AIJDfDL9m9/AnjFLfx74m8B/F7TLoa14VuU8m9sLiytNPtBcBVKyxli5Ro8KoJBH6wUAfNPgz9sz4kfGj/gpd41/Y++Duj6CfA/wh8D2lz8T/Et/aTTXZ8Ral+807TbQpMkaLHapJPOzLIxLxxgRnLHE/wCCSn7ePxZ/bS+G/wARPB/7Tnhjw7oPxc+D/wAUNV8HeP8AR/C1tPBYs0Eha1vLeO4mmkWGaE8M0jbmikZcKQB5X/wQfaXU/H37bfiPxPk+JJv21/F9pemT/WCwt4rNbFOeTGqNIEPp0rnPjH4h0H/gmj/wXq0r48eJdVh0T4XftZ/DmfSvF2oXD+Xa2XivQIfOtrqZhwvmWP7lRjLPJI2Tg0Ae6eNv28Pi/rP/AAV/8H/8E5fgX4c8N3nhzSPhpe+M/jZr2p2dxNd6bDI4g0y0tHjnjjhneYo7iVJd0MoKhdpJzfh78VP+Cq/7Qn7Jfgb4m/s+fGD9kPVvF95qesR+Mda0r+2dd8LXMEV48VoumzWd6r+aiIVuPMdwJQyqF2kV5v8A8EAfDGvfHHwz8ZP+CsfxH0qaDXv2mfiPcah4djvE/fWXhPTWex0m2OeQQqTZIwHURNjoav8A/BsH/wAoYvhr/wBjB4q/9SLUaAPPPgj+2h/wXn+OP7bHxv8A2ItE1b9kWy1r4GweHJdb1m68F+KDa6iNYsDewiALqhceWg2tvA56ZFfoj8Aofj/b/CPR4f2pNS8HXfjxUm/4SC48AWV3b6Q7edJ5X2eO7kkmUeT5Qbe7ZcORgEAfEP8AwT5/5WAf+ChH/YP+Fn/qNtXvVh+1h+31c/tHt8K73/glN4itvAY8WyaavxSb4u+HGtzpi3DRpqv2AXH2vY0QE3kbPNAbaV3AigDL/Zb/AG4/iz8bv+CoP7Uv7FHivw94dt/CvwQtfBcnhTUNPtJ01C7Or6Sby5+1u8zRyBZBiPy448Lw28819U1+eH/BPn/lYB/4KEf9g/4Wf+o21fQn/BWj9qDVf2Pv+CdvxT+N3hR5T4lh8NtpXg2K25ml1vUHWxsBGo5dhc3ET4HOEbpjIAPOP2e/26f22f2s/wBlz4xftE/s1fBTwL4muNP+L2peG/gTpV/qU+mW2u6JYX0NjPql7dvJIGzIt9IqxJHlbdUwWbNVP+CT/wC3R+3B+0z+0F+0V+zX+3T4L+F+j+JPgnrXh+yg/wCFXR6gbWX+0bS4umEkt7M7TFFSFdyxxDdv4YbTX0B+wL+zBpf7F37Fnwx/ZZ0tIs+CfBtlp+oTQ/duL4Rh7ucf9dLhppPq9fKf/BLH/lL5/wAFDf8AsdvAv/pknoA+2P2g/j18Lf2Xfgl4n/aF+NfiaPSPC3hDSJdR1m/k5KxIOEReryOxVEQcu7qoyWAr48/4I7f8FLv2wf27Pj3+0H8Jv2tvgb4Y+H8nwxk8K3nhjw/pEF0NRtbHXLO8v4YNSkmnkSS6jt0tFfy44QshmBXoF8+/4Kt/HH4ia7/wUI+G/wAGPi9+xP8AH/x38AfhzY2/jbUl+E3wmvvEFt4v8UiVhp9ndvEFiFpZBTctEXYyTGIOhVQa80/4JLft36b44/4La/tevH+yb8dtK/4WzrXgRIBrnwvubY+E/sWhXaE67ub/AIlYn6wGTPmryKAPu34V/tmfEJf+CkfxE/YA+O2iaHZyJ4QsvG3wf1nR7aaE6zoLv9lvYLkSyyKby2vFwTHtDwyo3lptJb6Tr8+v+CgrzaT/AMF3P2BdQ8J5GqalY/Eyy11Yv+W2mJolvKolx0RZcsueC9foLQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAGf4t8JeFvH3hbUvA3jjw7ZaxousWMtlq2lalarPb3ltKhSSGWNwVdGVipUgggkGvjDSP+CE/wAFfh5aTeEv2df23f2oPhR4Kkmd4Ph38P8A4xyQaPZB2LOlstzBPPbKSScRTL14Ir7fooA+TvjP/wAEa/2S/i/+wnpv/BPaz17x34U8FaV4li8QW+reHvE/m60+pLdyXj3Ml5qEd0XkkuJZJHYrnLfLtAAHN+GP+CM+ueGfEuneJH/4K/8A7aupDT76G5Onap8YbGW2uvLcN5UyDTAXjbG1lBGVJGRX2rRQB4z8AP2HPhN+zl+0r8Z/2pvBHiHxFdeIPjnqWkXvi2z1W7geztJNOtZLaAWiRwo8askjF/MeUlgMFRwT9gf9hz4Tf8E6v2atL/ZZ+CfiHxFqnh/SdSv722vPFN3BPeNJd3UlzIGeCGFCoeRguEBCgZJPJ9mooAK8H/bF/wCCfPwx/bK8Q+GvHmufF74oeAPFXhGC6t9B8WfCrx5caJfQwXLRNNC+wNFOjGCP5ZI2HBx1OfeKKAPkf4Jf8Ebf2ffhl+0DoP7Ufxd+Ofxi+N3jfwisv/CF6t8afHf9rR+HXkG2SWztoYYII5CP4zGxBAYEMoYbv7Vn/BKf4A/tQ/G20/ae0b4lfEn4T/E+30kaVdfEL4O+Lv7G1HUtPB3La3YaKWC6jU4x5kTMNqjdhVA+m6KAPCvhj/wT4+DXg79mjxb+yr8VPGnjr4veHPHlzczeL7z4v+LJdav9RE8EMDR+cQnkxqkEflpCsYjYF02sS1eI+F/+CBf7Kthd+F9C+Jv7Qfx2+JPgHwVqMF74U+EXxF+Jbah4Y0+S3/49l+yiBJJ44RgRxzyyIFG0gqSp+46KAPH/AIs/sU/Cv4x/tdfCT9tDxPr/AIgg8U/Bmz1628L2FhdQLp90mr2qWtybpHhaRyqIDH5ckeGyW3jipf2yP2Iv2e/27fhna/DH9oDw3eTx6VqsWq+G9d0TU5bDVdB1GLPlXtldwkSW8y5PIOCDhgw4r1uigD5U+CP/AASl8PfCP4p6D8VfF/7d37TPxLl8NXf2rRtD+I/xbe70yOYIyLJLbW0Futyyhjjz/M555NfVdFFAHyZ8F/2WvjH+zL/wVQ+KHxc+Hng4ah8Ifj54ZsdZ8UXkOoW8Z8NeLtNUW2TbySLLJDfWrhi8SyFZrc7wisGPX/8ABSr/AIJpfs8f8FUf2fbf9nT9o6/8Rafplj4gt9a03V/Cd5Bb6hZXcSSRho5J4JkCtHNKjAoch+MEAj6EooA5j4J/CDwN+z78HfCvwK+GWmGz8O+DvD1nouiWzEFo7W2hWGMMQBubagJbAyST3rhv2Ef2KfhX/wAE9f2ZND/ZS+C+v+INT8O6Beahc2d74ouoJr13vL2a8lDvBDDGQJJ3C4QYUKDk5J9gooA8Z+Dv7Dnwm+CP7YHxj/bX8KeIfEVx4q+N8OgR+K9P1C7gfT7QaRZGztvsiJCskZaM5k8ySTLcrsHFezUUUAfFfxq/4Ik/DX4rftb/ABC/bO8D/tz/ALSHwr8VfE9dKXxbafCnx7Y6VY3I06xisrYbG0+WQ7Y4y3zyN88shG0NtHPan/wRa8anx98NIdZ/4KAfGP4neCPDPxV0rxx4r0X43eLI9anluNIgvDp1vYGC1gWGN7q6WW4Em8SC1gwAU5+9aKAON/aB+EE/x8+D2ufCK2+LXjLwK+tQRxL4s+H2rpYaxp22VJN9tO8cqxsdmwko2Udh3yPjP4S/8G/Xw8+Cvxf1j45eBv8Agpr+13D4h8T6tY6h4xun+KOnD/hI5LQbYFvimlq1wgjzHgtnYzAEZr7+ooAK8b+Bn7EPwo/Z/wD2pfjR+1x4N8QeIbnxJ8dLjQpvFtlqd3A9jaNpNnJaWws0SFJIw0cjGTzJJcsAV2Dg+yUUAfJnw/8A2WfjH8S/+CtPjD9uf46+Dho/hjwB4Cg8DfBGxl1C3uH1Bblxd6rrbJDI5ty7lLSNJNshjidmRMrn6zoooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/9k=" + } + } + ] + } + }, + "considerations": { + "users": [ + "Who are the intended users of the model?" + ], + "useCases": [ + "Who are the intended users of the model?" + ], + "technicalLimitations": [ + "What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?" + ], + "performanceTradeoffs": [ + "What are the known tradeoffs in accuracy/performance of the model?" + ], + "ethicalConsiderations": [ + { + "name": "The name of the risk", + "mitigationStrategy": "Strategy used to address this risk" + } + ], + "fairnessAssessments": [ + { + "groupAtRisk": "The groups or individuals at risk of being systematically disadvantaged by the model", + "benefits": "Expected benefits to the identified groups", + "harms": "Expected harms to the identified groups", + "mitigationStrategy": "With respect to the benefits and harms outlined, please describe any mitigation strategy implemented." + } + ] + } + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.xml b/tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.xml new file mode 100644 index 000000000..38df43ff7 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-machine-learning-1.7.xml @@ -0,0 +1,94 @@ + + + + + Acme Inc + CompVis + stable-diffusion + 1.4 + Stable Diffusion is a latent text-to-image diffusion model capable of generating photo-realistic images given any text input. For more information about how Stable Diffusion functions, please have a look at 🤗's Stable Diffusion with 🧨Diffusers blog. + + + + supervised + + task goes here + the architecture family goes here + The architecture of the model. + + + dataset + Training Data + + https://example.com/path/to/dataset + + public + + + + + string + + + + + byte[] + + + + + + + The type of performance metric + The value of the performance metric + The name of the slice this metric was computed on. By default, assume this metric is not sliced + + The lower bound of the confidence interval + The upper bound of the confidence interval + + + + + Performance images + + + FID vs CLIP Scores on 512x512 samples for different v1-versions + /9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAIBAQEBAQIBAQECAgICAgQDAgICAgUEBAMEBgUGBgYFBgYGBwkIBgcJBwYGCAsICQoKCgoKBggLDAsKDAkKCgr/2wBDAQICAgICAgUDAwUKBwYHCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgr/wAARCAH4AxgDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPDv2yv+CkH7G3/AAT/ALrwpYftYfFe68N3PjiW8i8K2tl4S1XV5dQe1WJrgKmnWs7LsWeI/OFyG4ztbGN+y9/wVb/YY/bK+Jp+D/7PHxO8Qav4gXTZb82mpfDPxDpMfkRlA7efqFhBDkF1+XfuOeAcHHyZ/wAFx/ird/BH/gpn+wN8U7D4UeLfHE2j+KfHUieFPAmnRXerahu0qyj2W8U0sSOw37yGkX5UY5JGD9i/smftw69+1R4r1Twvq37DPx4+FKaZp4uk1T4teE7HT7S9JkCeTA9tfXDNKM7iCqjaCc9qANj4f/t7fsnfFH4O/Ef4/eBPit9u8JfCTWNa0v4hat/YV/F/ZV3pMIm1CPypIFln8qMht0KSK/RC54rwnSf+DiL/AII+6xY22sJ+1feWenXao1vq+r/DHxLY2LK33W+03GnJCFOR8xcDnrXyt+wD/wAodv8Ago7/ANlg+NH/AKaEr7a/4IwWNlqf/BIL9njTdSs4ri2uPg3osdxbzxh0lRrNAysp4YEEgg8EGgD6G+F3xW+GPxu8B6d8Ufg58QtF8VeG9Xh83S9e8P6lFeWl0mSCUliZlbBBBweCCDgit+vzQ/4Je+GNH/ZN/wCC1X7Xn7C/wZtE0z4YXGjeHfH2h+FLQbLPQNSvLeNb1LeMfLCkzyBtigKqQxKoAQV9Zf8ABUXVP2qfDP7A/wATPHX7FPjt/D/xL8MeHX1zw5crpFrf/avsbLcT2fkXUUiOZ4I5oVwAweRSGBFAHvtFfB37Zv8AwVc1Sw/4I0eH/wBt39lSaMeP/jNpOiaJ8JdOjiiuHj8TauywJbqkqtHLLav9pYo6sjNaFWDAkHgv2/v2yv2sP2eP2i/gZ+w744/4KA+GvgRo+v8Awqk1Txd+0j4s8Eafdp4j8RWskVvLptulysenWLuC10xdAoWRFUL8quAfpdRXhH7BugftAaX4C1PWPjJ+3l4f/aD0nVLmKbwl4x0Pwhp+lGKEKwlikOnSvb3PzbSsiBMcgg9a8O/4ORPj78R/2dv+CPvxT8U/CjXZ9J1nWxpvh5dXtpSj2Vvf30NvcuGHKloHljDAgqZAQcgUAdj8TP8Aguz/AMEnfhN451P4d+KP2w9KvNT0SYxayfC/h/VNbtrBwSGWe6061ngiKkEMGcbSCDgg16F4w/4KZ/sI+CP2Qbn9vbVP2ktEvPhFZywRXXjTQIbjVIIpZbiO2SIxWUcswk86WNGTZuQt84UAkdh+yh+y58G/2Mv2fvDP7N/wI8IWWj+HfDOlxWsEdpbrG11IqASXUxUZkmlYF3kbLMzEkmvhf/g5o+Fvw2+FP/BC3426b8MvAek+H7bVfEug6nqNro1hHbRXF5Lr2nebcMkYCmR9oLNjLHJOSSSAfpbXnfgb9q74BfEn9ofx1+yn4K8e/bfH3w1s9NuvGug/2XdR/wBnQ38PnWjefJEsM3mR/NiJ3K9GCnivRK/PD9hr/lYa/bm/7E/4b/8ApnoA7zUf+Dhr/gkNpGo6pp2o/tS6jENF1SfTtWvT8LfE5s7S5hkMcqPdDTfJXawILb9vfOOa+svhR8Wvhj8dvh1pHxd+DXjzSvE/hjXrQXOj67ol6lxbXcRJG5HQkHDAqR1VlKkAgivx4/4Iz/8ABVf9ib9kL9lL4q/BL44ah4u1TxRJ8dfGV0nhDw18Lta1l9ShmugqQpLb2j2jPJtZdjzLjPzbQc19af8ABuV+zf8AG39mz/gnjcaX8b/hlf8AgWXxb8Sdd8UeGfAWqxmO58N6PdyR/ZrKSI8wsPLeTyyAyiYbgrblAB9c/tH/ALT37Pv7IXwtu/jV+0z8XNF8F+F7KVYpdX1u7EaPK2dsMajLzSsFYiOMM5CnAODXi3wH/wCC0/8AwTL/AGlfilo3wU+Ef7TsNz4q8RSFNA0bWfCmr6RLqTBSxFub+0hWY4BPyE5A4ry//gtj+yx+1P8AFXxd+z5+1l+y78F9M+K118BPiFc+INa+Eep6vFZf8JDBNBGizQSTgxC5tzGWj3AkNJuUOV2NF8Dv+C437PPxa/aC8Ifsr/tmfsffFL4CfEXxDqiJ4Hs/jB4NWPTtT1HIVI7C/BKvMWbYrlIwWdUVizhSAffNFfBPxj/aW/bl/bK/4KM+Pv8Agn3+wx8bdF+D/hv4J+HtHvvir8T7vwhBr2qXGparC1xZabY2t0fsyJ9nVneaQOQykADbhus+N3x4/ac/4JOf8E8/i9+1B+2D+0XY/HS88G2iXfhK+XwTb+HZ5ZJ3htLazu0tHaJgbuaPM0aoQjn5MqMgH2VRX5gfGnX/APgul+yR+xhP/wAFI/Hn7aXg7xrqPhnQIfFXjz9n5/hXY2OkQ6ZtWW8s7TVInN6JreEuRLIzhzEflPAboP8Agob/AMFC/wBsC68d/sQyf8E7/GOlaZaftJ3F7Nc2PirRYLq0msrjSbS6tbi5+UzKtqty9yY7eWJpTF5ZfDZAB+j9Ffmz+3B+19+2B/wS4+GXgv4M/Ev9vbwb43+JPx1+IZ0vwp8Sfin4S0zwx4f8BaVBbI+oXk6WsiJcLFuQxJNJuZ51VncKEfz3SP8AgqB8Sf2Rf2j/AIQaXr//AAWa+C/7XHgz4o/EKw8F+KPDnhqz8PWGu+F7i/LJbarapo9w5ls0mCpMJlYqrqAxZwVAP1oor8uvjt+3V+0d8Sv+ClvxW/ZD13/gqT4N/ZE0f4frpEfgLStf8D6TeXvjuK7tBNJqC3WtMIGjWUtEsVv8/wApDYZCW/Qb9mDw98Z/C3wQ0XRPj/8AHPS/iV4njE73PjjRvDselQatA8zvbSi1ikkjjbyGiVtjFWZSwwGwADv6K+P/APgrB+2p8f8A9n2/+Dv7LH7H9tokXxZ+P/jl/D/hrXvEtqbix8PWNvEJtQ1N4Aw+0PDEyFIidpLEndt2N5R46+Of/BRr/gl7+058ENI/az/a4034+fCf43fEG18AX2qXnw5sPDuq+FtfvEY2EkP2AiO4tpXSQOsilkVCdxOMgH6L0V+b/jP49/8ABTb49/8ABZH4y/sE/s7ftMaN4B+H/hf4deHdc/4SPUPA9lq11oEk8f7yOyidU8+e5kbJe6klihjgk2xFnXHoH/BN/wDaX/bB0r9tn42/8E2/21fi3pfxK1r4b6RoviTwf8SrDwxBo1xq+lagjh4ru0tv3EcsMqqoaMAMCxPYUAfbGrarYaHpVzreqz+Va2du89zLtLbI0UsxwAScAHgDNfFuif8ABxP/AMEifE2lw654c/aO8S6hZXAJt7yx+Cvi+WKUAkEq66SQ3II4PUV9h/EDSb7X/Aet6FpkQe5vdIuYLdCwUM7xMqjJ4HJHNflZ+zFr/wDwWR/4Inf8E4vCmifF39jb4U/ED4ZfCbQLm48XW/gf4jXf/CUWenG4mu7q88ue0W0l8hJXYxxyMSsR+YDLAA/TL43ftJ/Ar9m34OXn7QXx5+Jum+FPBthFBJea/rLtFDEJnVIgQRu3O7ooXG4lgMZrhf2KP+Ckv7FP/BRSx8S6p+xp8bY/Glt4QvILXxDPDoOoWSW0syyNEAby3i80MI3O6PcvHJGRntvh34x+CP7Y/wAAPC/xX0bSNO8UeCvGuiafr+ixa1psc0csEqJcW7vDKGCyLlTgjKOvYivi7/gkVaWtj/wU4/4KA2VjbRwwxfFPwykUMSBVRRpEgAAHAA9KAPpf9rP/AIKZ/sLfsN+JdM8EftQftC6b4b1/WbL7ZpXhyDT7vUdSurfe6CZLSyhmnMZaORQ+zBMbAHINbX7JH7eP7In7dvhnUfFn7J/xz0nxhb6NdLb61a2yTW17psrZ2rc2lykdxb7trbfMjXdsbGdpx6Nc+FfAmneJrj4oXfhzSYNZGlLZ3XiKSziW5FjG7yrC9wRv8lXkkcIW2guzYBJNfnP/AME8b/Sf20v+C1/xq/4KWfs3aCLP4L6b8MIPhpF4rt4fKtviF4gg1CO4uNTgwMXEVtHF9lFxyGCx7GILAAH6XVy/xr+M3w1/Z1+EfiP47fGPxJ/Y/hXwlo8+qeIdV+xzXH2S0hQvJJ5UCPJJhQTtRWY9ga/P79pz/gqN+0d/wSK/aK8eeB/217bXvix4E+IdrNq/7M2uaF4bt4r2XV8pGfBl0tjAil/MkjaC5dGdoixZpX+SP0jX/wBmb/gor+0B/wAEa/ij8GP2qPiHp/in44fFfwPrHk6FBZ2OnaZ4ZlvoSLbRYZII08yO3DKjTzPLIz7z5jrtoA6H4df8F4/+CXXxY8U6F4N8AfHXxNf33iXULWy0Qf8ACnPFkUNzNcOqQ/vpNLWJEZnX947KgByWAya9y/at/bO/Zc/Yd+HcHxX/AGsfjRpHgjQLq/FlaX+rM5+03JjeQQxJGrPI+yN22qpOFJr4XH7av/BSv/gkF+zv8Pb/APb6/ZL+Gur/AAQ8I6TofhbxL44+Efji9vNT8MQKkFjDf3lpeWkQuEaTywywHgyDBJwG/RzXvB3w7+JVppuoeJ/Cmja/BaTrfaRNqFhFdLBIUIWeEurbG2OQHXBwx5waAOD/AGOv23P2YP2/fhG/x2/ZI+Jw8W+FI9Xn0t9VGjXtji7hVGkj8u8hikOBIh3bdp3cE4OOE/aY/wCCvH/BOf8AZA+J1z8Ffj5+0zYab4vsreOfUPDGk6HqOsX9nE8ayI88GnW87who3RwXC5Vw3Qg14N/wbfgL+yx8Z1UYA/ap8c4A/wCvmGvuDxTd/Bj4GaP4q+Oni1fDvhazFp/afjTxVcww2okitoAgnu58AuI4Y1QM5O1EVRwAKAMj9mb9q39nP9sn4XwfGf8AZf8AjBovjTw1PO0H9p6NcFvJnUAtDNGwEkEoDKTHIquAykjBBPoNfnJ/wQp8Nav8Vfjx+1N/wUh8GfD+68H/AAm+P3jrSrj4V6Dd2RtW1G1022nt7jXvIIHlLfyy+cCQGYhycjYx+zf21PjF8Rf2ev2RPiX8dPhF8Pz4q8UeEfBGpatoHh4RO4vrqC3eSOMpH87ruUEonzMAQvJFAHp1FfmT/wAE6fjP+1h+2Na+AvjD4L/4L9/Dfx3qGof2fq/jX4M6Z8KtBj+y2zGOW80xRHMmpWrpGZIlnl3HcocpjIr1X/gq3+0ZrvwF8b6FJrH/AAWT8C/sweHbvQw0Oj3vw+0/Xdd1i7E0okuI1vHfZbKnlJ8lu3zh8uMgUAfcNFfnp/wRN/4KheKv2yvip8Yv2W/HH7R3hX40N8MG0q/8L/GLwl4cbR4/EumX0cm5bmy+5Bc280Rjby8I4cYHylm8p/4J3/ET/gtr/wAFK/2U/E3xi0L/AIKDeH/hxN4e8eeIdG8Jzn4T6Vqdx4ka1u3Ef21nRIbW1T5LZRBCZj5csryMSqUAfrDRX5YfsiftE/8ABYr/AIKufsEWf7a/wl/af8JfAm6stKu7XRvCumfDq11tPFep6fuiurm8nvmY2NvNdRSwpDApeJULmWQkIHftP/8ABXr9pnX/APg3P8K/8FQ/gTeW/hX4ja2+hx3iafptvcwm5/ttNOv4oYryOZFjlaOYJuVmRZBhiy7qAP1Nrz/x3+1J8Cfhn8fPAX7MHjfx19i8c/E631SfwPof9mXUn9pR6dAs94fOjiaGHy4mVsSuhbOE3Hivg39s34nf8Fkv+CdXwCH/AAUh+KH7WfhH4g6D4au7C9+KXwDsPhtZ2FhY6bc3EUNxHpeqLI15JLbGYBZJ3ZZApkKjHlN0n7YniXR/Gf8AwXJ/4J9eMPD1z51hq3hH4l3ljNtx5kMugWzo2O2VYGgD9DqK/LX48/8ABUjxv8ff25fip+zH4B/4KmfB79kvwR8GdRt9Fu/EPjQaJeeIPF+stHvuhbW+sTpDBZ25/dGQI7M4ODhsR7P7H3/BW347eJPhf+1V8JZfiL4A/aK+IX7Ovg//AISLwL4++GBhbTfiDZ3Gnz3FskkFjLLHHdRTwGGeKBsEuFQbhuYA/TGivy//AOCdPxy/a3/bV0fwJ8Y/Bv8AwX5+G3izW9USw1fxj8EtO+FOgoLGFtkt3pYVZk1OBo0MkQnkydyBymOK/UCgD59/au/4KnfsG/sSeP7D4UftIfHhdI8Ualpn9o2vhzSfDWp6zf8A2PeUFw8Gm21xJFGWVlDuFBKnBODXvtjeW+o2UOoWjlop4lkiZkKkqwyDggEcHoea/H/4C/sxftveIP8Agvj+0To2gf8ABTLXtI1jRvAvhS91TxAnws8P3Emq6XO8ksOlGKWAx28cKjYJogJZM7nJYZr3Hwt8dv8Agon/AMFNv2tfjh4I/ZI/ay034C/Cr4FeNpPAya1afDyw8Rat4o8Q26A35kF+TFbW0LsiqqLvcMDuBJ2gH6KUV+ef7N3/AAUO/ay139m79r/4G/tE6lokXx1/ZY0fUkm8ZeG9LSKy1qCbSLm+0fVhaS+YkUrrAXeAhowVHGGKCf8A4JK6l/wVU/bC/Z++DH7bX7Sn7b+maToes6Db3mo/DLQvhlprf8JFaeS8a3d7qDAPBPcPi52WkcMcSlI9rfMSAfoLWX448Z+Gvhx4L1j4h+M9S+xaPoOl3Go6teeS8nkW0EbSyybIwzttRWO1QWOMAE8VyP7Wn7Q/hv8AZJ/Zh+IH7Tvi3Tpb3T/AXhC/1y4sIHCvd/ZoHkWBWIIVpGVUBPALAmvzm8Rr/wAFqfij/wAEvPFP7ffj79rzwdfL4x+EWoeJrj9nmL4ZWsGmWug3enSTfZINWWT7aL1bOTzFeQyJ5wEbIy5egD7v1z/gop+xx4b/AGZPCP7Y+tfGHyfhv47vNNtfCniP/hH9Rb7dNfyeVaL9nW3M8XmOcZkjUL1YqOa1P2t/25P2U/2FPB+m+Ov2qvjBZ+FLHWtRFhosbWNze3Wo3O3cYre1tIpZ5iBydiNtyM4yM/nHpP7S3xp/ZV/4NyP2UfiL8CPF0Wi6xfan4E0a6u5tItL0PZXd4Ip4vLuopEBZCRvCh16qynmtD/grN8B/2p/G/wDwXM/Y2svh/wDtz6v4STxcfiA/gFYPAGj3y+BpLLw1atePCLmJhqBvOQftW/yN2YdpoA+1viD/AMFa/wDgn18KfgL4O/aV+I3x+Oj+FPiDc3EHgtr3wpqy6lq8kEjRzLDpn2X7cdjL8xMAADIejoT7L8FfjN8O/wBob4V6L8afhNq9zf8AhzxDafatJvLzSbqwlli3Fctb3ccc0Ryp+WRFPfGCK/J39s39lr9uiX/gtb+yh4Guf+CoOvy+I9Q8A+LX8M+MX+FHh7zPD0ltpNrHfyR2v2fyJzfMrO/mqfJ37YtqgCvV/wBsv/go18Xvh9+1n4W/4Jg6H/wUZ+GPwX1Hwp8LLDXviz+0R8VbPSIbrV759sMVrpunXUsNkLmfa11KMNHGkoCKNm1wD9NKK/OP/gnX/wAFJvHepf8ABQK+/wCCeXxK/bw+GP7Tek638P5fFfgb4t/DwaZDdW01vcLFdaRqdvpcslssgRhNHIgTKKcglgE47/gm/wDFD/gsD/wUh0D4l+Lb39vXTPht4X8BfHHxD4b0O/sfhVpOqapr0NrdAiCXzUSC3tYYmjhUrE1xI5mZ5RtQUAfqbRX5KTf8FU/H37afxz+KH/CJ/wDBZX4Jfsj+A/h746vvCfhTRfEUHh7UPEXimSyISfVbmPWblBb2bykiFYkDMqsGYFdzdR8Kv+CuXx5+LP8AwSn/AGsPHdl8XfBWrfFv9nK01rTrL4ofDhbW+0PxCIrM3Gna1bRv50H7xd2+E+ZGHibgBtigH6h1z/jv4s/Cv4Wz6Ha/E34l+H/DkvibXIdF8Nx69rMFm2ralMGMNlbCV1M9w4VtsSbnbacA4NfmP42+J/8AwW80D/gmLpv/AAVVb9uHwhY6honwtsfG+o/BU/Cmxl03VNNSzjuZlu9RyLpbuW33Tv8AZxDEkjGKNFUCSsP/AILTXvxi/ay8NfsB/tF/CT9ovUvAekfEX45eBZ9B0KHwxp9//YurajaT3dtrIluIy00tvG5jFs/+jvncyE4oA/XSivNP2VvhP8ffg58OLjwr+0b+1ZqPxh16XV5bmDxTqfhDTdFkhtWjiVLQQadHHEyqySP5hG8+aQThVx4F+3h+1V8fP2PP2/P2a/EF948x8Cfiprt38PvGuiTaXa7NP8R3UZl0a+W5MXnqZZFkgZDKIgqbthY5oA+yK+W/2kv+C1X/AAS9/ZH+Mb/s+fH79rbR9G8axXsFpc+G7TR9Q1G5tpplR4kmWyt5fJLLIjDeVGHB71znx0/aq+PfjP8A4LCfCP8AYK/Z28ef2R4c8O+BtT8ffHiSHS7W5N1pzMLTS9OEk8Tm3eS63SP5ZSUxEEMAMnyb/g5b8A+BNB/4Jwap4w0PwVpNlq+rfFjwe2q6paabFHc3rLqluoMsqqGkIVVUbicBQOwoA/SCiqHijxV4Y8EeH7rxZ408R2GkaVYxebfanql4lvb26dNzySEKg5HJIFfLn/BRP9pjx94p/YH+KfxH/wCCZX7Tvha9+JXgDQV8RWv/AAjl1pmuCW3tXE9xaSwMJgPPtoriNCAr79u1gQaAPrKivhH9u3/gqZrmmf8ABIrwr+1x+xzexr8QvjrD4f0H4M2jQw3Lx+INZZESIpKrRvLbL9pYo6Mpe22spBIrk/8Agob/AMFFfi7+zh8bfg7/AME1tC/bT+G3wv8AGfiH4eDxF8TP2hPizHp0FtZWUB+yCSzspnt7Sa+vLuKdhEdscaI5WMjlAD9GqK/Mn9j3/gpf4+8Cf8FFfAX7DXjn/gpb8Kv2sPC/xf0LV5vDXjbwNHo1tq/hfVtNt/tT2moQaPM9ubae3EhikKo7SRsvIQ5pfsv/ABa/4K3/ALfP7Tv7Unwf8Eftv6Z8L/A/wl+OGpaF4a8UQ/DHS9Y1V4gAIdMijnRIFggRfMeaZZp5WuUUOoQkgH6h15/+1H+1H8Cf2LvgTrv7S/7S/jn/AIRrwT4a+y/23rf9mXV59m+0XUVrD+5tYpZn3TTxJ8qHG7JwoJH54fFv9t/9qDx5/wAFFPiX+xt42/4KveDf2UrL4cWmiW/g2DxB4A0e4vviH9psVmn1RZ9YYW4j8/fGsFr8wwVJBQlvTP8Agqx8dP20P2Fv+CEvj744W/7UGjeLfiv4ZGkPY/E3TfA1hDa38F14ksoEl/s6YXNqGNlceW3DqWzIm07doB+gdFfFX/BSH9r39qWw/aw+Dn/BNf8AYd8SaJ4V8efFi01TWvEXxG1/RV1KPwnoNggLzwWbsqXNzLJujQSEoCmGHz74+R8E/tE/t5/sHf8ABRT4U/sZftpftF6Z8bPAfx80/V4fBHj5vBFnoGq6FrenW4uJLO5hscQTW8sTKEcIr73A4CMWAP0Dor8y/hL8ZP8Agqz+2n/wUC/ar/Zg+FX7Y2lfDPwB8J/Gul22ieKG+HOm6xqlqLiwEi6daxTIkJj3LJNLPc+fJzEkYQFmHXfsc/t8/tq6b8Fv2uPhD8erHTPin8Yv2WLi+XRtV0DQ/wCz18bwvpUl/pnmWcBIhuJTGUdIePnVVBYFmAP0Gor8tf8AgnT8fv2vf24vDfgf4yeEP+C+3w11zxNrENlq3i34Gaf8J9CA0xW2S3Wk7POTU4mjXzIhcOSSyb9pHB/UqgAooooAKKKKACiiigAooooAKKKKAPjP9v39lH4+/Gz/AIKU/sZfH/4Y+Av7T8I/CfxJ4uuvH+rf2paw/wBlQ3umW8Fs3lSyrLPvkRlxCjlcZYKCDX2ZRRQB+b/7IH7BP7WPwu/4JsftrfAHx38KfsPi34t/Ej4nap8PdJ/t2wl/tW01bTlh0+TzY52ig82QFdszxsnVwg5qp+xB8Vv+Cx/7LH7Fnw1/ZOsf+CMNxda14F8E2Gg/8JHr3x/8N2+nTSwQrH9oZLWS4nCZG7YqliOMjqP0rooA+Qf+CYf/AAT++Mv7N3jv4r/tiftj/EHQ/E/xz+OesWl54xm8LRSrpGh2FnEYbHSrEzASPHFGdpkcAvtjBBMe9/r10SRSjqGVhggjIIpaKAPyK/Y8/wCCSP7avw3/AOCiPhb4NfFbwFaQfsm/s/8AxM8WfEL4LamuvWco1G81QQNp2nNaJM1xF/Z8s97MkjxIpcS8kMm77W/bq8b/ALYWm+K4PAvw4/4JkeF/2iPhnqehRPqltqHj/S9Nu7XUhNOHje01WM29xAYvIKuJFYM0gIIxXb+P/j1+0X/w0XrPwF+BHwL8Fa+nh/wVouv6nq/i74k3ejEnUbvVbeOCKG30e+3hP7KdmdnTPnKAvykl3/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5w/4I2/sH/HX9lz4w/Hv9oH4ifArwx8EvC3xc1rR7nwj8A/B/iCPUrPwybO2khuLt5LdEtUmumZXKW42KFAJIVAPpv9uv8AY9+HH7fX7JPjj9kT4rXM9to3jXSPsrX9qgaWxuY5EntrpFPDNFPFFKFPDbMHgmqf/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfNPwb+NH/Bcb9ln4caZ+z/8AFH/gnT4f+PN/4ZsY9O034reDPjPpmiQa5bxKEhnvbPU0We3uCiqZWjEqs5YquMZwf+Co/wCzH/wU0/b2/wCCKfxH+B3jb4N+Dbj4y+LfEWmXeieA/A/iWP7JYadBq9jOtu99qDQRy3CQwyvJJlUZsiMY2ivrT/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegDwW1/b8/4LEy3McVz/AMECNbijaQCSU/tLeE22KTy2A+TjritT9lP9lH4+/Db/AILKftW/tWeNfAX2LwD8SvDfgm18Fa9/alrJ/aM1hpvk3a+RHK00PlyfLmVEDdVLDmvZv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDxn/gh3+yj8ff2Pv2W/Gvw5/aL8Bf8I7rOr/GzxPr+n2f9qWt35unXdwj282+1lkRd6gnYxDr/Eor7Mrxn/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegCt+2T8Sf27/ha3hjxL+xj+zR4S+KtiJbtPGnhnW/G39g6iVIh+zSWNzLG9ucHz/MSUDP7vaw+avj39pL4Cf8FLP+CtXxa+DHgz4/8A7EOjfs/fDT4V/FnTPHuu69rXxM0/xBrerzWAkEdjYxaaGS3WTzWDySOP4WAzHsk+y/8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APm74x/s1/tzfsZ/8ABRrx9/wUD/YZ+B+jfGHw18bfD2j2PxU+GN14wt9B1S21PSoWtrLUrG6ux9meP7OzI8MjIxZiQTuyvW/HD4DftN/8FY/+Cefxd/Zf/bA/Z1sfgXeeMrRLTwlYr42t/EU8UkDw3dteXb2iLEoF3DHmKNnJRD8+WGPZP+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD4n+NWg/8F0f2uP2MLj/gm747/Yq8H+CtR8TeH4fCvjz9oCT4q2N/o82m7VivL200uJBema4hDgRSKgQyn5hwV9V/aD/YA+KOk/tO/sFQ/ADwRLqnw+/Z1m1fTvE2rT6pawvpmnDQIdPsnaOWRJJy7RBSIUcg8kAc19B/8Jx/wUL/AOjX/gz/AOH41b/5l6P+E4/4KF/9Gv8AwZ/8Pxq3/wAy9AHkP/BXH/gn58Qf2wrH4WfHP4EaP4O1n4i/BHxfLrfh/wAK/EK283RPEtlcQiG+0u5Ox/KMsaRmOUqwR4xkDdvThfgjoX7UXiz4s+FtO1//AIN8/hF8LNPg1y1l1/xxqvj7w3fnTrdJVaSaxg060aeacAZiL+SAwBbGK+mP+E4/4KF/9Gv/AAZ/8Pxq3/zL0f8ACcf8FC/+jX/gz/4fjVv/AJl6APBP2zNa/bM+IXjPxF8KPHf/AAQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV1//BFf9iz41/sFfsMad8B/jxrGmnWH8T6rrFr4c0PUZryw8L2d3cGWHSbaeYBpY4QSS2Mb5HwWADt6Z/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AHkv/BV/9iz4/ftBah8Hf2qP2QLjRJfix8APHL+IPDWg+JLs29j4hsbiIQ6hpjzhT9neaJUCSkFVKkHbu3r5R47+Bv8AwUZ/4Kh/tN/BDVv2sv2RtN+Afwn+CPxBtfH99pd58RrDxFqvinX7NWFhFD/Z4MdvbRO8hdpGDOrkBQcY+sf+E4/4KF/9Gv8AwZ/8Pxq3/wAy9H/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6APJfgB+y38dvBP/BZn9oL9q/xP4F+y+APHHw38KaX4X1/+07V/tt3ZpILmPyElM8ewsPmkRVbPyk0fBn9lv47eFP+C1fxo/a31/wL9n+Hviz4P+HNE8P+IP7TtX+1X9rM7Tw+QspnTaCDueNVPYmvWv8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0f8Jx/wUL/AOjX/gz/AOH41b/5l6APSfijqHxB0n4Z+ItV+Evh6w1fxXbaFdy+GdJ1S8Nva3uoLC5toJpQCYo3lCKzgHarE9q+Cf2mfin/AMFuP2w/gF4n/ZN8Kf8ABLbw78KLvx/oV14f1r4k+KvjnpWr6Zo9ldxNBczw21jH9qnk8p32ZjXaxUkNjbX1b/wnH/BQv/o1/wCDP/h+NW/+Zej/AITj/goX/wBGv/Bn/wAPxq3/AMy9AGT4J+F3xA/4J6f8E8vC/wAFv2YPg/efF/xB8MvBmlaLofhgeILTRZvEDw+TBNMbm7byLYlTLcEMcfKUXkrXw7+wcP8AgsH+zz+2x8dfjr44/wCCOOpJov7QHj/RNTuZF+PPhdj4Xtre3NrK7hJ2a7wrmXCKjELtAJINffH/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AfJX/BcXwD/wAFSP2kvF/hH9lf9mP9lnXvFfwB1SwjvvjNqvg34j6LoeseIB50ynw/HJqF1E9tbskcTzTIj+alx5YICSK/u/7AfxK/aZtG039njxj/AMEmb/8AZ8+HfhjwwYvDt+PiX4e1a0iaJ4kisUttNneVSyNI/msNuY23Hc4z33/Ccf8ABQv/AKNf+DP/AIfjVv8A5l6P+E4/4KF/9Gv/AAZ/8Pxq3/zL0AfHPxR/4JRfGP8A4K1fGz4mfGv/AIKU6NrHw/0PRbK58M/s0+CtK8SW8934WXdHKfFk0ljPJCb+aaOIpF5hEccZjcNhGr3b9nL4g/8ABVrwX+wXqOm/Gv8AZn0TxR8efAeox6RpwufG1laaX8RrKG6iT+1ormFpWsJJrQyuUuIkYTpkxqr7V9Q/4Tj/AIKF/wDRr/wZ/wDD8at/8y9H/Ccf8FC/+jX/AIM/+H41b/5l6APjP9tXwR/wV0/4K0/BWb9hXxl+wVo/7PPgLxfqNiPiN8QvEfxY0zxDdLptvdxXLwadaacCWmdoUAebYuMqQu7ev2p+0x4/+P37N/wS0ib9kT9kG7+Mmr2d7a6Yng+18c6foL21gsEgN0brUCI3CGOJPLHzt5u4cK1V/wDhOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA+JP+CLHh7/gqj+yHNrXwA+P3/BLG/0Pwz4++Mmv+LtV+IA+M3h26j0C31FhKsTWVtPJNclGjVCUwTvztABqn/wVh+EX/BUH9rj9tbS/hXqf/BPzW/iV+yd4Kaz1I+GfC/xV8P6MfiJqwihnX+0/tt3HMljbTM8YtfLAleDzCzB49n3P/wAJx/wUL/6Nf+DP/h+NW/8AmXo/4Tj/AIKF/wDRr/wZ/wDD8at/8y9AFP8AYw+NX7UHxRtNW8P/ALQP/BPbUfgPp+g2lnD4ahu/HuiazFqKESK8USaXK4tlhWOIYcKCJQF+6cekfG/WPi94f+E2va38A/Bmk+IvGNrYNL4f0LXNUaytL+4BBEMk6qxhDDI37SAcEgiuD/4Tj/goX/0a/wDBn/w/Grf/ADL0f8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXoA/Pz9qn9i79tn/AIKL+P8AwHLF/wAEhvA37N/jLQfiJpXiHVf2hB8TNF1DVLCC1nEs0dp/ZUS3V3JKMhRceXHkDcFJDp6x8e/2av22v2dP+CtXij/gof8AAb9jPQv2g9B8ffDrS/D0OnzeN9P0TWPBVxZsd5t31EeU1tPkO4jYOXJJA2DzPqv/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegD5f/AOCbn7Ln/BQfwr/wVI/aC/bU/bV+GehaDYfFLwX4ch8PReG/EUF/aacbUOn9mBtyzyyQRCPzZ3hijkleQx5TBr0b/gh/+y38dv2QP2IpvhB+0V4F/wCEd8RN8SPE2qLp39p2t3m0u9Slmt5PMtZZI/njZW27ty5wwB4r1r/hOP8AgoX/ANGv/Bn/AMPxq3/zL0f8Jx/wUL/6Nf8Agz/4fjVv/mXoA8Z/4Iifso/H39kL/glV4V/Zt/aJ8Bf8I9410288SPe6L/alrd+Wt1q99cQHzraWSI7opo24c43YbBBA+DP2u/2VPjz+yl/waUeFf2Vv2gfDLeEfHeh+KNKttWsF1C2vTYSXHjJp4XEtrLJFJ+7mif5JDjOCQQQP1Z/4Tj/goX/0a/8ABn/w/Grf/MvXn/7TXwU/aV/bG+E1x8Df2jv2Jfgz4j8LXeoWd9caX/w0X4gs989rOlxA/mWvhuOQbZY0bAbBxgggkUAfOf7Z3wz/AOCyX/BRb4A/8O3vid+yV4S+HuheJruwsvij8fLH4lWd/YXum21xFNcS6XpaxreRy3JhBWOdFWMOYyxz5q+x/tE/sbfF/Wf+Cpv7G/xv+FHw88/4bfBvwx430zxVq39q2yf2St5o8Fpp6eTJKs0+94ymYkfbjL7RzXtP/Ccf8FC/+jX/AIM/+H41b/5l6P8AhOP+Chf/AEa/8Gf/AA/Grf8AzL0AfG3xN/YB/aB/ZI/bW+K/7RnwK/4J9fDf9pzwB8a9ag8Qan4X8Q6rpemeIPCmtCIR3T29xqkTW9zaTkCTZvR1c4AAXMnuv7MNn+1x4d+GHxK+Iejf8EtPhN8FfFi6Vbr8P/CGm+MbGefX7hBM0iald6daJDbR7vJEewzYLSM3QA+qf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB+fH7YX7GP7cH/BSXX/CWmL/AMEgPAv7O3jnTPHel65fftFn4naLqGpaRHa3KzTfYzpcS3l1JIAQon8tM4LBTh0/W2vGf+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegDyX4Afst/HbwT/wAFmf2gv2r/ABP4F+y+APHHw38KaX4X1/8AtO1f7bd2aSC5j8hJTPHsLD5pEVWz8pNeV+FvgV/wUT/4Jk/tafHDxt+yT+yZpvx7+FXx18bSeOY9GtPiJYeHdW8L+IbhAL8SnUAIrm2mdUZWjbegUDaSDu+rv+E4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD5Z/Zu/4J4/tY6F+zf+1/8c/2iNL0ST46ftT6PqTy+DfDeqJLZaLBDpFzY6PpIu5fLSWVFnKPOSsZLDnClz9Kf8Evfgz8Sv2df+CdfwV+BPxj8N/2P4q8JfDfStL8Q6V9shuPsl3DbokkfmwO8cmGBG5GZT2JrS/4Tj/goX/0a/8ABn/w/Grf/MvR/wAJx/wUL/6Nf+DP/h+NW/8AmXoA6P8Aa1/Z48Oftb/swfED9mHxZqUllp/j3whf6HcX8MYd7T7TA8azqpIDNGzK4BOCVANfn3pXhD/gubbf8E8NR/4Jg3n7Fvg9dW0z4bXHgey+PUPxTsX0zUdLjsmtI7iDTCq3YvZLYLEqzeVEJmEryIuVH3D/AMJx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQB8RfFT/gnX+2P4k/4IW/s6fscaL8HvO+JHgTxJ4KuvFfhz/hINOX7DDYXolu2+0NcCCXy0GcRyMW6KGPFfQn7Zf7Lnx2+K//AAVi/Yv/AGl/AHgb7f4J+E3/AAsX/hYGt/2naxf2V/amhQWtj+5klWafzZkZP3KSbMZfauDXrP8AwnH/AAUL/wCjX/gz/wCH41b/AOZej/hOP+Chf/Rr/wAGf/D8at/8y9AHkv7TP7Lfx2+IP/BYf9mP9qfwh4F+1+A/h54P8aWPjDXf7TtY/wCz57+zijtE8h5RNLvdWGY0cLjLFRzXnP7dH/BP742+G/2+h/wUg/Zs/ZX+Hnx4i8ReBYPC3xF+EXj27tLK4lNtN5lrqmmXl5FJBHOqHyZI5dqsijBJbKfUH/Ccf8FC/wDo1/4M/wDh+NW/+Zej/hOP+Chf/Rr/AMGf/D8at/8AMvQB5T+wtoHx11P403Pij4k/8Eg/hr+zvoNn4fnWz1yw8VaNqevXl88sIWFV0q3EcNv5Xnl2M7MWEYC4yaj/AOCLn7Lfx2/ZM/Z6+Ifgb9oHwL/YGqa78ePFniLSrX+07W78/Tb27WS2n3W0sirvUE7GIdf4lBr1r/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD4b8N/sBftIf8ABPj4wfErRPhV/wAEvPhj+1F8MvH/AI+1Dxd4Y1C91zRdJ8ReFpb5lkn0y4OrRGO6tUkBMLxybwrNuBJ2r618R/2dv2nPjr/wSp/aF+Elv/wT7+H/AMHfHXj7wlqul+EPh34G8SadcPfh7ERwG9vI4bW1WdpnlUDcURNuZOTX0V/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AeY/F79mX43+KP8Agh5rP7H2heCfP+It1+zGfCdv4d/tK2XdrH9gi0+zfaGkEA/f/J5hk8vvu28147+1P+wb+134o/4JvfsdaR8I/hlp2sfFD9mnxR8PfFmsfD7UfEdvZjVpNH0z7NeabHe5e3SXe5CyljHiNiC2Vz9Yf8Jx/wAFC/8Ao1/4M/8Ah+NW/wDmXo/4Tj/goX/0a/8ABn/w/Grf/MvQBufsr/Fj4+fGP4cXHir9o39lPUfg9r0WrS20PhbU/F2m61JNbLHGy3QuNOkeIKzPIgQkOPKJIAZc+df8Fav2NtU/bv8A2APiF+z94O/d+LptMXVvAF2s6wvba/YyLdWLJKxAh3TRLE0mRtSV+2a6n/hOP+Chf/Rr/wAGf/D8at/8y9H/AAnH/BQv/o1/4M/+H41b/wCZegD5+/4Ix/sr/tf+B9W+Mf7bP/BRfwBZ+HPjb8Z/FVmuo6LZ6raX0el6HplnHbWFuktrLLENxM8jBG5zGWAYEDzP/gvD4O/4KcfthfDvV/2N/wBmT/gmje+KvDFr4q8Pa3pvxPHxc8P2MV/9klgu5oRYXc0c8REgeDcxwSm8AqRX2b/wnH/BQv8A6Nf+DP8A4fjVv/mXo/4Tj/goX/0a/wDBn/w/Grf/ADL0AZv7PXir41ftjfB7xP4T/b//AOCd9n8NrK6uhYt4H8V+LtH8W2mvWRRXaSUWgeEJv+XypASSucYxXZfBT9jz9kj9muTVJv2c/wBlr4c+AH1yGOHWn8FeCLDSjqEabtiTm1hTzVXe+A2QN7Y6muf/AOE4/wCChf8A0a/8Gf8Aw/Grf/MvR/wnH/BQv/o1/wCDP/h+NW/+ZegD88v2GP8Agkr+2z8Lv+CgnhL4TfG3wLaw/ss/s3+NvGHi/wCA+pjX7Oc6pcatJCbCzltUmaeM2PnXkqyyRoPMDYyGXP0J/wAFK/8Agn58X/Gv7YfgH/go9+zb8DPAPxa8ReFfBl14O8Z/CX4jSwQW/iHRJLk3UL2V1cRSw2t7BcPIwaVdrJIRuXBD/RP/AAnH/BQv/o1/4M/+H41b/wCZej/hOP8AgoX/ANGv/Bn/AMPxq3/zL0AeJfsd6F+0Hr3x80jW/G3/AARP+GHwC0HTba5lu/GB8YaDqWsiZoWSOOzi0m2IQMzEPI8y/u2YBcnFaf8AwSy/Zb+O37OPxY/ar8TfGfwL/Y1j8Sf2kNX8U+Cp/wC07W4/tHSZoLdIrnEErmHcyMPLlCSDHKjIr1r/AITj/goX/wBGv/Bn/wAPxq3/AMy9H/Ccf8FC/wDo1/4M/wDh+NW/+ZegDwT9szWv2zPiF4z8RfCjx3/wQ78BftB+Borp18Ia/qHxO0GGOa3dF/4+bTVoC9rIGyC8JkzgEAEV83/EL/gkT+3D4b/4Nt/iL/wTw0Dw7pviX4neKPE9vrHhrwFofiWMWGgWb+JbDUP7JtrzUJIkaO3ghmkLOyguzqpclS/6F/8ACcf8FC/+jX/gz/4fjVv/AJl66T9l/wCMvif48fCT/hPPGngew8OavbeKPEGhanpGl64+pW0U+laze6W7xXMlvbNKkjWZkG6GMgSbSDjJAPmz/gpB+yF+1LfftYfBv/gpT+w94a0XxV48+E9pqmi+Ivhzr+tLpkfizQb9AHggvHVktrmKTdIhkAQl8sfk2Scj4J/Z2/by/bx/4KKfCn9s39tH9nPTfgl4E+Aen6vN4J8At43s9f1bXtb1GBbeS8uZrHMENvFEqlEDs+9AeQ7Bf0DooA+P/wDgnn+y38dvgZ+27+198X/in4F/svw78UfiRo+qeBdR/tO1n/tO0g03yZZPLhleSHbJ8u2VUY9QCOa5z9mf9m39sX9n39rf9uX9ojQPg/plxN8StY0DUvg9HrXiK3jtPEM1lozwOkzQPJLZp5+2MtLGpwdyqwGa+46KAPyP/bZ/Y0/bo/4KYroXhX/hz14E/Z98fweMdM1af9pBvihouoajoK210k8stk2mwre3UjqhVVmEaZYE4IDr+uFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRX5wf8Fev2Rv2N/ht8MdZ8TfCH4TXMv7U3xb8RSwfBbXND1y7Pid/EssomF1b3LTGS0sLQHz5wClrFBGUKgMikA/R+ivib/gpD+zT+z5P4NtvjT8aP8AgmL4i/aU8ey+GPsF5f8AgyK1+0ae1vDkSRm4vYZbQPI7lXsYpZwQTsJC59R/4JLatrOt/wDBNb4L6l4i+O8XxMv38CWi3vjaKWd/7RlUFWDNcok7PEQYWaZElLQsZFV9wAB0Xgf/AJSF/FD/ALIz4D/9O3i+vZq+ePgF8TvDfxR/b9+L+oeGtN8Q20enfCvwPY3C+IvCOo6O7ypqvi4lokv4IWni+YYmjDRMchXJU4+h6ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAor5w/bY/bY8Vfs2eKtJ8D+B/Cmn3l7eaeL66utVWRoliMjxqiLG6HdmNiSTgDHBzx6/8A/itH8b/AIQ6J8UY9JaxOq27tLaM27y5EkeJwD3XchIPoRXzeB4tyLMeIMRktCo3iKCvNcrS6XtLZtc0b22ut9bfRY3hXO8vyHD5zXppYeu7QfMm+trx3V+WVu9ntpfsKKKK+kPnQooooAKKKKACiiigAooooAK8Z/YP/wCSIa5/2Wb4j/8Aqa63Xs1eM/sH/wDJENc/7LN8R/8A1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr4lm/wCCbn7cWjfto+Pf20vBX7fXgGfXfFYOneHF8a/AO41abwloCuXi0eylj8QW0aRZw8siwo9xKN8mcKq/bVFAHz98WvgN/wAFBvFniSa8+E3/AAUD8PeEtIvdMt4LrTrr4KQalPZ3Kwqk1xZTtqEYi8yQNKEuI7kIW25ZQBXc/sh/sv8AgD9jD9m/wp+zJ8ML/UrzR/Cti8MV/rFwJbu9mlmkuLi5mZVVTJLPLLK21VUFyAAABXpFFAHjPgf/AJSF/FD/ALIz4D/9O3i+vZq8Z8D/APKQv4of9kZ8B/8Ap28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFc58Vvi38N/gd4FvfiX8WPF1roeh6eoN1f3ZOAScKqqoLOxPAVQWPYGrhTnVmoQTbeiS1bfkiKlSnSg5zaSWrb0SXds6OiuJ+BH7RvwT/aa8IP47+BnxAtfEGmRXBgnmgikikhkAztkilVJIzggjcoyORkV21OrSq0Kjp1YuMlumrNeqYqNajiKSqUpKUXqmmmn6NaBRRRWZofP37XHw+8G/FD48fCHwH4v0GK8t9SvtWN2hZkeSCG2SUpvQhgu7BwDXu2haFo3hjRrbw94e0yGzsbOFYrW1t4wqRIBgKAK8j+I3/Ez/AG3PhxY9f7L8M6xeY9PMVYc/pXs9fI8PYbDPO81xigueVZQ5rLmahRpaXte3NJu199dz6vP8TiFk2WYRzfJGi58t3ZOdarra9r8qSvbbTYKKKK+uPlAooooAKKKKACiiigAooooAK8Z/YP8A+SIa5/2Wb4j/APqa63Xs1eM/sH/8kQ1z/ss3xH/9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP8A8pC/ih/2RnwH/wCnbxfXs1eM+B/+UhfxQ/7Iz4D/APTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKK+cf+Cp/j74+fDf9ky+8R/s+S39vqA1WCPWtR0tT9psdOKSmSaNl+ZCJBCpccqrscjGR5j/AMEVP2gvjb8avAHjXQ/i/wCO7vxBFoF/Zf2Re6tfG4vR56zGVJHcmRkHlxlS2eWcA4GB49TOaNPOYZc4S5pR5lL7Ozdu/Tfo9DwKvEGHo8QwymVOXPOPMpacuzdu70Tu1onZH25RRRXsHvhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8m/8Fq/h1ofjv8AYN1zWda16WxfwtrFjq1gsabhdXBc2iwMPRhdN06MFPQGvrKvl/8A4KR/8V/rvwV/Zph+f/hN/irZ3OqQdfN0zTlNzdLj8YzntivZ4flOnnVCpF25JczflFSlL8E18zxOI4wqZHXpSV+ePKl5ycYx/wDJmn8il/wSo/YF8WfsP/DvxBd/EPxXa3+v+MJbOa9stOLm3sY4Fl8tAzqrNITO+87QOFAzjJ+raKK48wx+JzTGTxWId5y30t5Ky8krHbluXYXKsDDCYdWhBWV3d922+7bbCiiiuI7jxc/8TT/goEB1TS/hTn6SSah/8TXtFeMfDz/iZ/tu/EW+6/2X4X0izz6eYGmx+lez18xwt79HF1f58TXf3TjD/wBsPpeJ/drYSl/LhqC++Mp/+3hRRRX0580FFFFABRRRQAUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzv4x/4Kt/sC/D74iah8MvGnx5Om3mka+dE1jV7rwrqq6Lp2oiXyTa3GrfZfsFvIJDsKyTrhuDzX0RXxV/wU68e3/wC1pa61/wAEhP2bLK11Txj8QtCWP4p6/JAJbD4d+GLlsTX112a/uE8xLO1yHdz57FI49zAHrvx3/wCCmH7Fn7Nfj7Ufhn8X/ivfWWr6JaRXWvx6Z4M1jU4NHgkj8xJb24srSaGyQoQ+6d0G05zjmvaPCfizwv488Lab448EeIrLV9G1iwivdJ1XTbpZ7e8tpUDxzRSISro6MGVgSCCCK+dP21v2nZP2b/BWgfsifs0+EofGnxq8faQ+mfDvwdeSeZFBbxxLBLrerPg+Tp1su1pZGGZmCwxhnf5fSP2IP2Y9O/Yv/ZD+HP7Kml+JZtZj8B+ErPSH1adNrXksUYEkoXJ2KzliqZO1SFycZoAzPA//ACkL+KH/AGRnwH/6dvF9ezV88fALUvivqf7fvxfk+LPgvw9olzH8K/A6aZF4d8Tz6olxZjVfF2yaV5rK0MMpO4GJVkVQARI2SB9D0AFFFeR/teftrfBH9ifwbY+MPjFdahK2q3LQaVpOjWyTXd4yAGQoruiBUDLuZmAG5RySBW+Gw2IxleNGhFynLZLdmGJxWHwVCVevNRhHVt6JHrlFcD+zV+0r8K/2sfhXa/F/4QapPPpk87288F5CI7izuEALwSoCQrgMp4JBDKQSCDXfVNajVw9WVKrFxlF2ae6fYqhXo4mjGrSkpRkrprVNPqgooorI1CiiigAooooAKKKKACiiigAooooAKKKKACiiigAr5i/bB8L+IP2cPinp37fnws0ma5i0+BNN+K2iWi86noxIAuwvea3ODn+4oyQqNn6dqK/sLHVbGfS9Ts4ri2uYWiuLeZAySowIZWB4IIJBB6g1yY3CrF0ORO0lrF/yyWz/AEa6ptdThzDBLHYZwT5ZJqUZdYyWqf6NdYuSe5V8K+KfD/jfwzp/jHwnq0N/pmqWcd1p97btlJoZFDI4PoQQav18sfs5399+xf8AtB3H7Fvi68lPgrxTJPqvwg1O5clYCW33OkMx/iRmLpnkhuSTIqj6npYHFPFUbzVpxdpLtJb/ACe8X1TXmTluNeNw95rlqRfLOP8ALJb/ACekovrFp9wooorsPQCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvl/Uv+Lrf8FaNNs/9ZYfCj4VzXW7r5Op6nP5W32zajOfavqCvl/8A4J8f8XE+LXx+/aTl+dfEnxNbQ9NnPPm2Okwi3hdf9lt7fitevln7rDYrEdocq9aklH/0lSPGzT99isLh/wCapzP0pxcv/SnA+oKKKK8g9kKKKy/G/im18DeC9X8a3trJPDo+l3F9NDD9+RYo2kKr7kLgVnVq06FKVWo7Rim2+ySbb+STfyNKVKpXqxpwV5SaSXdtpJfNtL5nln7Pf/Ex/aR+NPiHr5ms6VZhv+uFmVx/49Xs9fFv7CP7V2oeLP2gPEHgzWPCsMY8eavdarFcW8jFrSVIWfymzwyeXGQDgHd7Hj7Sr4jw5znLs84ceIwk+Ze1rc2jVpSqzqde8Zwfz7po+08Qcnx+S8Qqhi48r9lR5dU7qNKEOn96El8uzQUUUV92fDhRRRQAUUUUAFFFFABRRRQAV4z+wf8A8kQ1z/ss3xH/APU11uvZq8Z/YP8A+SIa5/2Wb4j/APqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXzFq3/AAR5/YM1X4keLfi3b+C/H2k6/wCO9fm1vxbd+Gfjn4v0mPUr+U5ed4bLVYogcYUBUCqoCqAoAH07RQB83fEX/gkt+w58Uvi/d/H3xR4L8bQeMb/QrLRr/wAQaB8Z/FWkz3NjaRiO3hk+w6nCHChcksCWcs7FnZmPuPws+GXhT4N/D/S/hj4HOqHSdHgMNkda8QXmq3W0sW/eXd7LLcTHLH5pJGOMDOAAOgooA8Z8D/8AKQv4of8AZGfAf/p28X17NXjPgf8A5SF/FD/sjPgP/wBO3i+vZqACvn3/AIKB/wDBPzwb+3t4N0TRtZ8a3PhzWPDlzNJo+sQWQukRJhGJo3hLpvDeVGQQ6kFB2JB+gqK6sHjMTl+JjiMPLlnHZ/h102OXG4LC5jhZYbEx5oS3X49Ndz45/wCCVOkaV+zC3jT9gjxrYix8aeHNdm1xbsuRF4k064EccWoQBidoVY4o3QE7CFyS28D7Gr5//bs/Z68aeOdJ0b9or9n9Fg+Kfw1ma/8ADbKP+Qta4/0jTJcY3pKm4KD0Y4BUOxr0L9mb9obwV+1F8GdI+MXgdmjhv4il/p8zfvtOvE4mtZRwQ6NkdBuBVhwwr0s2bzGP9px1c3aov5alt/8ADNK8ezUo9EeXlCWWy/suWigr03/NTvt/ig3yy7pxl1Z31FFFeGe8FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB5j+1t+znYftL/AAiuPB9vqJ0zxBp1wmp+ENejJWTTNTh+aGZWHIGflbHO1iRyARn/ALGn7Rl9+0B8M5rXxzpw0zx14TvW0fx3ojAK1tfx5UyKv/POUAupHH3lBO0mvXq+X/2uPDuufswfF+w/b5+GmlTT6fHDHpfxc0WzTJv9KJCx36qOs1udvPUoACVUOT5ONTwVdY2Hw7VF3j0l6wvr3g2uiPDzFPL8Ssxgvdso1V3h0n60769XByX2UfUFFUvDfiLQ/F/h+x8V+GNUhvtN1K0jurC8t33RzwyKGR1PcFSD+NXa9VNSV1se3GSkk07phRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBynx1+I1v8H/AIK+LfircsoXw54bvdRAbozQwO6r7ksoAHcmvNf+CaPw5uPhj+w58PNH1BW+26lov9s30kn33lvpGuyX77gJlXn+7iue/wCCr2sahcfsqJ8INCuTFqfxL8Y6P4U09k+9uuLpXcAd8xwup9mr6N0XSNP8P6PaaDpNuIbWxto7e2iXokaKFVfwAAr15fuMiiutWo38qcVFf+TTf3HjQ/f5/J9KVNL51JOT/wDJYL7yzRRRXkHshXP/ABX8V2fgb4Y+IfGN/HG8WmaLc3LRSqCsmyJiEIPXcQBjvmugrxn9ua9ub74PWXwx02Zku/G/ifT9EhKfeVZJg7t9NsZBPo1eNxFjp5ZkOJxUNZRhLlXeTXLBfOc4I9jh/AwzLPMNhp6RlOPM+0U+ab+UIyZV/Yl/Z0+H/wAMfhR4f8fxeFIU8Uazokc+o6nIztIVm/ehAGJWPCsikIFzt5ya9wqKys7bTrOHT7KERwwRLHDGvRVUYAH0AqWryLJ8HkOU0cDhoKMYRSdkleSSUpO27k0229XfVkZ3m+LzzNauNxM3KU5N6tuybbjFX2UU0kloraIKKKK9Y8oKKKKACiiigAooooAKKKKACvGf2D/+SIa5/wBlm+I//qa63Xs1eM/sH/8AJENc/wCyzfEf/wBTXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/ykL+KH/ZGfAf8A6dvF9ezV4z4H/wCUhfxQ/wCyM+A//Tt4vr2agAooooAK+Q/ipFL/AME8v2oD+0RpEbRfCL4o6nFa/Ea0jH7rw/rLnbDqwA+5FKTtlPqSTkmNR9eVi/EX4e+EPix4E1b4bePtGi1DRtbsZLTUbOUcSRuMHB6qw6hhypAIwQK9DLsZHCVmqq5qc1yzXePdf3ov3ovo12bPOzLBSxlFOk+WrB80Jdpdn/dkrxkuqfdI2IZoriJZ4JVdHUMjo2QwPIII6inV8t/sSfELxf8AAr4h6l/wTy+Oesy3eqeGrQ3nw08Q3ZwfEHh/JCJnoZ7cAoyj+FDgERlj9SVnjsHLA4h02+aLs4yW0ovVSXqt10aaeqNMvxscfhlUS5ZK6lF7xktJRfo9n1TTWjCiiiuM7QooooAKKKKACiiigAooooAKKKKACiiigAooooAKg1TS9N1zTLnRdYsYrq0vIHguraeMMk0bqVZGU8EEEgg9QanopNJqzE0mrM+Wf2ZdU1L9jv49XX7D3ja/lfwnrpn1b4O6tdyE/udxe40lnPV4mJZM8lSSfvoo+pq8s/a9/Zyg/aS+E0nh3SdT/svxRo10mq+C9fjO2TTtTh+aJww5CsRtbrw2cZUVB+xz+0bP+0R8LWuPFmmf2V408N3j6R450Jxtey1GL5XIXtHJjep5HJXJKmvJwbeBxH1KXwu7pvy6w9YX07wa/lPDwDeW4r+z5/A7ypP+79qn6wvePem1/IetUUUV657oUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5Gf8ABWn4aftXfFX/AIKLr4Q+Glnr3iOS30HTtT8H6b4e8yVtGtztikmfy+LY/a45GMrFQA8eW+7j9UfhDp3jnSPhP4X0n4n6kl54ltfDtlD4ivI2BWe+WBFnkBGMhpA5z718/fsHf8Xh+P3xx/a3uP3ltrHi9fC3heU8r/Z2loI2kjP9yWRtx/2kNfUdfU8RZlOrh8PlrhFewjFNpauTinJP0ur95Xb1PkuGssp0sRiczjOT+sSk0m7pRUmotebs7do2S0Ciiivlj60K8V+Jv/Fd/tmfD/wOp32/hXRL7xFfRjoWkxbQE+6uCR9a9qrxX9n3/it/2ifiv8VW+eC11S28N6a/ZBaR5nUH3kZTXy/Ev+01cDgP+ftaLf8Agop1pfK8aa+Z9Nw5/s9LG47/AJ9UZJf46zVGPztKo/ke1UUUV9QfMhRRRQAUUUUAFFFFABRRRQAUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFYnxMl+I0Hw38QT/B+z0e48Wpod23ha38RTSx6fLqIhf7Mt08IMiwGXYHKAsELFQTgUAbdFfA2rf8Edfjx+1JcP4i/4KH/8FS/jB4k1KdRLJ4I+D+rr4P8AC9grZIiW2hWSe6CEMqzzS+YwBLDOQILf/gh9f/s6qvi39h//AIKkftA/C3WIpo0tbTxT4vj8UeHZ5XcIi3GmX6BZizMqLiRW+bA5IoA/QCvk79pr9vn9rL9lrRfGfxu8df8ABPiSf4Q+A7m5m1zxTZ/FGzbW5dJgciXVbfSRbmN4RGGm8uS7jm2D/Vhvlr3n9nCL9oq3+C+i2v7WF14SuPH8AuItfu/AyXCaXdbbiVYJ4Uuf3kZktxC7xksEkd1VmVQx/O/9uf8A4KRfsZ/tkftO+I/+CdnxZ/bA8DfDT4NfD7WUtvjhe+JPFUGnal431CCUMfDVlHI6yR2KOgF7dYBlwbeI4MklAH01+2x/wUT+M/7KWt+CfEvgr9jg+Nvhj4r1zw1pl58SZPiHaabHZTazqUdjEsViYZrm4aMTQynKxIVkAD5DY+rq/On/AILuftn/ALIPw6/Zz+H3ws8R/H/wjpWsaj8TPh74p0fRZdTjSSfQYPElnK9/Eg62yRW8zbxwFib0r7u+DPxq+E37RPwz0v4y/Az4g6X4q8K60kraTr+i3QmtbsRyvC5Rxw22SN0PupHagDgfA/8AykL+KH/ZGfAf/p28X17NXzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPoegAooooAKKKKAPEv24f2Z9b+PPgGw8YfCrUV0r4leBb3+1/AOtAhStyuC9rITwYZ1UIwPy52kggEHc/ZD/AGmNE/an+Ddr4/t9ObS9bs5307xb4emBE2kapD8s9u6nkAH5lzyVZc4OQPUa+Sf2mNJ1T9hz9oWP9ufwHp80ngbxRJBpvxp0WzjLCEFtlvrSIOrxs22THJDdMyMw9vBNZlhvqM/jV3Sfm9ZU/SW8e01b7Z4WOTyzFf2hD+HKyqryWkanrDaXeDv9g+tqKr6Rq2l6/pVrruiahDd2V7bpPZ3dvIHjmidQyOrDhlIIII6g1YrxWmnZnuJpq6CiiikMKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvlz9q3QtY/ZR+NVl+3l8PNNmm0S5SHSvjBo1nGWNzYFgsOpKg6ywHAJ6lMD5RvNfUdVta0bSfEej3fh/XtOhvLG+tnt7y0uIw0c0TqVdGB4KlSQR6GuTG4X63Q5U7STvF9pLZ+nRrqm0cGY4L69h+WL5ZxalCX8sls/TpJdYtoboWuaP4n0Sz8SeHtShvLDULWO5sru3cNHPE6hkdSOoKkEH3q3Xy5+yzrOrfskfG+8/YS8fajNL4e1BZtV+DusXkhYzWe4vPpbOessBJZR1K5PAKLX1HSwWK+t0OaStJO0l2kt16dU+qaYZdjfr2H5pLlnFuM4/yyW69OsX1i0+4UUUV2HeFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFeZftmfGhf2ev2WvHPxejuRFdaToE39mOT/wAvsuIbYf8Af6SOvTa+XP8AgoH/AMXd+L3wT/ZCtv3kPinxt/b/AImhXkHStLTz3jk9FkcgA/3o8V6OUUKeIzGnGp8CfNL/AAwTlL71G3zPMzjEVMNltSVP42uWP+KbUI/c5X+R6b+w98F2/Z9/ZN8C/Cu5tjFe2OgxTasjDkXs+Z7gH1xLK457AV6tRRXJia9TFYidafxSbb9W2/1OzDYenhMNChT+GCUV6JJfoFFFFYm5neLvEdl4P8Kan4t1I4t9L0+a7n5x8kaF2/RTXm37EPhy90T9nLRdX1cZ1DxDJPrV/JjHmPcytIrfjH5dcF/wU2+LvjP4e/CnT/BvhizC2nit7i11XUDHnyokVD5I7AyBm567UbHqOv8A2Cfih4o+Kn7O+n6j4q0mO2k0m5bS7SWGHYlzBDHGEkC9BjcUOOMxnp0r87XEOXYzxOWVe97Shh5Ne6+XmqShKWvlTUUns22k7pn6A8gx+D8Nnmnu+zr14p+8ublhGcY6edRybW6STas0e0UUUV+iH5+FFFFABRRRQAUUUUAFFFfCX7d//BWv4hfsv/tIzfBH4efDLRr+00OK1fXbrWjN5l0ZoY59luY3URgRyKN7B/mz8uBz5+ZZng8pw6rYl2i2lom9X5I8vN85y/I8KsRjJNRbUdE27vyXo36H3bRWH8MvHNl8T/ht4e+JWmWU1tbeIdDtNTt7a4x5kSTwpKqNj+IBwD7ityu6EozgpR2eq9Hr+p6UJxqQU4u6aTXo0mvwaCvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11uqKPZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACmyyxQRNPPIqIilnd2wFA6knsKdWD8VPhn4F+NPww8SfBz4oaEuqeGfFug3mjeItMeeSIXdjdQPBcQl42V0Dxu67lZWGcgg4NAHyR/wUO0b48/s/8Axi0r/gp3+x/rs/i698L+GYtB+Lnwah1JGTxh4WguLi6WawQnCarZvdXUsXeZJHizyEk8y+A/jv4k/wDBbX9oDwn+1Hq+p6x4B/Za+G3iqz1r4XeFbqf7Fq3xN8QWU6y2+r30YbdFpttcRq0Fuf8AXSRiR8gBV+Rvij4F/wCDSPwT491T4cfC/wDYa8a/F3UNDu2tdZn+EFt4q1qztZlPzJ9qW/SGXH96J3Xnr1r2H/gm78Af+DYX49ftMaBp/wCzF+zXe+CvjR4N1S28R+HfCXj688SaVq8NxZyrcxXMMF5dmG6MbxeYY1MmFjYumwE0Afr1RRRQAUUUUAeM+B/+UhfxQ/7Iz4D/APTt4vr2avGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABVLxJ4c0Lxh4evvCfijSYL/TdTtJLXULK5TdHPDIpV0YHqCpIP1q7RTTcWmt0JpSTTV0z5O/ZK8R69+x78cLn/gn58UdVnuNAvUm1P4K6/fSEm6sMlptKdz1mtySVHUpn7oMa19Y15L+2X+zHbftP/CQ6Do+rf2P4t0K8TVvA3iSI7ZdL1OE7onDAZCMRtcc8HOMquK37FH7Tlz+0j8MJ4/GukjR/HnhO9bR/H/h5wFey1CPKs6rn/VS7S6EZH3lBOwmvaxyWY4b6/Be+rKqv7z2n6T69pp/zI8PASeW4n+zpv3Hd0n/AHVvT9YX93vTa/kZ7HRRRXiHuhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeUfth/s5N+0Z8Kv7N8N6n/ZXjDw/eJq3gjXkO17DUofmjO7sj42N1GCGwSop37H37Ry/tH/ChdZ17TP7K8WaFdvpPjbQJBtk0/UoflkXaeQjEb168HbklTXqtfLf7UOkap+yH8dLT9ujwJYTSeGtWEGk/GLSLSMtvtdwS31VUHWSEkK3cqQONztXkYxPA4j67H4dFUX93pP1hfXvBv8AlPCzBPLcUsxh8DtGqv7v2anrC/vd6bf8qPqSiq+kavpev6Ta67omoQ3dle26T2l1byBo5onUMrqw4KkEEEdQasV6yaauj3E01dBRRRTGFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV8ufAH/i+P/BRv4tfHGX97pnw70ez8B+HpTypuCftV+R2DpLhCeu1se1fQXxb+Iuj/CD4W+I/ip4gI+xeHNEutRuVLY3rDE0m0e524HqSK8e/4Jh/DrWPA37H+geJfFoLeIPHVzc+LfEE7LgzXF/IZlcjqD5Pkg57ivYwf+z5ZiMR1lamv+3ven/5LFL/ALePFxv+05rhsP0jzVZf9u+7D/yeTf8A26fQVFFFeOe0FFFFAHh/7R2m6d8Tf2gvhf8ABrVtPgvdOW6vdd1qzuYhJE8cEJSEOjAhlZ2dSCMc17RpWk6VoWnQ6PoemW9naW6BLe1tIVjjiUdFVVACj2FeO/Df/iuP20vH3jJvng8KeH7Dw/Zydi0pNzMB7qw2n617VXynDVOnicTjsyaXNVrTinZX5KPLSir2vbmjUdr2u726n1HEdSph8PgsuTfLTowk1d256vNVbte1+WVNXte2l+gUUUV9WfLhRRRQAUUUUAFFFFABXx5qnwC+D37X/wDwUk8eX/xT8C2utaR8NfCOjaYlvI8kccuozs92sknlsvnFIy0ZR9y4IBXgY+wmZUUu7AADJJPAFfNv/BNBW8Y/D/x1+0RcAs3xI+JWq6pYzEcmwjl+z26e4Xy5APrXkZlTp4rFYfDTScXJzaaurQjp/wCTSX3HhZtRpY3GYXCVIqUXKU5Jq6tTjpdP+/OP3H0hbW1vZ28dnZ26RRRIEiijQKqKBgKAOAAOMU+iivXPd2CvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACvPP2uvhx44+MX7KHxP+EXwx1gad4l8VfDzWtH8Pag0xjFrfXNhNDBLuHK7ZHRs9sZr0OoNU1TTND0y41rWtRgs7Ozgee7u7qZY4oIkUszuzEBVABJJOAASaAPzA/YO/wCC3P8AwTC/Yr/Zf8D/ALGv7ULap+zp4/8Ah34Xs9G8T/DzxZ4C1GDZewRLHcXUU1tbyQ3Ec8qvMJt++XzN7AliaqfGj9uH9mj/AILE/ta/s8eAv+Ccfh3WvH2pfCv41aX4w8Y/GSDwjeafpfhbRLNZGvdPN7dxRPJJeqyQi3QFJPvEnyxj9BfE3xp/Y48aW8dr4x+LPwz1aKJt0Uep69p86ofUB3IFeVftUf8ABRz4JfsrWvwj8N/CFvB/jCT4jfG3w18PxpGg+K7aI6TBqtw0LX6xwLJ5ghIB8vCBiwG9aAPqGiiigAooooA8Z8D/APKQv4of9kZ8B/8Ap28X17NXjPgf/lIX8UP+yM+A/wD07eL69moAKKKKACiiigAooooAK+VP2yfB3ib9l/4uWf8AwUP+DujTXUFnbx6f8YfD1kvOraMCAL5V7z23B3d0UZKqr5+q6ivbKz1Kzm07UbSOe3uImjngmQMkiMMMrKeCCCQQeua7cBjHgsRztc0WmpR6Si91+qfSSTWxw5hgljsPyJ8sk1KMusZLZ/o11i2nuUfBvjHwz8QvCem+OvBesw6jpOr2Ud3p19btlJ4ZFDKw+oPQ8joa06+RvgJe3v7A37SZ/Y+8VXcn/Cs/Ht3Pf/CDU7mQlNMvGbfcaK7HoCzb4snksBlmkO365qswwawdZcj5qclzQl3i+/mneMl0kn0aJy3GvG0H7RctSD5Zx7SXbvFq0ovrFrqnYooorgPQCiiigAooooAKKKKACiiigAorxn9vHwl8WfGn7P11ovwgju5rz7fE+p2dgx866swrh40A5Y7zGSo5IUjnofM/+CY9/wCNfCv/AAlfwh+JE2oadeWi2l7pfh3WIJIZ4Yn8wSyokgBCEmLOOAef4ufisXxhPB8aUMhqYWfJVjdVtoc1pNQWlm/da+JS5rWi1dn2WE4ShjODq2eQxUOelKzo7z5bxTm9bpe8n8Lja95J2R9ZUUUV9qfGhRRRQAVU8QaBovirQr3wx4j0yG90/UbWS2vrO4TdHPC6lXRgeoKkgj3q3RSaUlZiaUk09mfL37Juv61+yv8AGW+/YK+I+pzT6TJHLqvwg1q8fJvNNLFpdOZj1ltzkgdSmThV2A/UNeR/tk/s5XX7Qvwwj/4Q3UhpfjfwveLq/gXXEIV7PUIvmVC3/POTARgcjlWIO0Crf7Iv7Rtr+0p8JIfFGoaadL8S6VcvpfjLQZAVk03U4TtmjKnkKT8y5/hYA8g48rBN4Ku8FP4d6b/u9Y+sL6d4Nfys8TL28uxLy6fw2cqT7x6w9ad9O8HF/ZZ6jRRRXrHuBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfMf8AwVI1O/8AFfwl8Kfsu+Hrp49R+LnjrT9BkMJw8Ngsqz3c/wDuqsaBvZzX0rpemWGi6Zb6NpVqkFraQJDbQRjCxxqoVVHsAAK+VNE8U+GP2mv+CqCXfh3xHYarofwU8BSiGSyu0mRda1GTy5dpUkHbbrsbHKum04PFfWVezmUZYbB4fCtWai5y9aj0+6EY/eeJlco4rG4nFp3TkqcX/dpqz++cpfcFFFFeMe2FNmmit4XuJ5AiIpZ3Y4CgckmnV57+1f41Pw//AGcvGHiWOXZKNFktrZweRLPiBCPcNID+FcWZY2nluXVsZU+GnCU36Ri5fpb5nZl2CqZjmFHCU/iqTjBespKP63+RzP7DkMus/DDWfivdxsJvG/i/UdXBcfMIjMYo1+gEZx9a9orl/gn4LHw6+EPhrwOYtkmmaJbQTjGMyiMeYfxfcfxrqK4eGsFUy7h/C4er8ahFy/xyXPP/AMnnI7uI8bTzDPsTiKfwOcuX/BH3If8AkkIhRRRXtnihRRRQAUUUUAFFFFAHmP7aPxK/4VD+yj4/+IEdx5U9n4YuY7KTONtzMvkQn/v7IlWf2Rvhr/wqD9mLwJ8OZLfyp9N8MWi3qYxi5eMST/8AkV3NeY/8FI/+K30H4a/s5w/P/wALB+Jum2upQf3tOtmNxctjvt2RHFfSdeXS/fZvVn0hGMfnJub/AAUTxqH7/Pa0+lOEIL1k3Ul+Cggooor1D2Qrxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK4D9q74Nf8NF/st/Er9nz7QsX/Cd+ANZ8O+azFQn22xmttxI6Y83Oa7+sP4m+G/E/jL4b+IfCHgnx5c+Fda1XQ7uz0jxPZ2cVxNpF1LC6RXiRTAxyvE7LIEcFWKAMCCaAPz7/AGJP+Dc//gnj4f8A2Svh94e/bC/YR8DXnxO07wzb2njW/stVvJ47y+iXy3uA6TKrGQKJDhQNzkYFWfj/AP8ABvR+x7oXjf4K/FT9gv8AZr8D+BPFHw/+PvhXxZ4j1ebUb5Hn0HT7z7ReW0OTMHmfbEUVgoJXl177+r/tO/8ABdH9kqQ+Gfiz+wD4P/aS0i3Oy1+IPwf8axeH76eIcK93pGoByJ2xlhbyGJSeOOKZpn7cP/Bbf9o6QeGPgL/wSW0T4RpMdr+O/jt8S4Z7Wz9T/Zmmp9qmbHIwyrnAJAyaAPvuvhv/AIKN65+3T+xv8CPiX+3Pof8AwUFtvsvhCSXVPDPwr1H4aaWui6jAbhVtdGlnCtqEt1PuS3WeK4jzLIpEQHy19Wfs3+BPjF8Nfgvovg74/wDxr/4WJ4xtxcSa74vGgw6Yl7LLcSzBY7WElIYokkWBFyzbIVLMzFmPxD8ZtM/b2+Lv7fV38UP2g/8Agmn4+8c/C34Va7v+BvhTwt498IJpl/fx7l/4SjUUvtYgllusE/ZYHiVbVWL4MzFlAPQdZ+Kv7Zf7Z/7X3xC/Z9+AX7Q0/wADtG+EHgzw7Prc9r4Q07Wb/VfEWsWst6ttP9vjkjSztrdIA6RLHLI87YlQKK9i/wCCbX7UPi79sT9jLwh8c/iPodjpvim4fUdI8W2Wmbvs0eraZqFzpt40IYlliee0kkRSSQjqCSRk+QeIvBf7ZX7Ln7ZHxH/as+AX7I1z8T9F+OXhDw9JrXhi38baVpWoeF/EWl20tqone7mWGa0lt5IFeSB5ZEe2bbHIrAn17/gmz+y94v8A2O/2MfCHwM+I+t2Oo+KYH1HV/Ft7pm77M+ranqFzqV4sJYBmiSe7kjRiASiKSATgAF7wP/ykL+KH/ZGfAf8A6dvF9ezV88fAL4R/Cj4Qft+/F/TfhN8MfD3he21T4V+B9Q1O38O6LBZJeXkmq+Lg9xKsKKJJWCqDI2WIUZPAr6HoAKKKKACiiigAooooAKKKKAPN/wBq39m7wt+1T8GNR+FfiK5eyumZbvQNagyJtK1GLJguoyCCCrcHBBKsy5Gc1yP7DH7SPin4u+E9V+EnxttksPil8O7tdK8baecD7SQP3OoRdN0U6AOCABuzgBSufdq+Yv25vhb41+GXi7Sf2/P2f9Ha58VeCbUweMtDt/l/4STw8TunhYDrLEAZEPJG3oxRFr2cvnDGUXl9V2u702/sz7N9Iz0T6KXLLueJmVOeCrrMaKvZWqJfah3S6yp6yXVx5o9j6dornvhP8UvBPxs+G+jfFf4dawl9ouu2KXVjcL12nqjD+F1YFWU8qykHkV0NeROE6U3Cas07NPdNbo9inUhVgpwd01dNbNPVMKKKKksKKKKACiiigAooooAK8r/aV+D/AIi8Uw6f8XPhO62/jrwkxn0iToNQg582yl/vI4Jxnox6jcTXqlFefmmW4bN8DPC172lazWkoyTvGcX0lGSUovo11TafflmY4nKcbDE0bXV7p6xlFq0oyXWMotxkuz6NJrkvgl8YPDvxv+H9p450BGgdyYdR0+b/W2N0nEkDjggqfUDIIPeutrwX4t6ZqP7MHxQk/aR8H2MsvhXXJUh+IukWyE+SxOE1KNR/EpOHA65J6sWX3PS9U07W9Mt9Z0i9iubS7gWa2uIXDJLGwBVlI6gggg152RZlia/tMBjrLE0bKVtFOL+CrFfyzS1X2KinB7Rv6Gd5dhqHJjsFd4atdxvq4SXx0pP8Amg3o/twcJreVp6KKK+hPACiiigAr5Z/aU03UP2Nvj9bftt+DLGVvB/iJoNK+MOlWsZIRCwS21dUHV42YI+OSDgDLsw+pqo+JvDWg+M/Dl/4R8U6VDfabqdpJa39ncLuSeGRSrow9CCRXHjsK8VRtF2nF3i+0lt8ns11i2uxwZjgnjcPaD5akXzQl/LJbP0esZLrFtdixpupafrGnW+r6TexXNrdQpNbXMEgZJY2AZXVhwQQQQR1BqavmD9kPxLr37M/xa1D9gT4n6rNcWltBJqfwl1u7bJ1HSCSXsmY9Zrc5GOpQEgBVXP0/TwWKWLoczVpLSS/lkt1+qfVNPqPLsasdhudrlmm4yj/LJbr9U+sXF9QooorrO4KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK5X466LN4k+CHjLw7beKv7Ckv/AArqNtHrmSP7OZ7aRRcZXkeXnfxz8tdVXzz/AMFQfiBrXhP9krVPAvg98+IfiLqVp4P8PwhsGWe/k8t145/1Am6d8V25bQnicwpUoOzco69tU2/RJNvyWpw5nXp4XLq1WaulGWnfRpJebbSVtbvTU+Kf+CLP7D/7ROm/Gnw/+15rkA0XwSdJvGs3e/RpNcWWOW3VPKRi6IsmJcyhcmJCoOQR+rlYXwv+H+i/Cj4baB8MPDibbDw9o1tp1p8uCY4YljBPuQuT7k1u13cQ51Wz3MpYmaSS92Nlb3U3a/d66/5Hn8OZHR4fyuOFpttv3pNu/vNK9uyutPvd2wooorxD3grxX9sT/iqrz4d/BuP5v+Em8cW0l7F132VqDNMMf98H8K9qrxW//wCK6/bvsLbG+18C+B5bjd/zzvLyTy8e2YRn8K+X4u/fZXDBLfEVaVL/ALdlNSn/AOU6cr+T8z6bhT9zmc8Y/wDmHp1an/byg4w/8nqRt6eR7VRRRX1B8yFFFFABRRRQAUUUUAFFFVNf13R/C2hXvibxDqMVnp+nWkl1fXc7YSCGNS7ux7AKCT7Ck2krsTaim3sj538Xf8XR/wCConhPQB+8s/hh8OL3WHbqsd9qEotQh/2vJAcewr6Tr4f/AOCff7XHwV+Nn7afxf1i21q5TXPG17aDwpFeWxRbnS9Pt2jAQ5+WQrmVkIBwM8kMB9wV4+SV6OLoVMRTkpc9Sb08mopf+AxT9GeBw7icPjsNWxVKal7SrN6O+zUYr/wGKfpJBRRRXsn0AV4z+wf/AMkQ1z/ss3xH/wDU11uvZq8Z/YP/AOSIa5/2Wb4j/wDqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFfA37cvhn4jftw/wDBTnw1/wAE2dT/AGjPG3w3+GWl/A+X4ieJovhzrZ0vVPFl2+rnTYrF7xQXjtYFTzZET75nQN/CyfPn7Mnxy+LvhH/glD/wTm+KGjfGLxOniDxB8evD3h/XIR4guT/wkem6jc6nbXkF5HvxdokWJx5gbyzbBhgigD9fKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9ezV4z4H/5SF/FD/sjPgP/ANO3i+vZqACiiigAooooAKKKKACiiigApGVWUqwBBGCD3paKAPkLwgx/4J0ftTj4Z3beR8GPi7q7S+F5mOIfC/iF+Xss9I4LjGUHADAAABZGP17XFftDfAfwL+0t8H9a+DPxEtC+n6xbFFnjA820nX5oriMno6OAw7HGDkEg+V/sJfHjx1qg1v8AZM/aIux/ws34bFLe9unJxr+lnAttTiJ5cMpUOeSGILYL7R7mJ/4VMH9bX8Wmkqn96O0anrtGfnyye7Z4OF/4Scb9Tf8ACqNun/dlq5U/TeVPy5or4Uj6Jooorwz3gooooAKKKKACiiigAooooAh1LTrDWNPn0nVbOK4tbqForm3mQMkqMCGVgeCCCQRXhXwq1G//AGWvinH+zt4rvJJPB/iCeSb4earcOT9mkJy+myMe4JyhPXIHJbC+91ynxq+EXhv43fD+88B+I90Xm4lsb6IfvbK5XmOeM9Qyn3GQSOhNfPZ7lmJxHs8dgbLE0buF9FOL+OlJ/wAs0tHryTUJraV/fyTMsPQ58FjbvDVrKVtXCS+CrFfzQb1X24OcHvG3V0V5T+zV8XvEniIaj8Gvi3th8c+EyItS7LqVtwIr6P8AvK4I3Y6MRkDcAPVq9HK8zw2b4GGKoXSd009JRknaUJLpKMk4yXddU035+Z5biMpxssNWtdWaa1jKLV4yi+sZRacX2fRppFFFFegcAUUUUAeP/tnfs56l8fPhtb6l4A1EaZ498IXo1jwJrSkK0F9Hg+SzH/llKFCMD8v3WIO3B0/2S/2i9N/aY+EFt42bTjpuu2M76d4s0KQFZNL1OH5ZoWU8gZ+Zc87WGecgem18r/tDWV5+xX+0PB+2V4VtJP8AhBvFssGl/F3TbZCVtXLbLbV1Ud1ZgkmByG6FpCR5GLX1DEfXI/A7KovLaM/+3b2l/cf908LHp5Zi/wC0I/A7Rqry2jU9YXtLvB3+wfVFFRWV7Z6lZQ6jp13HPb3ESyQTwuGSRGGVZSOCCCCCOualr19z3U01dBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXy38Yv+L7f8FMfhv8ACWM+dpHwq8NXfjHW0HKNf3BFtZRt6On+uX2Y19RsyqpZmAAGSSelfLv/AATdB+LGu/Fn9su7HmD4jeOpbXw9Oed+i6aDa2rA9skSggcZQda9jK/3FDEYv+WPLH/FU938I87PFzX/AGjEYfBr7c+aX+Gn734y5EfUdFFFeOe0FFFFABXiv7KP/FXePvip8YnG4ax4yOmWch/jtrCMRIw9juP5V1P7TXx60f8AZ0+Fdz4+1OykuZ5ZxZ6Xax8ebdOjsgYn7qgIzE88L0JNecf8E1/if4X8Y/Ar/hB9Ktp4tT8OXLHWGnO7z3uZZZVmDd84ZcHkbO/Br4XM84yytx3gMplVXtYQq1eXq5OChBbWvyurNK+ybPt8tynMqPBGOzSNJ+znKlS5uiipuc3ve3MqUHpu0j6Iooor7o+ICiiigAooooAKKKKACvLv22fGnhvwB+yP8RvEfi2FZbE+Eb20e3Zyone4iNvHFkcjfJKi5HPzV6jXzR+3b/xd74r/AAh/ZFtv3kHiXxX/AG94oiHI/srTV85o5PRZZCFB/vR15+aVZUsBU5fikuVesvdX/pV/RM8vOq8qGWVeTWUlyR85T9xfjK78kzgP+Cd//BK7Sf2dvE/h/wDaR8d+O7nUvEZ0FJrTRF04W8ek3FzbbJld/MYzsqyPGDhByTgnGPtaiiqy7LcJleGVDDxtHd+b0u362/yKynKcDkuDWGwkOWO73u3ZXbv1dv0WgUUUV3HpBXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAfDP7dXwS+E37b37f8A4b/Zcj13x78Lvit4E+EsvjrwL8dPh74iSyvra2uNSOnXWk+UyMLqAlIpJUf5QJYwCvmMWqf8E+/+CD/ww/Yq8VeCfGnxI/ah+IXxfuPhbZXNr8KdE8W3EUGi+ERcBhNcWljECv2lld1852YgNwAVVgn/AAVr/wCCfvhf44/FTwp+2n8Q/wDgqd4l/Zw074daL/Z2k6ppmpWGmW9pcTSzNPN9uuHjdTcI0MTwb/LkW1iyrEVxH7En7Pmq/Gr4o6N47+Bv/ByJ40+NOn+ENdsdS8ReENI1fRL6K9tYrhHe1u1tyZYoZgpiLYBIc4OaAP0pooooAKKKKAPGfA//ACkL+KH/AGRnwH/6dvF9ezV4z4H/AOUhfxQ/7Iz4D/8ATt4vr2agAooooAKKKKACiiigAooooAKKKKACvnX9u74E+Or46J+1x+ztZ5+Jnw23z2tpGDjxBpRybnTJQvL7lLNGOSGLBcM4YfRVFdWCxdTA4mNaGtt09mno4vyaun9+6RyY7B0sfhpUZ6X1TW8WtYyXnF2a+7Zs4v8AZ7+O3gX9pT4QaL8Zvh3eGTTtYtQ5hkI820mHyy28gHR0cFT24yMggntK+QfFIP8AwTn/AGqD8QrUGD4L/F7WFj8RxLxB4X8RPwl5jpHb3GMOeApBJICIp+vgQwDKcg9CK6MxwlOhONWhrSqK8X1XeL/vQej7q0tpHPlmMq4iEqVfStTdppbPtJf3ZrVdnzR3iFFFFeaemFFFFABRRRQAUUUUAFFFFAHk/wC0t8JPE2tnTvjX8IVWLxx4TzJYLj5dUteTLYyY+8GGdvoxOCN24dd8GPi54a+Nvw/svHvhksiTgx3llKf3tncLxJBIOzKfzBBHBFdVXgfxRsL79lb4qyftBeF7OR/BniO4SH4g6XboSLOYnampRqPc4kA65zyWyvx+ZRlw5mEs2pr/AGepb6xFfZeijiEv7qtGtbeHLU3pu/1uXNcQ4COV1H+/p39hJ/aWrlQb/vO8qN9p80Nqit75RUOn6hY6rYQappl3HcW1zEstvPC4ZJEYZVlI4IIIINTV9fGSkk07pnybTi2mrNBRRRTEFZ3i7wn4d8d+F9Q8F+LtJhv9L1WzktdQsp1yk0LqVZT9QT71o0UpRUotNXTFKMZxcZK6Z8x/sdeLPEX7O/xO1H9gL4r6tNc/2VbtqHws1u7bnVdEJJ+zFu81vypUfwqcAKgJ+nK8b/bS/Z11n44/D6z8TfDS+GnfELwVe/2v4F1YEApdJgtbOTwYplUIwPy52k5CkHc/ZT/aJ0X9pv4PWXxCtLE6fqsEr2PibRJQRLpepRYWe3dTyMN8y55KspODkDysDJ4Os8DN6JXpvvHrH1ht5xcX0Z4mXSlgMQ8uqPRK9JvrDrG/endLu4OL6M9Iooor1j3AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPFf+Ch/wAYLz4J/seeNfFGiO/9r3+m/wBj6FHD/rXvbxhbRlB3ZfMMgH/TM12P7M3wfs/gD+z94P8Ag3aIgPh7QLe1uXj6SXAQGeT/AIFKXb/gVeK/tcf8Xu/bY+CP7MEP72w0O8n+IHiqHqFiswYrHcO6tcM6kHjkda+o69jFf7NlNCh1m3Ufp8EPwUn8zxcJ/tOcV6/Smo0l6/HP8XBfIKKKK8c9oKKKKAPCv25NMsviPpXgv4ALAr3vi/xZDiQKDJa2tupe5nTIOGVGx9Gau4+AX7OPw2/Zw8PXPh/4ewXbm+mEt9fahMsk9wVBChiqquFBOAFA5PcmuP8AA/8Axdb9svxP44b95pvgDR4tC0w/wm9n/e3Lr/tKP3R9iK9tr4nI8twGZ55is/qUoupzulSm1qqdJezk0/79T2mu9opJpaP7PO8xx2W5Lhsip1ZKnyKrVino6lV+0imv7kPZ6bXk203qiiiivtj4wKKKKACiiigAooooAK+aP2bv+L2/tx/Fv9oaX97pvhFIPAXhmXqA0JE9/jtkTlcEdmr2X9ob4sWPwL+Bvir4u35TGgaJPdQxydJZwpEMf/A5Ci/8CrjP2APhNffB/wDZO8J6Jr4dta1WzbWtflmH7yS8vGNw+/1ZQ6xn/rnXl4n/AGjMqNHpC9R/L3Yfi5P5Hi4z/as3w+H6QTqy9V7kP/JpSl/26ey0UUV6h7QUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH5qf8FB/D37J3xH/AOC1/wAJvh5/wUpm0Gb4VRfBC9vvhVo/j+5SPw5qPjP+1xHeJMsxEE9wtj9l2RTZU+YcAsUB5f8AbR+GP/BOT4L/ALdX7Kus/wDBO3w98OPDPx21D436XY6jo3wfjs7WW+8GSRT/ANtvqNrYYjNutsCwllXduQBCQr4+sv2nbr9lf9sD9rG1/wCCX37Rv7L2j/EGzPwwf4hahqHiGKKS30mL+0P7Ot1hBXzVuJX+0YkjZCqROMndg8UP2e/+Cdn/AARn8W/DjxF+zr+xB4f0KX4tfE7Tfh9deKtIYvf6XLqIl+zM01yZJmt3nhjjaNJFG6SNiG28AH2tX59f8FtP2UvgJqeq/B39rrUvAz3HxC079ob4a6Rp+uz6vdutrZnxLbbkitjL9njZhI4aRYw7A4LEAY/QWvlX/go3+wp+1L+25feGNF+F/wC2P4a+HnhTw14h0LxJHoupfCRtcup9b0vUTewXBuhqtqFgYpbo0HlE/u3PmfPhQDxr/gpRP+zLd/8ABSX4e6B/wU71vSLT9nqf4QanJ4Si8c6gbbwvceNF1GLzheszLA1yun7TbLcHHM5j/eV0P/BAX45p8Xf2fPi74L8MaxrWoeBvhv8AtCeIvDXwqu9fe4e4HhcR2l7p0W+5/fPGkV7tiMhLCDyR2AHuPjz4Fft7+J/hr4W8O+Hv23fBOneI7C2uY/GOs3nwOF5Za1I8qtBNb2baqrWTxINozNOrE7ivAA6z9kT9lnwt+yN8KJvh7ovinU/Eeraxr994h8ZeLtbEYvfEGtXsplu76ZYlWNCzYVY0UJHHHHGowgoA4n4BfE7w38Uf2/fi/qHhrTfENtHp3wr8D2NwviLwjqOju8qar4uJaJL+CFp4vmGJow0THIVyVOPoevGfA/8AykL+KH/ZGfAf/p28X17NQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBzvxb+FXgn43/DbWfhP8RtIW+0XXbF7W+t24O08h1P8LqwDKw5VlBHSvBv2Gfip42+HHivVv2Bv2gtXa48WeB7VZvCOuXHH/CS+HidsFwpP3pYgBHIMkjaOWKu1fTdeEftz/s3+Kvi14W0n4wfBC4Sw+KXw6u21TwXf4x9rwP32ny8jdFOgK4JA3YyQpbPr5bXpVISwWIdoTd039ieyl6P4Z/3WnvE8fM6FalUjj8Or1IKzivtw3cf8S+KH95NbSPd6K85/ZU/aQ8K/tUfBfTfit4bt3s7iQta67o0+RNpWoRYE9rICAQVbkZAJVlbAzXo1ebXoVcNWlSqq0otprs1/X69T0sPXo4qhGtSd4ySafdP+vzW6CiiisjYKKKKACiiigAooooAKr6tpOm69pdzoms2MV1Z3kDw3VtOgZJY2BDKwPUEEirFFTKMZxcZK6ejXdMcZShJSi7Napng3wf1bUv2Zfien7NPjO+ll8MazJJP8OdYuXJ2c5fTZGP8AEpOUz1BA/iVR7zXI/G/4PeH/AI4fD+68E65I9vKWE+l6lDxLYXacxzoRggg9cEZBIzzXNfs1fGHxB4uttQ+FPxVjW28deE3FvrUPQX0X/LO9i6bkkGCcdCegDKK+SyuUuHcwjlFV/uJ3eHk+ltZUG+8FeVK796neGrpa/WZnGPEGAlm1Jfv4WWIiut9I10u03aNW3w1LS0VTT1Oiiivrz5IKKKKACvlb4721z+xD+0fF+1v4dt3X4e+ObiDTPixYwISmn3RbZbauFHTltkhHXcThmkBH1TWX418GeGfiJ4R1LwJ4z0iK/wBK1eyktNQs5h8ssTqVYe3B4I5BwRyK4sdhXiqK5HacXzRfaS/R6qS6pvsjz8ywUsZQXs3y1IPmhLtJd/7rV4yXWLfVI0bW6tr22jvLO4SaGZA8UsThldSMhgRwQRzmn18zfsZeMvE3wI+Iep/sB/F7V5bm68P2xvvhrrd0cHWdBJO2LPQzW+ChUfwqcDbHk/TNXgsUsXQU7Wa0kusZLdfJ7Pqmn1Ly/Gxx+GVS3LJNqUesZLSUX6PZ9U01owooorqO0KKKKACiiigAooooAKKKKACiiigAooooAKKK8B/4KUfteap+xf8Asz3HxL8N6Et/rOq6pHo2ieaxEVtczQzSCeTHJVFhc7RjLbRkAk104PCV8fi4Yairzm0l6v8Ap/ccuNxlDL8HUxNd2hBNv0X9JfM5n9iX/i9P7Unxx/axuP3tm3iGPwV4UlPRbLTlH2h4z3SWdlfPqpr6kr4f/wCCFP7Qtj8Tv2atS+DCeEvsF34AvUNzqCSFl1IX0tzMJWLc+aGSQNyRjZjHQfcFenxJRq4bOatCatycsUv7sYpRfzXvesmeVwxWpYrJKWIg7+05pt/3pSk5L5P3fSKCiiivDPfCsb4ieNNN+HPgPWPHmrkfZ9I02a7kUnG/YhYKPckAD3IrZrxT9sqebxla+EP2d9OlYTeOvEkUeoKjYYabbET3LDHphPrzXjcQ5jUyvJa2IpK9RK0F3qTahTXznOPyTPXyDL6eZ5xRw9V2pt3m+0Ipzm/lCMvm0a/7GngvUvCnwI07WfEIJ1jxRcS6/rEjDBee6bzAT6ER+WCPUGvVKbBBDawJbW8SpHGgWNEGAqgYAA7CnV05Tl1PKcro4Km7qnGMb92lq35yk5SfnJmGa5hUzXM62MmrOpJyt2TeiXlGKjFeUUFFFFegeeFFFFABRRRQAUUUUAfNH/BQZj8VfEvws/Y/syZF8feMkvfEUK850bTgLm4VvTcwj2k8EoRzX0sqqqhVUAAYAA6V+XvwT/4KSz/F3/gpzovxD8QfDkf2ZrUCeDPDdqJW8/TIbi7UpcsD8rSM7fvMAYRiATt+b9Q6+fyPHYXNKuIxNGV/eUfSMV7v33lI+X4czLBZzXxeMoS5vfUNmrRhH3d/5m5y+avqFFFFfQH1AUUUUAFeM/sH/wDJENc/7LN8R/8A1Ndbr2avGf2D/wDkiGuf9lm+I/8A6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFeW/tyfE7xJ8Ev2KfjB8Z/BkjprHhH4W+INa0po1ywubXTbieIgdzvjWgDwT9vv8AZe/bY8PftVeE/wDgo3/wTph8J69470TwTP4L8b/DjxxfPaWfinQHu/tkK290vFtdwXJkdWfCsJSCcApJ574c+Cv/AAVb/wCCif7Q/wAL/F37f3wI8DfA74U/CLxva+NbbwVoHjJNf1nxNr9mr/YGluYAIYbSGRzKV+8zKAQ2Q8eX+2V+1/8AHL9j/wD4N4PCXxe+H3xZ1XxF8WfGfw88KaP4c8XajeG4vb/W9aS2827SR8kyKk1zNF12mOMdFrzm7/4J+ePf+CNHxT/Zv/aF+FH7aPxa8bar49+MmgfD7416J458WvqGl+JV1oSQPfxwOoMUsFyFkjJZ2CdXOH3gH600UUUAFFFFAHjPgf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB8i/Hazu/2A/2lh+134XtZB8MPiBeQ2Hxc023QlNKvmbZb60qjoCzbJcDksT8zSLt+trO8tNRtItQ0+6jngnjWSCeFwySIwyGUjgggggjrVDxr4M8MfETwjqXgPxro0Oo6RrFlJaajY3C5SaGRSrKfwPUcjqOa+Z/2MvGfif9mT4s3v8AwTu+MmszXUen2z6h8IPEN43Or6ICSbNm6Ge2wRtH8CnACopb3J/8KuB5/wDl9RWvedNaJ+cqeifeFn9lngw/4SMf7P8A5c1np2hUerj5RqatdFO6+2j6rooorwz3gooooAKKKKACiiigAooooAK8k/aV+FHie9udP+PPwdhC+NvCiloYAPl1ey6y2UgH3sjJT0YkDBII9borzs1yzD5vgZYatdXs1JaShJO8ZxfSUZJNP1TunJP0MrzLEZTjY4mlZ2unF6xlFq0oSXWMo3TXo1ZpNcx8H/iv4X+NXw/sfiB4UmPkXabZ7aQ/vLWdeJIZB2ZTx7jBHBBrp68C+Itnd/smfFeT45eHraRvAnim7SLx1p0CEjTbpjtTUUUdFJOJAOpPcldvvNneWmoWkV/YXMc0E8ayQzROGWRGGQwI4IIIINcGRZniMUqmDxtliaNlNLRST+CrBfyVEr215JqcHrFX7s7y3D4ZwxmCu8NWu4X1cWvipSf89Nu19OaDhNaSdpKKKK+gPBCiiigDxb9tf9nnxB8ZfAth46+FF0th8RvAl5/a/gjUhgFplAMlm5PWKdV2FScZ25+UEHpf2W/2hvD/AO038HdP+Jmj2rWV7ua01/R5ciXS9Riws9s4PIKtyMgEqynAzivRK+VPjRDN+wx+0vH+1FosTR/DX4h3kOn/ABQtIl/d6VqLHbb6uFH3VYnZKfViTuZ1x5GK/wCE/E/XF8ErKp5dIz/7d2l/daf2Twsb/wAJeM+vx/hytGqu3SNT/t2/LP8AuNN/AfVdFNhmhuYUuLeVZI5FDI6NkMDyCCOop1eue6FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfG/iLwh4f/wCCmP7WGq+H/F1i2pfBf4QyTadLbLcSRw+IfEkkZSYh42ViltG2AVIIcgglZDXpn7fnx98X/DP4faZ8Hfgq3m/Ev4m350PwbAjYa13AfaL9sfdSCNt27naxUkEBq9C/Zq+AfhD9mT4J6D8FvBa77bR7QLcXjriS9uWO6a4f/aeQs3sCAOAK9zCSlleCeMTtVqXjT7pbTmuz+xF93JrY8HGRjm2OWCavSp2lU7Se8Kb7r7c12UE9yT4Efs5fBP8AZl8IP4E+Bnw/tfD+mS3BnnhglklkmkIxukllZ5JDgADcxwOBgV21FFePVq1a9R1KsnKT3bd2/Vs9qjRo4ekqdKKjFaJJJJeiWgUUUVmaBXiXw9/4ur+2J4t+IL/vNN8C6XF4d0puqm7kPm3Tj0Zf9WfYivUfiX440/4a/D7WvH+qYMGkabNdMhON5RSVQe7HCj3NcV+xz4I1Dwb8BdKvdfy2r+IpJNc1mVhhpLi6bzMsPUIY1PutfLZt/wAKHEGCwC+GnzYif/bnuUk/WpOUv+4fkfT5X/sGQ4zHP4qlqEP+3/fqtelOEY/9v+Z6jRRRX1J8wFFFFABRRRQAUUUUAFcl8ePirpnwP+DHif4uavtMPh/RZ7xY3OBNIqHy4vq77UHuwrra+aP+Cgzv8V/EPww/Y5sXLj4geLkvPEkSnP8AxJdPxc3Ct/d3MI9pPBKEc1xZjiJ4bBTnD4to/wCKT5Y/i19zPOzbFTweX1KlP47Wj/ik1GP/AJNJP0TKP7AH7Cvwh+HPw48IfHzxt8PYLr4mappp1TU9cvJpWeGW7Zptqwl/KidEkWMsqBuDzya+paRESNBHGgVVGFUDAA9KWqwWCw+Aw0aNGKSVr2Vruyu33b3bLy7LsLleEjh6EUkkr2SV3ZJyfdvdt66hRRRXWdwUUUUAFeM/sH/8kQ1z/ss3xH/9TXW69mrxn9g//kiGuf8AZZviP/6mut0AezUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFUvEvhvQfGXhzUPCHirSYL/S9VspbPUrG5TdHc28qFJI3B6qysQR3Bq7RQB+eHwo/4N5Phj4A+LfgHUvGv7aXxf8AHPwo+E3iaPxB8L/gn4r1lLjSNEvoSxtdz433EVuWIiQgFV+Usys6v9UftS/sc6X+1T8UPg5418WfEG+sdG+EfxAHjFPDVtZo0es6nDbSw2Tyyk7o1gaaWQBQdzEZxtBrw39qH/g4M/4Jm/sr/GDUvgBrnxP13xj4y0SZote0L4c+FbnWH0yRTh45pYlEIdTlXQOXRgVYKeK9I/YQ/wCCtH7CX/BR641TQf2X/jGL3xFoUXm634P1zTJ9N1ayj3BTI1vcKpkjDMqtJGXRWZVZgSBQB9I0UV4X8d/+ClX7E37M/wAc/Dv7Nfxp+NqaT438VXum2mi6FB4f1G9aSW/ufstmJZLW3kjt1lmyivMyLkckDmgD3SivLf2k/wBtH9mv9kh9Ds/jv8Q5NO1DxNLPH4d0LSdBvtX1PUzCoaZoLHT4J7mVI1ZS7rGVTeu4jcM7v7P/AO0Z8E/2pvhvB8W/gD8QrPxJoE91Nam8tUkje3uYXKTW88MqrLbzIww0UqK6nqozQBx3gf8A5SF/FD/sjPgP/wBO3i+vZq8Z8D/8pC/ih/2RnwH/AOnbxfXs1ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV41+2x+zHd/tHfDK3uvAuqjR/H/hG9GsfD/xAhCtZ6hHgiNm/wCeUu0I4OR91iG2AV7LRW+FxNbB4iNak7Si7/8AAa6pq6a6ptHPisLRxuGlQqq8ZKz/AEafRp2ae6aTPJv2Nf2nLT9qD4Rr4j1XSTo/ivRLt9J8ceHJQVl0vVIflljKnkIxG5DzwcE7lYD1mvk79rHw7rn7HPxzt/8AgoD8MNKnn8O6gsOmfGvQLGMsbixyFh1ZEHWaAkBj1KY+6DI1fUnhzxFoXi7w/Y+KvDGqwX+m6laR3Vhe20gaOeGRQyOpHUFSCD7125lhqK5cVh1+6qXsv5ZL4oP0vePeDT6M4csxVaTlhMS71adrv+eL+Ga9bWkuk1JbNF2iiivLPWCiiigAooooAKKKKACiiigCrrei6T4k0e68P69p8V3ZXtu8F3bTLlJY2BDKR6EGvEvgtrerfs4fEpf2XvHeoSzaDqJef4b61dNnfFnL6fIx/wCWkefl9QQOMote71xvx1+DeifHDwDP4Q1O4e0u45FudG1WHiXT7xOY5kI5GDwQCMgkZHUfO57luKqunmGAS+s0b8qvZVIPWdKT7TteLfwVFGW3Pf6DJMxw1JTwGOf+zVrcz3dOa0hViu8b2kl8dNyjvy27KivMP2a/jJrnjrTr/wCHHxOt0svHPhSQWviC06C5X/lneR9N0cgwcjgE9ACufT69PLMywubYGGKw7fLLo1ZxadpRkukoyTjJPZrtZvzcyy7E5VjZ4Wuvej1WqkmrxlF9Yyi1KLW6fqkUUUV3nCFZHj3wL4W+JvgvVPh7430iO/0nWbKS01C0lHEkbjB56gjqCOQQCORWvRUyjGcXGSumTOEakHGSuno13T3Pmn9izx14q+DfjbVf2CPjLq0lzqvhS2+1+ANbuuDrnh8kiLB7ywY8tlHZcDIjLH6WrxL9tr9n3xN8VvB2m/E/4OzLZ/En4f3Z1XwZfAYM7AfvrF+m6OdBsKkgbtuTtLZ639mP9oLwx+018HdM+KnhyFrWWcNb6xpUp/e6bfR/LPbSA4IKt0yASpVsDdXl4GUsJVeBqPZXg31h29YbPvHlfc8bLZzwNd5dVd+VXpt/ah/LfrKnpF9XHkl3PQKKKK9Y9sKKKKACiiigAooooAKKKKACqmv69o3hbQr3xN4i1KGy0/TrSS5vry4fbHBDGpZ3YnooUEk+gq3Xyp+29r2s/tMfF3w//wAE7vh1qc0Nvq8aa18WdUtHIbT9CjcFbXcPuy3LhVA6hdpIKua7cvwf13EqDfLFXcpfyxWsn92iXVtLqcOY436jhXUiuabajGP80npFffq30ipPoH7EWg6z+0z8XvEH/BRD4iabNDbatHJonwl0u7TDafoUbkNd7T92W5cM2eoXcASjivquqmgaDo3hXQrLwx4c0yGy0/TrSO1sbO3TbHBDGoVEUdgFAAHoKt0ZhjPruJc0uWKtGMf5YrSK+7VvrJt9Qy7BfUcKqcnzTbcpS/mk9ZP79EukVFdAoooriO4KKKKAPE/2xZZPHD+DP2c7F2L+NvEcZ1RUPI021xPcHjp0THrg17VFFHBEsMMaoiKFRVGAAOgFeKfDP/i6n7XvjP4lSfvNO8FWEXhnR26qblj5t2w9GVv3ZPowr22vluHf9uxmNzR7VKns4f8AXuhemreUqntZeejPp+IP9iwmDyxb04e0n/18rWm7+cafso+WoUUUV9SfMBRRRQAUUUUAFFFFABXzP+z/AP8AF9P28vij8fJT52k+A7SHwJ4ZkPK+eh8/UGHYMspVMjkq+K9l/aJ+Len/AAH+Bnir4v6iUK6Bos91BHIeJZwuIY/+BylE/wCBVxv7Afwk1D4O/sp+FtG8Qh21zV7Ztb8QzTD95Je3jGd9/qyh1jP/AFzry8T/ALRmNGh0heo/l7sP/JnJ/I8XGf7Vm1DD9IXqy+XuU1/4E5S/7dPZaKKK9Q9oKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK8r/bo+K+v/Af9iT4x/HHwpceVqngz4V+Idd02UDOy4tNNuLiNvwaMGvVK4P9qX4ffC/4tfsx/Eb4VfG/xX/YPgvxN4D1fSfF+uf2jFZ/2dpdzZSw3Vz58wMcHlwvI/mSAom3cwIBoA8i/wCCQH7Lfwr/AGU/+CePwr8KfDjwxa2t9rngjS9c8XawsI+1a3q93ax3F1d3Mv35naWV9pcsVQKgO1QK8s/4Kx/DLwV8L/2mP2Vf25/BGg2umfEGx/aK8PeBtT16zhWOfVNA13ztPubK4ZQDOitJFJHv3eWVfbjeTXzRpX/BO/8A4I0aFpdtomif8HE3xZs7Kzt0gs7O1/bK0aOKCJFCpGiKgCqqgAADAAAFdH8I/wDgnb/wR5vPjv8ADnxFYf8ABcL4g/EnXfDPxD0XXfCPg7xL+1No+tW2o6zaXsU1lF9j8stOzTKqBI8SNvKqQWoA/WCvj3/gtP8A8kB+FP8A2dF8NP8A1JbOvsKvBf2sf+CZ37HX7b/i3TfG37S3gfxLrd7pFvaxadHpvxN8QaRawm2uJLiCYW2nX8EBnSWRnWcoZRhBvwiBQDwv9tS2+LnjL/grV8J/Cn7HPiPQPDPxZ0T4K+IdS13xJ49sZNQ0OXwtPqVhC1mLCF4p7i7N7FBIskVzbiKON95lEioN/wD4IvSX+leEPjx4B+IKxXHxK0T9ojXD8V9c025V9L1nW7i0sbgXVggjQ21v9kktI/sz7pInicPJKxMj+qeM/wDgmR+xZ8QvAfg74f8AjD4YatexeAI7mPwfrrePdbTXtMjuGLTomsJeDUGSQn5la4ZSFUEYRQPQ/wBnr9mz4G/sp/DpPhR+z78ObLw1oQvZr2a1tXkkkuruZt0tzcTSs8txO5A3Syu7tgZY4FAHmHwC1L4r6n+378X5Piz4L8PaJcx/CvwOmmReHfE8+qJcWY1XxdsmleaytDDKTuBiVZFUAESNkgfQ9eM+B/8AlIX8UP8AsjPgP/07eL69moAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigCtrGj6V4h0i60DXdOhvLG+tnt7y0uYw8c8TqVdGU8MpUkEHqDXyn+zHrGq/sQftBSfsKePtQmk8E+JHn1P4K63eSFhGm7fcaM7nq8bNujzyQ3XLoo+ta8t/a/8A2ZtG/an+Dlz4Ek1JtL12xuE1Lwh4hhJWbSNUh+aC4Rl5Az8rY5KscYOCPUy3E0Yc2GxD/dVLJv8AlkvhmvOLeq6xcl2PKzPC1p8uKwy/fU7tLbmi/ig/KSWj6TUX3PUqK8T/AGH/ANpnWfj58Pr7wr8UdNXSviT4Gvf7H8f6IwCmO7TIW6QDgwzqpdSPlzuAJCgn2yuPFYWtg8RKjVXvR+59mn1TVmn1TTOzCYqjjcNGvSfuyXzXRpro00010aaCiiiuc6QooooAKKKKACiiigAooooA8h/aU+F3ilNRsP2hvg3bD/hMvC8Z8yzXga1p+cy2bgfeOMlO4PTkqR3fwm+KPhb4y+ArD4heELkvaX0WWif/AFlvKOHicdmVsg/mMgg10deA+Oba4/ZF+LUnxe0WB/8AhX3i69RPGVjEpK6RfOdqX6KOiOTh8dz3JQD4/ME+GsxlmcP92qte3XSEtIxrpdto1v7vLV3hNn12Aa4jy+OWz/3mkn7B/wA8dXKg/PeVH+9zU9pxR79RTLa5t7y3ju7SdJYpUDxSxsGV1IyCCOCCO9Pr69NNXR8k007MKKKKYgr5U+K0cn7CX7TqftEaWjRfC/4mX8Vl8RbZB+60XVmOINUwOFSQkrKeBkljuZkA+q6xfiN8PvCXxX8Cat8N/HekpfaRrVi9rf2z/wASMMZB/hYHDKw5VgCORXFjsLLE0k6btUi+aL7Nd/KSvGS7PukedmWCnjKCdJ8tWD5oPtJdH/dkrxkuqfdI2Y5I5Y1licMrAFWU5BB7ilr5s/Ym+IXi34XeK9X/AGEPjXqr3HiDwZbC48Gazc8HXvD5O2CQeskPEbgdAAOdjNX0nV4PFRxlBVErPZp7xktGn6P71ZrRmmAxsMfhlVSs9VKL3jJaSi/NP71ZrRoKKKK6jtCiiigAooooAKKKKAOF/aU+PnhD9mT4Ka98afGrbrXR7Qtb2aNiS9uWO2G3T/aeQqvsCSeAa89/YD+Afi/4a/D/AFT4yfGpPN+JfxOvxrnjKZ0w1puH+j2C5+6kEZ27f4WZgCQFrhdS/wCM8f23U0Nf9J+FnwJ1MS33eDXPFePlj9HS0UnPo+QQVkFfW1e1if8AhOwCwq/iVLSn5R3hD/2+S7uCex4WF/4U8weLf8OleNPzltOf4ezi+ym1uFFFFeKe6FFFFABWB8U/Hdh8MPhxrfxB1LaYtI0yW52MceY6qdifVm2qPc1v18Z/8FRfjv4r0bU9P+A2jGGLTL7TYdS1Z9oZ7gidxHCc/dUNCHP97I7DB+T444lo8JcMYjMZ35kuWFlf95O6h8k9X5R8z6rgvhyrxVxJQy+FuVvmnd29yNnP5taLzfke/fsfeA7/AMCfATRzru5tW1zfrOsyuMO9xdHzTu/2gpRT/u16dXDfs1fETxB8V/gX4c+IHinR0sb/AFGyZri3jjKIdkjxh1U9FdVDgejiu5r0uHIYOnw/hI4Rt0vZQ5W1ZtOKd2nqm7uTv1k/V+bxDPF1M+xcsUkqntJ8yTuk1Jqya0aVklbol6Iooor2jxwooooAKKKKACiiigD5n/b5J+L3j74VfsdWhMkPjLxWNW8UxLyP7H04CeVH9BI+0KT/ABR4r6YAAGAMAdAK+Z/2bP8Ai+X7b3xY/aMm/faX4RWHwF4WlPK7oCJr9h2z55UBh1ViK+mK8vLf3062Kf25WX+GF4r73zs8XKf9oqV8a/8Al5K0f8FO8F98ueXzCiiivUPaCiiigAooooAK8Z/YP/5Ihrn/AGWb4j/+prrdezV4z+wf/wAkQ1z/ALLN8R//AFNdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAK83/bJ8cfDT4ZfshfFX4k/GfwKPFHg7w98N9c1PxZ4ZMMcg1fTINPnlurPZIQj+bCjx7WIU78HjNekV5F/wUD+Ffjn46/sF/G74I/DDSF1DxL4y+EXiXQ/D1g9zHCLm+u9LubeCIySMqRhpJEXc7BRnJIAJoA+Wfif+xr/AMEMfgv+xzpn7bnxJ/4Js/Da08J6lp3h+6+zWnw8sp7uH+17mztbVCgABIlvYQ5DYADEZxz7x4I/4JFf8Ev/AIa+NNI+I3w//YJ+Feja9oGqW+paJq+neDrWK4sbuCRZYZ4nVMo6SKrKw5BUGvz3/aM0X/gv9+0L/wAE/NP/AGCrz/gkD4a0u00+w8LWw8SxfHvRZZHGi3+n3it5BkUDzTYBCN/yiUn5tuD9UfCL9sf/AILpeKPix4X8NfF3/gjb4X8L+E9R8RWVr4n8TW/x90q8k0jTpJ0S5u1t0+adooi8gjX5nKbRyaAPuuiiigAooooA8Z8D/wDKQv4of9kZ8B/+nbxfXs1eM+B/+UhfxQ/7Iz4D/wDTt4vr2agAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD5a/bZ8AeLvgJ8RtO/wCCh3wO0WW71Dw7aCy+J3h60GDr/h/ILyY6Ge3ADqx/hQZO2Pafoz4efEDwj8VfA2lfEjwFrMWoaNrdjHd6deQniSJxkZHVSOhU8ggg4INa80MNxC9vcRLJHIpV0dchgeCCD1FfIvwmmm/4J6ftPj9m/WpWj+EfxP1KW7+Gt5I37rQNYc7ptJJP3Y5Sd0Q9SANzGRh7lP8A4VcD7J/xqS93vOmtXHzlDWUe8OaP2UeDU/4SMf7VfwazXN2hUeil5RnpGXafLL7TPryiiivDPeCiiigAooooAKKKKACiiigAqn4g8P6N4r0O78NeItOivLC/t3gu7WZcrLGwwyn8DVyipnCFSDhNXTVmnqmno011TTsyoTnTmpwdmndNaNNapp90zwr4G+INZ/Z9+Ig/ZW+IWoyz6Xcq8/w41u5b/j4tgctYu3TzYs/L6r6AoK91rivj18F9J+OHgOTwzc3bWOpWsq3eg6vDkS6feJzHKpHOM8EDqCehwRkfs2/GfV/iLo994H+Itoth438LTC08S6fwBIcfJdR+scg+YEcAnjgqT8llM55Bj1k1d3pSu8PJ9lrKg2/tU1rTu7ypaaypO/1WaQhnuBeb0VarGyxEV3eirJL7NR6VLaRq66RqK3plFFFfXnyYUUUUAeG/tu/ALxZ8R/DGlfGT4KsLb4l/Du6bU/Cdwo/4/VA/f6fJ03RzICu0kfNgZAZs9v8As1/H3wn+0v8AB7Sfiz4TVoReRmPUdOlP73T7xPlmtpBwQyNnqBlSrYwwru6+A/2qf2mNJ/4Jjfti6hrfgDw//bmkfEvQ11nxN4L+2G0S0vxM8S38MvluoMuyXem35mUkkfJjw8wr0snr/XZu1OVoz9dozS6v7MratWf2T5vNMTQyDEf2jUdqM2o1PJ7Qml1enJJLVx5Xryn35RXG/s/fG7wn+0d8HNC+NXgiK4j03XbVpIobpQJIXSR4pY2xwSskbrkcHbkcGuyr2aVSnWpxqQd4tJp909UfQUa1LEUY1abvGSTTXVNXT+4KKKKs0CiiigArwv8Ab1/aG8T/AAZ+F9l4D+EUX2r4kfEPUBoPgSyQ/MlxJgSXjddscCNvLEFQxTdwSa9t1XVNN0PS7nW9Zv4rWzs7d57u6nkCRwxIpZnZjwFABJJ6AV8sfsa6VqX7WPx313/goT43sJU0ZUm0D4OaddIVNtpUbss+obT92S4fcAeGC715Uqa9bK6NKLljK6vTpWdn9qb+CHo2ry/uxfc8jNa9WShgqDtUq3V19mC+Ofqk+WP9+S7M9s/Za/Z68MfsufA7Q/g54Zl+0HT4DJqmpOP3moXsh3T3Lk8ku5JGScKFXOFFehUUV51etVxNaVWo7yk22+7Z6VChSw1CNGkrRikkuyWiCiiisjUKKKKAML4mfEPw58KPAeqfEPxZc+XY6XatNLgjdIeixrnqzMQoHqwry39n34EWXjDQ7/4yftB+CtM1bxL4zukv5LLV7CO4TS7UDFtbIsqnYVQgngHJAPK5qp4p/wCMpP2ho/AEP73wP8OrtLnxAw5j1PV+fKtfRki5LD1ypHKmveq+Nw9KlxNm8sVWipYbDuUKaaTjOp8NWpZppqGtKndNX9rJdGfX16tXhvKY4WlJxxNdRnUabUoU/ip07pppz0qzs07eyi+qGwww20KW9vCsccahY40UBVUDAAA6CnUUV9kkkrI+Qbbd2FFFFABRRRQAUUUUAFfPP/BTf9pj4lfsq/syv8QPhRaw/wBsX+uW+lxX88AlXT1kjlc3GxgVYgxBAGBXMgJBxg/Q1fLHxSsbL9s39tfT/gfeWcWofD/4QRx6x4yt5oxJb6lrcyEWlm6nKuscZZ2ByDmRGHSvLzipWWCdKjLlqVPdi1um+vpFJtvt52PFz6rXWXSoYeTjVqtQg1upPd+kYqUm+iWmrRw//BDj4u+LfHfwQ8U+BNf8Polr4d1xZ7XXFRg2oS3hmlmWRjw8iFFJbrtlQEcAn7frL8H+CPBfw80OPwx4A8IaXoemxMzRado+nx20CEnJIjjUKCT14rUrTKsHVy/LqeGqT53FWvt1f5ba69zXJMBWyvKqWEq1OeUFbmta+r/K9tde+oUUUV6B6oUUUUAFFFFABXjP7B//ACRDXP8Ass3xH/8AU11uvZq8Z/YP/wCSIa5/2Wb4j/8Aqa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRXy1+3D+3z8e/2PPip4I0jTf2LH8T/D3xV428N+GdQ+I8/xEtLBbC81fUksVWKwEM1xcNEZEkbcIkYNgSZBIAPqWivJf2hviF+2l4O8QWFn+zF+y94F8eaZNZl9SvvFfxbuPDsttPvIEaRRaPfCVduDvLocnG3jJ5n/AIJpftoeNf2+f2aD+0X4v+Clh4IguvFWraXodtpXi5tattVs7G5a0/tCG4eztG8qWaKcIDECURXz8+1QDa8D/wDKQv4of9kZ8B/+nbxfXqviG+vbZbSx02RY5r67ECTMm4RgI8jNjudqHHuRXlXgf/lIX8UP+yM+A/8A07eL69S8Qf8AIW0P/sKv/wCklxQAg8P6vjnxzqmfaG0/+MUv/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqUUAZf8Awj+rf9Dzqv8A35tP/jFH/CP6t/0POq/9+bT/AOMVqVz3xa+Kfgf4G/C7xF8Z/ibqs1h4c8KaLc6tr1/b6fPdvbWdvE0s0oht0eWTaisxVEZsA4BoAu/8I/q3/Q86r/35tP8A4xR/wj+rf9Dzqv8A35tP/jFcve/tO/AbTv2aH/bEvPiRZp8NU8Gf8JYfFYilMJ0c2v2oXQQJ5hBhwwQJvOQoXccV8of8FLP26/8AgoD8HP2Xrv8Abg/YE8H/AAa1j4S6X8LIfGV3rnxRGuRarfCQPKsFtpsKQMgNubd83EsTBpGVkBTBAPtf/hH9W/6HnVf+/Np/8Yo/4R/Vv+h51X/vzaf/ABisr4G+N9W+JvwT8HfEjXre3hvvEPhbT9SvYrRGWJJZ7aOV1QMzEKGcgAknGMk9ap/tE6n+0DpHwb1m/wD2WfCvhfWvHqrAvh/TvGmqT2elyM08aytcTQRySKqQmVwEUlmRV43ZAB0P/CP6t/0POq/9+bT/AOMUh0DWQMx+ONSLDoJILUr+IEIP6ivlH/glh+2X+2H+0n8R/j58FP20dA+Gln4m+Dfjqy0GOb4X22oJY3Cz2K3TEvfSvJKRvChtkWcH5K+w6AKPhzUbnVNJS5vFUTJLLDNsGFLxyNGxA7AlSfxq9WX4P/5BM3/YVvv/AErlrUoAKKKKACuA/ab/AGePBf7UfwZ1b4PeNg0Ud9GJNO1KFf32nXicw3UR4IdG54I3KWU8Ma7+itaNarh60atN2lFpp9mjKvQpYmjKlVV4yTTT6pngH7Cn7Q/jPx9o2s/s9/H7bbfFP4bTrp/ieNj/AMhW3x/o+pxZxvSZNpJH8RyQodRXv9fnh/wXP0P4pfDW98C/tM/Aka3oOpQWt/o3ijxf4ZvZrW4itnMD2sEskLAiMt9oIJ4BwM8rWn/wTz/4KWzeDvgro/g79vfWfE+ialfXjnwp428U6FcJZavYFU8vdeFSHlVxMDI+FKBCXJzX1WL4eq4/LY5tgkmpvWnH4oyV+blV9Y3XMklzRjLZpJnyOE4jpZfmksnxzadNaVZaRlF25eZtaSs+Vyb5ZSjum2j78oqh4a8U+GfGmiQeJfB3iKx1bTbpN9rqGm3aTwTL6q6Eqw+hq/XyLjKLs1Zn2UZRkk07phRRRSGFFFFABRRRQAUUUUAFePftJfDTxVpmsWP7SXwas9/izw1CVv8ATo+Brmm5zLauB95gMsh5ORgAnbj2GivNzfK6GcYGWHqNxejjJfFCcXeM4vpKL1XRq8XeMmn6OVZnXynGxxFNKS1Uov4ZwkrShJdYyWj6p2krOKa5/wCFvxL8LfF/wJp/xC8HXnm2OoQ7lVsb4XHDxOOzq2QR7cZGDXQV4B4shl/Y++Lb/EnTImX4ceMr9U8T2sYymiai5wt6oH3YpDgPjof+ALXvsM0NxClxbyrJG6hkdGyGB5BBHUVxZFmlfGQnhcYlHE0Wo1Etnf4akP7lRLmW/LLng9Ya9md5ZQwk4YnCNyw1a7pt7q3xU5f36bdn/MuWa0lo6iiivfPCCvEf2tP+Cf8A8Af2yr/S9b+KUer2Wp6REYLfVNBvI4Z5ICxbyH8yORWQMWYfLkFmwRk59uorDE4XDYyi6VeClF9Hsc2MwWEzDDuhiYKcHumrrTY+Urj9lT42fsVSnxl+wvqs+u+GEAfXPhH4j1FnjucAb5rC4fJgnbGSp+ViT97Cx16/+zh+1p8KP2mNMuYvCV1c6Z4g0tvL8QeENbh+z6lpcoOGWWFuSoPG9cr2JByo9Orx39o/9jPwF8eNTtviLoGsXng34g6UM6J478Pny7uEgYEcwBAuYuxR/wCEkAqCc+f9Tr5f72C1h1pt6f8Abjfwv+6/cf8Ad3PK+oYnK/ey7WHWk3Zf9w278j/uu8H/AHHqexUV8z+A/wBsf4g/A7xZZ/BT9vjQ7XQb+6l8jQPiTpykaFrpHTzHwBaTkclWwvU/INufpaKWKeJZoZFdHUMjqchgehB7iu3C4yhi4vk0a3i9JRfZrp5PVPdNo9HBZhhsfFum2pR0lFq0ovtKL1Xk9U902h1FFeJfte/tdL8BINM+GXww8N/8JZ8UvFxMHg3whbtksxyDd3JBHlW0eCzMSN21gCAHdPSwuFr4yuqNJXk/kkurb2SS1beiRpi8XQwVB1qztFfNtvRJJatt6JLVv8PFv2x/2pvh3+1b8TNB/wCCc/wM+LFp9p8Va89p8R9ZtZSi2OnW6+bPZQysAs0820x4jLgbWRvvHH2N4U8LeH/A/hjTvBnhPSorHS9JsorPTrKBcJBBGgREUegUAfhX5vfsrf8ABDj4yfCb9pHwp8Xfib8XvDs+j+GtUtNYMOjPcNeXF5CySiEiSJUWPzVwX3kso+6pbj9Ma9/iJZVhoUMJl1b2lOKbk7bzb1b0V9Eklb3Vpd3bPnuGnm+JnXxmZ0PZVJNRir7QS0S1dlzNtu/vN3srJBRRRXzB9UFFFFABXmv7T3xd1f4aeCYNB8Cwi58X+KboaZ4WsxjPnvw059EiU7iTwDtB4NeiajqNhpGnz6tql3Hb21rC01xPK21I41BLMxPQAAkn2rxH9njTr/46fEvUf2sfFVpIlgVk0z4e2NwuDBYqxWS72no8zZ56hdw5BWvmuIcZiZKnleDly18Rdcy3p01b2lX1SfLDvUnH+Vn0eQYTDxdTM8ZHmo0LPle1So7+zp+ja5p9qcJfzI9F+BXwi0n4I/DSw8B6bMbiaIGbU79877y7fmWZieSS3TOSFCjtXX0UV7mDweGy/CU8Nh48sIJRil0SVl/wXu223q2eJjMXiMfip4nES5pzblJvq27v/htkkktEgooorpOcKKKKACiiigAooooA89/am+POk/s1/ArX/i3qMIuLiwtfL0iw5Jvb6Q7LeAAcndIVzjkKGPasH9iD4C6t8BvgZa2njeZrnxh4lu5de8bX8uDJPqdyd8isR12DbHxwShI+9Xn3jD/jLr9uzT/h7H+/8DfBBo9W17vFfeI5VP2WA9m8hMucdG3qw5FfUNeThv8AbMfPEP4YXhD1+3L77QXlGR4mE/4UMzni38FO9OHm/wDl5L70oJ9oy7hRRRXrHthRRRQAUUUUAFFFFABXjP7B/wDyRDXP+yzfEf8A9TXW69mrxn9g/wD5Ihrn/ZZviP8A+prrdAHs1FFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFfnp/wAF7v2xf2Wvg/4O+FvwZ+KHx58NaF4ri+OXw98VyaBqWpLHdLolv4khafUCh58hBbXBZ+g8l/Sv0LooA+P/APgox+25oF//AME0dQ+Jn7GvxD0zxPrfxkntvAnwd1jRLwSQ32s6vcnTopoZF4JgzcXBPQC0b0r6I/Zo+Angv9lr9nrwT+zh8O4NmieB/C9lounEoFaVLeFY/NfHV3Kl2PUsxJ613FFAHzx8AvBfiTwT+378X7XxL8XPEPi+S8+Ffge5t7nxFbadE9jE2q+LgLWIWFpbKYlwSDIry5Y7pGGAPc/EH/IW0P8A7Cr/APpJcV5b4H/5SF/FD/sjPgP/ANO3i+vUvEH/ACFtD/7Cr/8ApJcUAcN+0b+zP/w0V/Y3/GQPxO8C/wBj/aP+Sc+K/wCy/t3m+V/x8fu383Z5XydNvmSdd3HmP/Ds/wD6yBftN/8Ah1v/ALmr6bor0aGbZjhqSp0qlorpywf5wb/E83EZPluKrOrVp3k93zTXlsqkV+CPmT/h2f8A9ZAv2m//AA63/wBzUf8ADs//AKyBftN/+HW/+5q+m6K2/t3Nv+fv/ktP/wCVGH+r+T/8+v8Ayap/8tPmT/h2f/1kC/ab/wDDrf8A3NXT/Bz9hv8A4U98SNO+I3/DYPx08U/2d53/ABIfGXxB+3abdeZC8X76DyV37d+9eRh0Vu2K90oqKmdZnVpuE6l01Z+7DZ+lNP7mvU0p5HlVGopwp2ad171TdetRr70/QKra1o2k+I9Hu/D2vadDeWN/bSW97aXEYaOeJ1KujKeCpUkEdwas0V5Z6p+GGn634s1b4aaZ/wAGwt/qd9Jr1l+0g/h7Up3kb7RJ8I7cr4jS8aX+F3tmis1GcEDZk5wfvr/gvL8TPg78P/8Agk/8cPhZrPxB8NaJq2pfCq+i8P8Ahy61a3trm6QKEVbe3Zg0gGNoCKemO1fVEfwD+BUPxhk/aHi+C3hJfiBLpn9my+OV8OWo1h7Pj/Rje+X55i4H7vft4HHFYXxu/Yy/Y+/aZ1qz8SftIfso/DX4g6jp1qbbT7/xv4F0/Vp7WAsXMUb3ULsibiW2qQMknFAGF+w58Zvg/wCPf2TfBE/gT4q+G9bTQPAGjJrraPrlvdf2cwsI8rP5bt5R+R+Gwflb0Ndt4W/aF+A/jf4P2/7QnhL4zeF9Q8B3Vu1xb+MrbXYG0uSJZDE0gud/lbRIpTO7G4EdaofBn9k79lj9nHStW0L9nn9mn4f+A7HXtn9u2fgzwbY6XFqOxWVPPS2iQTbVdwN4OA7AdTVqL9mn9nKD4KH9mqH4AeCU+HJtTbHwAvhWzGieSZTKYvsPl+RsMhLldmNx3YzzQB8J/wDBJv8AaH+AFz/wUL/bUs7f45eDpJvFXxs0c+GIk8TWhbWB/Y8CZtQJM3Hz/L+73fNx1r9Iq8T8E/8ABNT/AIJzfDXxdpvxA+HP7AXwT0DXtGvI7vSNb0T4VaRaXdjcIdyTQzRW6vE6kAhlIIIyDXtlAGX4P/5BM3/YVvv/AErlrUrL8H/8gmb/ALCt9/6Vy1qUAFFFFABRRRQAVR8R+GfDfjHRbjw34u8P2WqaddJsurDUbRJ4Zl9GRwVYexFXqKabi7p2YnGMlZq6PmXxN/wTM8C+FdbuPHX7H3xW8SfBvX5n8yWPw3cm40i6ft5+nzExuOmFUqo/u1R/4aJ/b2/ZoP2f9pj9nSD4keHYPv8Ajb4TZe7RB/HPpsuHLY5YxlUXHevqiivWWcVqq5cZBVl/e+NelRWl9/MvI8eWS0KTc8FN0X/d+B+tN3h9yg/M8t+Af7aP7M/7S6fZ/hJ8VtPvNSUH7RoN4xtdRgZfvBraYLJ8pyCwBXI6mvUq8o+Pn7Ef7Mf7Sj/2j8UPhbZSawhDW/iPTM2epQuv3WFzCVdtp5AcsvtXlv8Awof/AIKC/szfvv2ePj/a/FTw5B93wd8VDt1FEH8MOpR4Lv0A83ai46Gn9VyvF/7vV9nL+Wpt8qkVb/wKMfUn63m2D/3mj7SP81Lf505O/wD4BKXofVNFfNHhP/gpr8M9E16DwF+1l8OfEfwa8RzNsjj8XWpfTLl+/kahGPKkQf32CLx1r6M0LX9C8UaRBr/hnWrTUbC6jD2t7YXKzQzKf4ldCVYe4NceLy/GYJr20Gk9nvF+kleL+TO7CZjgsen7Com1utpL1i7SXzXzLdFFFcZ2hRRRQAUUUUAUfE3hrQvGXh698K+JtNjvNP1C2aC7tpRlZEYYI9vqOQeRXjXwG8S658CvH5/ZR+JOpST2pief4d63cn/j+shybNm/56xDgDuo6AbM+51w/wAf/gtp/wAbvAraGt82n6xYTreeHdZiyJLC9TlJARztJ4YdwfUAj5zPcuxUpwzLAL/aaKdleyq03rOlJ/3rc1Nv4Kii9pTPockzDDRhPLsc/wDZ61rvd05rSNWK8r8s0vjpuS3jA7iivNv2b/jTqHxP0C88L+O7Ead408MTiy8UaYcDEo+7cIO8UgG4EcdQMjBPpNerluY4XNsDDF4d3hJddGmtHGS3UotOMovVSTXr5eY5ficrxs8LiFaUX01TT1UovZxkmpRa0aafoUUUV3HEFFFFAGP488AeCfih4UvPA3xD8L2Ws6Rfx7LvT7+ASRyDscHoQeQwwQQCCCM180y/Dj9pH9gKRtV+BcepfEv4SxMXuvAV3OZdY8PxdS2nytzcRL/zxbngAclpK+rq8b/a7/a40v8AZv0bTvCvhLw7J4p+IviuU2vgnwVZHM19OePOlx/q7dOrucDAIBHJXF5RLNcTGNC6q/ZkrJpbu99HBbyUvdtd6bnjZvh8EqX1upN05wWk4/Er7Rt9tN2XI07t6Weq4j4kf8FN/hDc/DPSLn9mc/8ACd+PvF87WPhPwRbgpdR3YHztexkhraKLO52bAYD5W25deo/ZB/ZFu/gtPqfxm+M/iNfFfxZ8XASeKvFEi5W3U4K2NoCB5VtHhQAAN+0EgAIq+S+C/wDgmd8V9AsG/aHtf2gbnSvj7qN9Nqmq69aQqdHkeYKW01rYLhrYbQu/G4nL7ThVHpnwU/bZuJPG8P7P37Wfg5fh98RG+WyWaXOleIBnAlsbgnadxx+6Y7gSFBZgQN55xLLaby6pZOTs60b8lXXSKbScF/cl8cveUpLlivHwVfEyxtOtnMeSWnsv+fabVrvV8tZ9pO0U+WnJvmb+gaKKKR9iFFFFABRRXKfGz4s6H8E/htqXxC1xfNFpHts7NT893ctxFCvfLNjpnAyegrnxeLw+Aws8TiJKMIJyk3skldv+t9EtWjowmFxGOxUMPQi5Tm1GKW7bdkv6829Ezzn9pHVtT+M3j7TP2SvB17JFFfRrqHjy/t2wbPTFYEQZHR5mwMehGQVY17TpGkaZoGk22haLZR21nZW6QWtvEuFijRQqqB2AAArzj9l34T654C8JXfjT4hsJvGXi+6/tLxLcMOY3Yfu7YeiRKdoHQEtjjFen14PD2ExFR1M1xkXGtiLWi96dJX9nT8nZ89TvUm19hHuZ/isPTVPK8JJSo0L3ktqlV29pU81dclP/AKdwT+2wooor6Y+bCiiigAooooAKKKKACvOP2sfj5Yfs1fAfXfipLbi5v7eAW2g6ftLNe6hKdlvCFHLZcgkDnarHtXo9fL2u5/a7/bxtfDC/v/AvwLZL7Uu8V/4mlU+TH6N9mQFuOVkDKRhq8/Ma9SlQUKX8Sb5Y+Te8vSKvJ+iXU8vNsTVoYZU6D/e1HyQ8m95ekI3k/RLqej/sU/AO/wD2fPgRY6B4ruDdeKtbuJda8aag7BnutUuTvmLMPvbfljB7iPPc161RRXVh6FPC0I0ae0VZf13erfm2dmFw1LB4aFCkvdikl8u/m9W31bbCiiitjoCiiigAooooAKKKKACvGf2D/wDkiGuf9lm+I/8A6mut17NXjP7B/wDyRDXP+yzfEf8A9TXW6APZqKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDxnwP/AMpC/ih/2RnwH/6dvF9epeIP+Qtof/YVf/0kuK8t8D/8pC/ih/2RnwH/AOnbxfXqXiD/AJC2h/8AYVf/ANJLigDUorjPi7+0J8IPgP8A2f8A8LW8Xf2V/avm/YP+JfcT+b5Wzf8A6mN9uPMTrjOeM4NcX/w8I/ZB/wCiu/8AlA1D/wCR68LGcUcM5diZYfF42lTqRteMqkIyV1dXTaaunf0PbwfDPEeYYeOIwuDq1KctpRpylF2dnZpNOzVvU9norxj/AIeEfsg/9Fd/8oGof/I9H/Dwj9kH/orv/lA1D/5Hrl/124N/6GVD/wAG0/8A5I6v9TeL/wDoX1//AAVP/wCRPZ6K8Y/4eEfsg/8ARXf/ACgah/8AI9bXw9/bG/Zw+KvjCz8BeAviN9v1a/8AM+yWn9kXkW/ZG0jfNJCqjCIx5I6Y64Fa0OL+E8TWjRo4+jKcmkkqsG23okkndtvRIyrcJ8U4ajKrVwNaMIptt05pJLVttqySW7PTaKK5X46Xvxd034LeLdS+ANlo9z45tvDl7N4PtfEEEktjcaksDtbRXCxSxOYmlCK211IDEg8V9EfPnVUV8Oal/wAFgrRf+CI8H/BUTR/CtjN4svvBsUFj4QMMpifxlJcDTf7M8oOJmjXU8oUDCTykJyD8w8w/4Lm/sJ/Db46f8EwfHH7XX7XXhL+0vjF4J+BKqBoXiXVLXQtN1WJGmmmttPF20L4nmlCvP5z7FjBY7QaAP0yorz39kj/k1L4Y/wDZPdF/9IYaT9p39l/4V/te/DA/Bv40jW5fDc+ow3Wo6fofiO70tr9YskW801pJHK0LE5aMOA20A8cUAeh0V+Vmrfs1fAL9jj/gtL8AfgX/AMEr9CvPCmr3Wm6xqf7R3hDw5rV3NoqeF/soWzudTglleOK6a5YCBgBIzMpbKlCf1ToAy/B//IJm/wCwrff+lctalZfg/wD5BM3/AGFb7/0rlrUoAKKKKACiiigAooooAKKKKACiiigDN8WeDvCPj3QZ/C3jnwvp2s6ZdLtudO1WyS4glHoySAqfxFfOmu/8E0fD3gLV5/Gf7Fvxp8TfB/WJpDLLp+lXBvtEupPWawuCUPoNpCqOi19O0V24XMcbgk1Rm0nut4v1i7xfzXzOHF5bgcc060E5LaSupL0kmpL5O3kfK/8Aw1B+2/8As1/6L+1d+zMPGmgwcP48+EZa5ZUH8c+nSkSrxy7qQg5wDXr3wF/a/wD2bv2mLTzfg18WdL1W6VS0+kPIYL6DHXfbShZVAORu27eOCa9KryD49fsJfsv/ALRl5/b/AI++Glvba+jB7fxVoMhsNThkH3XE8OGcjsJN4HpXZ9ZyrGfx6TpS/mp6x+dOT/8ASJL0OP6rm+C/3eqqsf5amkvlUiv/AEuD9T1+ivlb/hT/APwUW/Zj/e/BD40af8ZPDUH3fC3xIYW2sJGP4IdRTCyuePmmwo7LWt4J/wCCm/wdg8Qw/D39prwf4g+DniiU7VsfHNmY7G4bu0F8o8mSMf322A9qmWTYipFzwklWj/c+JesHaa+SkvMcc7w1OShjIujJ/wA/wv0qK8H83F+R9J0VX0rVtK13TYdZ0PU7e8s7mMSW91aTLJHKh6MrKSGB9RVivJaadmewmmroKKKKQzxv9pD4c+KfDmv2f7TnwcsTJ4l8PQGPWdLj4GuaZ1kgYDrIoG5DyeMYJCgej/DT4jeFviz4H074geDb8XGn6lAJIicbo26NG47OrAqR6g1u18C/tEfG74ofsk/tJ+JfCfwSvX0bQ7+7ttTl0q4s45ra5mkhRpXiDoTGjMWUhCOUIyMAD834nzrC+HmIeb1FJ4XESUakIq7jVa92rFaL31Hlqq6u1CavLmUv0PhrJ8Vx9h1lVNpYmhFypzk7KVJP3qUnq/dcuam7OycoO0bNffVFeG6H+2s/9i2d54z/AGbfibp801rHJPNB4UaW13FQTscPkrnplQcYyKtD9vj9nS0OPEmq65ox7jVPDV2mPrtjavfhxtwnKClLGQhez9/mp766+0pw79/meHPgzimMnGOElO2nucs9u3JOf5fI9oory7Sv21P2WdYx9k+NOkpnp9q8yD/0ai4rnP2iv29fg98HPhwfEHw/1mx8c+I9QmFn4c8NeHdQjuJLq7fhPNaMnyIR1aR8ADgZJAPrYDOskzStGlhcXSnKTsrVaf61F9/RHk4/J85yyjKrisLVhGKu70qn6QfyXVmp+1z+1toX7NHh6w0bQ9Bl8T+PfE8xs/BHgqwObjUrk8b2xzHAhOXkPAHA5rE/ZE/ZJ134aazqP7Q/7Q+vQ+J/i74qiH9t6wBmDSLc8rp1kD/q4U4BIwXIyeMVR/Y1/ZmvfDmv3/7TX7QHjDT/ABb8W/E8AGo6haTrLa6DanldOsQCQkag4Zhy5zyRkt9E19VXxeGwuHeFwU1JS+Oovt/3Yv8A59p/ObV37vLE+Vw+DxOLxKxeOg48v8Om/sf3pLrUa+UE+Ve9zSCuR+NfwJ+FP7Q/gif4ffF3wfbavp0vzReaNsttJjAlhkHzROP7ykdwcgkHrqK8WpTp1qbhUScXunqmerVpUq9J06sVKL0aaumvNM+UF8T/ALS//BPpha/EB9W+KnwegOIfEcUfm6/4Zh7C6Qf8fcCj/loOVAJO0BUP0j8Nfif8P/jF4OtPiB8MfFtlrWj3ybre+sZdyk91YdUcdCjAMp4IBrdZVZSrAEEYIPevm74lfsYeMPhh4yu/jv8AsJ+JLXwl4iuX83XPBV4p/sHxFjkh4lwLaU84kTAyf4NzPXl+yxeW60b1KX8t7zj/AIW/iX92Tuvsyex4vscdlGtC9Wj/ACN3nBf3G376X8knzL7MnpE+kqK8W/Z1/bR8IfGPX5vhL8QvDl34E+JOnLjVPBOvMFlfAyZbWThbqIgEhl5wM424Y+016GHxNDF0vaUpXX5Pqmt011TSaPVwmMw2Oo+1oS5l+KfVNOzTXVNJrsFeC6Vj9qb9opvET/vvAvw0vTFpw6xaprYHzS+jJAMAH+9ggkMRXRftUfEvxHoujad8HfhjNnxj43nax0tkPNjb4/f3jY5UImcHrk5GdpFdt8KPhp4c+D/w90v4c+FYdtpplsIxIRhppDy8rf7TMSx9z6V8xjv+F/Oll61oYdxnW7SqfFSpeajpVqLypRe7R9pgf+EHJnj3pXrqUKXeNP4atXyctaVN+dWS2TOiooor64+UCiiigAooooAKKKKACiiqmv67o/hbQr3xN4h1GKz0/TrSS6vrudsJBDGpd3Y9gFBJ9hSbSV2JtRTb2R59+158foP2bPgNrPxJgt/tWrFFsfDWnBdzXupTnZbxKo5b5juIHO1GxVb9jH4A3H7OnwG0zwfr9z9q8SajLJq3jDUXfc93qlyd87s38W04jDd1jB6mvmnwB+1h8Hf+Cg37f3hHw/puq3Nt4V8Aaddar4b0vVrfy313W1OBOEBYbIYQZYwxDgox2gFgPuuvGwFejmmLnjKclKELwhb5Ocvm7RX91dmfPZXicPnOOqY+lJSpwvThbXs6kvm7RX92Lez1KKKK9o+iCiiigAooooAKKKKACiiigArxn9g//kiGuf8AZZviP/6mut17NXjP7B//ACRDXP8Ass3xH/8AU11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiivkL/got+1J+3h+yl8RPh74y+FGh/CO4+FXiD4leEfCevf8JDFqlx4hkl1bV47KdrdIZIbaFY45VZHdpSWzmPAGQD69or5U/b8/4KB6l+zl8UvCv7N/wy8YfDTwz4n8Q+Hr7xLr3jj4waybPw74T0K1nt7Y3VwFlha5mnurqGCGBZogSJGaRQgDexfsm+NfiX8Rfgrp/jX4ofE/4beNLrUJpZdO8U/CZZl0XUbPOI5YhNcXJDZDBts0i5HDdQADC8D/APKQv4of9kZ8B/8Ap28X16l4g/5C2h/9hV//AEkuK8t8D/8AKQv4of8AZGfAf/p28X16l4g/5C2h/wDYVf8A9JLigDUooooAKKKKACiiigAooooA/KrR/wDglj+2Ha/8FN4vhLc+ArQfsgab8fJ/jrYat/blp5jeIpNOXZpAsxL56QR6o0l0B5Xkle4bFe+/8FsrL9t74yfsr+N/2PP2Tf2FdT+JcPxI8B3enXPjC1+IWiaTBolzIxRY5LfULiKSf5QH3J8vzYzkV9sUUAfOP/BPr4g/td6j+zzH4I/aP/Ye1P4V6v4I8M6bpmh2upePtH1ceInhtDG7o2nzSLbAPEgxKQf3oIztNc78f/jp/wAFVLv/AIJuJ8SfgB+w7pth+0drkX2U/Di98eaXd23hlnmlQ3jXkk0Vre+XCscqxhwC8qg5COD9YUUAfnb/AMEuPCH7WP7Jj2vw78Vf8Eo/iJb614815L/4wfHfxj8XfCeoahrF++fM1C7jtb+Sdoo8sIrWEMIkO1QWLs36JUUUAZfg/wD5BM3/AGFb7/0rlrUrL8H/APIJm/7Ct9/6Vy1qUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABWT428BeB/iV4em8JfEPwfpmu6XcDE+n6vYx3EL+5SQEZ9+1a1FVGUoSUouzXVaEyhGcXGSun0eq+5ny/qv8AwTZh+GOpTeK/2H/jz4l+E+oSSGWTQopjqWg3L9T5llcEhSem4NhQflWq/wDw1t+2N+zd/on7YX7LsniDRYOJPiB8JC17AEH/AC0nsZMTQgDlnyF67VNfVFFess4qVly42CrLu9J/KcbS/wDAudHjvJadB82BqSovtHWHzpyvH/wHkZ578Cv2rv2d/wBpbTP7R+CfxZ0nXHWPfPYRT+XeQD1kt5AssY7ZZQD2Jr0KvGfjr+wH+y7+0Bqf/CVeKPh8ukeJUk8238XeFZzp2pwy9pPOhx5jDt5gcD0rzz/hXH/BST9mEeb8LPifpXxw8MQfd8PeOWGn67HGP4Ir9f3c7erzevC0/qeW4v8A3WtyS/lqWX3VF7r/AO3lD1F9dzTB6Yqjzx/npXf30376/wC3XP0PqmsnxB4B8C+LNQtdW8U+C9J1O6sW3WVzqGmxTSW5znKM6koc88YrwjwB/wAFNfgXfeI4vh1+0BomufCHxY/H9j/ECxNrBMehaG8/1MkeSMOxTd2FfRFhf2OqWUWpaZexXNvPGHguIJA6SKRkMrDgg+orzMfldailTxlHR6rmSlF21TTtKLtumm7b6M9PL81oYhupg62q0fK3GSvo01eMo32aaV9tSWggMNrDIPUGivK/2r/2rfBf7K/geDV9U0+41vxJrVx9i8H+ENMG691q9bAWKNQCQgLLvfBCgjgsyqxh8PWxdaNGlG8paJf106tvRK7bSQ8TiaGEoSrVpcsY6t/1u3skrttpJNsxP2yPjj8Ff2d/B1tceIPhpp/ivxZ4huPsXg3wbb6bFNea1eNgKiqVYrGCyl5MEKCAMsyqeN/ZY/4J/wCk6PpGp/E39qnQ9I1zxr4slFzf6LZW6xaT4fjP3bO0gjwgKjAaXlmI+8eWfa/ZN/ZS8aaR4yuv2sf2r9Qt9b+LGv2+yOKM7rPwrZHO3T7MZIUgEh5ASWJYAnLvJ9D1WZ5dkCoPCLD0qrfxzlTpyu19mDlBtQT3as5vXSNk88sx+fSrrGTr1aSX8Omqk48qf2pqM0nNraLuoLTWTk15DqP7Bv7KGov5zfCWG3kByslnqd3CVPsElA/Sqv8Awwx8KrP/AJFnxv450TH3f7K8Wzpt+m/dXtFFfIy4M4SlLmWBpJ94wUH98HB/ifXR4w4qjHl+u1Wu0puS+6amvwPF/wDhkzxlpn/IsftcfEuHH3RqerR3gH/faDNH/Cj/ANrHSjnQv2y3nQdINV8EWkmfq4bdXtFFL/U/I4/wlUh/gr14/wDuaRX+tudS/iunP/HQoS/9xI8X/wCEb/b10n/kH/Er4davjp/auj3Vvu+vknij/hKv28dJ/wCQh8Kvh/q+Ov8AZWuXFvn6ecOK9ooo/wBWHD+DjsTH/uNzL7p05fmH+sin/FwWGl/3C5X98KkfyPlD9orwb8Tv2h9Ah0z4w/sN3yahpzeZonirwt46tBqOlzA5ElvIF3rggHacqSASMgEcL4b/AG6f2rv2SvB97o37WvwP8S67pFpH5WgeP5NN8klzhYotR2bkBJIHmq25sDh2JYfdNUfEnhrw/wCMdAvPCvivRrbUdN1C3aC9sbyESRTRsMFWU8EVyS4ZzalVnXoZlU53Fr3oUXd2aXM4whez2bi2vNaHiZhLKsXWjicNgqdCunFuUJVXGaTXu1KcptTi1pdShON/cmtj5K/YE+PR/aL/AGhPFPj/AMcadDca9c+HYm0i8smJtLKxjkVHgiUliu55EfO45w3TJz9h18m6j+xv8SP2NfFd78Y/2BrO2vdNu0U+JPhZrdyWjvo1yc2V1IS8EvJIRmKknuAqV7D+zf8Atb/Cr9paxurPw1NdaT4l0k+X4h8G67D9n1LS5QcMJIm5ZQeN65HIBwcqM+C8Fjcgy7+zszq8+Ic6k+dq3tOeXNfm2lJL4tpaJcvKla8/4twnEGdpvDfVZckIRp83NTfJGz9jJ293qoO043fMpNuT9Rooor7Y4gooooAKKKKACiivOf2jf2o/hV+zH4Zh1nx9qM1xqWoSeToPhvS4vP1DVpyQFighHLZJALHCgkAnJAOVatSw9J1KslGK3b/r+uiZjiMRQwtGVWtJRit29v67LVt6JN6HbeK/FnhjwJ4cvPF/jPX7TS9L0+AzXuoX86xRQoOrMzHA/wAivlnXfHHxq/4KPx3ngb4Mi98E/Be6WS01zxxe2m3UPFEByksFhDIP3cDDKtKw5Bx2aM6XhT9mj4w/te+I7P4uftywrp3h61nFz4Y+DllcFrW2/uTak4x9pmx/yz+6OQQAzR19QWdnaadaRafp9rHBBBGscEEKBUjRRgKoHAAAAAHSvMcMTmq99OnRfTac159YRfb4mt3FOx4zhi86X7xOlh39nadRf3usIP8Al+OS+JwTsfJX7H//AAST+H37KHxx/wCF3H4p3/iO5sI508PWc2mLbCyEqNEzSMsjee/lOyghUHzE7emPrmiiuzA5fg8to+yw0OWN27a7v1ud+W5Xl+UYf2GDpqEbt2V9311bf/A0Ciiiuw9AKKKKACiiigAooooAKKKKACvGf2D/APkiGuf9lm+I/wD6mut17NXjP7B//JENc/7LN8R//U11ugD2aiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvgz/gt18XNXj8O/Dj4L+Df2dfjF4z1XTPi74G8a3954B+Ems65YQaXYa/HPdBrqyt5IluEitpH+zlvMKtGduJFz950UAfnL+034Q0Hxd+3t8Cv+CtWufshfEfxv4CtvhprfhPVPDsnwtvZ/EPhS/a8E1lqcuhyxfbSrL9thJSFnjE0b42uGHr//AASJ+Enjn4feFPjL8QtW+DuqfDfwl8SfjZqfif4dfD7W7BbO70nSpbSzgaWW0B/0Frm5gubn7MQCgmBYBnYD67ooA+ePgF8MfDfwu/b9+L+n+GtS8Q3Meo/CvwPfXDeIvF2o6w6Svqvi4FYnv55mgi+UYhjKxKclUBY59z8Qf8hbQ/8AsKv/AOklxXlvgf8A5SF/FD/sjPgP/wBO3i+vUvEH/IW0P/sKv/6SXFAGpRXnH7QX/DXf/Eo/4ZW/4Vv/AMvH9vf8LB+3/wDTPyPs/wBj/wC22/f/ALGO9eb/APG3b/q3D/yv1w1sd7Go4eyqSt1jC6+T5l+R5uIzL6vWdP2FWVusYXT9Hzr8tz6Por5w/wCNu3/VuH/lfo/427f9W4f+V+sv7T/6cVf/AAD/AO3MP7Y/6hq3/gv/AO6H0fRXzh/xt2/6tw/8r9dJ8I/+HjH/AAsLT/8AhfH/AApT/hFP3v8Aav8AwiP9r/2j/qn8ryvtH7v/AFvl7t38G7HOKqGY881H2NRX6uFkvV870NKea+0qKH1esru13Tsl5t87su7sz2uiiuV+Onwc8FftD/Bbxb8BviPYfadA8Z+HL3RdYhAGWtrmB4ZNuejBXJB7EA9q9E9U6qvlz/goH/wVe+En/BOqacfEr9nP41+M7aw8MjX9Z1b4bfD1tR07SrDzZYjJdX0ssNtAwMLko8gbaVOPmXPwXN+1h8ZvEv8AwRW03/gl/L4iZPj9f/Fb/hmLUZVyXiWGbyp9UK53tb/2EokM2cFpN249/sf/AIK8/DDwd8Ev+CFfxk+DXw70sWWgeE/gjLo+iWa/8sbS2tkhiT3wiKKAPrf4deN9J+Jvw+0L4kaDb3ENj4h0a11Kyiu0VZUiniWVFcKzAMFcAgEjOcE9axP2gvjTbfs+fCjUvitdfDPxn4xXT5IEXw78P/Dsmq6tdtLMkSiG2QgsAXDMxIVEVnYhVJqj+yR/yal8Mf8Asnui/wDpDDXoLBipCtg44OOlAHyv8Jf+CtXwh8cfHTwz+zr8Yv2c/jN8F/E3jh5ovAyfF3wTHYWniCeKMySW1tdWtzcw+eIxu8qR0Y5AALMAfqmvyx/ac+GH7VH7PH7df7LPxh/4KVftQ2Hxu8B3XxitfC/w+07wf4Og8J/8I/4x1K2njsdRurQPdPqUIEcicXUXkMwfZICyn9TqAMvwf/yCZv8AsK33/pXLWpWX4P8A+QTN/wBhW+/9K5a1KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDE+IHw1+HvxX8OS+EPib4I0rX9Lm/1lhq9hHcRE/3grggMOzDkdjXzvff8E4tV+EN7L4k/YV/aH8R/DGdpDK3ha7lOq6BcMTkg2twSYi3ILqzFQflUV9R0V3YXMsbg4uNKfuveLtKL9YyvF/cn5nBi8swOOkp1Ye8tpK8ZL0lFqS9LteR+f37Wf8AwUw/bp/Yk8L2HhT41/s6+CZfEerSyDQ/F+maxNPpGoRw7PO/0TKTxuPMj4aRAd+QMDFdN/wSjktv2um8Qft9fGmaTWfH7a9caFpyzW+yx8PWkcUUgh0+Ms2wMtxhpCd5ywzku0n1L8d/2cvgn+014QTwJ8c/h/a+INMiuBPBDPLJFJDIBjdHLEySRnBIO1hkcHIrT+FPwk+G/wADvAtl8NPhP4RtdD0PT1ItbC0BwCTlmZmJZ2J5LMSx7k17dbOsreSOjh8P7PETdpSjonG92ldtpPS8VZabtPlPCo5Hmqz1V8Rifa4aCvCEtZKdrJu0Um462k7vXZNcx0dFFFfLH1gUUUUAFFFFABRRRQAUUUUAFeQftIfsbfD74/X9r490rVLzwj4+0kZ0Lx34ebyr22YDhJcEC4i7GN+xYAruOfX6KxxGHoYqk6dWN0/6uuqa6NNNdGc+KwmGxtF0q8VKL/Po09010aaa6M+ZfA/7YXxH+Animz+DH7fWi2ujXN1KIPD/AMTtNQjRNbPYTHAFnORyVbCdThF27vpiGaG5hS4t5lkjkUNHIjAqykZBBHUVl+OPAng34l+FbzwR8QPDNlrGkahF5d5p9/AJI5F9wehB5BHIIBBBFfNE/wAL/wBo/wDYGnfWf2fI9R+JHwpRi958O725MmraDHnLNp0rZM8Y/wCeDZPGBks0g87nxeW/xL1KX8284/4kvjX95LmXVS3PJ9pjso0q3rUf5t6kF/eS+OK/miudfajLc+raK4f4C/tF/CL9pXwaPGvwl8VR38KMI7+ykHl3VhL3inhPzRuMHrwcZUkc13FenSq0q9NVKck4vZrVM9mjXo4mkqtKSlF6pp3T+YUVT8Q+ItA8I6Hd+J/FOtWunadYwNNe317OsUMEajJd3YgKB6mvl3U/jD8dv2+NRn8G/sv3194J+FyTNBrXxSuLdo73WFB2vDpcbYKKeQZzgjnG0rtfnxeNp4VqFnKcvhit3/kl1k7Jeb0fJjsxo4Jxgk51JfDCPxPz7KK6ylaK7t2T6747/tmapb+OJf2dP2TvCkXjj4kMNt6BIf7L8OLnBmv5l4BU/wDLIHcSMHBKq2j+zl+xnpfwv8TTfG34y+K5fHnxQ1KP/iYeLNTjGyyUg/6PYxfdt4gCVG0BiCfug7B3XwI/Z8+FH7N3gaLwB8JfDEen2gPmXdwx33F9NjmaeU/NI59TwOgAAAHa1hRwVSrVVfGNSktYxXww9P5pf33/ANuqK35sPl1atWWJx7UprWMV8EPS/wAUu85K/wDKorcooor0z2QooooAKKKKACiiigAooooAKKKKACiiigArxn9g/wD5Ihrn/ZZviP8A+prrdezV4z+wf/yRDXP+yzfEf/1NdboA9mooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAPGfA/wDykL+KH/ZGfAf/AKdvF9epeIP+Qtof/YVf/wBJLivLfA//ACkL+KH/AGRnwH/6dvF9eoeKWNrJpurOjGGy1DzLgqpJVGhlj3YHYGQE+gyaANaisoeOfBJGf+Ew0sfW/jH/ALNS/wDCc+Cf+hw0r/wYR/8AxVAGpRWX/wAJz4J/6HDSv/BhH/8AFUf8Jz4J/wChw0r/AMGEf/xVAGpRWX/wnPgn/ocNK/8ABhH/APFUf8Jz4J/6HDSv/BhH/wDFUAalFZf/AAnPgn/ocNK/8GEf/wAVR/wnPgn/AKHDSv8AwYR//FUAfOVn/wAEjv2VrH/gpRN/wVJhv/FJ8fS2bougtqcH9hRXj2Cae+pJbeR5gu2tEEJk83aQSduTmrf/AAUD/wCCZ3hv/golo7+D/iF+1v8AGrwR4YvNBk0nXPCPw48TWFnpuswu5ZmuormxuDI+DtyGUbQBjvX0F/wnPgn/AKHDSv8AwYR//FUf8Jz4J/6HDSv/AAYR/wDxVAHj37H/AOwyv7IPw61n4Y237Wvxk+Imn6nY29np0nxL8S2d7NoUEMLxLHYtbWduIQVYZ3B+Y0xjBzVX/gn54f8A+GPfD37H7/tT/G4p4ZuVuLD4lx/EN4vFssyzSyh59QjiUTD980ZRoyjRqqspxXtf/Cc+Cf8AocNK/wDBhH/8VR/wnPgn/ocNK/8ABhH/APFUAfMfwq/4JC/Bfwf8cvDX7RPxs/aI+M3xt8S+CJnuPA7fGHxvHqFn4funXYbq2tLW3toBPt4EsiO4wrAhlVh9YVl/8Jz4J/6HDSv/AAYR/wDxVIfHXgsD5fFumueyx3qMx+gByfwoAXwf/wAgmb/sK33/AKVy1qVmeEIpo9DEk8LRme6uLhUdcMFkneRcg9DhhxWnQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeD/Hr9iex8XeMj8ef2d/F8nw8+JkKk/27p0Q+yauOvk39vjbOjYAL4LDgnftArzTX/wDgq1a/s3xv8O/20Pgn4g0Tx1ZqhMHheGG6sdVgbcFvbaSWZNsTMjAqSSp4ySGC/YdfMn7eH/BNDwd+234m0bx2/wARrrwxrelWIsJbtNNF5Fc2gkeRYzGZI9rK8khDBv4yCDxjwMzweOw9KVfKtKresdOWV93Z2Sku6av1voz5fOcBmeEozxOSWVZvWDtySvvLldkpre6cebXmvoznPhN8NPHP/BSCz0r9oP8AaT1qC3+Gks5ufCHwu0S/LwXPlyMon1KZcec4ZSPKGApGCF+dW+t9M0zTdF06DR9H0+C0tLWFYra1tohHHDGowqKqgBVAAAA4ArlP2fvgl4T/AGcvg5oXwV8ES3Emm6FatHFNdMDJM7yPLLI2OAWkkdsDgbsDgV2Vd+XYN4agpVNaskueV7tu2qv2TvZKyS2XV+nlOAeDwynW1rTSdSTd25W1V/5U7qKSUUtl1ZRRRXoHqhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV4z+wf/yRDXP+yzfEf/1Ndbr2avGf2D/+SIa5/wBlm+I//qa63QB7NRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAeM+B/+UhfxQ/7Iz4D/wDTt4vr2avMfib+yD8Fviz8SJfi54km8a6f4guNDtNIu77wj8UfEGgC5s7aa6mt45YtMvreOUxyXt0Vd1LDzmGcYAx/+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9cjrP7AWjSfHjw3qOj/Ev4wp4Hi8I63H4isz+0d4y3y6q91pR06QZ1XfhYE1QHawXMi7gx2FQD6Uorxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLej/hg/4I/wDQ8fGb/wASO8a//LegD2aivGf+GD/gj/0PHxm/8SO8a/8Ay3o/4YP+CP8A0PHxm/8AEjvGv/y3oA9morxn/hg/4I/9Dx8Zv/EjvGv/AMt6P+GD/gj/ANDx8Zv/ABI7xr/8t6APZqK8Z/4YP+CP/Q8fGb/xI7xr/wDLeuR+Cf7AWjWHg29g+MvxL+MN3q7eLvEElnLD+0d4ywulPrF4+lx/u9VUZTT2tEORuyp3FmyxAPpSivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9morxn/hg/wCCP/Q8fGb/AMSO8a//AC3o/wCGD/gj/wBDx8Zv/EjvGv8A8t6APZqK8Z/4YP8Agj/0PHxm/wDEjvGv/wAt6P8Ahg/4I/8AQ8fGb/xI7xr/APLegD2aivGf+GD/AII/9Dx8Zv8AxI7xr/8ALej/AIYP+CP/AEPHxm/8SO8a/wDy3oA9mor5r+JH7AWjXXjL4fz/AA7+Jfxhg0i28XTSePIpP2jvGWbnSjo+pJHGu7VScjUH05/kKtiM87dyt13/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV4z/wwf8ABH/oePjN/wCJHeNf/lvR/wAMH/BH/oePjN/4kd41/wDlvQB7NRXjP/DB/wAEf+h4+M3/AIkd41/+W9H/AAwf8Ef+h4+M3/iR3jX/AOW9AHs1FeM/8MH/AAR/6Hj4zf8AiR3jX/5b0f8ADB/wR/6Hj4zf+JHeNf8A5b0AezUV81/Df9gLRrXxl8QJ/iJ8S/jDPpFz4uhk8BxR/tHeMs22lDR9NSSNtuqg5OoJqL/OWbEg527VXrv+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//Lej/hg/4I/9Dx8Zv/EjvGv/AMt6APZqK8Z/4YP+CP8A0PHxm/8AEjvGv/y3o/4YP+CP/Q8fGb/xI7xr/wDLegD2aivGf+GD/gj/ANDx8Zv/ABI7xr/8t6P+GD/gj/0PHxm/8SO8a/8Ay3oA9morxn/hg/4I/wDQ8fGb/wASO8a//LeuR/aA/YC0bUvgP42074EfEv4w2Xji48I6lH4MvJ/2jvGWyDVWtZBaSN5mqsmFnMZO5WXA5BGRQB9KUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9H/DB/wAEf+h4+M3/AIkd41/+W9AHs1FeM/8ADB/wR/6Hj4zf+JHeNf8A5b0f8MH/AAR/6Hj4zf8AiR3jX/5b0AezUV4z/wAMH/BH/oePjN/4kd41/wDlvR/wwf8ABH/oePjN/wCJHeNf/lvQB7NRXjP/AAwf8Ef+h4+M3/iR3jX/AOW9cjo37AWjR/HjxJqOsfEv4wv4Hl8I6JH4dsx+0d4y3xaql1qp1GQ41XfhoH0sDcxXMbbQp3lgD6Uorxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t6P+GD/AII/9Dx8Zv8AxI7xr/8ALegD2aivGf8Ahg/4I/8AQ8fGb/xI7xr/APLej/hg/wCCP/Q8fGb/AMSO8a//AC3oA9morxn/AIYP+CP/AEPHxm/8SO8a/wDy3o/4YP8Agj/0PHxm/wDEjvGv/wAt6APZqK8Z/wCGD/gj/wBDx8Zv/EjvGv8A8t65H9n/APYC0bTfgP4J0747/Ev4w3vji38I6bH4zvIP2jvGWyfVVtYxdyL5eqqmGnEhG1VXB4AGBQB9KUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezUV4z/wwf8Ef+h4+M3/iR3jX/wCW9H/DB/wR/wCh4+M3/iR3jX/5b0AezV4z+wf/AMkQ1z/ss3xH/wDU11uj/hg/4I/9Dx8Zv/EjvGv/AMt6774N/BvwB8A/AEHwy+GVhf2+k29/fXoGqa5ealcy3N5eTXt1NLdXsss8zyXFxNIWkdjl8DAAAAOoooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvy0i/Zk+Gv7cXwj/bD/bB+OAvbj4m+D/ih440D4XeM49VnhvPAVr4cjNvpx0xkcCzPn27XchQDzmnbzN6nFfqXXxx8YP+CWfxM8U638V/CfwO/bNv/h98Mvjrqk2o/FHwVB4Kgv71rq6to7XUpdK1F50OnG8hiUSb4bnbIzyR+WzcAHu37D/xb8T/AB//AGLPhB8d/GqqNZ8bfC7w/r2rhIwgF1eadBcS4UcKN8jcdq+I/wDgoF+x9+yp8EPHfw4+HX7Dfw2k0j9qfxv8SNL1fwt4p0bWLubWLTS7fU4Z9a1TVrmSV5JNLFp9pgeKctHI9xHFGhbAX7msPgr458G+Ovh5bfCT4sxeGvhn4J8L3ej6l8NYfDUFwmr/ALq3i0+Rb52860FokMgEaAiXzvnI2DPzF8FP+Can7fHwM+Onj39oLRP+Chfw71zxN8RddF1r2v8Air9nm5u9STTo2/0bSIJ08RRpBaQISscccSruZpGDOxNAHV/8FNf2cf2YfE1lF8c/il/wTG8Q/tGeJV0ptLtbXwxHZS3emW8QlmRlF5fW/kZeVwJLVZLjcw+U7Vx8tfDnUdd+Of7E37Bn7HXxA+PF5448L/Fzxtqdv8SNattUvlfVtO0fTdX1EeHrma4WK5dI57W3spxKsckn2F1dRudT92/Hr4Lftz+M/Htzrf7Pf7ceheBfD13YRwtoOtfCCHXJrOZQQ09tc/brbazZB2zRzqCOBg4rz64/4JO+BPDn7I/w5/Z1+D/xn8QeH/FPwn8ZN4x8FfE2+tIL++XxBNPdzXt1dwERx3MN0b+9Sa3BjUpPtUoUQgA5r9jLwJ4W/ZD/AOCn/wAW/wBiX4G6Z/ZHwx1H4ReGfH+ieELWVzYeHNSn1DVNNvI7OIki3juFs7eZolwgdWZQNzZ+168I/ZK/Y38VfAz4leO/2iPjn8bv+FjfE74iJp1prXiO38Npo9jZaZYJKLPT7KyE05giVri4lYtNI8kkzMzcKB7vQAUUUUAfMH/BZn4r/EP4Nf8ABNj4keLPhT4ru9B16/8A7H8P2eu6fJsuNNXVtYsdLluonHMckcV5I6uOVZQwIIzXkUv7NPwY/wCCcn/BSX9mjwp+x94R/wCEP0L4u2vivwx8RNCsb2Z7fXPsOjNqlnqVykjsJL2KW0kQ3R/eut26uzAgV9e/tT/s3/Dz9r39njxd+zT8VRdroXjDR5LG8uNPm8u5tWJDxXMLkELNFKscqMQQHjUkEcV5F8Ef2D/jRpv7Q/hj9pX9sH9rgfFjXPh94bvtH+HlvY+BIdAttN+2iJLzULlI7mc3d9LFBHF5gMUSI0gSFTISAD2X9oD9nP4O/tSeAR8Lfjr4UfXfDrX8V3caQdRuLeG6ePOxJhBIhmiycmJyY2wNykDFfH//AATO8DfDKz/bk+N+rfsM6AdC/Zr07w9pnhxbDS7iQaBqvja2ubr+0rvR4ixSOKG3a2tZ5IAscs8ZxvMTNXrX7SX7Gf7Yn7QX7Ivjb9m2D/goPNoeu+L/ABffXEXjm1+HMKS6d4anuWdNBSG1vLdjsgK2xvRKkzoGb5WbK7H7Iv7L37Uv7OXgYfCLxV+0X8OLvwdpPhb+yfBeh/D34KSeHToUqhVimDT6xfJOqKG/dtGNzHcznkMAfGXxw+Bn7Pn7Lv7ePwI8K/s3fsX+Iv2fXi+NOn2Wp/Hmd0j0jxlZvBKG0AyWd1czXcmoOyQodTS3AdCVcybFe/8AtjfsJ+JtE/bY+Pn7bnxd/wCCVHw1/aM8C61pfh650t/EHimzj1zTbTTNJ8u++w2VxZTJO7tkiN57cuYABu3LX0dqv/BPr9qD44eL/A7/ALaP7dNn468I+AfGen+K9N8LeFfhXB4efVdUsJRNYyahc/bbozRxTBZTFBHbq7Iu75RtO9+0d+yj+3b8bdV8WeFPBn/BRKx8H/D/AMWwtayaLa/CC2uda0qzkgWKeGz1Nr1I0Zv3jLLLayvGZOD8q4APY/2cfij8L/jf+z94I+MXwSwPB/ifwpp+p+F0FuIfLsJrdJIEMY/1ZWNlUp/CQR2rtK5T4FfBjwH+zl8FfCfwB+F2nyWvhvwV4cs9E0O3ml8yRLW2hWGPe/8AG+1AWY8sST3rq6ACiiigD4d/aQ+FXgH9tb/grnpv7Jv7Svh2PxR8NPAv7PS+M7TwRqUjHTdR1vUNbnsBd3MAIW5a3t7FliEgZY2u3YAMQa6j/gj9qut6P8PfjP8As73Gv6hqOhfBv9oXxD4N8Ey6pfSXU9voiQWV/a2hmlLSSrbjUGtkLsWEcCLn5a7n9p39i/x/8Tvjv4a/aw/Zq/aAi+GnxL8P+Grzw1d6rqPhJdd03WdEuJo7g2l1Zm4tmLRXESywyxzIyM0gYOrlap/C39hn4jfAD9lq++DXwF/amv8ARfH/AIh8ct4t8ZfFfVfCVnqNxrWpXWpR3eps1i5WCJbiFXtIwp/0eIxldzRgkA47/gpZ+zf/AMEyfDvgfxV+2J+2/wDBuDxLqA06HTdMknvbu41Ke7K+TZ2GiwrL+4vppCFj+yqkjSNuZsKWHLeD/i3+19+zB/wTP+Bf7OHxA8R/2l+1D8RvD9p4Y0OTXLgXkmnXxgMt1ql+5P79NMs8yzuSRNNEke4tcKT0v7U3/BO39qn47ftt+H/2vvA37Z3hHS7DwVo/2bwD4D8bfBybX7Lw/fyLtudViaLWbISXki5jWWSNjFGSqEZZm9T8b/sLfBz9qD4beFfD3/BQz4Z/Dv4z+I/DK3Ri1u/8Ara2aSTuu97aznuLprbckcCsPOfcYg2RkKAD8+P2edf1X/gnZ/wSX/b8u/2f/FOoy6v8OfjJ4yh8Pa/qF6bm/N3/AGPpES6lLI2TJP5rm4ZjwXycY4r2Dxp+yT8Hv+CZPx9/ZN+IP7LWm3Glan44+JS/D34oXMepTyv44tb3QdRujf6kXdvtV1Fd2EVwtw2XBd13bGK16f8Asz/8ER/2Nv2dfAfx5+Gtp8PfDk+k/HXV9Xiv10TwzHpk2k+Hb61hhXQ4pEkctFC0csqSDYA82RGpXJ1fgr/wTj+MWh/Fr4a/ED9qb9sy6+KemfBa0uU+GGif8IPBpDxXcto1iNR1OdLiX+0btLR5YkdEt0BmeTyy5BAB9ZUUUUAFeX/tu/FvxN8Af2L/AIvfHfwWqtrPgr4X6/r2kq8YcG5s9OnuIsqeGG+NeD1r1Csvxt4M8M/EbwZq/wAPfGukx3+ja9pdxp2rWE2dlzbTxtFLG2OcMjMp+tAH5jv+zL8Nv2IPg/8AseftifBH7bb/ABP8YfFDwNoPxR8aSarPNeePLbxGgt9S/tNnci8/fXC3cZcHyWgXy9ijFfpT8XPhR4I+Ofw31b4S/EmwurvQdcthb6pa2ep3FnJNFuDFPOt3SVA23B2sCQSOhNfLfwg/4JY/EvwrrXwo8IfG/wDbNv8A4gfDD4FapDqPwv8ABM/gqCxvRc2ttJa6bJquopO/9omzhlby9kNtukVJJPMZefXfiZ8CP2s/GXhH4x+HPCP7bDeH7nx0kEXww1GP4f2sr/DyMWkUM+zbNG2pPJKs06yTMhiaUKMqgyAfMH7O3wW+Bfw4/wCCutv4H/4JueBYfCngb4feANVsP2jV8MzSR6Be6zcvaPo+nmLcYpNWgC3U8sqjzI4p1SR8yBK8f/bt8ZXv7Z/x6+B/7YsfiGRfhn4H/a/8FeEfg/ZR3W2HW511jZrHiJ1BxJE00AsrRjkCK3uJl+W6Uj67/wCCfX7Cn7Uv7Dvh3w/8I739qP4ca/8AD3R4bhr/AEXRPgpd6VqurXsqsz31xqU2vXZkuJJ286WR4XaUkjK5BHG/tHf8G/X/AATb+NMPhH/hAP2XPhn4Hn0D4i6T4i1240/4fW0za9p9rOZLnSZdrx7YrlTsdzvAHJjfpQByv/BRX9gT4l/Hb/goFpf7UQ/4J+/DH9oXwbpfwSXw7H4a+InjC30zyNT/ALWluzNaiayuleQQkIN4iQ+cf3owa+nP+CdHxi+BPxy/Y58HeNf2cPhY3gTwtbw3Wkw+BJLCK1fw5d2V1LaXenNFESiGG4hlT5flYAMOGFUfjN+zx+2bf65bWP7Jn7aHhv4Y+ELbw/baZa+FdR+DkGt/2eYQyia0n+3W3lnYY1EcqTRr5QwuCQer/Y0/ZS8EfsVfs7aH+zz4E17VNYg0uW7u9R17XJVe91fULy6lu7y9nZFVd8txPK+AAFDBRwooA9RooooAK+Mf+Cj+gad+0B+2t+zF+xD8SxNefDbxxN4w8R+OPDguXit/EB0WwtPsdjdbCDNbefqHntASUkNqm4MBivs6vEv2xf2P9S/aT1LwH8T/AIZ/FubwB8Sfhfr0+qeB/GC6KmpwQi5tntbyzurN5Ixc2s8D4dFkicNHG6yKU5APHv8AgnD4f039n79tj9pz9iL4ZLNZ/DbwRJ4P8SeB/DZuXlt/D51qxu/tlja7yTDbedp/nrApCRtdPtCg4r079uT9mT/gn54+8OXf7SX7fPgfw/qvh/wJ4eme4vvGV7M+maZahjI832Uv5JmJwFk8szE7UQ5IBzvg5+wz8VfhB8O/jB4isv2qZbv44/GNmudW+L7eCrcQaVdw2Is9N+y6Q8rxfZbNFVkt5ZZDIzSmSRvMOOS/bf8A+Cdf7TP7X3ij4TavaftneHbHSPhqsWoap4R8W/CRtY0rxP4giUCLVrqC31WyB8pgZIrZi8SSHfhiq7QD598P/sfftR/tRf8ABBnxh+zvo/gfUZp/G/js6r8JfBHxK1p0vNM8FjxTa3+nadqE9x5joU06EnY5kdI2SIgsuwd7+yF4y+Cn7HHxY+JvwJg/4Jg+BP2fPijb/Ce58b6enw91G21PSvGGjWUjRNsvIbS0l8yC5ljV4JYUYC4V1LKc19NH4S/tx33wDuPBuqftmeFbb4inWlubLx1onwfEOnpZqUP2SXS7jU7gybsOGlW5jbDjbtK5blv2ff2EfiD4X/aO1f8Aa7/a1/aNi+Knjy98Et4P0ZdO8Fx6Doui6LJcpc3EEFl9ouXeSeaOJpJpZ3JWJEUKowQD4XsPgd4R+Av/AAS2+Av/AAVw8KXd7N8fdV1z4feLPG3xCbUpm1DxYviPVtPg1LSrxt+JrQw6pJGlvjZCIIzGEKZr9eq+KPh9/wAEivGHhXTfAfwD8V/tg3+v/AL4X+MbXxD4J+F03g2GK/DWVwbnTbC+1b7QxvLK0m8tkiFvG7CCJZJHCnP2vQAUUUUAFflpF+zJ8Nf24vhH+2H+2D8cBe3HxN8H/FDxxoHwu8Zx6rPDeeArXw5GbfTjpjI4FmfPt2u5CgHnNO3mb1OK/Uuvjj4wf8Es/iZ4p1v4r+E/gd+2bf8Aw++GXx11SbUfij4Kg8FQX9611dW0drqUulai86HTjeQxKJN8NztkZ5I/LZuAD3b9h/4t+J/j/wDsWfCD47+NVUaz42+F3h/XtXCRhALq806C4lwo4Ub5G47V8R/8FAv2Pv2VPgh47+HHw6/Yb+G0mkftT+N/iRper+FvFOjaxdzaxaaXb6nDPrWqatcySvJJpYtPtMDxTlo5HuI4o0LYC/c1h8FfHPg3x18PLb4SfFmLw18M/BPhe70fUvhrD4aguE1f91bxafIt87edaC0SGQCNARL53zkbBn5i+Cn/AATU/b4+Bnx08e/tBaJ/wUL+HeueJviLroute1/xV+zzc3epJp0bf6NpEE6eIo0gtIEJWOOOJV3M0jBnYmgDlP8Agoh+wB8TPjX/AMFDov2qZf8Agnf8Mf2h/B1j8DrTw3B4d+IXjG20yS21OPV727kktFnsrpHk8mWNB5nkofNx5owaofHr4T+FP+Cov/BMn4AXn7Ev7Knhq98G+HfixpOq6j8HPG1zDo1haWOjvf2d/o1yFhnSMJcI1sQkUoP3grLX1V+0H8Ev27PHXjq61f8AZ1/br0L4f+H7zTY7dtE1f4PQa7PZzDcHuba5N9b7XYFTtmjnQFfu4JFYHgf9hf4pfs0/sn+CP2Zv2I/2oj4MuPCd9c3WqeI/GfguHxI3iOW6luLm7ku4hPasskt3cPcFoZY9p+UDbxQByP8AwS38RfAvwT4v+J/7JvhP9gzw3+zt4/8ABdzpmp+MvB3hG4tbrTNWtb6KUWWp2t5bwwfao2FvNG2+GOSNoirKMivsGvAv2Qf2KvEf7P8A8S/H37RXxs+O1z8Svif8SV0628Q+Jf8AhH4tIsbTT9PSVbOwsbGOSX7PChuJ3YtLK8jyFmY4GPfaACiiigD5g/4LM/Ff4h/Br/gmx8SPFnwp8V3eg69f/wBj+H7PXdPk2XGmrq2sWOly3UTjmOSOK8kdXHKsoYEEZryKX9mn4Mf8E5P+Ckv7NHhT9j7wj/wh+hfF218V+GPiJoVjezPb659h0ZtUs9SuUkdhJexS2kiG6P711u3V2YECvr39qf8AZv8Ah5+17+zx4u/Zp+Kou10Lxho8ljeXGnzeXc2rEh4rmFyCFmilWOVGIIDxqSCOK8i+CP7B/wAaNN/aH8MftK/tg/tcD4sa58PvDd9o/wAPLex8CQ6Bbab9tESXmoXKR3M5u76WKCOLzAYokRpAkKmQkAHsv7QH7Ofwd/ak8Aj4W/HXwo+u+HWv4ru40g6jcW8N08ediTCCRDNFk5MTkxtgblIGK+I/2Gk+HPwn/ac/aP8Ai7+wf4RbTP2cPB3gK306HRtLuJBoOt+ONPe9l1G40eIkxxxR2/2a0nkhCxyzxnG8xM1e7ftJfsZ/tiftBfsi+Nv2bYP+Cg82h674v8X31xF45tfhzCkuneGp7lnTQUhtby3Y7ICtsb0SpM6Bm+Vmyu9+xp+y/wDtFfs4+Frf4R/E/wCNfwx8Q/D3SPDiaT4b8HeBvgvN4bTT1Uqo3SS6xfLLH5YdTH5almfcXPIYA/N79hP4j+Frb4JfBf8A4KZ/tqf8E7v+EgPjrxZpE2tftLa14/W58R6drOoagtvb3Y0wR/6HoqXkkVrDFDc8W4jZrbDEH6M8Ffsk/B7/AIKcftB/tY+PP2ptNuNV1HwP8ST8PfhhcS6lPE/ge1s9B066+36aUdfst1Ld38tw1wuHJjRd2xQtdj4T/wCCO3jLQ/BfhX9lbXf2yr/VP2c/BPjG017w/wDCt/BMEepPFZ341Cx0q61n7QxuLGC5SJggtkmZIURpiBmuy+NX/BOX4x638W/iV8Q/2WP2zLn4V6b8aLO2j+J+i/8ACDw6u8t1DaCx/tHTJnuIf7Ou3tEiid3S4QmGOTyw4JIB1f8AwSY+O3j79pr/AIJp/BH46fFPUJLzxJ4h+HenTa5fzD5726SMRSXLf7UrIZDjjLnHFfQ1cr8Dfgz4B/Z0+DHhT4B/CzS2svDfgzw9Z6Lodq8m90tbaFYo97fxuVQFmPLMSTya6qgAooooA+A4/wBmr4Mf8FG/+Ck/7S3hP9sHwh/wmGg/CKz8KeGPh5oN/ezJb6J9v0ddUvNStkjdRHeyS3UcYuh+9RbRFRlANeuf8EZvit8Q/jJ/wTa+HPir4q+LLvX9d09tZ8P3mu6hJvuNSXSdZvtLiupXPMkkkVnG7OeWZixyTUvxv/YQ+NGpftD+Jv2lv2Pf2tx8J9e+IHhux0b4h2994Eh1+21L7EJUs9Qt0kuYDa30UU8kQkJlidBGHhYxgnqPhh+xxrv7OHwT+D37PH7LHxvu/CPhX4aapbt4kg1HQLfVbnxhpqw3H2i1mmlKm1mnuplunuYhu3oyhQrnAB8w/wDBX/8AZP8A2H/h58HfFvxM0P4O3WoftI/FK8m074L6romt3Z8UT+LZkP2OTTpzNvs7e2cJcTeWY7eKCFy4wcNzv/BRvxt8efG37WH7NX/BPDxh8Ipvi2mufDXVvEfjjwhD4qOg6N4r1myS0gRtUu1jZl02EteXBhWKUSzPaq0LAceveJ/+Cb/7a0n7cfi39t/wT+3j4EOq6xYrpPg3T/G3wIuNYbwbow5awsZItftUXzXAeabylkmYKGO1VUemftK/sR/EL44eIvhd8evAn7Qlt4L+M/wus7u1sPHEHg1b3TNTgvreKLUbW50uS5VmtpnhilRFuRJC0a7ZW+bcAfKWvfBrQv2wf+CWX7Qn/BPP9lT9jbRPhH8RfDvjax0jxd8JG8QxSaRb3zT6XqAube7VFjazuLARyqywxkkODCG+96d/wTzj+BP7OX7XGufspah/wTG8B/s6fEjX/A58RaVf/DrU7XU9L8VaNbXccEyreRWdpIs0E08Ja3lhHyyh1Zhk16X8KP2C/jR8FPhd8QL/AMBftfyf8Ln+J/jODxL4x+K2p+A7a4triaGK3torOPSvOVYrNLS2jt0jE5lUFn84seLv7PX7DXxQ8J/tO3P7ZP7V37TSfE7x9B4Ok8LeGF0fwZH4f0fQNLmuY7m5EFoLm6keeaWGEvPJOx2xKihVyKAPpCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigDzP9sX9rT4O/sMfs0+Lf2qvjzq81p4Y8Iab9pvRaxh57qRnWOG2hUkBpZZXjiQEgbnG4qMkfLnw9+Mv/BwB+0L4Ls/jf4C+An7NXwu0PW7Vb3QvAHxP1PX9Q19LZxujF7cWPlwWsrIVJQRSNHnDqGBUc1/wdBaBrd5/wAExIvHEGk3F/oPgv4reGNf8aWdvEZDLpEN55c25B95Q8sTHsAuTwM1+gnhPxX4a8eeFtN8b+DNdtdU0fWLCG+0rUrGYSQ3dtKgkjljYcMjIysCOCCKAPiD9tv/AIKRftsfsif8E5/Df7TPjz9m7wl4P+J938T9L8LeIPCOrapLrWmJb3Govatd209tJbs6ywqk8W45TzArqxU1931+dn/BzPdWt3/wTp0Q2tzHJ5fxz8IJJ5bhtrDUBlTjoR6V+idAHyr+xZ+3H8Wf2jf2+P2q/wBlnxv4e8O2vh/4Ga94ZsvCV5pVpOl5dx6jp81zObt5JnSRleNQnlpEApOQx5Hy3+wx+3d/wXy/b2/ZBg/bN+DHhb9lC40661DVYLHwVqWi+I7LUb02N1LbtEtz/aEsEckhiOxmGzLDcVGSO/8A+CVv/KYz/gol/wBjh4C/9Mt1Xy3/AMEH/AP/AAWC+IP/AASt0Twv+yT8e/gT4F8B6j4h8SQadrmv+DNW1HxPprtqlys0yFbtbN2Ehdow0WANobJyaAP0y/4Jf/t8eGv+Clf7GXhf9q/QfBVx4ZudVkurHXvDV1cec+l6jazNBPCJNq+Ym5d6NtUlHXKq2VHG/wDBRr9v74xfs5fF34Q/scfsk/CXQfF3xk+ON/qkfhRfGOqy2eiaPZabbC5vL69eFWlkVYz8sUeGfa+DlVR+/wD+Cbv7B/w+/wCCbX7IHhf9kv4d+Jb3XYdC+0XGqeIdSiEc+q39xM01xcsgJEYZ3IVMttRUUsxBY8//AMFE/wDgmL8I/wDgohZeD/EOv/Ejxl8PvH3w41G4vvh78Svh9q/2PVdEmnVFmRWIIeKQRx70OCQgAZctkAzfgHq3/BZ/RfjT4e0j9q7wr+zjr3gDUWuE8Qa18MbrW7DU9HZbaV4XW31BpY7lGmWKI7ZFYCQttwpr3f4x/tB/AT9nbQYfFX7QPxv8IeBdLuJTFBqXjHxLa6ZbyOBkqslzIiscHoDmvze1j4q/8FTP+CRf7X/wH+Fv7SH7aen/ALR3wf8Ajj8RbbwNBJr3g630nxF4ev7oqsE6y2zN9pjVmDO8jP8AKrDbGWVq2f2SPgr8H/22P+C0n7X3jr9sjwHo3jjX/hFqHhvw18NPDHjCwjvrTw5olxYPcG5trWcMivcyDzDNtLAlgpAcggH6LfDL4ufCj41+E4/Hvwa+J3h7xboUsjRxa14Y1qC/tHdQCyiaB2QkZGRnjIrl/A37ZX7IHxP+Is3wg+Gn7Vnw28ReLbdnW48L6F450+71GIpneGtopmlXbg5yvGDmvi3/AILzeDPCH7EP/BGX4wWX7HngLRvhfYeLvEWkxeL7rwNo8WnRww399Y2F9dmO3VVDy2yR27sBllbnnmuR/wCC0v8AwT4/YK/Zf/4I3+Ivid+z38IPCXw/8QfB/TNI1j4XfEHwvp9vaataajDeWyW8i30SiWd7gsFdmZvMaQOcuFYAH6ReMvjb8GPhz4r0nwJ8Qvi74Y0HXNetL260LRtZ1+2tbvUYLOLzruWCGV1eZIIj5krICI1+ZiBzWb4E/af/AGafij8PdV+Lfwy/aH8DeIvCmhXUttrnifQvFtneafp08SJJLFPcxStHC6JJGzK7AqsikgBhn81/+CgHwj8Pftq/8FOv+Cb/AIP/AGmvCkd7ZeI/BXjPWPGPhy4jKwXk8WiafetaTx9HhNxGqyQsCroGRgQxFVP+C13w2/4RX9rP9kb9ib4AfsZeD/E/w68b+K/E/iXxF8HbTV7XwlovjTWNM061NnFe3CW7xMIU/e+VJG4n8qOIjhSoB+mPwY/al/Zk/aQN8P2eP2jPAnj3+zCBqX/CF+L7LVPshJwBL9mlfy8kH72Old3X5P2/7IH7evib9uj4CftJfCT/AIJDfDL9m9/AnjFLfx74m8B/F7TLoa14VuU8m9sLiytNPtBcBVKyxli5Ro8KoJBH6wUAfNPgz9sz4kfGj/gpd41/Y++Duj6CfA/wh8D2lz8T/Et/aTTXZ8Ral+807TbQpMkaLHapJPOzLIxLxxgRnLHE/wCCSn7ePxZ/bS+G/wARPB/7Tnhjw7oPxc+D/wAUNV8HeP8AR/C1tPBYs0Eha1vLeO4mmkWGaE8M0jbmikZcKQB5X/wQfaXU/H37bfiPxPk+JJv21/F9pemT/WCwt4rNbFOeTGqNIEPp0rnPjH4h0H/gmj/wXq0r48eJdVh0T4XftZ/DmfSvF2oXD+Xa2XivQIfOtrqZhwvmWP7lRjLPJI2Tg0Ae6eNv28Pi/rP/AAV/8H/8E5fgX4c8N3nhzSPhpe+M/jZr2p2dxNd6bDI4g0y0tHjnjjhneYo7iVJd0MoKhdpJzfh78VP+Cq/7Qn7Jfgb4m/s+fGD9kPVvF95qesR+Mda0r+2dd8LXMEV48VoumzWd6r+aiIVuPMdwJQyqF2kV5v8A8EAfDGvfHHwz8ZP+CsfxH0qaDXv2mfiPcah4djvE/fWXhPTWex0m2OeQQqTZIwHURNjoav8A/BsH/wAoYvhr/wBjB4q/9SLUaAPPPgj+2h/wXn+OP7bHxv8A2ItE1b9kWy1r4GweHJdb1m68F+KDa6iNYsDewiALqhceWg2tvA56ZFfoj8Aofj/b/CPR4f2pNS8HXfjxUm/4SC48AWV3b6Q7edJ5X2eO7kkmUeT5Qbe7ZcORgEAfEP8AwT5/5WAf+ChH/YP+Fn/qNtXvVh+1h+31c/tHt8K73/glN4itvAY8WyaavxSb4u+HGtzpi3DRpqv2AXH2vY0QE3kbPNAbaV3AigDL/Zb/AG4/iz8bv+CoP7Uv7FHivw94dt/CvwQtfBcnhTUNPtJ01C7Or6Sby5+1u8zRyBZBiPy448Lw28819U1+eH/BPn/lYB/4KEf9g/4Wf+o21fQn/BWj9qDVf2Pv+CdvxT+N3hR5T4lh8NtpXg2K25ml1vUHWxsBGo5dhc3ET4HOEbpjIAPOP2e/26f22f2s/wBlz4xftE/s1fBTwL4muNP+L2peG/gTpV/qU+mW2u6JYX0NjPql7dvJIGzIt9IqxJHlbdUwWbNVP+CT/wC3R+3B+0z+0F+0V+zX+3T4L+F+j+JPgnrXh+yg/wCFXR6gbWX+0bS4umEkt7M7TFFSFdyxxDdv4YbTX0B+wL+zBpf7F37Fnwx/ZZ0tIs+CfBtlp+oTQ/duL4Rh7ucf9dLhppPq9fKf/BLH/lL5/wAFDf8AsdvAv/pknoA+2P2g/j18Lf2Xfgl4n/aF+NfiaPSPC3hDSJdR1m/k5KxIOEReryOxVEQcu7qoyWAr48/4I7f8FLv2wf27Pj3+0H8Jv2tvgb4Y+H8nwxk8K3nhjw/pEF0NRtbHXLO8v4YNSkmnkSS6jt0tFfy44QshmBXoF8+/4Kt/HH4ia7/wUI+G/wAGPi9+xP8AH/x38AfhzY2/jbUl+E3wmvvEFt4v8UiVhp9ndvEFiFpZBTctEXYyTGIOhVQa80/4JLft36b44/4La/tevH+yb8dtK/4WzrXgRIBrnwvubY+E/sWhXaE67ub/AIlYn6wGTPmryKAPu34V/tmfEJf+CkfxE/YA+O2iaHZyJ4QsvG3wf1nR7aaE6zoLv9lvYLkSyyKby2vFwTHtDwyo3lptJb6Tr8+v+CgrzaT/AMF3P2BdQ8J5GqalY/Eyy11Yv+W2mJolvKolx0RZcsueC9foLQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAGf4t8JeFvH3hbUvA3jjw7ZaxousWMtlq2lalarPb3ltKhSSGWNwVdGVipUgggkGvjDSP+CE/wAFfh5aTeEv2df23f2oPhR4Kkmd4Ph38P8A4xyQaPZB2LOlstzBPPbKSScRTL14Ir7fooA+TvjP/wAEa/2S/i/+wnpv/BPaz17x34U8FaV4li8QW+reHvE/m60+pLdyXj3Ml5qEd0XkkuJZJHYrnLfLtAAHN+GP+CM+ueGfEuneJH/4K/8A7aupDT76G5Onap8YbGW2uvLcN5UyDTAXjbG1lBGVJGRX2rRQB4z8AP2HPhN+zl+0r8Z/2pvBHiHxFdeIPjnqWkXvi2z1W7geztJNOtZLaAWiRwo8askjF/MeUlgMFRwT9gf9hz4Tf8E6v2atL/ZZ+CfiHxFqnh/SdSv722vPFN3BPeNJd3UlzIGeCGFCoeRguEBCgZJPJ9mooAK8H/bF/wCCfPwx/bK8Q+GvHmufF74oeAPFXhGC6t9B8WfCrx5caJfQwXLRNNC+wNFOjGCP5ZI2HBx1OfeKKAPkf4Jf8Ebf2ffhl+0DoP7Ufxd+Ofxi+N3jfwisv/CF6t8afHf9rR+HXkG2SWztoYYII5CP4zGxBAYEMoYbv7Vn/BKf4A/tQ/G20/ae0b4lfEn4T/E+30kaVdfEL4O+Lv7G1HUtPB3La3YaKWC6jU4x5kTMNqjdhVA+m6KAPCvhj/wT4+DXg79mjxb+yr8VPGnjr4veHPHlzczeL7z4v+LJdav9RE8EMDR+cQnkxqkEflpCsYjYF02sS1eI+F/+CBf7Kthd+F9C+Jv7Qfx2+JPgHwVqMF74U+EXxF+Jbah4Y0+S3/49l+yiBJJ44RgRxzyyIFG0gqSp+46KAPH/AIs/sU/Cv4x/tdfCT9tDxPr/AIgg8U/Bmz1628L2FhdQLp90mr2qWtybpHhaRyqIDH5ckeGyW3jipf2yP2Iv2e/27fhna/DH9oDw3eTx6VqsWq+G9d0TU5bDVdB1GLPlXtldwkSW8y5PIOCDhgw4r1uigD5U+CP/AASl8PfCP4p6D8VfF/7d37TPxLl8NXf2rRtD+I/xbe70yOYIyLJLbW0Futyyhjjz/M555NfVdFFAHyZ8F/2WvjH+zL/wVQ+KHxc+Hng4ah8Ifj54ZsdZ8UXkOoW8Z8NeLtNUW2TbySLLJDfWrhi8SyFZrc7wisGPX/8ABSr/AIJpfs8f8FUf2fbf9nT9o6/8Rafplj4gt9a03V/Cd5Bb6hZXcSSRho5J4JkCtHNKjAoch+MEAj6EooA5j4J/CDwN+z78HfCvwK+GWmGz8O+DvD1nouiWzEFo7W2hWGMMQBubagJbAyST3rhv2Ef2KfhX/wAE9f2ZND/ZS+C+v+INT8O6Beahc2d74ouoJr13vL2a8lDvBDDGQJJ3C4QYUKDk5J9gooA8Z+Dv7Dnwm+CP7YHxj/bX8KeIfEVx4q+N8OgR+K9P1C7gfT7QaRZGztvsiJCskZaM5k8ySTLcrsHFezUUUAfFfxq/4Ik/DX4rftb/ABC/bO8D/tz/ALSHwr8VfE9dKXxbafCnx7Y6VY3I06xisrYbG0+WQ7Y4y3zyN88shG0NtHPan/wRa8anx98NIdZ/4KAfGP4neCPDPxV0rxx4r0X43eLI9anluNIgvDp1vYGC1gWGN7q6WW4Em8SC1gwAU5+9aKAON/aB+EE/x8+D2ufCK2+LXjLwK+tQRxL4s+H2rpYaxp22VJN9tO8cqxsdmwko2Udh3yPjP4S/8G/Xw8+Cvxf1j45eBv8Agpr+13D4h8T6tY6h4xun+KOnD/hI5LQbYFvimlq1wgjzHgtnYzAEZr7+ooAK8b+Bn7EPwo/Z/wD2pfjR+1x4N8QeIbnxJ8dLjQpvFtlqd3A9jaNpNnJaWws0SFJIw0cjGTzJJcsAV2Dg+yUUAfJnw/8A2WfjH8S/+CtPjD9uf46+Dho/hjwB4Cg8DfBGxl1C3uH1Bblxd6rrbJDI5ty7lLSNJNshjidmRMrn6zoooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/9k= + + + + + + + Who are the intended users of the model? + + + Who are the intended users of the model? + + + What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance? + + + What are the known tradeoffs in accuracy/performance of the model? + + + + The name of the risk + Strategy used to address this risk + + + + + The groups or individuals at risk of being systematically disadvantaged by the model + Expected benefits to the identified groups + Expected harms to the identified groups + With respect to the benefits and harms outlined, please describe any mitigation strategy implemented. + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.json b/tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.json new file mode 100644 index 000000000..be3f09daa --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.json @@ -0,0 +1,66 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:ed5c5ba0-2be6-4b58-ac29-01a7fd375123", + "version": 1, + "components": [ + { + "bom-ref": "huggingface.co-meta-llama-Llama-2-7b", + "group": "meta-llama", + "name": "Llama-2-7b", + "type": "machine-learning-model", + "supplier": { + "name": "Hugging Face" + }, + "publisher": "meta", + "externalReferences": [ + { + "type": "distribution", + "url": "https://huggingface.co/meta-llama/Llama-2-7b" + } + ], + "modelCard": { + "considerations": { + "environmentalConsiderations": { + "energyConsumptions": [ + { + "activity": "training", + "energyProviders": [ + { + "description": "Meta data-center, US-East", + "organization": { + "name": "Meta", + "address": { + "country": "United States", + "region": "New Jersey", + "locality": "Newark" + } + }, + "energySource": "natural-gas", + "energyProvided": { + "value": 0.4, + "unit": "kWh" + } + } + ], + "activityEnergyCost": { + "value": 0.4, + "unit": "kWh" + }, + "co2CostEquivalent": { + "value": 31.22, + "unit": "tCO2eq" + }, + "co2CostOffset": { + "value": 31.22, + "unit": "tCO2eq" + } + } + ] + } + } + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.xml b/tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.xml new file mode 100644 index 000000000..11d19e199 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-machine-learning-considerations-env-1.7.xml @@ -0,0 +1,60 @@ + + + + + + Hugging Face + + meta + meta-llama + Llama-2-7b + + + https://huggingface.co/meta-llama/Llama-2-7b + + + + + + + + training + + Meta data-center, US-East + + Meta +
+ United States + New Jersey + Newark +
+ + natural-gas + + 0.4 + kWh + + + + 0.4 + kWh + + + 31.22 + tCO2eq + + + 31.22 + tCO2eq + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.json new file mode 100644 index 000000000..76234ebb8 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.json @@ -0,0 +1,17 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "authors": [ + { + "name": "Samantha Wright", + "email": "samantha.wright@example.com", + "phone": "800-555-1212" + } + ] + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.xml new file mode 100644 index 000000000..b6e65ebe7 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-author-1.7.xml @@ -0,0 +1,16 @@ + + + + + + Samantha Wright + samantha.wright@example.com + 800-555-1212 + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.json new file mode 100644 index 000000000..1fd187c1e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.json @@ -0,0 +1,13 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "distributionConstraints": { + "tlp": "RED" + } + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.xml new file mode 100644 index 000000000..70bb7c30c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-distribution-1.7.xml @@ -0,0 +1,12 @@ + + + + + RED + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.json new file mode 100644 index 000000000..dfe45aba0 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.json @@ -0,0 +1,25 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "name": "My License", + "text": { + "content": "My License Text" + } + } + } + ] + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.xml new file mode 100644 index 000000000..a5392b8f4 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-license-1.7.xml @@ -0,0 +1,18 @@ + + + + + + Apache-2.0 + + + My License + My License Text + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.json new file mode 100644 index 000000000..67da3e592 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.json @@ -0,0 +1,22 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "lifecycles": [ + { + "phase": "build" + }, + { + "phase": "post-build" + }, + { + "name": "platform-integration-testing", + "description": "Integration testing specific to the runtime platform" + } + ] + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.xml new file mode 100644 index 000000000..ae3876d58 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-lifecycle-1.7.xml @@ -0,0 +1,21 @@ + + + + + + build + + + post-build + + + platform-integration-testing + Integration testing specific to the runtime platform + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.json new file mode 100644 index 000000000..968db72d8 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.json @@ -0,0 +1,24 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "manufacture": { + "bom-ref": "manufacturer-1", + "name": "Acme, Inc. // deprecated", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.xml new file mode 100644 index 000000000..d022c4669 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-manufacture-1.7.xml @@ -0,0 +1,17 @@ + + + + + Acme, Inc. // deprecated + https://example.com + + Acme Professional Services + professional.services@example.com + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.json new file mode 100644 index 000000000..03f49903f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.json @@ -0,0 +1,24 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "manufacturer-1", + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Professional Services", + "email": "professional.services@example.com" + } + ] + } + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.xml new file mode 100644 index 000000000..73ba9dd15 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-manufacturer-1.7.xml @@ -0,0 +1,17 @@ + + + + + Acme, Inc. + https://example.com + + Acme Professional Services + professional.services@example.com + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.json new file mode 100644 index 000000000..69eb99e79 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.json @@ -0,0 +1,24 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "supplier": { + "bom-ref": "supplier-1", + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ], + "contact": [ + { + "bom-ref": "contact-1", + "name": "Acme Distribution", + "email": "distribution@example.com" + } + ] + } + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.xml new file mode 100644 index 000000000..f0807546c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-supplier-1.7.xml @@ -0,0 +1,17 @@ + + + + + Acme, Inc. + https://example.com + + Acme Distribution + distribution@example.com + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.json new file mode 100644 index 000000000..0e5fa00d8 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.json @@ -0,0 +1,11 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2020-04-13T20:20:39+00:00" + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.xml new file mode 100644 index 000000000..e7ff46269 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-timestamp-1.7.xml @@ -0,0 +1,10 @@ + + + + 2020-04-13T20:20:39Z + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.json new file mode 100644 index 000000000..5e57be3f2 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.json @@ -0,0 +1,48 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "tools": { + "components": [ + { + "type": "application", + "group": "Awesome Vendor", + "name": "Awesome Tool", + "version": "9.1.2", + "hashes": [ + { + "alg": "SHA-1", + "content": "25ed8e31b995bb927966616df2a42b979a2717f0" + }, + { + "alg": "SHA-256", + "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + ] + } + ], + "services": [ + { + "provider": { + "name": "Acme Org", + "url": [ + "https://example.com" + ] + }, + "group": "com.example", + "name": "Acme Signing Server", + "description": "Signs artifacts", + "endpoints": [ + "https://example.com/sign", + "https://example.com/verify", + "https://example.com/tsa" + ] + } + ] + } + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.xml new file mode 100644 index 000000000..c633e3f3a --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-tool-1.7.xml @@ -0,0 +1,38 @@ + + + + + + + Awesome Vendor + Awesome Tool + 9.1.2 + + 25ed8e31b995bb927966616df2a42b979a2717f0 + a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df + + + + + + + Acme Org + https://example.com + + com.example + Acme Signing Server + Signs artifacts + + https://example.com/sign + https://example.com/verify + https://example.com/tsa + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.json b/tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.json new file mode 100644 index 000000000..268b8b3d9 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.json @@ -0,0 +1,27 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "tools": [ + { + "vendor": "Awesome Vendor", + "name": "Awesome Tool", + "version": "9.1.2", + "hashes": [ + { + "alg": "SHA-1", + "content": "25ed8e31b995bb927966616df2a42b979a2717f0" + }, + { + "alg": "SHA-256", + "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df" + } + ] + } + ] + }, + "components": [] +} diff --git a/tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.xml b/tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.xml new file mode 100644 index 000000000..926776738 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-metadata-tool-deprecated-1.7.xml @@ -0,0 +1,20 @@ + + + + + + Awesome Vendor + Awesome Tool + 9.1.2 + + 25ed8e31b995bb927966616df2a42b979a2717f0 + a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.json b/tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.json new file mode 100644 index 000000000..b96c70f7e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.json @@ -0,0 +1,13 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-library" + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.xml b/tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.xml new file mode 100644 index 000000000..dd5635593 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-minimal-viable-1.7.xml @@ -0,0 +1,11 @@ + + + + + acme-library + + + diff --git a/tests/_data/schemaTestData/1.7/valid-patch-1.7.json b/tests/_data/schemaTestData/1.7/valid-patch-1.7.json new file mode 100644 index 000000000..e02cc0314 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-patch-1.7.json @@ -0,0 +1,89 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "group": "com.acme", + "name": "sample-library", + "version": "1.0.0", + "pedigree": { + "ancestors": [ + { + "type": "library", + "group": "org.example", + "name": "sample-library", + "version": "1.0.0" + } + ], + "patches": [ + { + "type": "unofficial", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.acme.org/17240" + } + } + ] + }, + { + "type": "backport", + "diff": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "blah" + }, + "url": "uri/to/changes.diff" + }, + "resolves": [ + { + "type": "security", + "id": "CVE-2019-9997", + "name": "CVE-2019-9997", + "description": "blah blah", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + }, + { + "type": "defect", + "id": "JIRA-874319", + "description": "Enable to do something", + "source": { + "name": "Example Org", + "url": "https://issues.example.org/874319" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + } + ] + } + ] + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-patch-1.7.xml b/tests/_data/schemaTestData/1.7/valid-patch-1.7.xml new file mode 100644 index 000000000..9723e1545 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-patch-1.7.xml @@ -0,0 +1,73 @@ + + + + + com.acme + sample-library + 1.0.0 + + + + org.example + sample-library + 1.0.0 + + + + + + blah + uri/to/changes.diff + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.acme.org/17240 + + + + + + + blah + uri/to/changes.diff + + + + CVE-2019-9997 + CVE-2019-9997 + blah blah + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + http://some/other/site-1 + http://some/other/site-2 + + + + JIRA-874319 + Enable to do something + + Example Org + https://issues.example.org/874319 + + + http://some/other/site-1 + http://some/other/site-2 + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-patent-1.7.json b/tests/_data/schemaTestData/1.7/valid-patent-1.7.json new file mode 100644 index 000000000..97c89a1eb --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-patent-1.7.json @@ -0,0 +1,157 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:123e4567-e89b-12d3-a456-426614174000", + "version": 1, + "components": [ + { + "bom-ref": "component-1", + "type": "library", + "manufacturer": { + "bom-ref": "org-acme-inc", + "name": "Acme Inc", + "url": ["https://example.com"] + }, + "name": "High-Efficiency Processor", + "version": "1.0", + "patentAssertions": [ + { + "bom-ref": "patent-assertion-1", + "assertionType": "ownership", + "asserter": "org-acme-inc", + "patentRefs": ["patent-1"], + "notes": "Covers the core processing architecture for advanced computation." + }, + { + "bom-ref": "patent-assertion-2", + "assertionType": "license", + "asserter": "org-acme-inc", + "patentRefs": ["patent-3"], + "notes": "Licensed for use in North America." + } + ] + } + ], + "services": [ + { + "bom-ref": "service-1", + "name": "Data Analysis Service", + "patentAssertions": [ + { + "bom-ref": "patent-assertion-3", + "assertionType": "exclusive-rights", + "asserter": { + "name": "Partner Company", + "contact": [ + { + "name": "Sam Smith", + "phone": "800-555-1212" + } + ] + }, + "patentRefs": ["patent-2"], + "notes": "Exclusive rights for machine learning integration." + } + ] + } + ], + "definitions": { + "patents": [ + { + "bom-ref": "patent-1", + "patentNumber": "US1234567890", + "applicationNumber": "12345", + "jurisdiction": "US", + "publicationNumber": "US-12345", + "title": "Efficient Data Processing Algorithm", + "abstract": "A novel system and method for improving data processing efficiency.", + "filingDate": "2021-01-15", + "grantDate": "2022-06-01", + "patentExpirationDate": "2042-01-15", + "patentLegalStatus": "in-force", + "patentAssignee": [ + { + "name": "Tech Innovators Inc.", + "url": ["https://techinnovators.com"] + } + ], + "externalReferences": [ + { + "type": "patent", + "url": "https://uspto.gov/patent/US12345678B1", + "comment": "Official USPTO page for the patent." + } + ] + }, + { + "bom-ref": "patent-2", + "patentNumber": "EU1234567890", + "applicationNumber": "12345", + "jurisdiction": "EU", + "priorityApplication": { + "applicationNumber": "US1234567890", + "jurisdiction": "US", + "filingDate": "2021-01-15" + }, + "publicationNumber": "EU-12345", + "title": "Efficient Data Processing Algorithm", + "abstract": "A novel system and method for improving data processing efficiency.", + "filingDate": "2021-01-15", + "grantDate": "2022-06-01", + "patentExpirationDate": "2042-01-15", + "patentLegalStatus": "in-force", + "patentAssignee": [ + { + "name": "Tech Innovators Inc.", + "url": ["https://techinnovators.com"] + } + ] + }, + { + "bom-ref": "patent-3", + "patentNumber": "EP987654321A1", + "jurisdiction": "EP", + "title": "Data Processing Optimisation", + "abstract": "An optimised approach to data processing for scalable systems.", + "filingDate": "2021-02-10", + "grantDate": "2023-03-15", + "patentExpirationDate": "2043-02-10", + "patentLegalStatus": "in-force", + "patentAssignee": [ + { + "name": "Jane Smith", + "email": "jane.smith@techinnovators.com" + } + ], + "externalReferences": [ + { + "type": "patent", + "url": "https://euipo.europa.eu/ep987654321A1", + "comment": "Official EUIPO page for the patent." + } + ] + }, + { + "bom-ref": "patent-family-1", + "familyId": "PF-2023001", + "priorityApplication": { + "applicationNumber": "12345", + "jurisdiction": "US", + "filingDate": "2021-01-15" + }, + "members": [ + "patent-1", + "patent-2" + ], + "externalReferences": [ + { + "type": "patent-family", + "url": "https://uspto.gov/patent-family-5678", + "comment": "Official record of the patent family." + } + ] + } + ] + } +} diff --git a/tests/_data/schemaTestData/1.7/valid-patent-1.7.xml b/tests/_data/schemaTestData/1.7/valid-patent-1.7.xml new file mode 100644 index 000000000..d07d64fa6 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-patent-1.7.xml @@ -0,0 +1,157 @@ + + + + + + Acme Inc + https://example.com + + High-Efficiency Processor + 1.0 + + + ownership + + patent-1 + + + org-acme-inc + + Covers the core processing architecture for advanced computation. + + + license + + patent-3 + + + org-acme-inc + + Licensed for use in North America. + + + + + + + + Data Analysis Service + + + exclusive-rights + + patent-2 + + + + Partner Company + + Sam Smith + 800-555-1212 + + + + Exclusive rights for machine learning integration. + + + + + + + + + US1234567890 + 12345 + US + US-12345 + Efficient Data Processing Algorithm + A novel system and method for improving data processing efficiency. + 2021-01-15 + 2022-06-01 + 2042-01-15 + in-force + + + Tech Innovators Inc. + https://techinnovators.com + + + + + https://uspto.gov/patent/US12345678B1 + Official USPTO page for the patent. + + + + + + EU1234567890 + 12345 + EU + + US1234567890 + US + 2021-01-15 + + EU-12345 + Efficient Data Processing Algorithm + A novel system and method for improving data processing efficiency. + 2021-01-15 + 2022-06-01 + 2042-01-15 + in-force + + + Tech Innovators Inc. + https://techinnovators.com + + + + + + EP987654321A1 + EP + Data Processing Optimisation + An optimised approach to data processing for scalable systems. + 2021-02-10 + 2023-03-15 + 2043-02-10 + in-force + + + Jane Smith + jane.smith@techinnovators.com + + + + + https://euipo.europa.eu/ep987654321A1 + Official EUIPO page for the patent. + + + + + + PF-2023001 + + 12345 + US + 2021-01-15 + + + patent-1 + patent-2 + + + + https://uspto.gov/patent-family-5678 + Official record of the patent family. + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-properties-1.7.json b/tests/_data/schemaTestData/1.7/valid-properties-1.7.json new file mode 100644 index 000000000..7bd6c162f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-properties-1.7.json @@ -0,0 +1,101 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + }, + { + "name": "value-is-optional" + } + ] + }, + "components": [ + { + "type": "library", + "name": "acme-library", + "version": "1.0.0", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + }, + { + "name": "value-is-optional" + } + ] + } + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + }, + { + "name": "value-is-optional" + } + ] + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "group": "org.partner", + "name": "Stock ticker service", + "endpoints": [ + "https://partner.org/api/v1/stock" + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + }, + { + "name": "value-is-optional" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-properties-1.7.xml b/tests/_data/schemaTestData/1.7/valid-properties-1.7.xml new file mode 100644 index 000000000..aa9570bb2 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-properties-1.7.xml @@ -0,0 +1,52 @@ + + + + + Bar + Two + Foo + + + + + + acme-library + 1.0.0 + + + Apache-2.0 + + Bar + Two + Foo + + + + + + Bar + Two + Foo + + + + + + + org.partner + Stock ticker service + + https://partner.org/api/v1/stock + + + Bar + Two + Foo + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-random-attributes-1.7.xml b/tests/_data/schemaTestData/1.7/valid-random-attributes-1.7.xml new file mode 100644 index 000000000..226642389 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-random-attributes-1.7.xml @@ -0,0 +1,122 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + Modified version of Apache Catalina + required + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFwYWNoZSBMaWNlbnNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgIFZlcnNpb24gMi4wLCBKYW51YXJ5IDIwMDQKICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzLwoKICAgVEVSTVMgQU5EIENPTkRJVElPTlMgRk9SIFVTRSwgUkVQUk9EVUNUSU9OLCBBTkQgRElTVFJJQlVUSU9OCgogICAxLiBEZWZpbml0aW9ucy4KCiAgICAgICJMaWNlbnNlIiBzaGFsbCBtZWFuIHRoZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBmb3IgdXNlLCByZXByb2R1Y3Rpb24sCiAgICAgIGFuZCBkaXN0cmlidXRpb24gYXMgZGVmaW5lZCBieSBTZWN0aW9ucyAxIHRocm91Z2ggOSBvZiB0aGlzIGRvY3VtZW50LgoKICAgICAgIkxpY2Vuc29yIiBzaGFsbCBtZWFuIHRoZSBjb3B5cmlnaHQgb3duZXIgb3IgZW50aXR5IGF1dGhvcml6ZWQgYnkKICAgICAgdGhlIGNvcHlyaWdodCBvd25lciB0aGF0IGlzIGdyYW50aW5nIHRoZSBMaWNlbnNlLgoKICAgICAgIkxlZ2FsIEVudGl0eSIgc2hhbGwgbWVhbiB0aGUgdW5pb24gb2YgdGhlIGFjdGluZyBlbnRpdHkgYW5kIGFsbAogICAgICBvdGhlciBlbnRpdGllcyB0aGF0IGNvbnRyb2wsIGFyZSBjb250cm9sbGVkIGJ5LCBvciBhcmUgdW5kZXIgY29tbW9uCiAgICAgIGNvbnRyb2wgd2l0aCB0aGF0IGVudGl0eS4gRm9yIHRoZSBwdXJwb3NlcyBvZiB0aGlzIGRlZmluaXRpb24sCiAgICAgICJjb250cm9sIiBtZWFucyAoaSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZQogICAgICBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvcgogICAgICBvdGhlcndpc2UsIG9yIChpaSkgb3duZXJzaGlwIG9mIGZpZnR5IHBlcmNlbnQgKDUwJSkgb3IgbW9yZSBvZiB0aGUKICAgICAgb3V0c3RhbmRpbmcgc2hhcmVzLCBvciAoaWlpKSBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCiAgICAgICJZb3UiIChvciAiWW91ciIpIHNoYWxsIG1lYW4gYW4gaW5kaXZpZHVhbCBvciBMZWdhbCBFbnRpdHkKICAgICAgZXhlcmNpc2luZyBwZXJtaXNzaW9ucyBncmFudGVkIGJ5IHRoaXMgTGljZW5zZS4KCiAgICAgICJTb3VyY2UiIGZvcm0gc2hhbGwgbWVhbiB0aGUgcHJlZmVycmVkIGZvcm0gZm9yIG1ha2luZyBtb2RpZmljYXRpb25zLAogICAgICBpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIHNvZnR3YXJlIHNvdXJjZSBjb2RlLCBkb2N1bWVudGF0aW9uCiAgICAgIHNvdXJjZSwgYW5kIGNvbmZpZ3VyYXRpb24gZmlsZXMuCgogICAgICAiT2JqZWN0IiBmb3JtIHNoYWxsIG1lYW4gYW55IGZvcm0gcmVzdWx0aW5nIGZyb20gbWVjaGFuaWNhbAogICAgICB0cmFuc2Zvcm1hdGlvbiBvciB0cmFuc2xhdGlvbiBvZiBhIFNvdXJjZSBmb3JtLCBpbmNsdWRpbmcgYnV0CiAgICAgIG5vdCBsaW1pdGVkIHRvIGNvbXBpbGVkIG9iamVjdCBjb2RlLCBnZW5lcmF0ZWQgZG9jdW1lbnRhdGlvbiwKICAgICAgYW5kIGNvbnZlcnNpb25zIHRvIG90aGVyIG1lZGlhIHR5cGVzLgoKICAgICAgIldvcmsiIHNoYWxsIG1lYW4gdGhlIHdvcmsgb2YgYXV0aG9yc2hpcCwgd2hldGhlciBpbiBTb3VyY2Ugb3IKICAgICAgT2JqZWN0IGZvcm0sIG1hZGUgYXZhaWxhYmxlIHVuZGVyIHRoZSBMaWNlbnNlLCBhcyBpbmRpY2F0ZWQgYnkgYQogICAgICBjb3B5cmlnaHQgbm90aWNlIHRoYXQgaXMgaW5jbHVkZWQgaW4gb3IgYXR0YWNoZWQgdG8gdGhlIHdvcmsKICAgICAgKGFuIGV4YW1wbGUgaXMgcHJvdmlkZWQgaW4gdGhlIEFwcGVuZGl4IGJlbG93KS4KCiAgICAgICJEZXJpdmF0aXZlIFdvcmtzIiBzaGFsbCBtZWFuIGFueSB3b3JrLCB3aGV0aGVyIGluIFNvdXJjZSBvciBPYmplY3QKICAgICAgZm9ybSwgdGhhdCBpcyBiYXNlZCBvbiAob3IgZGVyaXZlZCBmcm9tKSB0aGUgV29yayBhbmQgZm9yIHdoaWNoIHRoZQogICAgICBlZGl0b3JpYWwgcmV2aXNpb25zLCBhbm5vdGF0aW9ucywgZWxhYm9yYXRpb25zLCBvciBvdGhlciBtb2RpZmljYXRpb25zCiAgICAgIHJlcHJlc2VudCwgYXMgYSB3aG9sZSwgYW4gb3JpZ2luYWwgd29yayBvZiBhdXRob3JzaGlwLiBGb3IgdGhlIHB1cnBvc2VzCiAgICAgIG9mIHRoaXMgTGljZW5zZSwgRGVyaXZhdGl2ZSBXb3JrcyBzaGFsbCBub3QgaW5jbHVkZSB3b3JrcyB0aGF0IHJlbWFpbgogICAgICBzZXBhcmFibGUgZnJvbSwgb3IgbWVyZWx5IGxpbmsgKG9yIGJpbmQgYnkgbmFtZSkgdG8gdGhlIGludGVyZmFjZXMgb2YsCiAgICAgIHRoZSBXb3JrIGFuZCBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YuCgogICAgICAiQ29udHJpYnV0aW9uIiBzaGFsbCBtZWFuIGFueSB3b3JrIG9mIGF1dGhvcnNoaXAsIGluY2x1ZGluZwogICAgICB0aGUgb3JpZ2luYWwgdmVyc2lvbiBvZiB0aGUgV29yayBhbmQgYW55IG1vZGlmaWNhdGlvbnMgb3IgYWRkaXRpb25zCiAgICAgIHRvIHRoYXQgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIHRoYXQgaXMgaW50ZW50aW9uYWxseQogICAgICBzdWJtaXR0ZWQgdG8gTGljZW5zb3IgZm9yIGluY2x1c2lvbiBpbiB0aGUgV29yayBieSB0aGUgY29weXJpZ2h0IG93bmVyCiAgICAgIG9yIGJ5IGFuIGluZGl2aWR1YWwgb3IgTGVnYWwgRW50aXR5IGF1dGhvcml6ZWQgdG8gc3VibWl0IG9uIGJlaGFsZiBvZgogICAgICB0aGUgY29weXJpZ2h0IG93bmVyLiBGb3IgdGhlIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwgInN1Ym1pdHRlZCIKICAgICAgbWVhbnMgYW55IGZvcm0gb2YgZWxlY3Ryb25pYywgdmVyYmFsLCBvciB3cml0dGVuIGNvbW11bmljYXRpb24gc2VudAogICAgICB0byB0aGUgTGljZW5zb3Igb3IgaXRzIHJlcHJlc2VudGF0aXZlcywgaW5jbHVkaW5nIGJ1dCBub3QgbGltaXRlZCB0bwogICAgICBjb21tdW5pY2F0aW9uIG9uIGVsZWN0cm9uaWMgbWFpbGluZyBsaXN0cywgc291cmNlIGNvZGUgY29udHJvbCBzeXN0ZW1zLAogICAgICBhbmQgaXNzdWUgdHJhY2tpbmcgc3lzdGVtcyB0aGF0IGFyZSBtYW5hZ2VkIGJ5LCBvciBvbiBiZWhhbGYgb2YsIHRoZQogICAgICBMaWNlbnNvciBmb3IgdGhlIHB1cnBvc2Ugb2YgZGlzY3Vzc2luZyBhbmQgaW1wcm92aW5nIHRoZSBXb3JrLCBidXQKICAgICAgZXhjbHVkaW5nIGNvbW11bmljYXRpb24gdGhhdCBpcyBjb25zcGljdW91c2x5IG1hcmtlZCBvciBvdGhlcndpc2UKICAgICAgZGVzaWduYXRlZCBpbiB3cml0aW5nIGJ5IHRoZSBjb3B5cmlnaHQgb3duZXIgYXMgIk5vdCBhIENvbnRyaWJ1dGlvbi4iCgogICAgICAiQ29udHJpYnV0b3IiIHNoYWxsIG1lYW4gTGljZW5zb3IgYW5kIGFueSBpbmRpdmlkdWFsIG9yIExlZ2FsIEVudGl0eQogICAgICBvbiBiZWhhbGYgb2Ygd2hvbSBhIENvbnRyaWJ1dGlvbiBoYXMgYmVlbiByZWNlaXZlZCBieSBMaWNlbnNvciBhbmQKICAgICAgc3Vic2VxdWVudGx5IGluY29ycG9yYXRlZCB3aXRoaW4gdGhlIFdvcmsuCgogICAyLiBHcmFudCBvZiBDb3B5cmlnaHQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICBjb3B5cmlnaHQgbGljZW5zZSB0byByZXByb2R1Y2UsIHByZXBhcmUgRGVyaXZhdGl2ZSBXb3JrcyBvZiwKICAgICAgcHVibGljbHkgZGlzcGxheSwgcHVibGljbHkgcGVyZm9ybSwgc3VibGljZW5zZSwgYW5kIGRpc3RyaWJ1dGUgdGhlCiAgICAgIFdvcmsgYW5kIHN1Y2ggRGVyaXZhdGl2ZSBXb3JrcyBpbiBTb3VyY2Ugb3IgT2JqZWN0IGZvcm0uCgogICAzLiBHcmFudCBvZiBQYXRlbnQgTGljZW5zZS4gU3ViamVjdCB0byB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCBlYWNoIENvbnRyaWJ1dG9yIGhlcmVieSBncmFudHMgdG8gWW91IGEgcGVycGV0dWFsLAogICAgICB3b3JsZHdpZGUsIG5vbi1leGNsdXNpdmUsIG5vLWNoYXJnZSwgcm95YWx0eS1mcmVlLCBpcnJldm9jYWJsZQogICAgICAoZXhjZXB0IGFzIHN0YXRlZCBpbiB0aGlzIHNlY3Rpb24pIHBhdGVudCBsaWNlbnNlIHRvIG1ha2UsIGhhdmUgbWFkZSwKICAgICAgdXNlLCBvZmZlciB0byBzZWxsLCBzZWxsLCBpbXBvcnQsIGFuZCBvdGhlcndpc2UgdHJhbnNmZXIgdGhlIFdvcmssCiAgICAgIHdoZXJlIHN1Y2ggbGljZW5zZSBhcHBsaWVzIG9ubHkgdG8gdGhvc2UgcGF0ZW50IGNsYWltcyBsaWNlbnNhYmxlCiAgICAgIGJ5IHN1Y2ggQ29udHJpYnV0b3IgdGhhdCBhcmUgbmVjZXNzYXJpbHkgaW5mcmluZ2VkIGJ5IHRoZWlyCiAgICAgIENvbnRyaWJ1dGlvbihzKSBhbG9uZSBvciBieSBjb21iaW5hdGlvbiBvZiB0aGVpciBDb250cmlidXRpb24ocykKICAgICAgd2l0aCB0aGUgV29yayB0byB3aGljaCBzdWNoIENvbnRyaWJ1dGlvbihzKSB3YXMgc3VibWl0dGVkLiBJZiBZb3UKICAgICAgaW5zdGl0dXRlIHBhdGVudCBsaXRpZ2F0aW9uIGFnYWluc3QgYW55IGVudGl0eSAoaW5jbHVkaW5nIGEKICAgICAgY3Jvc3MtY2xhaW0gb3IgY291bnRlcmNsYWltIGluIGEgbGF3c3VpdCkgYWxsZWdpbmcgdGhhdCB0aGUgV29yawogICAgICBvciBhIENvbnRyaWJ1dGlvbiBpbmNvcnBvcmF0ZWQgd2l0aGluIHRoZSBXb3JrIGNvbnN0aXR1dGVzIGRpcmVjdAogICAgICBvciBjb250cmlidXRvcnkgcGF0ZW50IGluZnJpbmdlbWVudCwgdGhlbiBhbnkgcGF0ZW50IGxpY2Vuc2VzCiAgICAgIGdyYW50ZWQgdG8gWW91IHVuZGVyIHRoaXMgTGljZW5zZSBmb3IgdGhhdCBXb3JrIHNoYWxsIHRlcm1pbmF0ZQogICAgICBhcyBvZiB0aGUgZGF0ZSBzdWNoIGxpdGlnYXRpb24gaXMgZmlsZWQuCgogICA0LiBSZWRpc3RyaWJ1dGlvbi4gWW91IG1heSByZXByb2R1Y2UgYW5kIGRpc3RyaWJ1dGUgY29waWVzIG9mIHRoZQogICAgICBXb3JrIG9yIERlcml2YXRpdmUgV29ya3MgdGhlcmVvZiBpbiBhbnkgbWVkaXVtLCB3aXRoIG9yIHdpdGhvdXQKICAgICAgbW9kaWZpY2F0aW9ucywgYW5kIGluIFNvdXJjZSBvciBPYmplY3QgZm9ybSwgcHJvdmlkZWQgdGhhdCBZb3UKICAgICAgbWVldCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnM6CgogICAgICAoYSkgWW91IG11c3QgZ2l2ZSBhbnkgb3RoZXIgcmVjaXBpZW50cyBvZiB0aGUgV29yayBvcgogICAgICAgICAgRGVyaXZhdGl2ZSBXb3JrcyBhIGNvcHkgb2YgdGhpcyBMaWNlbnNlOyBhbmQKCiAgICAgIChiKSBZb3UgbXVzdCBjYXVzZSBhbnkgbW9kaWZpZWQgZmlsZXMgdG8gY2FycnkgcHJvbWluZW50IG5vdGljZXMKICAgICAgICAgIHN0YXRpbmcgdGhhdCBZb3UgY2hhbmdlZCB0aGUgZmlsZXM7IGFuZAoKICAgICAgKGMpIFlvdSBtdXN0IHJldGFpbiwgaW4gdGhlIFNvdXJjZSBmb3JtIG9mIGFueSBEZXJpdmF0aXZlIFdvcmtzCiAgICAgICAgICB0aGF0IFlvdSBkaXN0cmlidXRlLCBhbGwgY29weXJpZ2h0LCBwYXRlbnQsIHRyYWRlbWFyaywgYW5kCiAgICAgICAgICBhdHRyaWJ1dGlvbiBub3RpY2VzIGZyb20gdGhlIFNvdXJjZSBmb3JtIG9mIHRoZSBXb3JrLAogICAgICAgICAgZXhjbHVkaW5nIHRob3NlIG5vdGljZXMgdGhhdCBkbyBub3QgcGVydGFpbiB0byBhbnkgcGFydCBvZgogICAgICAgICAgdGhlIERlcml2YXRpdmUgV29ya3M7IGFuZAoKICAgICAgKGQpIElmIHRoZSBXb3JrIGluY2x1ZGVzIGEgIk5PVElDRSIgdGV4dCBmaWxlIGFzIHBhcnQgb2YgaXRzCiAgICAgICAgICBkaXN0cmlidXRpb24sIHRoZW4gYW55IERlcml2YXRpdmUgV29ya3MgdGhhdCBZb3UgZGlzdHJpYnV0ZSBtdXN0CiAgICAgICAgICBpbmNsdWRlIGEgcmVhZGFibGUgY29weSBvZiB0aGUgYXR0cmlidXRpb24gbm90aWNlcyBjb250YWluZWQKICAgICAgICAgIHdpdGhpbiBzdWNoIE5PVElDRSBmaWxlLCBleGNsdWRpbmcgdGhvc2Ugbm90aWNlcyB0aGF0IGRvIG5vdAogICAgICAgICAgcGVydGFpbiB0byBhbnkgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaW4gYXQgbGVhc3Qgb25lCiAgICAgICAgICBvZiB0aGUgZm9sbG93aW5nIHBsYWNlczogd2l0aGluIGEgTk9USUNFIHRleHQgZmlsZSBkaXN0cmlidXRlZAogICAgICAgICAgYXMgcGFydCBvZiB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgd2l0aGluIHRoZSBTb3VyY2UgZm9ybSBvcgogICAgICAgICAgZG9jdW1lbnRhdGlvbiwgaWYgcHJvdmlkZWQgYWxvbmcgd2l0aCB0aGUgRGVyaXZhdGl2ZSBXb3Jrczsgb3IsCiAgICAgICAgICB3aXRoaW4gYSBkaXNwbGF5IGdlbmVyYXRlZCBieSB0aGUgRGVyaXZhdGl2ZSBXb3JrcywgaWYgYW5kCiAgICAgICAgICB3aGVyZXZlciBzdWNoIHRoaXJkLXBhcnR5IG5vdGljZXMgbm9ybWFsbHkgYXBwZWFyLiBUaGUgY29udGVudHMKICAgICAgICAgIG9mIHRoZSBOT1RJQ0UgZmlsZSBhcmUgZm9yIGluZm9ybWF0aW9uYWwgcHVycG9zZXMgb25seSBhbmQKICAgICAgICAgIGRvIG5vdCBtb2RpZnkgdGhlIExpY2Vuc2UuIFlvdSBtYXkgYWRkIFlvdXIgb3duIGF0dHJpYnV0aW9uCiAgICAgICAgICBub3RpY2VzIHdpdGhpbiBEZXJpdmF0aXZlIFdvcmtzIHRoYXQgWW91IGRpc3RyaWJ1dGUsIGFsb25nc2lkZQogICAgICAgICAgb3IgYXMgYW4gYWRkZW5kdW0gdG8gdGhlIE5PVElDRSB0ZXh0IGZyb20gdGhlIFdvcmssIHByb3ZpZGVkCiAgICAgICAgICB0aGF0IHN1Y2ggYWRkaXRpb25hbCBhdHRyaWJ1dGlvbiBub3RpY2VzIGNhbm5vdCBiZSBjb25zdHJ1ZWQKICAgICAgICAgIGFzIG1vZGlmeWluZyB0aGUgTGljZW5zZS4KCiAgICAgIFlvdSBtYXkgYWRkIFlvdXIgb3duIGNvcHlyaWdodCBzdGF0ZW1lbnQgdG8gWW91ciBtb2RpZmljYXRpb25zIGFuZAogICAgICBtYXkgcHJvdmlkZSBhZGRpdGlvbmFsIG9yIGRpZmZlcmVudCBsaWNlbnNlIHRlcm1zIGFuZCBjb25kaXRpb25zCiAgICAgIGZvciB1c2UsIHJlcHJvZHVjdGlvbiwgb3IgZGlzdHJpYnV0aW9uIG9mIFlvdXIgbW9kaWZpY2F0aW9ucywgb3IKICAgICAgZm9yIGFueSBzdWNoIERlcml2YXRpdmUgV29ya3MgYXMgYSB3aG9sZSwgcHJvdmlkZWQgWW91ciB1c2UsCiAgICAgIHJlcHJvZHVjdGlvbiwgYW5kIGRpc3RyaWJ1dGlvbiBvZiB0aGUgV29yayBvdGhlcndpc2UgY29tcGxpZXMgd2l0aAogICAgICB0aGUgY29uZGl0aW9ucyBzdGF0ZWQgaW4gdGhpcyBMaWNlbnNlLgoKICAgNS4gU3VibWlzc2lvbiBvZiBDb250cmlidXRpb25zLiBVbmxlc3MgWW91IGV4cGxpY2l0bHkgc3RhdGUgb3RoZXJ3aXNlLAogICAgICBhbnkgQ29udHJpYnV0aW9uIGludGVudGlvbmFsbHkgc3VibWl0dGVkIGZvciBpbmNsdXNpb24gaW4gdGhlIFdvcmsKICAgICAgYnkgWW91IHRvIHRoZSBMaWNlbnNvciBzaGFsbCBiZSB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YKICAgICAgdGhpcyBMaWNlbnNlLCB3aXRob3V0IGFueSBhZGRpdGlvbmFsIHRlcm1zIG9yIGNvbmRpdGlvbnMuCiAgICAgIE5vdHdpdGhzdGFuZGluZyB0aGUgYWJvdmUsIG5vdGhpbmcgaGVyZWluIHNoYWxsIHN1cGVyc2VkZSBvciBtb2RpZnkKICAgICAgdGhlIHRlcm1zIG9mIGFueSBzZXBhcmF0ZSBsaWNlbnNlIGFncmVlbWVudCB5b3UgbWF5IGhhdmUgZXhlY3V0ZWQKICAgICAgd2l0aCBMaWNlbnNvciByZWdhcmRpbmcgc3VjaCBDb250cmlidXRpb25zLgoKICAgNi4gVHJhZGVtYXJrcy4gVGhpcyBMaWNlbnNlIGRvZXMgbm90IGdyYW50IHBlcm1pc3Npb24gdG8gdXNlIHRoZSB0cmFkZQogICAgICBuYW1lcywgdHJhZGVtYXJrcywgc2VydmljZSBtYXJrcywgb3IgcHJvZHVjdCBuYW1lcyBvZiB0aGUgTGljZW5zb3IsCiAgICAgIGV4Y2VwdCBhcyByZXF1aXJlZCBmb3IgcmVhc29uYWJsZSBhbmQgY3VzdG9tYXJ5IHVzZSBpbiBkZXNjcmliaW5nIHRoZQogICAgICBvcmlnaW4gb2YgdGhlIFdvcmsgYW5kIHJlcHJvZHVjaW5nIHRoZSBjb250ZW50IG9mIHRoZSBOT1RJQ0UgZmlsZS4KCiAgIDcuIERpc2NsYWltZXIgb2YgV2FycmFudHkuIFVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvcgogICAgICBhZ3JlZWQgdG8gaW4gd3JpdGluZywgTGljZW5zb3IgcHJvdmlkZXMgdGhlIFdvcmsgKGFuZCBlYWNoCiAgICAgIENvbnRyaWJ1dG9yIHByb3ZpZGVzIGl0cyBDb250cmlidXRpb25zKSBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICAgICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IKICAgICAgaW1wbGllZCwgaW5jbHVkaW5nLCB3aXRob3V0IGxpbWl0YXRpb24sIGFueSB3YXJyYW50aWVzIG9yIGNvbmRpdGlvbnMKICAgICAgb2YgVElUTEUsIE5PTi1JTkZSSU5HRU1FTlQsIE1FUkNIQU5UQUJJTElUWSwgb3IgRklUTkVTUyBGT1IgQQogICAgICBQQVJUSUNVTEFSIFBVUlBPU0UuIFlvdSBhcmUgc29sZWx5IHJlc3BvbnNpYmxlIGZvciBkZXRlcm1pbmluZyB0aGUKICAgICAgYXBwcm9wcmlhdGVuZXNzIG9mIHVzaW5nIG9yIHJlZGlzdHJpYnV0aW5nIHRoZSBXb3JrIGFuZCBhc3N1bWUgYW55CiAgICAgIHJpc2tzIGFzc29jaWF0ZWQgd2l0aCBZb3VyIGV4ZXJjaXNlIG9mIHBlcm1pc3Npb25zIHVuZGVyIHRoaXMgTGljZW5zZS4KCiAgIDguIExpbWl0YXRpb24gb2YgTGlhYmlsaXR5LiBJbiBubyBldmVudCBhbmQgdW5kZXIgbm8gbGVnYWwgdGhlb3J5LAogICAgICB3aGV0aGVyIGluIHRvcnQgKGluY2x1ZGluZyBuZWdsaWdlbmNlKSwgY29udHJhY3QsIG9yIG90aGVyd2lzZSwKICAgICAgdW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IChzdWNoIGFzIGRlbGliZXJhdGUgYW5kIGdyb3NzbHkKICAgICAgbmVnbGlnZW50IGFjdHMpIG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzaGFsbCBhbnkgQ29udHJpYnV0b3IgYmUKICAgICAgbGlhYmxlIHRvIFlvdSBmb3IgZGFtYWdlcywgaW5jbHVkaW5nIGFueSBkaXJlY3QsIGluZGlyZWN0LCBzcGVjaWFsLAogICAgICBpbmNpZGVudGFsLCBvciBjb25zZXF1ZW50aWFsIGRhbWFnZXMgb2YgYW55IGNoYXJhY3RlciBhcmlzaW5nIGFzIGEKICAgICAgcmVzdWx0IG9mIHRoaXMgTGljZW5zZSBvciBvdXQgb2YgdGhlIHVzZSBvciBpbmFiaWxpdHkgdG8gdXNlIHRoZQogICAgICBXb3JrIChpbmNsdWRpbmcgYnV0IG5vdCBsaW1pdGVkIHRvIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZ29vZHdpbGwsCiAgICAgIHdvcmsgc3RvcHBhZ2UsIGNvbXB1dGVyIGZhaWx1cmUgb3IgbWFsZnVuY3Rpb24sIG9yIGFueSBhbmQgYWxsCiAgICAgIG90aGVyIGNvbW1lcmNpYWwgZGFtYWdlcyBvciBsb3NzZXMpLCBldmVuIGlmIHN1Y2ggQ29udHJpYnV0b3IKICAgICAgaGFzIGJlZW4gYWR2aXNlZCBvZiB0aGUgcG9zc2liaWxpdHkgb2Ygc3VjaCBkYW1hZ2VzLgoKICAgOS4gQWNjZXB0aW5nIFdhcnJhbnR5IG9yIEFkZGl0aW9uYWwgTGlhYmlsaXR5LiBXaGlsZSByZWRpc3RyaWJ1dGluZwogICAgICB0aGUgV29yayBvciBEZXJpdmF0aXZlIFdvcmtzIHRoZXJlb2YsIFlvdSBtYXkgY2hvb3NlIHRvIG9mZmVyLAogICAgICBhbmQgY2hhcmdlIGEgZmVlIGZvciwgYWNjZXB0YW5jZSBvZiBzdXBwb3J0LCB3YXJyYW50eSwgaW5kZW1uaXR5LAogICAgICBvciBvdGhlciBsaWFiaWxpdHkgb2JsaWdhdGlvbnMgYW5kL29yIHJpZ2h0cyBjb25zaXN0ZW50IHdpdGggdGhpcwogICAgICBMaWNlbnNlLiBIb3dldmVyLCBpbiBhY2NlcHRpbmcgc3VjaCBvYmxpZ2F0aW9ucywgWW91IG1heSBhY3Qgb25seQogICAgICBvbiBZb3VyIG93biBiZWhhbGYgYW5kIG9uIFlvdXIgc29sZSByZXNwb25zaWJpbGl0eSwgbm90IG9uIGJlaGFsZgogICAgICBvZiBhbnkgb3RoZXIgQ29udHJpYnV0b3IsIGFuZCBvbmx5IGlmIFlvdSBhZ3JlZSB0byBpbmRlbW5pZnksCiAgICAgIGRlZmVuZCwgYW5kIGhvbGQgZWFjaCBDb250cmlidXRvciBoYXJtbGVzcyBmb3IgYW55IGxpYWJpbGl0eQogICAgICBpbmN1cnJlZCBieSwgb3IgY2xhaW1zIGFzc2VydGVkIGFnYWluc3QsIHN1Y2ggQ29udHJpYnV0b3IgYnkgcmVhc29uCiAgICAgIG9mIHlvdXIgYWNjZXB0aW5nIGFueSBzdWNoIHdhcnJhbnR5IG9yIGFkZGl0aW9uYWwgbGlhYmlsaXR5LgoKICAgRU5EIE9GIFRFUk1TIEFORCBDT05ESVRJT05TCgogICBBUFBFTkRJWDogSG93IHRvIGFwcGx5IHRoZSBBcGFjaGUgTGljZW5zZSB0byB5b3VyIHdvcmsuCgogICAgICBUbyBhcHBseSB0aGUgQXBhY2hlIExpY2Vuc2UgdG8geW91ciB3b3JrLCBhdHRhY2ggdGhlIGZvbGxvd2luZwogICAgICBib2lsZXJwbGF0ZSBub3RpY2UsIHdpdGggdGhlIGZpZWxkcyBlbmNsb3NlZCBieSBicmFja2V0cyAiW10iCiAgICAgIHJlcGxhY2VkIHdpdGggeW91ciBvd24gaWRlbnRpZnlpbmcgaW5mb3JtYXRpb24uIChEb24ndCBpbmNsdWRlCiAgICAgIHRoZSBicmFja2V0cyEpICBUaGUgdGV4dCBzaG91bGQgYmUgZW5jbG9zZWQgaW4gdGhlIGFwcHJvcHJpYXRlCiAgICAgIGNvbW1lbnQgc3ludGF4IGZvciB0aGUgZmlsZSBmb3JtYXQuIFdlIGFsc28gcmVjb21tZW5kIHRoYXQgYQogICAgICBmaWxlIG9yIGNsYXNzIG5hbWUgYW5kIGRlc2NyaXB0aW9uIG9mIHB1cnBvc2UgYmUgaW5jbHVkZWQgb24gdGhlCiAgICAgIHNhbWUgInByaW50ZWQgcGFnZSIgYXMgdGhlIGNvcHlyaWdodCBub3RpY2UgZm9yIGVhc2llcgogICAgICBpZGVudGlmaWNhdGlvbiB3aXRoaW4gdGhpcmQtcGFydHkgYXJjaGl2ZXMuCgogICBDb3B5cmlnaHQgW3l5eXldIFtuYW1lIG9mIGNvcHlyaWdodCBvd25lcl0KCiAgIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwogICB5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCiAgIFlvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKICAgVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQogICBkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLAogICBXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KICAgU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZAogICBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + Apache Catalina + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + john.doe@example.com + + + 2018-11-07T22:01:45Z + Jane Doe + jane.doe@example.com + + Initial commit + + + Commentary here + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + http://example.org/docs + All component versions are documented here + + + http://example.org/security + + + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Some random license + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-release-notes-1.7.json b/tests/_data/schemaTestData/1.7/valid-release-notes-1.7.json new file mode 100644 index 000000000..63e9da622 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-release-notes-1.7.json @@ -0,0 +1,201 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "acme-example", + "version": "1.0.0", + "externalReferences": [ + { + "type": "release-notes", + "url": "https://example.com/releases/1.0.0" + } + ], + "releaseNotes": { + "type": "major", + "title": "My new release", + "featuredImage": "https://example.com/featured_image.png", + "socialImage": "https://example.com/social_image.png", + "description": "The main description of your release", + "timestamp": "2021-09-17T00:51:18+00:00", + "aliases": [ + "Project Orion" + ], + "tags": [ + "CMS", + "SEO", + "wysiwyg" + ], + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.example.com/17240" + } + }, + { + "type": "security", + "id": "CVE-2019-9997", + "name": "CVE-2019-9997", + "description": "A security issue was fixed that did something bad", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + } + ], + "notes": [ + { + "locale": "en-US", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+" + } + }, + { + "locale": "es", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4=" + } + } + ] + } + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "name": "Partner Org", + "url": [ + "https://partner.org" + ], + "contact": [ + { + "name": "Support", + "email": "support@partner.org", + "phone": "800-555-1212" + } + ] + }, + "group": "org.partner", + "name": "Stock ticker service", + "version": "2020-Q2", + "description": "Provides real-time stock information", + "endpoints": [ + "https://partner.org/api/v1/lookup", + "https://partner.org/api/v1/stock" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "PII", + "flow": "inbound" + }, + { + "classification": "PIFI", + "flow": "outbound" + }, + { + "classification": "public", + "flow": "bi-directional" + }, + { + "classification": "partner-data", + "flow": "unknown" + } + ], + "licenses": [ + { + "license": { + "name": "Partner license" + } + } + ], + "externalReferences": [ + { + "type": "website", + "url": "http://partner.org" + }, + { + "type": "documentation", + "url": "http://api.partner.org/swagger" + } + ], + "releaseNotes": { + "type": "major", + "title": "My new release", + "featuredImage": "https://example.com/featured_image.png", + "socialImage": "https://example.com/social_image.png", + "description": "The main description of your release", + "timestamp": "2021-09-17T00:51:18+00:00", + "aliases": [ + "Project Orion" + ], + "tags": [ + "CMS", + "SEO", + "wysiwyg" + ], + "resolves": [ + { + "type": "enhancement", + "id": "JIRA-17240", + "description": "Great new feature that does something", + "source": { + "name": "Acme Org", + "url": "https://issues.example.com/17240" + } + }, + { + "type": "security", + "id": "CVE-2019-9997", + "name": "CVE-2019-9997", + "description": "A security issue was fixed that did something bad", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + }, + "references": [ + "http://some/other/site-1", + "http://some/other/site-2" + ] + } + ], + "notes": [ + { + "locale": "en-US", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+" + } + }, + { + "locale": "es", + "text": { + "contentType": "text/html", + "encoding": "base64", + "content": "PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4=" + } + } + ] + } + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-release-notes-1.7.xml b/tests/_data/schemaTestData/1.7/valid-release-notes-1.7.xml new file mode 100644 index 000000000..c5ce6f9ac --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-release-notes-1.7.xml @@ -0,0 +1,157 @@ + + + + + acme-example + 1.0.0 + + + https://example.com/releases/1.0.0 + + + + major + My new release + https://example.com/featured_image.png + https://example.com/social_image.png + The main description of your release + 2021-09-17T00:51:18+00:00 + + Project Orion + + + CMS + SEO + wysiwyg + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.example.com/17240 + + + + CVE-2019-9997 + CVE-2019-9997 + A security issue was fixed that did something bad + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + http://some/other/site-1 + http://some/other/site-2 + + + + + + en-US + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+ + + + es + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4= + + + + + + + + + Partner Org + https://partner.org + + Support + support@partner.org + 800-555-1212 + + + org.partner + Stock ticker service + 2020-Q2 + Provides real-time stock information + + https://partner.org/api/v1/lookup + https://partner.org/api/v1/stock + + true + true + + PII + PIFI + public + partner-data + + + + Partner license + + + + + http://partner.org + + + http://api.partner.org/swagger + + + + major + My new release + https://example.com/featured_image.png + https://example.com/social_image.png + The main description of your release + 2021-09-17T00:51:18+00:00 + + Project Orion + + + CMS + SEO + wysiwyg + + + + JIRA-17240 + Great new feature that does something + + Acme Org + https://issues.example.com/17240 + + + + CVE-2019-9997 + CVE-2019-9997 + A security issue was fixed that did something bad + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + http://some/other/site-1 + http://some/other/site-2 + + + + + + en-US + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5SZWxlYXNlIG5vdGVzIGhlcmU8L3A+ + + + es + PGgxPk15IG5ldyByZWxlYXNlPGgxPgo8cD5Ob3RhcyBkZSBsYSB2ZXJzacOzbiBhcXXDrTwvcD4= + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-saasbom-1.7.json b/tests/_data/schemaTestData/1.7/valid-saasbom-1.7.json new file mode 100644 index 000000000..f05ba55bc --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-saasbom-1.7.json @@ -0,0 +1,304 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-01-10T12:00:00Z", + "component": { + "bom-ref": "acme-stock-application", + "type": "application", + "name": "Acme SaaSBOM Example", + "version": "2022-1" + } + }, + "services": [ + { + "bom-ref": "stock-ticker-service", + "provider": { + "name": "Acme Inc", + "url": ["https://example.com"] + }, + "group": "com.example", + "name": "Stock Ticker Service", + "version": "2022-1", + "endpoints": [ + "https://example.com/", + "https://example.com/app" + ], + "authenticated": true, + "trustZone": "Acme Public Zone", + "data": [ + { + "name": "Consumer to Stock Service", + "description": "Traffic to/from consumer to service", + "classification": "Customer", + "flow": "bi-directional", + "source": [ + "https://0.0.0.0" + ], + "destination": [ + "https://0.0.0.0" + ] + }, + { + "name": "Stock Service to MS-1", + "description": "Traffic to/from stock service to microservice-1", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ] + }, + { + "name": "Stock Service to MS-2", + "description": "Traffic to/from stock service to microservice-2", + "classification": "PIFI", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com" + ] + }, + { + "name": "Stock Service to MS-3", + "description": "Traffic to/from stock service to microservice-3", + "classification": "Public", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://example.com/app/swagger" + } + ], + "services": [ + { + "bom-ref": "ms-1.example.com", + "provider": { + "name": "Acme Inc", + "url": ["https://example.com"] + }, + "group": "com.example", + "name": "Microservice 1", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-1.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-1", + "description": "Traffic to/from stock service to microservice-1", + "classification": "PII", + "flow": "bi-directional", + "governance": { + "owners": [ + { + "organization": { + "name": "Customer Name" + } + } + ] + }, + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + }, + { + "name": "MS-1 to Database", + "description": "Traffic to/from microservice-1 to database", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-1.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-2.example.com", + "provider": { + "name": "Acme Inc", + "url": ["https://example.com"] + }, + "group": "com.example", + "name": "Microservice 2", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-2.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-2", + "description": "Traffic to/from stock service to microservice-2", + "classification": "PIFI", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-2.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-3.example.com", + "provider": { + "name": "Acme Inc", + "url": ["https://example.com"] + }, + "group": "com.example", + "name": "Microservice 3", + "version": "2022-1", + "description": "Example Microservice", + "endpoints": [ + "https://ms-3.example.com" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "Stock Service to MS-3", + "description": "Traffic to/from stock service to microservice-3", + "classification": "Public", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service" + ] + }, + { + "name": "MS-3 to S3", + "description": "Data pushed from microservice-3 to S3 bucket", + "classification": "Public", + "flow": "outbound", + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com" + ] + } + ], + "externalReferences": [ + { + "type": "documentation", + "url": "https://ms-3.example.com/swagger" + } + ] + }, + { + "bom-ref": "ms-1-pgsql.example.com", + "group": "org.postgresql", + "name": "Postgres", + "version": "14.1", + "description": "Postgres database for Microservice #1", + "endpoints": [ + "https://ms-1-pgsql.example.com:5432" + ], + "authenticated": true, + "trustZone": "Acme Private Zone", + "data": [ + { + "name": "MS-1 to Database", + "description": "Traffic to/from microservice-1 to database", + "classification": "PII", + "flow": "bi-directional", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ], + "destination": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com" + ] + } + ] + }, + { + "bom-ref": "s3-example.amazon.com", + "group": "com.amazon", + "name": "S3", + "description": "S3 bucket", + "endpoints": [ + "https://s3-example.amazon.com" + ], + "authenticated": true, + "trustZone": "Public Internet", + "data": [ + { + "name": "MS-3 to S3", + "description": "Data pushed from microservice-3 to S3 bucket", + "classification": "PII", + "flow": "inbound", + "source": [ + "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com" + ] + } + ] + } + ] + } + ], + "dependencies": [ + { + "ref": "acme-stock-application", + "dependsOn": ["stock-ticker-service"] + }, + { + "ref": "stock-ticker-service", + "dependsOn": [ + "ms-1.example.com", + "ms-2.example.com", + "ms-3.example.com" + ] + }, + { + "ref": "ms-1.example.com", + "dependsOn": ["ms-1-pgsql.example.com"] + }, + { + "ref": "ms-2.example.com", + "dependsOn": [] + }, + { + "ref": "ms-3.example.com", + "dependsOn": ["s3-example.amazon.com"] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-saasbom-1.7.xml b/tests/_data/schemaTestData/1.7/valid-saasbom-1.7.xml new file mode 100644 index 000000000..87685ae08 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-saasbom-1.7.xml @@ -0,0 +1,271 @@ + + + + 2021-01-10T12:00:00Z + + Acme SaaSBOM Example + 2022-1 + + + + + + Acme Inc + https://example.com + + com.example + Stock Ticker Service + 2022-1 + + https://example.com/ + https://example.com/app + + true + Acme Public Zone + + + Customer + + https://0.0.0.0 + + + https://0.0.0.0 + + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + + PIFI + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-2.example.com + + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + + + + https://example.com/app/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 1 + 2022-1 + Example Microservice + + https://ms-1.example.com + + true + Acme Private Zone + + + PII + + + + + Customer Name + + + + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1-pgsql.example.com + + + + + + https://ms-1.example.com/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 2 + 2022-1 + Example Microservice + + https://ms-2.example.com + + true + Acme Private Zone + + + PIFI + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + + + https://ms-2.example.com/swagger + + + + + + Acme Inc + https://example.com + + com.example + Microservice 3 + 2022-1 + Example Microservice + + https://ms-3.example.com + + true + Acme Private Zone + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#stock-ticker-service + + + + Public + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#s3-example.amazon.com + + + + + + https://ms-3.example.com/swagger + + + + + org.postgresql + Postgres + 14.1 + Postgres database for Microservice #1 + + https://ms-1-pgsql.example.com:5432 + + true + Acme Private Zone + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-1.example.com + + + + + + com.amazon + S3 + S3 bucket + + https://s3-example.amazon.com + + true + Public Internet + + + PII + + urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#ms-3.example.com + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-service-1.7.json b/tests/_data/schemaTestData/1.7/valid-service-1.7.json new file mode 100644 index 000000000..4bf3fbd90 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-service-1.7.json @@ -0,0 +1,102 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "pkg:maven/com.acme/stock-java-client@1.0.12", + "type": "library", + "publisher": "Acme Inc", + "group": "com.acme", + "name": "stock-java-client", + "version": "1.0.12", + "hashes": [ + { + "alg": "SHA-1", + "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:maven/com.acme/stock-java-client@1.0.12" + } + ], + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "name": "Partner Org", + "url": [ + "https://partner.org" + ], + "contact": [ + { + "name": "Support", + "email": "support@partner.org", + "phone": "800-555-1212" + } + ] + }, + "group": "org.partner", + "name": "Stock ticker service", + "version": "2020-Q2", + "description": "Provides real-time stock information", + "endpoints": [ + "https://partner.org/api/v1/lookup", + "https://partner.org/api/v1/stock" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "PII", + "flow": "inbound" + }, + { + "classification": "PIFI", + "flow": "outbound" + }, + { + "classification": "public", + "flow": "bi-directional" + }, + { + "classification": "partner-data", + "flow": "unknown" + } + ], + "licenses": [ + { + "license": { + "name": "Partner license" + } + } + ], + "externalReferences": [ + { + "type": "website", + "url": "http://partner.org" + }, + { + "type": "documentation", + "url": "http://api.partner.org/swagger" + } + ] + } + ], + "dependencies": [ + { + "ref": "pkg:maven/com.acme/stock-java-client@1.0.12", + "dependsOn": [ + "b2a46a4b-8367-4bae-9820-95557cfe03a8" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-service-1.7.xml b/tests/_data/schemaTestData/1.7/valid-service-1.7.xml new file mode 100644 index 000000000..e4c5b95a1 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-service-1.7.xml @@ -0,0 +1,70 @@ + + + + + Acme Inc + com.acme + stock-java-client + 1.0.12 + + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + + + + Apache-2.0 + + + pkg:maven/com.acme/stock-java-client@1.0.12 + + + + + + Partner Org + https://partner.org + + Support + support@partner.org + 800-555-1212 + + + org.partner + Stock ticker service + 2020-Q2 + Provides real-time stock information + + https://partner.org/api/v1/lookup + https://partner.org/api/v1/stock + + true + true + + PII + PIFI + public + partner-data + + + + Partner license + + + + + http://partner.org + + + http://api.partner.org/swagger + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.json b/tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.json new file mode 100644 index 000000000..8c3c72e7f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.json @@ -0,0 +1,23 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "services": [ + { + "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8", + "provider": { + "contact": [ + ] + }, + "name": "Stock ticker service", + "endpoints": [ + ], + "data": [ + ], + "externalReferences": [ + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.xml b/tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.xml new file mode 100644 index 000000000..cad321c4d --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-service-empty-objects-1.7.xml @@ -0,0 +1,19 @@ + + + + + + + Stock ticker service + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-signatures-1.7.json b/tests/_data/schemaTestData/1.7/valid-signatures-1.7.json new file mode 100644 index 000000000..d7a7f8462 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-signatures-1.7.json @@ -0,0 +1,79 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "5366293e-0740-4dcf-b1d0-0c1fc26e4981", + "type": "application", + "name": "amce app", + "version": "1.0", + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "tqITqIm0gUMWXIjqDgwqzqPw1CwTUKRewZQ5YpX3VwFMWV68NJgX4npU91cSwSC-MRlx1QfOYwSQkeU26VpXSg" + } + } + ], + "services": [ + { + "bom-ref": "ee10d0a2-baba-4656-a5ac-d49e172a0d3d", + "group": "org.partner", + "name": "Stock ticker service", + "version": "2020-Q2", + "endpoints": [ + "https://partner.org/api/v1/lookup", + "https://partner.org/api/v1/stock" + ], + "authenticated": true, + "x-trust-boundary": true, + "data": [ + { + "classification": "PII", + "flow": "inbound" + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "6A77T3RBTAuVpZOgFFFfOvGOQ1hqMbfSQ91VucRM1RIP6QqX9kEF1Pi1_vCl37qpVzK51kIyppgUF_i9s999XA" + } + } + ], + "compositions": [ + { + "aggregate": "complete", + "assemblies": [ + "5366293e-0740-4dcf-b1d0-0c1fc26e4981", + "ee10d0a2-baba-4656-a5ac-d49e172a0d3d" + ], + "dependencies": [ + "5366293e-0740-4dcf-b1d0-0c1fc26e4981" + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "lm6wx-elyBTbNMKNF8riooZhvrm6f5j8JpvgP9JtVv50dd7sXQLH7PqJcn9fmKV8eoF8cszPllEsQQhEQOM4hA" + } + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB-TCCAVigAwIBAgIGAWFcc4YkMAwGCCqGSM49BAMEBQAwLTELMAkGA1UEBhMCRVUxHjAcBgNVBAMTFVRydXN0IE5ldHdvcmsgU3ViIENBMzAeFw0xODAxMDEwMDAwMDBaFw0yMjEyMzEyMzU5NTlaMDIxCzAJBgNVBAYTAkZSMQ0wCwYDVQQFEwQ0NTAxMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHHp7A83DBJIInj8-g1we3A7sBXprIQBUfdFDVUBQoPExq8rze6ewG0-eVcSF72J77gKiD0IHnzpwHaU7t6nVeajXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH_BAQDAgP4MB0GA1UdDgQWBBQQyJ9rXSIskoUuA946von62LoxqzAfBgNVHSMEGDAWgBTUWrS54qC2NgG3UK6rVAr0gbQ0MTAMBggqhkjOPQQDBAUAA4GMADCBiAJCAaWoVQ0r6jFjhO5e0WJTgyMmA8BhpO1t7gXQ6xoKGso9jCOYf9OG9BFfZoVmdIyfYiwkhy1ld27tiOJ5X4m6WasRAkIBpEkUDf8irbSZ1V7zXALaR2mJTjKQV_5jRHsiBQWA-5DxEa-x_zJVRz8tpp-jjT2tSCU82bwUOBLu6te1YIDpWCA", + "MIIDsTCCAZmgAwIBAgIBAzANBgkqhkiG9w0BAQ0FADAuMQswCQYDVQQGEwJVUzEfMB0GA1UEAxMWVHJ1c3QgTmV0d29yayBSb290IENBMTAeFw0xNjA3MTAxMDAwMDBaFw0yNTA3MTAwOTU5NTlaMC0xCzAJBgNVBAYTAkVVMR4wHAYDVQQDExVUcnVzdCBOZXR3b3JrIFN1YiBDQTMwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAGJzPZsjniwyZeXrgrlQM3Y13r3znR8FSQpKbC2bplrOWySQJPGm-GFObe5Dk4t3Jrtk_Pbs8-3VW_4q5drL0YqYwBYNJPhqjbSM6SGHrc6wNdPZRw_WnJVa0ELXKICC73lkjskWPfE-cLpZ3sTq1ovEmoNjgaySVRUH1wFDdkqyReJaKNjMGEwDwYDVR0TAQH_BAUwAwEB_zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNRatLnioLY2AbdQrqtUCvSBtDQxMB8GA1UdIwQYMBaAFEkmC1HDAh0fXehpiUhUGE868Hk2MA0GCSqGSIb3DQEBDQUAA4ICAQAs2KADYyGQCVy8tJZWakNtGdww4OumZpBuR66p_2xK7veRubQEhG-nJn7oVkJ4w5pEec3sYQEqtPbHyZcEKEYbOJ2cVf1nMH-DvFZ6ypQocGRp3WSWsTzL3SgqiWrQdPX1Y5dO6Hvx7p9ST9H2WgkxB-Q75Jov1gVF3bScAbxb7Mw7tf5z3Cvqmfo0Gatkgzz6-jDPrtUK7AAAOw3C0kHMbE3EnNarsfhBkUerE8QVmHIvz373mWt0SnguaHq0A9ZuSia_pF7bgfVRZi2ZzIzpu2O276sB2Yji9tcSn5l21jq63rXtvY_DLAi4kaLyf9sHT_tkH-gkTdkdkfQq8sA5ysRW21wPQbmjTIVwsfY4JjajVIUitjPbkUJqURpf2VD0JXdYQHS6KVPWqHWTlKPlsKbhw4ghuLqCMYda88L9rxWnSC5L8s0DJSuBBm-nq23NtHl5FbCzeXWcKRayIgimT-An1WIOeJP4F7-BctYLIooKoQzJZR1tOWvprUs22_xAivVBz7J_LmJyVlKesB2ic8qYdt7YVoCsWrnEUgoNoJPwLHeva8KPvd0gLXrwaMyTCCjeoemXFj6nCbbMHJeVffh6jYBAzlbcAEvTiZcdzrVVr54kOtWskyaeDnAcMXW4Of1vWdUJ2as5nyfletfTp4E6A9P2dZ5g7nMoL90yIw" + ], + "value": "m4pMbQQVV61TlP4Og7a75SeY8lh00LkkUDXZ4PIhXsR512MPRgZmusFYorJlYq9wM3P9n9gM3T8BTg9XdFdQkQ" + } +} diff --git a/tests/_data/schemaTestData/1.7/valid-standard-1.7.json b/tests/_data/schemaTestData/1.7/valid-standard-1.7.json new file mode 100644 index 000000000..b4d2cc014 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-standard-1.7.json @@ -0,0 +1,82 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "definitions": { + "standards": [ + { + "bom-ref": "standard-1", + "name": "Sample Standard", + "version": "1.0.0", + "description": "Description here", + "owner": "Acme Inc", + "requirements": [ + { + "bom-ref": "requirement-1", + "identifier": "v1", + "title": "Title here" + }, + { + "bom-ref": "requirement-1.1", + "identifier": "v1.1", + "title": "Title here", + "text": "Text here", + "descriptions": [ + "Requirement is described here", + "and here" + ], + "parent": "requirement-1" + }, + { + "bom-ref": "requirement-1.1.1", + "identifier": "v1.1.1", + "text": "Text of the requirement here", + "descriptions": [ + "Supplemental text here" + ], + "openCre": [ + "CRE:616-305" + ], + "parent": "requirement-1.1" + } + ], + "levels": [ + { + "bom-ref": "level-1", + "identifier": "Level 1", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-2", + "identifier": "Level 2", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + }, + { + "bom-ref": "level-3", + "identifier": "Level 3", + "description": "Description here", + "requirements": [ + "requirement-1.1.1" + ] + } + ], + "signature": { + "algorithm": "ES256", + "certificatePath": [ + "MIIB...", + "MIID..." + ], + "value": "tqIT..." + } + } + ] + } +} diff --git a/tests/_data/schemaTestData/1.7/valid-standard-1.7.xml b/tests/_data/schemaTestData/1.7/valid-standard-1.7.xml new file mode 100644 index 000000000..686e32839 --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-standard-1.7.xml @@ -0,0 +1,67 @@ + + + + + + Sample Standard + 1.0.0 + Description here + Acme Inc + + + v1 + Title here + + + v1.1 + Title here + Text here + + Requirement is described here + and here + + requirement-1 + + + v1.1.1 + Text of the requirement here + + Supplemental text here + + CRE:616-305 + requirement-1.1 + + + + + Level 1 + Description here + + requirement-1.1.1 + + + + Level 2 + Description here + + requirement-1.1.1 + + + + Level 3 + Description here + + requirement-1.1.1 + + + + + + + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-tags-1.7.json b/tests/_data/schemaTestData/1.7/valid-tags-1.7.json new file mode 100644 index 000000000..1723bc00f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-tags-1.7.json @@ -0,0 +1,31 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "type": "library", + "name": "my-json-parser", + "version": "1.0", + "tags": [ + "json-parser", + "javascript", + "node.js" + ] + } + ], + "services": [ + { + "name": "my service", + "endpoints": ["https://example.com/myservice"], + "tags": [ + "microservice", + "golang", + "aws", + "us-east-1" + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-tags-1.7.xml b/tests/_data/schemaTestData/1.7/valid-tags-1.7.xml new file mode 100644 index 000000000..2723630fd --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-tags-1.7.xml @@ -0,0 +1,31 @@ + + + + + my-json-parser + 1.0 + + json-parser + javascript + node.js + + + + + + my service + + https://example.com/myservice + + + microservice + golang + aws + us-east-1 + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.json b/tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.json new file mode 100644 index 000000000..5b458cb1f --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.json @@ -0,0 +1,173 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "components": [ + { + "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4", + "type": "library", + "group": "com.fasterxml.jackson.core", + "name": "jackson-databind", + "version": "2.9.4", + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4" + } + ], + "vulnerabilities": [ + { + "bom-ref": "6eee14da-8f42-4cc4-bb65-203235f02415", + "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111", + "source": { + "name": "Snyk", + "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111" + }, + "references": [ + { + "id": "CVE-2018-7489", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997" + } + } + ], + "ratings": [ + { + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0" + }, + "score": 9.8, + "severity": "critical", + "method": "CVSSv3", + "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "justification": "An optional reason for rating the vulnerability as it was" + } + ], + "cwes": [ + 184, + 502 + ], + "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.", + "detail": "", + "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher.", + "workaround": "Describe the workarounds here", + "proofOfConcept": { + "reproductionSteps": "Precise steps to reproduce go here", + "environment": "Describe the environment", + "supportingMaterial": [ + { + "contentType": "image/jpeg", + "encoding": "base64", + "content": "/9j/4AAQSkZJRgABAQAASABIAAD/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABQKADAAQAAAABAAABQAAAAAD/wAARCAFAAUADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBQMDAwUGBQUFBQYIBgYGBgYICggICAgICAoKCgoKCgoKDAwMDAwMDg4ODg4PDw8PDw8PDw8P/9sAQwECAgIEBAQHBAQHEAsJCxAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ/90ABAAU/9oADAMBAAIRAxEAPwD9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9L9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9xKKKKACiiigAooooAKKKKACiiigAooooAKKzdY1jSfD2lXWua7eRafp9jG0s9xO4SONF6szHgCvyK+P/APwUJ1zV7i68MfAxTpmnKTG2sTJ/pU3Ym3jbIiU9mYFz1AWmkB+qvjL4ieA/h5Z/bvHPiCy0OEjK/a51jZv91CdzfgDXy3r/APwUA/Zw0WVobPUr/WWXvZ2T7D9GmMQNfitofhT4ofGXX5ptHsdR8V6rK2Zrht85BPeSaQ7V/wCBMK+nvDv7Afxk1WJZtcvtL0PdzskmeeQfUQqVz/wI185nXF+VZc+XG4mMH2b1+5Xf4HTRwlWprCLZ9xW//BSD4DSy7JtO12Bf77WsBH5LOT+leweEP2yv2cfGc0drZeL4tNuJOBHqUclmST23yKI//H6/Om4/4J2eOli3Wvi/TJJP7rwzoPzAb+VeL+NP2NPjx4Ohku00aPXrWPJL6ZKJ2x/1yYLIfwU15WX+JeQYqfs6OMhfzfL/AOlJGk8trxV3Bn9Ctpd2t/bR3thPHc28w3JLEweNwe6spII+lWK/me+G3xr+LfwN1hj4P1e50zyXxcadcBmtnI6rLbScA+4CsOxr9mP2bv2x/Bfxz8rwzrUaeHfGIX/jzd8wXeBy1q7ck9zG3zDtuGTX2+6ujiPsmiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//1f3EooooAKKKKACiiigAooooAKKKKACop54LWCS6upFhhhVnkdyFVEUZZmJ4AAGSalr88P8AgoV8aJ/BXgCz+F+hXBi1PxeGa7ZDho9OiOGX285/k91DChAfDv7Xn7Uuo/GzxHN4V8LXL2/gbSZSIUUlft8qHH2mUd1z/qlPAHzH5jx1P7NH7HM/j21tfHvxQWWy8Py4ktbBSY571ezu3WOE9sfMw5GBgnhP2PfgTB8WfGsviHxJb+b4Z8NsjzIw+W6uTzFAfVRjc49MD+Kv2w/dxR/wxxxr7Kqqo/IAD8q/nbxl8VauAm8pyyVqlvfkt432S/vNat9Fa2r0+hyjK1Ne1qbdEZWgeHtB8K6VDofhrT4NL0+3GI4LeMRoPfA6n1J5Pc1sV8+X/wC1V+z9pustoV14ytTOjbGeNJZIFYcYMyIU/EEj3r3iw1Cw1Wyg1LS7mO8tLpBJFNC4eORG5DKy5BB9q/lbM8px1C1XG0px59U5Jrm+bWp9NTqwlpBrTsW6KKK8k1PD/jD+z78OvjRp8ieI7IWurBcQanbKFuoz23HpInqr59sHmvxc+K/wl8c/AbxlHpWtFo3VvP0/UbYsiTqjZWSJxyrqcblzuU+2Cf6E68r+Mnwn0H4yeBb3wfraqkrAyWVzjL2t0o+SRT1x2cd1JHpX7D4ZeKuJyevHDYqTlhno09eTzj6dY7P1PJzLLI1k5RVpfmef/sZftQn41aA/gvxnMo8Z6JEGaQ4X+0LZcL54H/PRTgSgeoYdSB9yV/MPoWs+M/gP8U4dTgU2XiDwnfFZIySFYxNtkjb1jkXI91Oa/pQ8E+LtI8feENG8a6C++w1u1iuovVRIuSp91OVPuDX9ywqRnFTg7p6pnxTTTszqKKKKoQUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//W/cSiiigAooooAKKKKACiiigD8fP2q/21fiZo/wAStW+Hnwsvl0LTvD0xtZ7pYkkuLm4T/WYaQMERW+UBRk4yTg4r5Z/4bJ/aZ/6Hu6/79W//AMbr6u/a+/Yz8cX3jLWfi18L7U63Zau5u77Tov8Aj7gnI/ePEn/LVHI3bV+YEkYIr8z9Ovrnw9qhe4soppYGKS295CHGQeVZGAKkfgRTe2iNKUYuSU3Zd9z6C/4bJ/aZ/wCh7uv+/Vv/APG68Z8e/EXxr8T9dHiXx7qsusaksKQCaUKCIoySqgIFAAJJ6d6+gPBPiT4Q+KvLs9Q0Gx0rUWwPLliTy3P+xIQB+BwfrWR8efDHh3Q9E0u40bTYLGWS5ZGaGMIWXYTg468ivIp5x+/VCdNxbPv8TwBbLp5lh8VCpCO9r33StqtHrsz9EP2G9X8J33wOt9M8PKY7/TbqZdUV8bmuZTvWTjqjR7QvptI7VN+3B4o1vw18C7iHRZHg/tm+gsbmRCQRburu65HQOUCn1BI714P/AME5Wbb48TJ2/wDEvOO2f33NfoJ8QvAXh74m+D9R8E+KImksNRQAlDiSN1O5JEJzhkYAj8jwTX8Y8WTw+VcaTr105041Izd9X7yUn62b0XkkcOFUquDSjo7W/Q/m/wCnAr9XP+CePifWr/wx4q8KXkjy6bpM9tPa7iSImuQ/mIvoCUDY9cnvXll//wAE8PiAmsmDTPFGmS6UW4nmWZJwnvEqspbHo+K/Qz4KfBrw58EfBq+FdBka7mmk8+8u5AFe4nIA3YGdqqBhVycDuSSa/UfF/wASMlx2SywmEqqpUm4tWT92zTbd0rO11bfXseblOXVoVueaskev0UUV/JR9SFFFFAH5F/8ABQLwFDovj7RvH1lGEj8R2zQ3GBgG5tMAMfdo2X/vmvrj/gnD43l174Qat4NupN8vhfUT5QJ5FveL5qj6CQSfnXHf8FBNPiuPg/o+oMP3llrEQU9wssMqsPxwPyrzP/gmNqEqeNvHWlZ/dTabazkf7UU5Qfo5r+9vBfNJ4rh2h7R3cLw+Sen3JpfI+Hziko4iVuup+xNFFFfqR5YUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//1/3EooooAKKKKACiiigAooooAK+cPjd+yz8KfjnBJda9Y/2Zr+3Eeq2QVLgHt5o+7Mvs/Powr6Pr57/aW+PFp+z78PB4s+wjU9SvrhbOxtmYpG8zKzlpGHIRFUk45JwBjOQ0B+MHxz/ZJ+KvwOabVL+1GueGkPy6rZKWjRScD7RHy0J+uVz0Y18+XvibXdS0i30LULt7mztH8yFZDuKHG3AY84x26V6f8Wf2iPi18abpm8ba3I1gG3R6fbfuLKP0xEp+Yj+85Y+9eJU3BOza2NqWIqQUowk0no7dV2fc/Tr/AIJy/wDM+f8AcP8A/a1fp1X5mf8ABOa2mFt47vCP3RewjB/2gJmI/Kv0zr+CPGlp8S4q39z/ANIifZ5P/u8fn+YUUUV+WHphRRRQAUUUUAfAv/BQrWIbX4X+H9DLfvtQ1YSgf7FvC+4/m61xv/BMXSJX8SePNf2nyobOztM9t0sryY/KOvDP26PiNB4x+LMfhXTpRJZeEYDbMQcqbuUh5/8AvnCofdTX6Ff8E+/AE3hD4EJ4hvY/LuvF15JfjIwfs0YEMH4EKzD2av798H8nnguH8PCorSneb/7ed1/5LY+Fzasp15NdND7looor9LPNCiiigAooooAKK5rxf4x8MeAfD134r8Y6lFpWlWK7pZ5jhRngKAMlmY8KqgknoK+KW/4KOfAVdW+wCy1prPdt+2C1j8vH97yzL5mP+A59qLAffdFcp4K8ceE/iL4ctfFngrU4tV0q7zsmiJ4ZfvIynDK691YAiuroAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAK8J/aH+Bej/ALQHw/bwdqN42m3dtOt3Y3arv8mdVK/MmRuRlYqwBB7jkV7tRQB+MDf8EzPiiCQvi/RiOx2XIz+Gyuf8V/8ABOn4seGfC+q+IrbXNN1ibTLd7hbK1Sfz5xHyyx7lA3bckDuRgcmv2/r5b/ay+P8AqX7Pnw+ste0Cwiv9Y1i8Fnai43GCLCNI8jhSC2AMBQRknk4FVcD8Xv2cvjbefA/x/HrMwebQ9RAttTt16tDnIkUf89IjyPUZXvX7xaLrWk+I9JtNe0K7jvtOv41mgniO5JEbkEH+Y6g8Hmv5yPG3iqXxv4p1HxZc6faaZcapIZpobFGit/Nb77IjM23efmIBxknAFe2fAH9prxh8Drv+z1U6x4ZuH3z6fI+0ox6yW7nOxz3GNrdxnkfhni54UvOF9fwFlXirNbKaW2vSS6N6NaPZHt5Vmnsv3c/h/I/d6iuY8F+LtG8e+FNL8ZeH3Z9P1eBZ4t42uA3BVhzhlIIPuK6ev4tr0J0pypVFaUW00+jW6PsIyTV0FFFRT3EFpBJdXUqQwxKWeSRgqKo6lmOAAPU1mlfRDJa+bP2lvj5pnwS8GyCzlSXxTqqNHp1v1KE8G4kHZI+2fvNgDvjzP40/tt+A/A9vcaN8Onj8U69gqJUJ+wQN6tIMeaR/dTg92FflvHH8S/j78RViQT+IvE+uSYHoAP8Ax2KKMfRVFfv3hj4NYnG1oY3NabhRWqi9JT+W6j3vutFvdeFmWbxgnCk7v8ja+Cnws8Q/Hv4qWPhOB5Jft0xutTuzljFbBt08zMf4jnC56uwr+k3SdK07QdKstD0iEW1jp8MdvBEvRIolCoo+gFfP/wCzL+zpo37P/go6bEVv/EWqBJNUvlXh3UfLDFnkRR5OP7xyx64H0kUcdVI/Cv7J0WiPkBtFGCKKACilCk9Bmql/e2WlWz3uq3EVlbxjc8k7rEij1LMQAKALVVb6+stMs59R1K4jtLS2QySzTOI440XkszNgAD1NfGHxa/bw+C/w7jmsPDFyfGespkCKwbFqrf8ATS6IK4/65hz9K/Jf40/tMfFb473f2fxPf/ZdI35h0qy3R2qnPy7lyWlf3cn2A6U0gPbP25P2idC+MfijS/C3gPUHvPDPh5ZGeUApDdXrnBkTPLIiDarEDqxHBzXgi/AbxF/wol/jxJewx6cLsW62jKwmeMy+T5ob7uN/AHoCc9q92+Af7FninxzNbeJvidHLoHh7IkW1YbL27XqBtPMKHuzfMR0HevsD9suw0rw1+zLd6Bo1tHZWMFzp1tbwRDakcaSghVH0WvxziLxToLNcJlOWTUpyqRU2rNKLdnFPu+62t329jD5ZL2U6tRWSTsfPH/BNjxlrNl8TNe8BrKX0nVdOe9aIn5UuLV0VZFHqyOVPrgegr9oa/D3/AIJvW5l+OuqTgcQaHck/8CmhFfuFX7HI8cKKKKQBRRRQAUUUUAFFFFAH/9H9xKKKKACiiigAooooAKKKKACiiigAr83P+CmUBf4WeEbgDiLW2B/4FbSf4V+kdfBX/BRjS2vfgBb36jJ07WrOQ+yyJLGf1YU0B+ef7JXwK8DfHG58UWPjGW8hfSYrWS3a0lWMjzWdW3BkcH7ox0r6suv+Cd/w5kmV7PxTq0MWRuRkgcle4DbVwfcg14p/wTw1IQfEbxRpRODeaUkoHqYJ1H8pK/XCv5D8WeOs6yzPq1DCYmUYWi0tGtYq9k0+tz6zK8FRqUFKcbvU5zwh4U0bwN4Y0zwh4eiMOm6TAsEKsdzbV7se7Mckn1NdHRRX871q06k5VKjvJu7b3be7PfSSVkFfOX7VXgLxn8R/g5qPhvwKTJqHnwTvbBwhuoYiS8QJIGScMATglcelfRtFd2TZrUwOLpYykk5QkpK+qunfUitSU4uD6n88t78BPjZp2ftfgXWEx/ds5H/9ABrmZvAvxE0d/Mn8PatYuv8AEbS4jI/HYDX9IOSOhpwkkHRiPxr+gaP0ksYv4mEi/STX5pngvh6HSbP5u49e+I+lf6rUtZstvpPcxY/UVpQ/GD4s2J2weNdahI7DULgf+z1/RbIkcv8ArkWT/eAP86oy6RpE4xPYW8g/2oUb+Yr06f0lV9vA/dU/+0M3w72n+H/BP59ov2g/jlBxF8Q9dUf9hKf/AOLqz/w0d8eiMf8ACxddx/2EJv8A4qv3tk8HeEJuZtB09/8AetIT/Nag/wCEE8DZz/wjemZ/68oP/iK6l9JSh1wT/wDA1/8AIk/6uv8An/A/Am6+PHxpvVK3fj/XJQeobUrj/wCLrnmHxF8eTrC/9r+I5nPyq32i8JPsDur+iS38L+F7QhrXRrGEjulrEv8AJa11MFmm1NsK+igKPyFc1f6Sd1ajgdfOf6KBcOHO8/w/4J+Kvw1/Yk+MHjZ4rrxHAnhHTGwS9781yV/2LdTuz/vlK/ST4SfsufCn4RGLUNNsTq+tx4P9o34WSVW9Ykxsi/4CN3+0a96l1KMcRLuPqeBVq2nFxHvxgg4Ir8s4w8T89zSDjWn7Ok/sw0Xzd+Z+jdvI9fD5NTormtd92WCSTk18M/8ABQDUha/BjTdPzhr/AFiAY9RFFK5/XFfc1fmL/wAFF9eGPBPhZG5/0y+df++IkP8A6HXF4RYJ1+I8JFdG5f8AgMW/0JzWfLh5srf8EytMM3xC8aaxji10qCDPvPOG/wDaVfsnX5h/8EyfD7W/g3xt4odcfbb+2tEb1FtEXb9ZRX6eV/oDI+DCiiikAUUUUAFFFFABRRRQB//S/cSiiigAooooAKKKKACiiigAooooAK+aP2w/DreJv2bfG9nGm+SztUvkHvZypMT+Cqa+l6yte0a08R6FqXh6/GbbVLaa1kB/uToUP6GgD+fv9i3xEugftBaHFK22PWIbmwPpuljLp+boB+NfuTX841jNq3wn+JcMsylNQ8I6qN69DvspsMPx2kfQ1/RZpuo2esadaavp7iS1voY54mHIaOVQ6n8jX8ifSNylwx+HxqWk4uPzi7/lJfcfWcP1b05Q7P8AMu0UUV/OR9AFFFFAGHNfXAlYKdoBxjFMGoXI/iB/Ctp4IZDudASe9Rmztj/yzH617EMbh7JOH5HUqsLaozBqVx/sn8KX+05v7q/rV/7Ban+D9TSf2fa/3T+dV9awv8g/aU+xS/tOb+4v60h1Oc9FUfnV3+z7b0P50o0+1H8JP40fWMJ/KHPS7GU95cvwXwPbiokimmPyqW966BLW3j+6gz781PQ80hFWpQB4hL4UczNA8BAkxkjPFa2mjEBPq1Z19J5lw2Oi8flWxaJ5dug7kZP41rj6reHjzbsqtJ8iuWa/ED9tjxcvij486pZQvvt/D0EGnLg8B0HmS/8Aj7kH6V+zni/xRp/grwrq/i/VWC2mj2st1JnuI1JCj3Y4A9zX88+l2GvfFv4kW2nrmbV/F2phSev728lyx+i7ifoK/cfo55E6mNr5jJaQjyr1lq/uS/8AJj5HiCvaEaffU/df9iDwi3hL9m/w0Zo/LuNba41OTPXFxIRH/wCQ1SvrSsvRNGsfDui6f4f0xAlnplvFawqO0cKBF/QVqV/XDPlAooooAKKKKACiiigAooooA//T/cSiiigAooooAKKKKACiiigAooooAKKKKAPwj/4KAfDGTwT8bH8XWkOzTPGcIu1YD5RdxAR3C/U/K/8AwKvrz9h/4oR+NfhSvg++m3ar4RYWxUn5ms3y0D/ReY/+Aj1r6M/at+Cg+OHwkv8AQtPjDa9pRN/pbdzcRqd0OfSZMp/vbT2r8Mvgn8U9Y+CPxJs/FMcUhhiZrXUbQ/K0luxxKhB6OhG5c9GUe9fn3ifwe86ymeHpr95H3oeq6fNXXrZ9D0Mtxfsaqk9noz+hGisfw94g0fxXodj4k8PXS3um6lEs0EyHhkYcfQjoR1ByDWxX+fdSnKEnCas1o0+jPu076oKKKKgYUUUUAFFFFABRRR70AFVrq4FvGT/Efuio576KLIT529un51jM0tzLk/MzdK9TB5e5PmqaI6aVBvV7C28RnmC9up+ldLVW1thbpg8s3U15p8ZPi14f+DPgi78X64wkmAMdla5w91ckfJGvsOrn+Fcn0rZ0quOxMMNho80m7RS6tmWKxEVeTeiPjP8Ab6+LkdlpFh8HtHn/ANJvyl7qe0/cgQ5gib/fYbyPRV9a4r/gnP8ACZ/EXxA1H4ranDnT/C8Zt7RmHD31yuCR/wBcoiSfQutfEUj+NvjZ8Scqrap4l8VXoCqvQySnAA/uxov4Ki+1f0Y/Bf4WaR8Gfhto3w/0giT7BHuuZwMG4upPmmlP+83T0UAdq/0A4E4UhkuWU8DHWW8n3k936dF5JH51jsU61Rz+49Sooor645AooooAKKKKACiiigAooooA/9T9xKKKKACiiigAooooAKKKKACiiigAooooAK/Ij9u79ly4sr28+Ofw/szJZ3B8zXLSJeYpO94ij+Bv+WuOjfP0Jx+u9MkjjmjeGZBJHICrKwBVlIwQQeCCOoppgfz5/syftO6n8FdQ/wCEe8QCTUPB99JulhX5pLSRus0APUH+NP4uo+br+0fhvxN4f8Y6Ja+I/C9/Fqem3i7op4W3KfUHuGHQqcEHgivz4/ah/YPvLa4vPH/wLtPtFtIWlutDT/WRE8s1n/eX/pl1H8GR8o+Bvhr8XviT8FNcluPCd9JYsJNt3YXCkwSsvBWaFsYYdMjDD1r8Q8SvBujm8pY3AtQr9b/DP17Pz69V1Pay7N3S9yesfyP6HKQ5wcda+Ffhl+3j8N/E8cVh8QraTwrqJwGmAa4smb1DqN6fRlIH96vs/wAP+J/DfiyzXUPC+q2ur2zDIktZkmX8dhOPxr+SM+4RzLK58mOoSh5291+klo/kz6qhiqdRXg7ldp7lJCWdlbvzUq6hcr1Ib6it1kR+HUH6ioGs7Zv+WYH0rlWYUZL34Hp+3g90Zo1Kfuqn86Dqc3ZV/Wrx0+29D+dH9n23ofzp/WMJ/KPnpdjObULk9CB9BVZ5ZpjhmLe1bq2Vsv8ABn6mrCRonEagfQUf2hRh8EA9vBfCjCisZ5OWGwep/wAK2ILaO3GEGSepPWuS8Y/EbwH8PrVrzxrr1npCAZCzygSt/uxjLsfopr4H+LH7f9jDHNpPwe0xriY5X+0tQTbGv+1Fb5y3sZCB/smvoci4SznO5KODovk/m2ivWT0forvyPOxmaQgvfl8j7X+LXxk8D/Bnw82ueL7sCaQH7LZREG5unH8Ma9hnq5+Ve57V+Hnxf+L/AIx+OHjD+3/EBIUHybCxhy0dvGx+WONerOxxubGWP4AYLv8AEb40eNVU/bfFXiXVX2qoBllb2AHCIv4Ko9BX7Dfsr/sVaX8J5Lbx98SRDqvi9QHt7dcSW2nE91PSSYf3/ur/AA5PzV/XPhz4VYXIY+3qP2ldrWXReUf1e78lofGZhmkq/urSJJ+xT+yzJ8JdI/4WP48tgvi/V4dsEDjJ061cZKn0mk/j/uj5eu6vvyiiv1Q8sKKKKACiiigAooooAKKKKACiiigD/9X9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvnL40fssfCP44LJe+I9OOna4y4XVLHEVzkdPM4KSgf7YJ9CK+jaKAPwv+Jv8AwT3+Mvg55rzwS8HjLTkyVFuRBehf9qCQ4Y/7jtn0r45v9L8e/DXVtmo2upeFtSjPV1ms5c+x+Un8DX9S1UdT0vS9atWsdasoNQtm4MVxEsyEf7rgiiSUk4yV0xp2P5zPD/7Vf7QHhxUSz8ZXV1EvRLxY7sfnKrN+terad+3x8crQBb2HSb8Du9q0bH8Y5FH6V+sniP8AZO/Z08UO8upeBNPhlfkvaB7Rs+v7hkH6V5Fqf/BPP9nS+YtZwarp2f8AnjfFgPoJVevlMbwHkmId62Dpt9+VJ/ekmdUMdWjtN/efEEP/AAUP+JiDE3hfR5D6g3C/+1KfL/wUQ+JLLiLwto6H1LXDf+1BX1fP/wAE1vgw7E2/iDXYh6NLbP8A+0RUcP8AwTU+DitmfxFrkg9A9uv6+Sa8n/iFHDl7/U4/fL/M1/tXEfznxVqf7fPxwvAVsINJ04Hulq0jD8ZJGH6V474m/ae+PPipHi1TxleQQv1jtClomD2/cqhx+NfrLpf/AATw/Z2sGDXseraljtPfbAfqIUjr2Xwz+yp+zx4SdJtJ8CadJMnIku0a8fPrm4aQfpXr4DgTJMM+ahg6afflTf3u7MZ46tL4pv7z+fPw34J+IfxN1Qx+F9G1HxJfTH5nhikuDk93lOQPqzV93fCr/gnH49154dS+K+qReGrE4ZrO1K3N6w9Cw/dR/XLn2r9l7Ozs9OtlstOt47S3ThYoUWNAPZVAA/KrNfVrRWRynlXwr+Cnw1+DGknSvh/o0di0gAnun/eXdxjvLM3zH/dGFHYCvVaKKQBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/1v3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0f3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v3Eoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQB//9k=" + } + ] + }, + "advisories": [ + { + "title": "GitHub Commit", + "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" + }, + { + "title": "GitHub Issue", + "url": "https://github.com/FasterXML/jackson-databind/issues/1931" + } + ], + "created": "2021-01-01T00:00:00.000Z", + "published": "2021-01-01T00:00:00.000Z", + "updated": "2021-01-01T00:00:00.000Z", + "rejected": "2022-01-01T00:00:00.000Z", + "credits": { + "organizations": [ + { + "name": "Acme, Inc.", + "url": [ + "https://example.com" + ] + } + ], + "individuals": [ + { + "name": "Jane Doe", + "email": "jane.doe@example.com" + } + ] + }, + "tools": { + "components": [ + { + "type": "application", + "group": "Snyk", + "name": "Snyk CLI (Linux)", + "version": "1.729.0", + "hashes": [ + { + "alg": "SHA-256", + "content": "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d" + } + ] + } + ], + "services": [ + { + "provider": { + "name": "Acme Inc" + }, + "name": "Acme BOM Analyzer", + "endpoints": [ + "https://example.com/analyze" + ] + } + ] + }, + "analysis": { + "state": "not_affected", + "justification": "code_not_reachable", + "response": [ + "will_not_fix", + "update" + ], + "detail": "An optional explanation of why the application is not affected by the vulnerable component.", + "firstIssued": "2022-01-01T00:00:00.000Z", + "lastUpdated": "2022-02-01T00:00:00.000Z" + }, + "affects": [ + { + "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4", + "versions": [ + { + "range": "vers:semver/<2.6.7.5", + "status": "affected" + }, + { + "range": "vers:semver/2.7.0|<2.8.11.1", + "status": "affected" + }, + { + "range": "vers:semver/2.9.0|<2.9.5", + "status": "affected" + } + ] + } + ], + "properties": [ + { + "name": "Foo", + "value": "Bar" + }, + { + "name": "Foo", + "value": "You" + }, + { + "name": "Foo", + "value": "Two" + }, + { + "name": "Bar", + "value": "Foo" + } + ] + } + ] +} diff --git a/tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.xml b/tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.xml new file mode 100644 index 000000000..ee8db9f2e --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-vulnerability-1.7.xml @@ -0,0 +1,147 @@ + + + + + com.fasterxml.jackson.core + jackson-databind + 2.9.4 + pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + + + + + SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 + + Snyk + https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111 + + + + CVE-2018-7489 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2019-9997 + + + + + + + NVD + + + 9.8 + critical + CVSSv3 + AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + An optional reason for rating the vulnerability as it was + + + + 184 + 502 + + FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. + + Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher. + Describe the workarounds here + + Precise steps to reproduce go here + Describe the environment + + /9j/4AAQSkZJRgABAQAASABIAAD/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAABQKADAAQAAAABAAABQAAAAAD/wAARCAFAAUADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBQMDAwUGBQUFBQYIBgYGBgYICggICAgICAoKCgoKCgoKDAwMDAwMDg4ODg4PDw8PDw8PDw8P/9sAQwECAgIEBAQHBAQHEAsJCxAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ/90ABAAU/9oADAMBAAIRAxEAPwD9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9L9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9xKKKKACiiigAooooAKKKKACiiigAooooAKKzdY1jSfD2lXWua7eRafp9jG0s9xO4SONF6szHgCvyK+P/APwUJ1zV7i68MfAxTpmnKTG2sTJ/pU3Ym3jbIiU9mYFz1AWmkB+qvjL4ieA/h5Z/bvHPiCy0OEjK/a51jZv91CdzfgDXy3r/APwUA/Zw0WVobPUr/WWXvZ2T7D9GmMQNfitofhT4ofGXX5ptHsdR8V6rK2Zrht85BPeSaQ7V/wCBMK+nvDv7Afxk1WJZtcvtL0PdzskmeeQfUQqVz/wI185nXF+VZc+XG4mMH2b1+5Xf4HTRwlWprCLZ9xW//BSD4DSy7JtO12Bf77WsBH5LOT+leweEP2yv2cfGc0drZeL4tNuJOBHqUclmST23yKI//H6/Om4/4J2eOli3Wvi/TJJP7rwzoPzAb+VeL+NP2NPjx4Ohku00aPXrWPJL6ZKJ2x/1yYLIfwU15WX+JeQYqfs6OMhfzfL/AOlJGk8trxV3Bn9Ctpd2t/bR3thPHc28w3JLEweNwe6spII+lWK/me+G3xr+LfwN1hj4P1e50zyXxcadcBmtnI6rLbScA+4CsOxr9mP2bv2x/Bfxz8rwzrUaeHfGIX/jzd8wXeBy1q7ck9zG3zDtuGTX2+6ujiPsmiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//1f3EooooAKKKKACiiigAooooAKKKKACop54LWCS6upFhhhVnkdyFVEUZZmJ4AAGSalr88P8AgoV8aJ/BXgCz+F+hXBi1PxeGa7ZDho9OiOGX285/k91DChAfDv7Xn7Uuo/GzxHN4V8LXL2/gbSZSIUUlft8qHH2mUd1z/qlPAHzH5jx1P7NH7HM/j21tfHvxQWWy8Py4ktbBSY571ezu3WOE9sfMw5GBgnhP2PfgTB8WfGsviHxJb+b4Z8NsjzIw+W6uTzFAfVRjc49MD+Kv2w/dxR/wxxxr7Kqqo/IAD8q/nbxl8VauAm8pyyVqlvfkt432S/vNat9Fa2r0+hyjK1Ne1qbdEZWgeHtB8K6VDofhrT4NL0+3GI4LeMRoPfA6n1J5Pc1sV8+X/wC1V+z9pustoV14ytTOjbGeNJZIFYcYMyIU/EEj3r3iw1Cw1Wyg1LS7mO8tLpBJFNC4eORG5DKy5BB9q/lbM8px1C1XG0px59U5Jrm+bWp9NTqwlpBrTsW6KKK8k1PD/jD+z78OvjRp8ieI7IWurBcQanbKFuoz23HpInqr59sHmvxc+K/wl8c/AbxlHpWtFo3VvP0/UbYsiTqjZWSJxyrqcblzuU+2Cf6E68r+Mnwn0H4yeBb3wfraqkrAyWVzjL2t0o+SRT1x2cd1JHpX7D4ZeKuJyevHDYqTlhno09eTzj6dY7P1PJzLLI1k5RVpfmef/sZftQn41aA/gvxnMo8Z6JEGaQ4X+0LZcL54H/PRTgSgeoYdSB9yV/MPoWs+M/gP8U4dTgU2XiDwnfFZIySFYxNtkjb1jkXI91Oa/pQ8E+LtI8feENG8a6C++w1u1iuovVRIuSp91OVPuDX9ywqRnFTg7p6pnxTTTszqKKKKoQUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//W/cSiiigAooooAKKKKACiiigD8fP2q/21fiZo/wAStW+Hnwsvl0LTvD0xtZ7pYkkuLm4T/WYaQMERW+UBRk4yTg4r5Z/4bJ/aZ/6Hu6/79W//AMbr6u/a+/Yz8cX3jLWfi18L7U63Zau5u77Tov8Aj7gnI/ePEn/LVHI3bV+YEkYIr8z9Ovrnw9qhe4soppYGKS295CHGQeVZGAKkfgRTe2iNKUYuSU3Zd9z6C/4bJ/aZ/wCh7uv+/Vv/APG68Z8e/EXxr8T9dHiXx7qsusaksKQCaUKCIoySqgIFAAJJ6d6+gPBPiT4Q+KvLs9Q0Gx0rUWwPLliTy3P+xIQB+BwfrWR8efDHh3Q9E0u40bTYLGWS5ZGaGMIWXYTg468ivIp5x+/VCdNxbPv8TwBbLp5lh8VCpCO9r33StqtHrsz9EP2G9X8J33wOt9M8PKY7/TbqZdUV8bmuZTvWTjqjR7QvptI7VN+3B4o1vw18C7iHRZHg/tm+gsbmRCQRburu65HQOUCn1BI714P/AME5Wbb48TJ2/wDEvOO2f33NfoJ8QvAXh74m+D9R8E+KImksNRQAlDiSN1O5JEJzhkYAj8jwTX8Y8WTw+VcaTr105041Izd9X7yUn62b0XkkcOFUquDSjo7W/Q/m/wCnAr9XP+CePifWr/wx4q8KXkjy6bpM9tPa7iSImuQ/mIvoCUDY9cnvXll//wAE8PiAmsmDTPFGmS6UW4nmWZJwnvEqspbHo+K/Qz4KfBrw58EfBq+FdBka7mmk8+8u5AFe4nIA3YGdqqBhVycDuSSa/UfF/wASMlx2SywmEqqpUm4tWT92zTbd0rO11bfXseblOXVoVueaskev0UUV/JR9SFFFFAH5F/8ABQLwFDovj7RvH1lGEj8R2zQ3GBgG5tMAMfdo2X/vmvrj/gnD43l174Qat4NupN8vhfUT5QJ5FveL5qj6CQSfnXHf8FBNPiuPg/o+oMP3llrEQU9wssMqsPxwPyrzP/gmNqEqeNvHWlZ/dTabazkf7UU5Qfo5r+9vBfNJ4rh2h7R3cLw+Sen3JpfI+Hziko4iVuup+xNFFFfqR5YUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH//1/3EooooAKKKKACiiigAooooAK+cPjd+yz8KfjnBJda9Y/2Zr+3Eeq2QVLgHt5o+7Mvs/Powr6Pr57/aW+PFp+z78PB4s+wjU9SvrhbOxtmYpG8zKzlpGHIRFUk45JwBjOQ0B+MHxz/ZJ+KvwOabVL+1GueGkPy6rZKWjRScD7RHy0J+uVz0Y18+XvibXdS0i30LULt7mztH8yFZDuKHG3AY84x26V6f8Wf2iPi18abpm8ba3I1gG3R6fbfuLKP0xEp+Yj+85Y+9eJU3BOza2NqWIqQUowk0no7dV2fc/Tr/AIJy/wDM+f8AcP8A/a1fp1X5mf8ABOa2mFt47vCP3RewjB/2gJmI/Kv0zr+CPGlp8S4q39z/ANIifZ5P/u8fn+YUUUV+WHphRRRQAUUUUAfAv/BQrWIbX4X+H9DLfvtQ1YSgf7FvC+4/m61xv/BMXSJX8SePNf2nyobOztM9t0sryY/KOvDP26PiNB4x+LMfhXTpRJZeEYDbMQcqbuUh5/8AvnCofdTX6Ff8E+/AE3hD4EJ4hvY/LuvF15JfjIwfs0YEMH4EKzD2av798H8nnguH8PCorSneb/7ed1/5LY+Fzasp15NdND7looor9LPNCiiigAooooAKK5rxf4x8MeAfD134r8Y6lFpWlWK7pZ5jhRngKAMlmY8KqgknoK+KW/4KOfAVdW+wCy1prPdt+2C1j8vH97yzL5mP+A59qLAffdFcp4K8ceE/iL4ctfFngrU4tV0q7zsmiJ4ZfvIynDK691YAiuroAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAK8J/aH+Bej/ALQHw/bwdqN42m3dtOt3Y3arv8mdVK/MmRuRlYqwBB7jkV7tRQB+MDf8EzPiiCQvi/RiOx2XIz+Gyuf8V/8ABOn4seGfC+q+IrbXNN1ibTLd7hbK1Sfz5xHyyx7lA3bckDuRgcmv2/r5b/ay+P8AqX7Pnw+ste0Cwiv9Y1i8Fnai43GCLCNI8jhSC2AMBQRknk4FVcD8Xv2cvjbefA/x/HrMwebQ9RAttTt16tDnIkUf89IjyPUZXvX7xaLrWk+I9JtNe0K7jvtOv41mgniO5JEbkEH+Y6g8Hmv5yPG3iqXxv4p1HxZc6faaZcapIZpobFGit/Nb77IjM23efmIBxknAFe2fAH9prxh8Drv+z1U6x4ZuH3z6fI+0ox6yW7nOxz3GNrdxnkfhni54UvOF9fwFlXirNbKaW2vSS6N6NaPZHt5Vmnsv3c/h/I/d6iuY8F+LtG8e+FNL8ZeH3Z9P1eBZ4t42uA3BVhzhlIIPuK6ev4tr0J0pypVFaUW00+jW6PsIyTV0FFFRT3EFpBJdXUqQwxKWeSRgqKo6lmOAAPU1mlfRDJa+bP2lvj5pnwS8GyCzlSXxTqqNHp1v1KE8G4kHZI+2fvNgDvjzP40/tt+A/A9vcaN8Onj8U69gqJUJ+wQN6tIMeaR/dTg92FflvHH8S/j78RViQT+IvE+uSYHoAP8Ax2KKMfRVFfv3hj4NYnG1oY3NabhRWqi9JT+W6j3vutFvdeFmWbxgnCk7v8ja+Cnws8Q/Hv4qWPhOB5Jft0xutTuzljFbBt08zMf4jnC56uwr+k3SdK07QdKstD0iEW1jp8MdvBEvRIolCoo+gFfP/wCzL+zpo37P/go6bEVv/EWqBJNUvlXh3UfLDFnkRR5OP7xyx64H0kUcdVI/Cv7J0WiPkBtFGCKKACilCk9Bmql/e2WlWz3uq3EVlbxjc8k7rEij1LMQAKALVVb6+stMs59R1K4jtLS2QySzTOI440XkszNgAD1NfGHxa/bw+C/w7jmsPDFyfGespkCKwbFqrf8ATS6IK4/65hz9K/Jf40/tMfFb473f2fxPf/ZdI35h0qy3R2qnPy7lyWlf3cn2A6U0gPbP25P2idC+MfijS/C3gPUHvPDPh5ZGeUApDdXrnBkTPLIiDarEDqxHBzXgi/AbxF/wol/jxJewx6cLsW62jKwmeMy+T5ob7uN/AHoCc9q92+Af7FninxzNbeJvidHLoHh7IkW1YbL27XqBtPMKHuzfMR0HevsD9suw0rw1+zLd6Bo1tHZWMFzp1tbwRDakcaSghVH0WvxziLxToLNcJlOWTUpyqRU2rNKLdnFPu+62t329jD5ZL2U6tRWSTsfPH/BNjxlrNl8TNe8BrKX0nVdOe9aIn5UuLV0VZFHqyOVPrgegr9oa/D3/AIJvW5l+OuqTgcQaHck/8CmhFfuFX7HI8cKKKKQBRRRQAUUUUAFFFFAH/9H9xKKKKACiiigAooooAKKKKACiiigAr83P+CmUBf4WeEbgDiLW2B/4FbSf4V+kdfBX/BRjS2vfgBb36jJ07WrOQ+yyJLGf1YU0B+ef7JXwK8DfHG58UWPjGW8hfSYrWS3a0lWMjzWdW3BkcH7ox0r6suv+Cd/w5kmV7PxTq0MWRuRkgcle4DbVwfcg14p/wTw1IQfEbxRpRODeaUkoHqYJ1H8pK/XCv5D8WeOs6yzPq1DCYmUYWi0tGtYq9k0+tz6zK8FRqUFKcbvU5zwh4U0bwN4Y0zwh4eiMOm6TAsEKsdzbV7se7Mckn1NdHRRX871q06k5VKjvJu7b3be7PfSSVkFfOX7VXgLxn8R/g5qPhvwKTJqHnwTvbBwhuoYiS8QJIGScMATglcelfRtFd2TZrUwOLpYykk5QkpK+qunfUitSU4uD6n88t78BPjZp2ftfgXWEx/ds5H/9ABrmZvAvxE0d/Mn8PatYuv8AEbS4jI/HYDX9IOSOhpwkkHRiPxr+gaP0ksYv4mEi/STX5pngvh6HSbP5u49e+I+lf6rUtZstvpPcxY/UVpQ/GD4s2J2weNdahI7DULgf+z1/RbIkcv8ArkWT/eAP86oy6RpE4xPYW8g/2oUb+Yr06f0lV9vA/dU/+0M3w72n+H/BP59ov2g/jlBxF8Q9dUf9hKf/AOLqz/w0d8eiMf8ACxddx/2EJv8A4qv3tk8HeEJuZtB09/8AetIT/Nag/wCEE8DZz/wjemZ/68oP/iK6l9JSh1wT/wDA1/8AIk/6uv8An/A/Am6+PHxpvVK3fj/XJQeobUrj/wCLrnmHxF8eTrC/9r+I5nPyq32i8JPsDur+iS38L+F7QhrXRrGEjulrEv8AJa11MFmm1NsK+igKPyFc1f6Sd1ajgdfOf6KBcOHO8/w/4J+Kvw1/Yk+MHjZ4rrxHAnhHTGwS9781yV/2LdTuz/vlK/ST4SfsufCn4RGLUNNsTq+tx4P9o34WSVW9Ykxsi/4CN3+0a96l1KMcRLuPqeBVq2nFxHvxgg4Ir8s4w8T89zSDjWn7Ok/sw0Xzd+Z+jdvI9fD5NTormtd92WCSTk18M/8ABQDUha/BjTdPzhr/AFiAY9RFFK5/XFfc1fmL/wAFF9eGPBPhZG5/0y+df++IkP8A6HXF4RYJ1+I8JFdG5f8AgMW/0JzWfLh5srf8EytMM3xC8aaxji10qCDPvPOG/wDaVfsnX5h/8EyfD7W/g3xt4odcfbb+2tEb1FtEXb9ZRX6eV/oDI+DCiiikAUUUUAFFFFABRRRQB//S/cSiiigAooooAKKKKACiiigAooooAK+aP2w/DreJv2bfG9nGm+SztUvkHvZypMT+Cqa+l6yte0a08R6FqXh6/GbbVLaa1kB/uToUP6GgD+fv9i3xEugftBaHFK22PWIbmwPpuljLp+boB+NfuTX841jNq3wn+JcMsylNQ8I6qN69DvspsMPx2kfQ1/RZpuo2esadaavp7iS1voY54mHIaOVQ6n8jX8ifSNylwx+HxqWk4uPzi7/lJfcfWcP1b05Q7P8AMu0UUV/OR9AFFFFAGHNfXAlYKdoBxjFMGoXI/iB/Ctp4IZDudASe9Rmztj/yzH617EMbh7JOH5HUqsLaozBqVx/sn8KX+05v7q/rV/7Ban+D9TSf2fa/3T+dV9awv8g/aU+xS/tOb+4v60h1Oc9FUfnV3+z7b0P50o0+1H8JP40fWMJ/KHPS7GU95cvwXwPbiokimmPyqW966BLW3j+6gz781PQ80hFWpQB4hL4UczNA8BAkxkjPFa2mjEBPq1Z19J5lw2Oi8flWxaJ5dug7kZP41rj6reHjzbsqtJ8iuWa/ED9tjxcvij486pZQvvt/D0EGnLg8B0HmS/8Aj7kH6V+zni/xRp/grwrq/i/VWC2mj2st1JnuI1JCj3Y4A9zX88+l2GvfFv4kW2nrmbV/F2phSev728lyx+i7ifoK/cfo55E6mNr5jJaQjyr1lq/uS/8AJj5HiCvaEaffU/df9iDwi3hL9m/w0Zo/LuNba41OTPXFxIRH/wCQ1SvrSsvRNGsfDui6f4f0xAlnplvFawqO0cKBF/QVqV/XDPlAooooAKKKKACiiigAooooA//T/cSiiigAooooAKKKKACiiigAooooAKKKKAPwj/4KAfDGTwT8bH8XWkOzTPGcIu1YD5RdxAR3C/U/K/8AwKvrz9h/4oR+NfhSvg++m3ar4RYWxUn5ms3y0D/ReY/+Aj1r6M/at+Cg+OHwkv8AQtPjDa9pRN/pbdzcRqd0OfSZMp/vbT2r8Mvgn8U9Y+CPxJs/FMcUhhiZrXUbQ/K0luxxKhB6OhG5c9GUe9fn3ifwe86ymeHpr95H3oeq6fNXXrZ9D0Mtxfsaqk9noz+hGisfw94g0fxXodj4k8PXS3um6lEs0EyHhkYcfQjoR1ByDWxX+fdSnKEnCas1o0+jPu076oKKKKgYUUUUAFFFFABRRR70AFVrq4FvGT/Efuio576KLIT529un51jM0tzLk/MzdK9TB5e5PmqaI6aVBvV7C28RnmC9up+ldLVW1thbpg8s3U15p8ZPi14f+DPgi78X64wkmAMdla5w91ckfJGvsOrn+Fcn0rZ0quOxMMNho80m7RS6tmWKxEVeTeiPjP8Ab6+LkdlpFh8HtHn/ANJvyl7qe0/cgQ5gib/fYbyPRV9a4r/gnP8ACZ/EXxA1H4ranDnT/C8Zt7RmHD31yuCR/wBcoiSfQutfEUj+NvjZ8Scqrap4l8VXoCqvQySnAA/uxov4Ki+1f0Y/Bf4WaR8Gfhto3w/0giT7BHuuZwMG4upPmmlP+83T0UAdq/0A4E4UhkuWU8DHWW8n3k936dF5JH51jsU61Rz+49Sooor645AooooAKKKKACiiigAooooA/9T9xKKKKACiiigAooooAKKKKACiiigAooooAK/Ij9u79ly4sr28+Ofw/szJZ3B8zXLSJeYpO94ij+Bv+WuOjfP0Jx+u9MkjjmjeGZBJHICrKwBVlIwQQeCCOoppgfz5/syftO6n8FdQ/wCEe8QCTUPB99JulhX5pLSRus0APUH+NP4uo+br+0fhvxN4f8Y6Ja+I/C9/Fqem3i7op4W3KfUHuGHQqcEHgivz4/ah/YPvLa4vPH/wLtPtFtIWlutDT/WRE8s1n/eX/pl1H8GR8o+Bvhr8XviT8FNcluPCd9JYsJNt3YXCkwSsvBWaFsYYdMjDD1r8Q8SvBujm8pY3AtQr9b/DP17Pz69V1Pay7N3S9yesfyP6HKQ5wcda+Ffhl+3j8N/E8cVh8QraTwrqJwGmAa4smb1DqN6fRlIH96vs/wAP+J/DfiyzXUPC+q2ur2zDIktZkmX8dhOPxr+SM+4RzLK58mOoSh5291+klo/kz6qhiqdRXg7ldp7lJCWdlbvzUq6hcr1Ib6it1kR+HUH6ioGs7Zv+WYH0rlWYUZL34Hp+3g90Zo1Kfuqn86Dqc3ZV/Wrx0+29D+dH9n23ofzp/WMJ/KPnpdjObULk9CB9BVZ5ZpjhmLe1bq2Vsv8ABn6mrCRonEagfQUf2hRh8EA9vBfCjCisZ5OWGwep/wAK2ILaO3GEGSepPWuS8Y/EbwH8PrVrzxrr1npCAZCzygSt/uxjLsfopr4H+LH7f9jDHNpPwe0xriY5X+0tQTbGv+1Fb5y3sZCB/smvoci4SznO5KODovk/m2ivWT0forvyPOxmaQgvfl8j7X+LXxk8D/Bnw82ueL7sCaQH7LZREG5unH8Ma9hnq5+Ve57V+Hnxf+L/AIx+OHjD+3/EBIUHybCxhy0dvGx+WONerOxxubGWP4AYLv8AEb40eNVU/bfFXiXVX2qoBllb2AHCIv4Ko9BX7Dfsr/sVaX8J5Lbx98SRDqvi9QHt7dcSW2nE91PSSYf3/ur/AA5PzV/XPhz4VYXIY+3qP2ldrWXReUf1e78lofGZhmkq/urSJJ+xT+yzJ8JdI/4WP48tgvi/V4dsEDjJ061cZKn0mk/j/uj5eu6vvyiiv1Q8sKKKKACiiigAooooAKKKKACiiigD/9X9xKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvnL40fssfCP44LJe+I9OOna4y4XVLHEVzkdPM4KSgf7YJ9CK+jaKAPwv+Jv8AwT3+Mvg55rzwS8HjLTkyVFuRBehf9qCQ4Y/7jtn0r45v9L8e/DXVtmo2upeFtSjPV1ms5c+x+Un8DX9S1UdT0vS9atWsdasoNQtm4MVxEsyEf7rgiiSUk4yV0xp2P5zPD/7Vf7QHhxUSz8ZXV1EvRLxY7sfnKrN+terad+3x8crQBb2HSb8Du9q0bH8Y5FH6V+sniP8AZO/Z08UO8upeBNPhlfkvaB7Rs+v7hkH6V5Fqf/BPP9nS+YtZwarp2f8AnjfFgPoJVevlMbwHkmId62Dpt9+VJ/ekmdUMdWjtN/efEEP/AAUP+JiDE3hfR5D6g3C/+1KfL/wUQ+JLLiLwto6H1LXDf+1BX1fP/wAE1vgw7E2/iDXYh6NLbP8A+0RUcP8AwTU+DitmfxFrkg9A9uv6+Sa8n/iFHDl7/U4/fL/M1/tXEfznxVqf7fPxwvAVsINJ04Hulq0jD8ZJGH6V474m/ae+PPipHi1TxleQQv1jtClomD2/cqhx+NfrLpf/AATw/Z2sGDXseraljtPfbAfqIUjr2Xwz+yp+zx4SdJtJ8CadJMnIku0a8fPrm4aQfpXr4DgTJMM+ahg6afflTf3u7MZ46tL4pv7z+fPw34J+IfxN1Qx+F9G1HxJfTH5nhikuDk93lOQPqzV93fCr/gnH49154dS+K+qReGrE4ZrO1K3N6w9Cw/dR/XLn2r9l7Ozs9OtlstOt47S3ThYoUWNAPZVAA/KrNfVrRWRynlXwr+Cnw1+DGknSvh/o0di0gAnun/eXdxjvLM3zH/dGFHYCvVaKKQBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/1v3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0f3EooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v3Eoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQBRoq9/Z15/zz/UUf2def8APP8AUUAUaKvf2def88/1FH9nXn/PP9RQBRoq9/Z15/zz/UUf2def88/1FAFGir39nXn/ADz/AFFH9nXn/PP9RQB//9k= + + + + + GitHub Commit + https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 + + + GitHub Issue + https://github.com/FasterXML/jackson-databind/issues/1931 + + + 2021-01-01T00:00:00.000Z + 2021-01-01T00:00:00.000Z + 2021-01-01T00:00:00.000Z + 2022-01-01T00:00:00.000Z + + + + Acme, Inc. + https://example.com + + + + + Jane Doe + jane.doe@example.com + + + + + + + Snyk + Snyk CLI (Linux) + 1.729.0 + + 2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d + + + + + + + Acme Inc + + Acme BOM Analyzer + + https://example.com/analyze + + + + + + not_affected + code_not_reachable + + will_not_fix + update + + An optional explanation of why the application is not affected by the vulnerable component. + 2022-01-01T00:00:00.000Z + 2022-02-01T00:00:00.000Z + + + + pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4 + + + + affected + + + + affected + + + + affected + + + + + + Bar + You + Two + Foo + + + + diff --git a/tests/_data/schemaTestData/1.7/valid-xml-signature-1.7.xml b/tests/_data/schemaTestData/1.7/valid-xml-signature-1.7.xml new file mode 100644 index 000000000..97c539f6c --- /dev/null +++ b/tests/_data/schemaTestData/1.7/valid-xml-signature-1.7.xml @@ -0,0 +1,181 @@ + + + + + Acme Inc + com.acme + tomcat-catalina + 9.0.14 + + 3942447fac867ae5cdb3229b658f4d48 + e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a + f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b + e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282 + + + + Apache-2.0 + + + pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar + + + + Apache + org.apache.tomcat + tomcat-catalina + 9.0.14 + + + Apache-2.0 + + + pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar + + + + + + 7638417db6d59f3c431d3e1f261cc637155684cd + https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd + + 2018-11-07T22:01:45Z + John Doe + jdoe@example.com + + + 2018-11-07T22:01:45Z + John Doe + jdoe@example.com + + Initial commit + + + + + + org.example + mylibrary + 1.0.0 + required + + 2342c2eaf1feb9a80195dbaddf2ebaa3 + 68b78babe00a053f9e35ec6a2d9080f5b90122b0 + 708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313 + 387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef + + + + Apache-2.0 + blah + fdaf + + + Copyright Example Inc. All rights reserved. + cpe:/a:example:myapplication:1.0.0 + pkg:maven/com.example/myapplication@1.0.0?packaging=war + false + + + com.example + myframework + 1.0.0 + Example Inc, enterprise framework + required + + cfcb0b64aacd2f81c1cd546543de965a + 7fbeef2346c45d565c3341f037bce4e088af8a52 + 0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1 + 854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79 + + + + Apache-2.0 + + + pkg:maven/com.example/myframework@1.0.0?packaging=war + false + + + http://example.com/myframework + + + http://example.com/security + + + + + + + + + + + + + + PrB8/rofGs34XwIX5OIdYSjV2aKSe5VaztJKBvsgjIk= + + + + ePGNg30Zl9CW7RZdcRn8gFCp1AlWncjudA9pQDXyqZOvyj9RC2YtkI688WdfDOdVRZs6mflJFXr7 + IKA9wY6jVrEqZmlef55Qp/8iGwOjOjWbwYsm2AhrdkUi9gaFSWEd8uITYHOpWbiPFSsnimiK9+ft + 56dkg/oJMLdXzlaukzq9iGkRcafRkW433OQcZIXwD2K8lg4cdD0pNNNqBa+PgIvzbxA5H84TyQDB + HBcQiw/j1edRBJgPOwlqzZDUawOJaFhAPUQ+GGKMetIJH2FqqrHXGuV1NIwnbWTCg40RdOcBdCrl + PDtDVjFh34uZ4dYBpJBIlM4daD2N4B6WPB5iHRyuZTczF2q03ObabuTgkpK6EeadFVqFNsEOOPPt + MDDyda+Lwff5KjvUHvRRtUDIOm2rNIQKzaseulwYcA9UWQHAFcupJmWcLLM4zzY7F/uOdZuSurzh + U6h5kdb76Juepof6ee4Q5YpwNOGNL5JfB4C3sc/Dbbv8dZ8OuXFYSZN7reUGZzCNksByqERPEbAe + n1ldJu1HnRXRQpwaon8Asy9CuNmPfFCfDwOs2B4p4tb+tLNIKFHdRlpd19Zr9vCMCbltXeqq0Cpq + OejSyLYGqSWzzzUh449dJrg6KTevrTNEln5GAlLBFSdjM5JA7KV2u/GyDVFwSEW7UKooGN4CtgU= + + + + CN=bomsigner,OU=development,O=cyclonedx + + MIIE+DCCAuCgAwIBAgIEXGzayTANBgkqhkiG9w0BAQsFADA+MRIwEAYDVQQKDAljeWNsb25lZHgx + FDASBgNVBAsMC2RldmVsb3BtZW50MRIwEAYDVQQDDAlib21zaWduZXIwHhcNMTkwMjIwMDQ0MjQ5 + WhcNNDkwMjIwMDQ0MjQ5WjA+MRIwEAYDVQQKDAljeWNsb25lZHgxFDASBgNVBAsMC2RldmVsb3Bt + ZW50MRIwEAYDVQQDDAlib21zaWduZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCo + 5JZsM4ZLfWW/dpRlU6CpnItWspddF+bEVDETKVwVj9tGpqR5jURgKS/BOQP2TGUsR3/ZJJBhYRll + ONhrUQrVKV/I6wp3Z40qPEa1RJLE+QlG9iL8qBV52CnXkLmnUSax3dspSzmSct5vDiTnvpHG9jr0 + AKFeTjy7U9rv8GJybz0ijwlpBoO9JRdYPX2PrrzoSeJLoxKq+GwuyCZ5LhXRN0p1a+NAirTAmY+c + G1ZTLkMmfeCUy1t6H/bG4RnYOSSPOvk7Rb68lQpUqb+pbbNuB2o/b9cDwtLLCtGVlu+5Wj8mrytY + 3FGFQM20j3yVeRInmGqTTDBelQa/CO4JKqBlmaeYEIvNYbFs9+AlqadivwDO51RpdPo9fPSpsBpy + ZMv6S2bXNuUML+Rk99WyKJTPM0PTZhRLZ64ZXEhlz3kQWVoSlrcwwim6sj6LRUb5IRqA3lxRFUI6 + NXKyiQLamQp+t3/9OGW9L1rLCcw7yFo0s8LhMTPMiv4ol9/hQViT+8ICzDsr0OM9ZiF4/UagFRlt + IClV70cjh1DpsZjzQIRVGaj8uQ/JdtfRz4E43Ki7U0a2Vpho/t6poLVndv46tkX5nYGtMW4WfMoD + ZflQ9pajvvKtr2jB1wob6nsU+VTmAcWZy4BCPH+XyfDw/0SFBdUceJJJtPWIeYFDUY7onptf+wID + AQABMA0GCSqGSIb3DQEBCwUAA4ICAQCOVariNgK+9OF/5T9ZaSvZbkk45RTmzgQNXtFc5xfRvqwP + s+pu/DFXm1R+ltjyS5j3w6NBZUFUI5MqLQr6JEEDrbu8BvfBO57wJNAEATj1JIHEfDfh7BxnBF8f + oYFOwbrh4jOt0wz0FW2obsSVmF4GSvS7tTlWqTcsxjdZVmwP40RWu18B9jzv7M61adrWD3ksDA5O + amSOsZi3Nt0aacDkyGRdCIEFi0fplxQInXMtD1z3RhXu2JSTAIr54Cei49Bh71kAXSWHMCog/f8a + lSrZyqZBty/ACfU9DqlPIM+giHePKm4z2bcdpUdKZk6wcKDn4CvuBOqsMBMg7L05UEyyqTPD/4dk + 2GwJ8Nv0E5gsYHCIXF2cZ3OUVsw0mB/ozleEJVDE02uZZN/1wW1Xq028LsMdgN0Wk1WvWyF5MEdh + nPWuhqp6tNaDI/kK6XQF+LjYJUzua3AQFOHfYNLKhO6d+bJ4rr0833v4v3cLW34kbXkKb6U3Yv8X + SK3jBGCACiPgnc0N6awkh1kDlrZQ7GMsl14c+2+vpl9Lf0sL0mRUIyICfSC8MjlsP/BZH3emyfsk + iWivPALomycKqP+PSkt1WaWApGENZWk1wNN99FYSYlt6LViW2p6T97fRx4jPRlHu+wecfD2k9RP4 + bt5W2HWfOP0zNAS7SnAVLEl2QZxXKw== + + + + + + qOSWbDOGS31lv3aUZVOgqZyLVrKXXRfmxFQxEylcFY/bRqakeY1EYCkvwTkD9kxlLEd/2SSQYWEZ + ZTjYa1EK1SlfyOsKd2eNKjxGtUSSxPkJRvYi/KgVedgp15C5p1Emsd3bKUs5knLebw4k576RxvY6 + 9AChXk48u1Pa7/Bicm89Io8JaQaDvSUXWD19j6686EniS6MSqvhsLsgmeS4V0TdKdWvjQIq0wJmP + nBtWUy5DJn3glMtbeh/2xuEZ2Dkkjzr5O0W+vJUKVKm/qW2zbgdqP2/XA8LSywrRlZbvuVo/Jq8r + WNxRhUDNtI98lXkSJ5hqk0wwXpUGvwjuCSqgZZmnmBCLzWGxbPfgJamnYr8AzudUaXT6PXz0qbAa + cmTL+ktm1zblDC/kZPfVsiiUzzND02YUS2euGVxIZc95EFlaEpa3MMIpurI+i0VG+SEagN5cURVC + OjVysokC2pkKfrd//ThlvS9aywnMO8haNLPC4TEzzIr+KJff4UFYk/vCAsw7K9DjPWYheP1GoBUZ + bSApVe9HI4dQ6bGY80CEVRmo/LkPyXbX0c+BONyou1NGtlaYaP7eqaC1Z3b+OrZF+Z2BrTFuFnzK + A2X5UPaWo77yra9owdcKG+p7FPlU5gHFmcuAQjx/l8nw8P9EhQXVHHiSSbT1iHmBQ1GO6J6bX/s= + + AQAB + + + + + diff --git a/tests/_data/schemaTestData/fetch.sh b/tests/_data/schemaTestData/fetch.sh index 4de5c2671..4b198f88c 100755 --- a/tests/_data/schemaTestData/fetch.sh +++ b/tests/_data/schemaTestData/fetch.sh @@ -9,7 +9,7 @@ TEMP_DIR="$(mktemp -d)" LOCAL_PACKAGE="$TEMP_DIR/source_package.zip" wget -O "$LOCAL_PACKAGE" "$SOURCE_PACKAGE" -for SCHEMA_VERSION in '1.6' '1.5' '1.4' '1.3' '1.2' '1.1' '1.0' +for SCHEMA_VERSION in '1.7' '1.6' '1.5' '1.4' '1.3' '1.2' '1.1' '1.0' do unzip -d "$TEMP_DIR" "$LOCAL_PACKAGE" "$SOURCE_DIR/$SCHEMA_VERSION/*" rm -rf "${THIS_DIR:?}/$SCHEMA_VERSION" diff --git a/tests/_data/snapshots/enum_ComponentScope-1.7.json.bin b/tests/_data/snapshots/enum_ComponentScope-1.7.json.bin new file mode 100644 index 000000000..491f8880a --- /dev/null +++ b/tests/_data/snapshots/enum_ComponentScope-1.7.json.bin @@ -0,0 +1,51 @@ +{ + "components": [ + { + "bom-ref": "scoped-EXCLUDED", + "name": "dummy-EXCLUDED", + "scope": "excluded", + "type": "library" + }, + { + "bom-ref": "scoped-OPTIONAL", + "name": "dummy-OPTIONAL", + "scope": "optional", + "type": "library" + }, + { + "bom-ref": "scoped-REQUIRED", + "name": "dummy-REQUIRED", + "scope": "required", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "scoped-EXCLUDED" + }, + { + "ref": "scoped-OPTIONAL" + }, + { + "ref": "scoped-REQUIRED" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ComponentScope-1.7.xml.bin b/tests/_data/snapshots/enum_ComponentScope-1.7.xml.bin new file mode 100644 index 000000000..9e3dfc35f --- /dev/null +++ b/tests/_data/snapshots/enum_ComponentScope-1.7.xml.bin @@ -0,0 +1,29 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy-EXCLUDED + excluded + + + dummy-OPTIONAL + optional + + + dummy-REQUIRED + required + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_ComponentType-1.7.json.bin b/tests/_data/snapshots/enum_ComponentType-1.7.json.bin new file mode 100644 index 000000000..90b109fba --- /dev/null +++ b/tests/_data/snapshots/enum_ComponentType-1.7.json.bin @@ -0,0 +1,128 @@ +{ + "components": [ + { + "bom-ref": "typed-APPLICATION", + "name": "dummy APPLICATION", + "type": "application" + }, + { + "bom-ref": "typed-CONTAINER", + "name": "dummy CONTAINER", + "type": "container" + }, + { + "bom-ref": "typed-CRYPTOGRAPHIC_ASSET", + "name": "dummy CRYPTOGRAPHIC_ASSET", + "type": "cryptographic-asset" + }, + { + "bom-ref": "typed-DATA", + "name": "dummy DATA", + "type": "data" + }, + { + "bom-ref": "typed-DEVICE", + "name": "dummy DEVICE", + "type": "device" + }, + { + "bom-ref": "typed-DEVICE_DRIVER", + "name": "dummy DEVICE_DRIVER", + "type": "device-driver" + }, + { + "bom-ref": "typed-FILE", + "name": "dummy FILE", + "type": "file" + }, + { + "bom-ref": "typed-FIRMWARE", + "name": "dummy FIRMWARE", + "type": "firmware" + }, + { + "bom-ref": "typed-FRAMEWORK", + "name": "dummy FRAMEWORK", + "type": "framework" + }, + { + "bom-ref": "typed-LIBRARY", + "name": "dummy LIBRARY", + "type": "library" + }, + { + "bom-ref": "typed-MACHINE_LEARNING_MODEL", + "name": "dummy MACHINE_LEARNING_MODEL", + "type": "machine-learning-model" + }, + { + "bom-ref": "typed-OPERATING_SYSTEM", + "name": "dummy OPERATING_SYSTEM", + "type": "operating-system" + }, + { + "bom-ref": "typed-PLATFORM", + "name": "dummy PLATFORM", + "type": "platform" + } + ], + "dependencies": [ + { + "ref": "typed-APPLICATION" + }, + { + "ref": "typed-CONTAINER" + }, + { + "ref": "typed-CRYPTOGRAPHIC_ASSET" + }, + { + "ref": "typed-DATA" + }, + { + "ref": "typed-DEVICE" + }, + { + "ref": "typed-DEVICE_DRIVER" + }, + { + "ref": "typed-FILE" + }, + { + "ref": "typed-FIRMWARE" + }, + { + "ref": "typed-FRAMEWORK" + }, + { + "ref": "typed-LIBRARY" + }, + { + "ref": "typed-MACHINE_LEARNING_MODEL" + }, + { + "ref": "typed-OPERATING_SYSTEM" + }, + { + "ref": "typed-PLATFORM" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ComponentType-1.7.xml.bin b/tests/_data/snapshots/enum_ComponentType-1.7.xml.bin new file mode 100644 index 000000000..9913c12f4 --- /dev/null +++ b/tests/_data/snapshots/enum_ComponentType-1.7.xml.bin @@ -0,0 +1,66 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy APPLICATION + + + dummy CONTAINER + + + dummy CRYPTOGRAPHIC_ASSET + + + dummy DATA + + + dummy DEVICE + + + dummy DEVICE_DRIVER + + + dummy FILE + + + dummy FIRMWARE + + + dummy FRAMEWORK + + + dummy LIBRARY + + + dummy MACHINE_LEARNING_MODEL + + + dummy OPERATING_SYSTEM + + + dummy PLATFORM + + + + + + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_DataFlow-1.7.json.bin b/tests/_data/snapshots/enum_DataFlow-1.7.json.bin new file mode 100644 index 000000000..fd5eb8667 --- /dev/null +++ b/tests/_data/snapshots/enum_DataFlow-1.7.json.bin @@ -0,0 +1,49 @@ +{ + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "services": [ + { + "bom-ref": "dummy", + "data": [ + { + "classification": "BI_DIRECTIONAL", + "flow": "bi-directional" + }, + { + "classification": "INBOUND", + "flow": "inbound" + }, + { + "classification": "OUTBOUND", + "flow": "outbound" + }, + { + "classification": "UNKNOWN", + "flow": "unknown" + } + ], + "name": "dummy" + } + ], + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_DataFlow-1.7.xml.bin b/tests/_data/snapshots/enum_DataFlow-1.7.xml.bin new file mode 100644 index 000000000..04c4f0136 --- /dev/null +++ b/tests/_data/snapshots/enum_DataFlow-1.7.xml.bin @@ -0,0 +1,24 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + BI_DIRECTIONAL + INBOUND + OUTBOUND + UNKNOWN + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_Encoding-1.7.json.bin b/tests/_data/snapshots/enum_Encoding-1.7.json.bin new file mode 100644 index 000000000..253f842ae --- /dev/null +++ b/tests/_data/snapshots/enum_Encoding-1.7.json.bin @@ -0,0 +1,44 @@ +{ + "components": [ + { + "bom-ref": "dummy", + "licenses": [ + { + "license": { + "name": "att.encoding: BASE_64", + "text": { + "content": "att.encoding: BASE_64", + "contentType": "text/plain", + "encoding": "base64" + } + } + } + ], + "name": "dummy", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_Encoding-1.7.xml.bin b/tests/_data/snapshots/enum_Encoding-1.7.xml.bin new file mode 100644 index 000000000..861dd77fa --- /dev/null +++ b/tests/_data/snapshots/enum_Encoding-1.7.xml.bin @@ -0,0 +1,24 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + + att.encoding: BASE_64 + att.encoding: BASE_64 + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.1.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.1.xml.bin index 7bacaee6c..be2cf7e1a 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.1.xml.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.1.xml.bin @@ -29,6 +29,9 @@ tests/CHAT + + tests/CITATION + tests/CODIFIED_INFRASTRUCTURE @@ -86,6 +89,15 @@ tests/OTHER + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + tests/PENTEST_REPORT diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.2.json.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.2.json.bin index 014101d32..6d578afd1 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.2.json.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.2.json.bin @@ -35,6 +35,10 @@ "type": "chat", "url": "tests/CHAT" }, + { + "type": "other", + "url": "tests/CITATION" + }, { "type": "other", "url": "tests/CODIFIED_INFRASTRUCTURE" @@ -111,6 +115,18 @@ "type": "other", "url": "tests/OTHER" }, + { + "type": "other", + "url": "tests/PATENT" + }, + { + "type": "other", + "url": "tests/PATENT_ASSERTION" + }, + { + "type": "other", + "url": "tests/PATENT_FAMILY" + }, { "type": "other", "url": "tests/PENTEST_REPORT" diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.2.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.2.xml.bin index 3f27e8d80..5adf4c1c1 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.2.xml.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.2.xml.bin @@ -32,6 +32,9 @@ tests/CHAT + + tests/CITATION + tests/CODIFIED_INFRASTRUCTURE @@ -89,6 +92,15 @@ tests/OTHER + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + tests/PENTEST_REPORT diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.3.json.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.3.json.bin index d26e39a65..3c722e075 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.3.json.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.3.json.bin @@ -35,6 +35,10 @@ "type": "chat", "url": "tests/CHAT" }, + { + "type": "other", + "url": "tests/CITATION" + }, { "type": "other", "url": "tests/CODIFIED_INFRASTRUCTURE" @@ -111,6 +115,18 @@ "type": "other", "url": "tests/OTHER" }, + { + "type": "other", + "url": "tests/PATENT" + }, + { + "type": "other", + "url": "tests/PATENT_ASSERTION" + }, + { + "type": "other", + "url": "tests/PATENT_FAMILY" + }, { "type": "other", "url": "tests/PENTEST_REPORT" diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.3.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.3.xml.bin index 40689b7cc..34d645a90 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.3.xml.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.3.xml.bin @@ -32,6 +32,9 @@ tests/CHAT + + tests/CITATION + tests/CODIFIED_INFRASTRUCTURE @@ -89,6 +92,15 @@ tests/OTHER + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + tests/PENTEST_REPORT diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.4.json.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.4.json.bin index 6932a1e7a..bc4bb7857 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.4.json.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.4.json.bin @@ -35,6 +35,10 @@ "type": "chat", "url": "tests/CHAT" }, + { + "type": "other", + "url": "tests/CITATION" + }, { "type": "other", "url": "tests/CODIFIED_INFRASTRUCTURE" @@ -111,6 +115,18 @@ "type": "other", "url": "tests/OTHER" }, + { + "type": "other", + "url": "tests/PATENT" + }, + { + "type": "other", + "url": "tests/PATENT_ASSERTION" + }, + { + "type": "other", + "url": "tests/PATENT_FAMILY" + }, { "type": "other", "url": "tests/PENTEST_REPORT" diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.4.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.4.xml.bin index d7a331a41..92169a2f6 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.4.xml.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.4.xml.bin @@ -31,6 +31,9 @@ tests/CHAT + + tests/CITATION + tests/CODIFIED_INFRASTRUCTURE @@ -88,6 +91,15 @@ tests/OTHER + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + tests/PENTEST_REPORT diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.5.json.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.5.json.bin index 7fd1047c3..451384363 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.5.json.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.5.json.bin @@ -35,6 +35,10 @@ "type": "chat", "url": "tests/CHAT" }, + { + "type": "other", + "url": "tests/CITATION" + }, { "type": "codified-infrastructure", "url": "tests/CODIFIED_INFRASTRUCTURE" @@ -111,6 +115,18 @@ "type": "other", "url": "tests/OTHER" }, + { + "type": "other", + "url": "tests/PATENT" + }, + { + "type": "other", + "url": "tests/PATENT_ASSERTION" + }, + { + "type": "other", + "url": "tests/PATENT_FAMILY" + }, { "type": "pentest-report", "url": "tests/PENTEST_REPORT" diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.5.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.5.xml.bin index ed7b36041..b7f3bd447 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.5.xml.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.5.xml.bin @@ -31,6 +31,9 @@ tests/CHAT + + tests/CITATION + tests/CODIFIED_INFRASTRUCTURE @@ -88,6 +91,15 @@ tests/OTHER + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + tests/PENTEST_REPORT diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.6.json.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.6.json.bin index 8ea655e70..f927ff82b 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.6.json.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.6.json.bin @@ -35,6 +35,10 @@ "type": "chat", "url": "tests/CHAT" }, + { + "type": "other", + "url": "tests/CITATION" + }, { "type": "codified-infrastructure", "url": "tests/CODIFIED_INFRASTRUCTURE" @@ -111,6 +115,18 @@ "type": "other", "url": "tests/OTHER" }, + { + "type": "other", + "url": "tests/PATENT" + }, + { + "type": "other", + "url": "tests/PATENT_ASSERTION" + }, + { + "type": "other", + "url": "tests/PATENT_FAMILY" + }, { "type": "pentest-report", "url": "tests/PENTEST_REPORT" diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.6.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.6.xml.bin index 6c3069f35..53080af7e 100644 --- a/tests/_data/snapshots/enum_ExternalReferenceType-1.6.xml.bin +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.6.xml.bin @@ -31,6 +31,9 @@ tests/CHAT + + tests/CITATION + tests/CODIFIED_INFRASTRUCTURE @@ -88,6 +91,15 @@ tests/OTHER + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + tests/PENTEST_REPORT diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.7.json.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.7.json.bin new file mode 100644 index 000000000..9fcd274e9 --- /dev/null +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.7.json.bin @@ -0,0 +1,222 @@ +{ + "components": [ + { + "bom-ref": "dummy", + "externalReferences": [ + { + "type": "adversary-model", + "url": "tests/ADVERSARY_MODEL" + }, + { + "type": "advisories", + "url": "tests/ADVISORIES" + }, + { + "type": "attestation", + "url": "tests/ATTESTATION" + }, + { + "type": "bom", + "url": "tests/BOM" + }, + { + "type": "build-meta", + "url": "tests/BUILD_META" + }, + { + "type": "build-system", + "url": "tests/BUILD_SYSTEM" + }, + { + "type": "certification-report", + "url": "tests/CERTIFICATION_REPORT" + }, + { + "type": "chat", + "url": "tests/CHAT" + }, + { + "type": "citation", + "url": "tests/CITATION" + }, + { + "type": "codified-infrastructure", + "url": "tests/CODIFIED_INFRASTRUCTURE" + }, + { + "type": "component-analysis-report", + "url": "tests/COMPONENT_ANALYSIS_REPORT" + }, + { + "type": "configuration", + "url": "tests/CONFIGURATION" + }, + { + "type": "digital-signature", + "url": "tests/DIGITAL_SIGNATURE" + }, + { + "type": "distribution", + "url": "tests/DISTRIBUTION" + }, + { + "type": "distribution-intake", + "url": "tests/DISTRIBUTION_INTAKE" + }, + { + "type": "documentation", + "url": "tests/DOCUMENTATION" + }, + { + "type": "dynamic-analysis-report", + "url": "tests/DYNAMIC_ANALYSIS_REPORT" + }, + { + "type": "electronic-signature", + "url": "tests/ELECTRONIC_SIGNATURE" + }, + { + "type": "evidence", + "url": "tests/EVIDENCE" + }, + { + "type": "exploitability-statement", + "url": "tests/EXPLOITABILITY_STATEMENT" + }, + { + "type": "formulation", + "url": "tests/FORMULATION" + }, + { + "type": "issue-tracker", + "url": "tests/ISSUE_TRACKER" + }, + { + "type": "license", + "url": "tests/LICENSE" + }, + { + "type": "log", + "url": "tests/LOG" + }, + { + "type": "mailing-list", + "url": "tests/MAILING_LIST" + }, + { + "type": "maturity-report", + "url": "tests/MATURITY_REPORT" + }, + { + "type": "model-card", + "url": "tests/MODEL_CARD" + }, + { + "type": "other", + "url": "tests/OTHER" + }, + { + "type": "patent", + "url": "tests/PATENT" + }, + { + "type": "patent-assertion", + "url": "tests/PATENT_ASSERTION" + }, + { + "type": "patent-family", + "url": "tests/PATENT_FAMILY" + }, + { + "type": "pentest-report", + "url": "tests/PENTEST_REPORT" + }, + { + "type": "poam", + "url": "tests/POAM" + }, + { + "type": "quality-metrics", + "url": "tests/QUALITY_METRICS" + }, + { + "type": "release-notes", + "url": "tests/RELEASE_NOTES" + }, + { + "type": "rfc-9116", + "url": "tests/RFC_9166" + }, + { + "type": "risk-assessment", + "url": "tests/RISK_ASSESSMENT" + }, + { + "type": "runtime-analysis-report", + "url": "tests/RUNTIME_ANALYSIS_REPORT" + }, + { + "type": "security-contact", + "url": "tests/SECURITY_CONTACT" + }, + { + "type": "social", + "url": "tests/SOCIAL" + }, + { + "type": "source-distribution", + "url": "tests/SOURCE_DISTRIBUTION" + }, + { + "type": "static-analysis-report", + "url": "tests/STATIC_ANALYSIS_REPORT" + }, + { + "type": "support", + "url": "tests/SUPPORT" + }, + { + "type": "threat-model", + "url": "tests/THREAT_MODEL" + }, + { + "type": "vcs", + "url": "tests/SCM" + }, + { + "type": "vulnerability-assertion", + "url": "tests/VULNERABILITY_ASSERTION" + }, + { + "type": "website", + "url": "tests/WEBSITE" + } + ], + "name": "dummy", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ExternalReferenceType-1.7.xml.bin b/tests/_data/snapshots/enum_ExternalReferenceType-1.7.xml.bin new file mode 100644 index 000000000..d053c269f --- /dev/null +++ b/tests/_data/snapshots/enum_ExternalReferenceType-1.7.xml.bin @@ -0,0 +1,161 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + + tests/ADVERSARY_MODEL + + + tests/ADVISORIES + + + tests/ATTESTATION + + + tests/BOM + + + tests/BUILD_META + + + tests/BUILD_SYSTEM + + + tests/CERTIFICATION_REPORT + + + tests/CHAT + + + tests/CITATION + + + tests/CODIFIED_INFRASTRUCTURE + + + tests/COMPONENT_ANALYSIS_REPORT + + + tests/CONFIGURATION + + + tests/DIGITAL_SIGNATURE + + + tests/DISTRIBUTION + + + tests/DISTRIBUTION_INTAKE + + + tests/DOCUMENTATION + + + tests/DYNAMIC_ANALYSIS_REPORT + + + tests/ELECTRONIC_SIGNATURE + + + tests/EVIDENCE + + + tests/EXPLOITABILITY_STATEMENT + + + tests/FORMULATION + + + tests/ISSUE_TRACKER + + + tests/LICENSE + + + tests/LOG + + + tests/MAILING_LIST + + + tests/MATURITY_REPORT + + + tests/MODEL_CARD + + + tests/OTHER + + + tests/PATENT + + + tests/PATENT_ASSERTION + + + tests/PATENT_FAMILY + + + tests/PENTEST_REPORT + + + tests/POAM + + + tests/QUALITY_METRICS + + + tests/RELEASE_NOTES + + + tests/RFC_9166 + + + tests/RISK_ASSESSMENT + + + tests/RUNTIME_ANALYSIS_REPORT + + + tests/SECURITY_CONTACT + + + tests/SOCIAL + + + tests/SOURCE_DISTRIBUTION + + + tests/STATIC_ANALYSIS_REPORT + + + tests/SUPPORT + + + tests/THREAT_MODEL + + + tests/SCM + + + tests/VULNERABILITY_ASSERTION + + + tests/WEBSITE + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_HashAlgorithm-1.7.json.bin b/tests/_data/snapshots/enum_HashAlgorithm-1.7.json.bin new file mode 100644 index 000000000..2854cf0ac --- /dev/null +++ b/tests/_data/snapshots/enum_HashAlgorithm-1.7.json.bin @@ -0,0 +1,90 @@ +{ + "components": [ + { + "bom-ref": "dummy", + "hashes": [ + { + "alg": "BLAKE2b-256", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "BLAKE2b-384", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "BLAKE2b-512", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "BLAKE3", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "MD5", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA-1", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA-256", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA-384", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA-512", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA3-256", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA3-384", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "SHA3-512", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "Streebog-256", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + }, + { + "alg": "Streebog-512", + "content": "ae2b1fca515949e5d54fb22b8ed95575" + } + ], + "name": "dummy", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_HashAlgorithm-1.7.xml.bin b/tests/_data/snapshots/enum_HashAlgorithm-1.7.xml.bin new file mode 100644 index 000000000..e9e1c49cd --- /dev/null +++ b/tests/_data/snapshots/enum_HashAlgorithm-1.7.xml.bin @@ -0,0 +1,34 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + ae2b1fca515949e5d54fb22b8ed95575 + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.json.bin b/tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.json.bin new file mode 100644 index 000000000..b3e26d7f0 --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.json.bin @@ -0,0 +1,45 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "affects": [ + { + "ref": "urn:cdx:bom23/1#comp42", + "versions": [ + { + "status": "affected", + "version": "1.33.7+AFFECTED" + }, + { + "status": "unaffected", + "version": "1.33.7+UNAFFECTED" + }, + { + "status": "unknown", + "version": "1.33.7+UNKNOWN" + } + ] + } + ], + "bom-ref": "dummy", + "id": "dummy" + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.xml.bin b/tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.xml.bin new file mode 100644 index 000000000..a9cdc5231 --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisAffectedStatus-1.7.xml.bin @@ -0,0 +1,34 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + dummy + + + urn:cdx:bom23/1#comp42 + + + 1.33.7+AFFECTED + affected + + + 1.33.7+UNAFFECTED + unaffected + + + 1.33.7+UNKNOWN + unknown + + + + + + + diff --git a/tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.json.bin b/tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.json.bin new file mode 100644 index 000000000..982c675e1 --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.json.bin @@ -0,0 +1,85 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "analysis": { + "justification": "code_not_present" + }, + "bom-ref": "vuln-with-CODE_NOT_PRESENT", + "id": "vuln-with-CODE_NOT_PRESENT" + }, + { + "analysis": { + "justification": "code_not_reachable" + }, + "bom-ref": "vuln-with-CODE_NOT_REACHABLE", + "id": "vuln-with-CODE_NOT_REACHABLE" + }, + { + "analysis": { + "justification": "protected_at_perimeter" + }, + "bom-ref": "vuln-with-PROTECTED_AT_PERIMITER", + "id": "vuln-with-PROTECTED_AT_PERIMITER" + }, + { + "analysis": { + "justification": "protected_at_runtime" + }, + "bom-ref": "vuln-with-PROTECTED_AT_RUNTIME", + "id": "vuln-with-PROTECTED_AT_RUNTIME" + }, + { + "analysis": { + "justification": "protected_by_compiler" + }, + "bom-ref": "vuln-with-PROTECTED_BY_COMPILER", + "id": "vuln-with-PROTECTED_BY_COMPILER" + }, + { + "analysis": { + "justification": "protected_by_mitigating_control" + }, + "bom-ref": "vuln-with-PROTECTED_BY_MITIGATING_CONTROL", + "id": "vuln-with-PROTECTED_BY_MITIGATING_CONTROL" + }, + { + "analysis": { + "justification": "requires_configuration" + }, + "bom-ref": "vuln-with-REQUIRES_CONFIGURATION", + "id": "vuln-with-REQUIRES_CONFIGURATION" + }, + { + "analysis": { + "justification": "requires_dependency" + }, + "bom-ref": "vuln-with-REQUIRES_DEPENDENCY", + "id": "vuln-with-REQUIRES_DEPENDENCY" + }, + { + "analysis": { + "justification": "requires_environment" + }, + "bom-ref": "vuln-with-REQUIRES_ENVIRONMENT", + "id": "vuln-with-REQUIRES_ENVIRONMENT" + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.xml.bin b/tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.xml.bin new file mode 100644 index 000000000..4488ae221 --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisJustification-1.7.xml.bin @@ -0,0 +1,66 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + vuln-with-CODE_NOT_PRESENT + + code_not_present + + + + vuln-with-CODE_NOT_REACHABLE + + code_not_reachable + + + + vuln-with-PROTECTED_AT_PERIMITER + + protected_at_perimeter + + + + vuln-with-PROTECTED_AT_RUNTIME + + protected_at_runtime + + + + vuln-with-PROTECTED_BY_COMPILER + + protected_by_compiler + + + + vuln-with-PROTECTED_BY_MITIGATING_CONTROL + + protected_by_mitigating_control + + + + vuln-with-REQUIRES_CONFIGURATION + + requires_configuration + + + + vuln-with-REQUIRES_DEPENDENCY + + requires_dependency + + + + vuln-with-REQUIRES_ENVIRONMENT + + requires_environment + + + + diff --git a/tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.json.bin b/tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.json.bin new file mode 100644 index 000000000..c17b463f8 --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.json.bin @@ -0,0 +1,35 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "analysis": { + "response": [ + "can_not_fix", + "rollback", + "update", + "will_not_fix", + "workaround_available" + ] + }, + "bom-ref": "dummy", + "id": "dummy" + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.xml.bin b/tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.xml.bin new file mode 100644 index 000000000..03c49530c --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisResponse-1.7.xml.bin @@ -0,0 +1,24 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + dummy + + + can_not_fix + rollback + update + will_not_fix + workaround_available + + + + + diff --git a/tests/_data/snapshots/enum_ImpactAnalysisState-1.7.json.bin b/tests/_data/snapshots/enum_ImpactAnalysisState-1.7.json.bin new file mode 100644 index 000000000..d7589c2ec --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisState-1.7.json.bin @@ -0,0 +1,64 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "analysis": { + "state": "exploitable" + }, + "bom-ref": "vuln-wit-state-EXPLOITABLE", + "id": "vuln-wit-state-EXPLOITABLE" + }, + { + "analysis": { + "state": "false_positive" + }, + "bom-ref": "vuln-wit-state-FALSE_POSITIVE", + "id": "vuln-wit-state-FALSE_POSITIVE" + }, + { + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-wit-state-IN_TRIAGE", + "id": "vuln-wit-state-IN_TRIAGE" + }, + { + "analysis": { + "state": "not_affected" + }, + "bom-ref": "vuln-wit-state-NOT_AFFECTED", + "id": "vuln-wit-state-NOT_AFFECTED" + }, + { + "analysis": { + "state": "resolved" + }, + "bom-ref": "vuln-wit-state-RESOLVED", + "id": "vuln-wit-state-RESOLVED" + }, + { + "analysis": { + "state": "resolved_with_pedigree" + }, + "bom-ref": "vuln-wit-state-RESOLVED_WITH_PEDIGREE", + "id": "vuln-wit-state-RESOLVED_WITH_PEDIGREE" + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_ImpactAnalysisState-1.7.xml.bin b/tests/_data/snapshots/enum_ImpactAnalysisState-1.7.xml.bin new file mode 100644 index 000000000..aa6c24d31 --- /dev/null +++ b/tests/_data/snapshots/enum_ImpactAnalysisState-1.7.xml.bin @@ -0,0 +1,48 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + vuln-wit-state-EXPLOITABLE + + exploitable + + + + vuln-wit-state-FALSE_POSITIVE + + false_positive + + + + vuln-wit-state-IN_TRIAGE + + in_triage + + + + vuln-wit-state-NOT_AFFECTED + + not_affected + + + + vuln-wit-state-RESOLVED + + resolved + + + + vuln-wit-state-RESOLVED_WITH_PEDIGREE + + resolved_with_pedigree + + + + diff --git a/tests/_data/snapshots/enum_IssueClassification-1.7.json.bin b/tests/_data/snapshots/enum_IssueClassification-1.7.json.bin new file mode 100644 index 000000000..0259c6ba9 --- /dev/null +++ b/tests/_data/snapshots/enum_IssueClassification-1.7.json.bin @@ -0,0 +1,53 @@ +{ + "components": [ + { + "bom-ref": "dummy", + "name": "dummy", + "pedigree": { + "patches": [ + { + "resolves": [ + { + "id": "issue-DEFECT", + "type": "defect" + }, + { + "id": "issue-ENHANCEMENT", + "type": "enhancement" + }, + { + "id": "issue-SECURITY", + "type": "security" + } + ], + "type": "backport" + } + ] + }, + "type": "library" + } + ], + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_IssueClassification-1.7.xml.bin b/tests/_data/snapshots/enum_IssueClassification-1.7.xml.bin new file mode 100644 index 000000000..d7b8b274f --- /dev/null +++ b/tests/_data/snapshots/enum_IssueClassification-1.7.xml.bin @@ -0,0 +1,35 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + + + + + issue-DEFECT + + + issue-ENHANCEMENT + + + issue-SECURITY + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_LifecyclePhase-1.7.json.bin b/tests/_data/snapshots/enum_LifecyclePhase-1.7.json.bin new file mode 100644 index 000000000..1307728e9 --- /dev/null +++ b/tests/_data/snapshots/enum_LifecyclePhase-1.7.json.bin @@ -0,0 +1,43 @@ +{ + "metadata": { + "lifecycles": [ + { + "phase": "build" + }, + { + "phase": "decommission" + }, + { + "phase": "design" + }, + { + "phase": "discovery" + }, + { + "phase": "operations" + }, + { + "phase": "post-build" + }, + { + "phase": "pre-build" + } + ], + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_LifecyclePhase-1.7.xml.bin b/tests/_data/snapshots/enum_LifecyclePhase-1.7.xml.bin new file mode 100644 index 000000000..e8bb572e3 --- /dev/null +++ b/tests/_data/snapshots/enum_LifecyclePhase-1.7.xml.bin @@ -0,0 +1,33 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + build + + + decommission + + + design + + + discovery + + + operations + + + post-build + + + pre-build + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_PatchClassification-1.7.json.bin b/tests/_data/snapshots/enum_PatchClassification-1.7.json.bin new file mode 100644 index 000000000..2db037a7d --- /dev/null +++ b/tests/_data/snapshots/enum_PatchClassification-1.7.json.bin @@ -0,0 +1,48 @@ +{ + "components": [ + { + "bom-ref": "dummy", + "name": "dummy", + "pedigree": { + "patches": [ + { + "type": "backport" + }, + { + "type": "cherry-pick" + }, + { + "type": "monkey" + }, + { + "type": "unofficial" + } + ] + }, + "type": "library" + } + ], + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_PatchClassification-1.7.xml.bin b/tests/_data/snapshots/enum_PatchClassification-1.7.xml.bin new file mode 100644 index 000000000..322f7fefa --- /dev/null +++ b/tests/_data/snapshots/enum_PatchClassification-1.7.xml.bin @@ -0,0 +1,26 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.json.bin b/tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.json.bin new file mode 100644 index 000000000..19c5d3b6b --- /dev/null +++ b/tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.json.bin @@ -0,0 +1,49 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "bom-ref": "dummy", + "id": "dummy", + "ratings": [ + { + "method": "CVSSv2" + }, + { + "method": "CVSSv3" + }, + { + "method": "CVSSv31" + }, + { + "method": "CVSSv4" + }, + { + "method": "OWASP" + }, + { + "method": "SSVC" + }, + { + "method": "other" + } + ] + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.xml.bin b/tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.xml.bin new file mode 100644 index 000000000..665c49ee1 --- /dev/null +++ b/tests/_data/snapshots/enum_VulnerabilityScoreSource-1.7.xml.bin @@ -0,0 +1,38 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + dummy + + + CVSSv2 + + + CVSSv3 + + + CVSSv31 + + + CVSSv4 + + + OWASP + + + SSVC + + + other + + + + + diff --git a/tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.json.bin b/tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.json.bin new file mode 100644 index 000000000..a30277ee6 --- /dev/null +++ b/tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.json.bin @@ -0,0 +1,49 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "bom-ref": "dummy", + "id": "dummy", + "ratings": [ + { + "severity": "critical" + }, + { + "severity": "high" + }, + { + "severity": "info" + }, + { + "severity": "low" + }, + { + "severity": "medium" + }, + { + "severity": "none" + }, + { + "severity": "unknown" + } + ] + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.xml.bin b/tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.xml.bin new file mode 100644 index 000000000..5d34b880e --- /dev/null +++ b/tests/_data/snapshots/enum_VulnerabilitySeverity-1.7.xml.bin @@ -0,0 +1,38 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + dummy + + + critical + + + high + + + info + + + low + + + medium + + + none + + + unknown + + + + + diff --git a/tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.json.bin new file mode 100644 index 000000000..53966ad8d --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.json.bin @@ -0,0 +1,63 @@ +{ + "components": [ + { + "bom-ref": "some-component", + "name": "some-component", + "type": "library" + }, + { + "bom-ref": "some-library1", + "name": "some-library", + "type": "library" + }, + { + "bom-ref": "some-library2", + "name": "some-library", + "type": "library" + } + ], + "dependencies": [ + { + "dependsOn": [ + "some-component" + ], + "ref": "myApp" + }, + { + "dependsOn": [ + "some-library1", + "some-library2" + ], + "ref": "some-component" + }, + { + "ref": "some-library1" + }, + { + "ref": "some-library2" + } + ], + "metadata": { + "component": { + "bom-ref": "myApp", + "name": "myApp", + "type": "application" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.xml.bin new file mode 100644 index 000000000..ba05022e5 --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.7.xml.bin @@ -0,0 +1,35 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + myApp + + + + + some-component + + + some-library + + + some-library + + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_for_issue_275_components-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue_275_components-1.7.json.bin new file mode 100644 index 000000000..3c5da6dea --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_275_components-1.7.json.bin @@ -0,0 +1,69 @@ +{ + "components": [ + { + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "comp_a", + "type": "library", + "version": "1.0.0" + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "components": [ + { + "bom-ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789", + "name": "comp_c", + "type": "library", + "version": "1.0.0" + } + ], + "name": "comp_b", + "type": "library", + "version": "1.0.0" + } + ], + "dependencies": [ + { + "dependsOn": [ + "cd3e9c95-9d41-49e7-9924-8cf0465ae789" + ], + "ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857" + }, + { + "ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda" + }, + { + "dependsOn": [ + "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda" + ], + "ref": "be2c6502-7e9a-47db-9a66-e34f729810a3" + }, + { + "ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789" + } + ], + "metadata": { + "component": { + "bom-ref": "be2c6502-7e9a-47db-9a66-e34f729810a3", + "name": "app", + "type": "library", + "version": "1.0.0" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_for_issue_275_components-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue_275_components-1.7.xml.bin new file mode 100644 index 000000000..6b1078990 --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_275_components-1.7.xml.bin @@ -0,0 +1,41 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + 1.0.0 + + + + + comp_a + 1.0.0 + + + comp_b + 1.0.0 + + + comp_c + 1.0.0 + + + + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_for_issue_328_components-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue_328_components-1.7.json.bin new file mode 100644 index 000000000..134f26f7f --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_328_components-1.7.json.bin @@ -0,0 +1,73 @@ +{ + "components": [ + { + "bom-ref": "component-A", + "components": [ + { + "bom-ref": "component-B", + "components": [ + { + "bom-ref": "component-C", + "name": "C", + "type": "library", + "version": "1.0" + } + ], + "name": "B", + "type": "library", + "version": "1.0" + } + ], + "name": "A", + "type": "library", + "version": "0.1" + } + ], + "dependencies": [ + { + "dependsOn": [ + "component-B" + ], + "ref": "component-A" + }, + { + "dependsOn": [ + "component-C" + ], + "ref": "component-B" + }, + { + "ref": "component-C" + }, + { + "dependsOn": [ + "component-A" + ], + "ref": "my-project" + } + ], + "metadata": { + "component": { + "bom-ref": "my-project", + "name": "my-project", + "type": "application", + "version": "1" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_for_issue_328_components-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue_328_components-1.7.xml.bin new file mode 100644 index 000000000..b5b2b60ae --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_328_components-1.7.xml.bin @@ -0,0 +1,44 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + my-project + 1 + + + + + A + 0.1 + + + B + 1.0 + + + C + 1.0 + + + + + + + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.json.bin new file mode 100644 index 000000000..dce009b61 --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.json.bin @@ -0,0 +1,49 @@ +{ + "components": [ + { + "bom-ref": "dummy", + "externalReferences": [ + { + "comment": "nothing special", + "type": "other", + "url": "https://acme.org" + }, + { + "comment": "pre-encoded", + "type": "other", + "url": "https://acme.org/?bar%5b23%5D=42" + }, + { + "comment": "control characters", + "type": "other", + "url": "https://acme.org/?foo=sp%20ace&bar%5B23%5D=42<=1%3C2>=3%3E2&cb=%7Blol%7D"e=%22test%22is%27test%27" + } + ], + "name": "dummy", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "dummy" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.xml.bin new file mode 100644 index 000000000..63c3332f5 --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_497_urls-1.7.xml.bin @@ -0,0 +1,32 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + + + https://acme.org + nothing special + + + https://acme.org/?bar%5b23%5D=42 + pre-encoded + + + https://acme.org/?foo=sp%20ace&bar%5B23%5D=42&lt=1%3C2&gt=3%3E2&cb=%7Blol%7D&quote=%22test%22is%27test%27 + control characters + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.json.bin new file mode 100644 index 000000000..bb0266dca --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.json.bin @@ -0,0 +1,44 @@ +{ + "components": [ + { + "bom-ref": "dummy-a", + "name": "dummy", + "purl": "pkg:pypi/pathlib2@2.3.5", + "type": "library", + "version": "2.3.5" + }, + { + "bom-ref": "dummy-b", + "name": "dummy", + "purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6", + "type": "library", + "version": "2.3.5" + } + ], + "dependencies": [ + { + "ref": "dummy-a" + }, + { + "ref": "dummy-b" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.xml.bin new file mode 100644 index 000000000..8a17c960d --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.7.xml.bin @@ -0,0 +1,26 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + dummy + 2.3.5 + pkg:pypi/pathlib2@2.3.5 + + + dummy + 2.3.5 + pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6 + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.json.bin b/tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.json.bin new file mode 100644 index 000000000..0bdc84311 --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.json.bin @@ -0,0 +1,38 @@ +{ + "components": [ + { + "bom-ref": "example@15.8.0", + "name": "example", + "properties": [ + { + "name": "cdx:npm:package:path" + } + ], + "type": "library", + "version": "15.8.0" + } + ], + "dependencies": [ + { + "ref": "example@15.8.0" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.xml.bin b/tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.xml.bin new file mode 100644 index 000000000..e6dc26f8d --- /dev/null +++ b/tests/_data/snapshots/get_bom_for_issue_630_empty_property-1.7.xml.bin @@ -0,0 +1,22 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + example + 15.8.0 + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin new file mode 100644 index 000000000..24e062a6e --- /dev/null +++ b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin @@ -0,0 +1,460 @@ +{ + "dependencies": [ + { + "ref": "my-specific-bom-ref-for-dings" + } + ], + "metadata": { + "authors": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "component": { + "author": "Test Author", + "bom-ref": "my-specific-bom-ref-for-dings", + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "bom-ref": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "copyright": "Apache 2.0 baby!", + "cpe": "cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*", + "description": "This component is awesome", + "evidence": { + "copyright": [ + { + "text": "Commercial" + }, + { + "text": "Commercial 2" + } + ] + }, + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "manufacturer": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "name": "setuptools", + "pedigree": { + "ancestors": [ + { + "author": "Test Author", + "bom-ref": "ccc8d7ee-4b9c-4750-aee0-a72585152291", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "author": "Test Author", + "bom-ref": "8a3893b3-9923-4adb-a1d3-47456636ba0a", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools?extension=tar.gz", + "type": "library" + } + ], + "commits": [ + { + "message": "A commit message", + "uid": "a-random-uid" + } + ], + "descendants": [ + { + "author": "Test Author", + "bom-ref": "28b2d8ce-def0-446f-a221-58dee0b44acc", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools?extension=tar.gz", + "type": "library" + }, + { + "bom-ref": "555ca729-93c6-48f3-956e-bdaa4a2f0bfa", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "notes": "Some notes here please", + "patches": [ + { + "diff": { + "text": { + "content": "LS0tIGZvbwkyMDI0LTAzLTA0IDEyOjQxOjExLjQxODc1OTE0NSArMDEwMAorKysgYmFyCTIwMjQtMDMtMDQgMTI6NDE6MjguMzE1NTE3ODQ3ICswMTAwCkBAIC0xLDIgKzEsMiBAQAotaGVsbG8gd29ybGQuCitIZWxsbyB3b3JsZC4KIAo=", + "contentType": "text/x-diff", + "encoding": "base64" + }, + "url": "https://acme.com/my-patch.diff" + }, + "type": "backport" + } + ], + "variants": [ + { + "author": "Test Author", + "bom-ref": "ded1d73e-1fca-4302-b520-f1bc53979958", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "bom-ref": "e7abdcca-5ba2-4f29-b2cf-b1e1ef788e66", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ] + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "publisher": "CycloneDX", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://central.sonatype.org/news/20211213_log4shell_help", + "https://logging.apache.org/log4j/2.x/security.html" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "alpha", + "test" + ], + "timestamp": "2023-08-15T01:23:45.678900+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "scope": "required", + "supplier": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "swid": { + "name": "Test Application", + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "text": { + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==", + "contentType": "text/xml", + "encoding": "base64" + }, + "version": "3.4.5" + }, + "type": "library", + "version": "50.3.2" + }, + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "text": { + "content": "VGVzdCBjb250ZW50IC0gdGhpcyBpcyBub3QgdGhlIEFwYWNoZSAyLjAgbGljZW5zZSE=", + "contentType": "text/plain", + "encoding": "base64" + }, + "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" + } + } + ], + "lifecycles": [ + { + "phase": "build" + } + ], + "manufacture": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "supplier": { + "address": { + "country": "US", + "locality": "Austin", + "postOfficeBoxNumber": "105a", + "postalCode": "12345", + "region": "Texas", + "streetAddress": "100 Yee-Ha Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "Cyclone DX", + "url": [ + "https://cyclonedx.org/" + ] + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin new file mode 100644 index 000000000..ac12da27f --- /dev/null +++ b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin @@ -0,0 +1,328 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + build + + + + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + Test Author + CycloneDX + setuptools + 50.3.2 + This component is awesome + required + + + MIT + + + Apache 2.0 baby! + cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:* + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== + + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + Test Author + setuptools + + + MIT + + + pkg:pypi/setuptools?extension=tar.gz + + + + + Test Author + setuptools + + + MIT + + + pkg:pypi/setuptools?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + a-random-uid + A commit message + + + + + + LS0tIGZvbwkyMDI0LTAzLTA0IDEyOjQxOjExLjQxODc1OTE0NSArMDEwMAorKysgYmFyCTIwMjQtMDMtMDQgMTI6NDE6MjguMzE1NTE3ODQ3ICswMTAwCkBAIC0xLDIgKzEsMiBAQAotaGVsbG8gd29ybGQuCitIZWxsbyB3b3JsZC4KIAo= + https://acme.com/my-patch.diff + + + + Some notes here please + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + val1 + val2 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + Commercial + Commercial 2 + + + + major + Release Notes Title + https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png + https://cyclonedx.org/cyclonedx-icon.png + This release is a test release + 2023-08-15T01:23:45.678900+00:00 + + First Test Release + + + alpha + test + + + + CVE-2021-44228 + Apache Log3Shell + Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features... + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + + + https://central.sonatype.org/news/20211213_log4shell_help + https://logging.apache.org/log4j/2.x/security.html + + + + + + en-GB + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + en-US + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + + val1 + val2 + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + + Cyclone DX +
+ US + Texas + Austin + 105a + 12345 + 100 Yee-Ha Street +
+ https://cyclonedx.org/ + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + + + Apache-2.0 + VGVzdCBjb250ZW50IC0gdGhpcyBpcyBub3QgdGhlIEFwYWNoZSAyLjAgbGljZW5zZSE= + https://www.apache.org/licenses/LICENSE-2.0.txt + + + + val1 + val2 + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.json.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.json.bin new file mode 100644 index 000000000..819b1821b --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.json.bin @@ -0,0 +1,60 @@ +{ + "components": [ + { + "bom-ref": "8182921e-0588-472e-b8f9-9c527c68f067", + "cryptoProperties": { + "algorithmProperties": { + "certificationLevel": [ + "fips140-1-l1", + "fips140-2-l3", + "other" + ], + "classicalSecurityLevel": 2, + "cryptoFunctions": [ + "sign", + "unknown" + ], + "curve": "9n8y2oxty3ao83n8qc2g2x3qcw4jt4wj", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "generic", + "mode": "ecb", + "nistQuantumSecurityLevel": 2, + "padding": "pkcs7", + "parameterSetIdentifier": "a-parameter-set-id", + "primitive": "kem" + }, + "assetType": "algorithm", + "oid": "an-oid-here" + }, + "name": "My Algorithm", + "tags": [ + "algorithm" + ], + "type": "cryptographic-asset", + "version": "1.0" + } + ], + "dependencies": [ + { + "ref": "8182921e-0588-472e-b8f9-9c527c68f067" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.xml.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.xml.bin new file mode 100644 index 000000000..a31cf67d7 --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_algorithm-1.7.xml.bin @@ -0,0 +1,44 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + My Algorithm + 1.0 + + algorithm + + kem + a-parameter-set-id + 9n8y2oxty3ao83n8qc2g2x3qcw4jt4wj + software-plain-ram + generic + fips140-1-l1 + fips140-2-l3 + other + ecb + pkcs7 + + sign + unknown + + 2 + 2 + + an-oid-here + + + algorithm + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.json.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.json.bin new file mode 100644 index 000000000..1ded17727 --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.json.bin @@ -0,0 +1,48 @@ +{ + "components": [ + { + "bom-ref": "1f4ed1e4-582a-4fa0-8c38-1b4facc16972", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "certificateExtension": "csr", + "certificateFormat": "pem", + "issuerName": "Cloudflare Inc ECC CA-3", + "notValidAfter": "2024-05-19T00:59:59.999999+00:00", + "notValidBefore": "2023-05-19T01:00:00+00:00", + "subjectName": "cyclonedx.org" + }, + "oid": "an-oid-here" + }, + "name": "My Certificate", + "tags": [ + "certificate" + ], + "type": "cryptographic-asset", + "version": "1.0" + } + ], + "dependencies": [ + { + "ref": "1f4ed1e4-582a-4fa0-8c38-1b4facc16972" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.xml.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.xml.bin new file mode 100644 index 000000000..81a2ac3ca --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_certificate-1.7.xml.bin @@ -0,0 +1,34 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + My Certificate + 1.0 + + certificate + + cyclonedx.org + Cloudflare Inc ECC CA-3 + 2023-05-19T01:00:00+00:00 + 2024-05-19T00:59:59.999999+00:00 + pem + csr + + an-oid-here + + + certificate + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.json.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.json.bin new file mode 100644 index 000000000..973ed625d --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.json.bin @@ -0,0 +1,81 @@ +{ + "components": [ + { + "bom-ref": "26b1ce0f-bec6-4bfe-9db1-03b75a4ed1ec", + "cryptoProperties": { + "assetType": "protocol", + "oid": "an-oid-here", + "protocolProperties": { + "cipherSuites": [ + { + "identifiers": [ + "TLS_AES_128_CCM_8_SHA256" + ], + "name": "TLS_AES_128_CCM_8_SHA256" + }, + { + "identifiers": [ + "TLS_AES_128_CCM_SHA256" + ], + "name": "TLS_AES_128_CCM_SHA256" + }, + { + "identifiers": [ + "TLS_AES_128_GCM_SHA256" + ], + "name": "TLS_AES_128_GCM_SHA256" + }, + { + "identifiers": [ + "TLS_AES_256_GCM_SHA384" + ], + "name": "TLS_AES_256_GCM_SHA384" + }, + { + "identifiers": [ + "TLS_CHACHA20_POLY1305_SHA256" + ], + "name": "TLS_CHACHA20_POLY1305_SHA256" + } + ], + "cryptoRefArray": [ + "for-test-1", + "for-test-2" + ], + "type": "tls", + "version": "1.3" + } + }, + "name": "TLS", + "tags": [ + "protocl", + "tls" + ], + "type": "cryptographic-asset", + "version": "v1.3" + } + ], + "dependencies": [ + { + "ref": "26b1ce0f-bec6-4bfe-9db1-03b75a4ed1ec" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.xml.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.xml.bin new file mode 100644 index 000000000..5c91c3b5f --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_protocol-1.7.xml.bin @@ -0,0 +1,65 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + TLS + v1.3 + + protocol + + tls + 1.3 + + + TLS_AES_128_CCM_8_SHA256 + + TLS_AES_128_CCM_8_SHA256 + + + + TLS_AES_128_CCM_SHA256 + + TLS_AES_128_CCM_SHA256 + + + + TLS_AES_128_GCM_SHA256 + + TLS_AES_128_GCM_SHA256 + + + + TLS_AES_256_GCM_SHA384 + + TLS_AES_256_GCM_SHA384 + + + + TLS_CHACHA20_POLY1305_SHA256 + + TLS_CHACHA20_POLY1305_SHA256 + + + + for-test-1 + for-test-2 + + an-oid-here + + + protocl + tls + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.json.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.json.bin new file mode 100644 index 000000000..9c404d2e5 --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.json.bin @@ -0,0 +1,55 @@ +{ + "components": [ + { + "bom-ref": "332b3cee-078c-4789-ab15-887565b6fac5", + "cryptoProperties": { + "assetType": "related-crypto-material", + "oid": "an-oid-here", + "relatedCryptoMaterialProperties": { + "activationDate": "2023-05-19T01:00:00+00:00", + "creationDate": "2023-05-19T01:00:00+00:00", + "expirationDate": "2024-05-19T00:59:59.999999+00:00", + "format": "a-format", + "id": "some-identifier", + "securedBy": { + "mechanism": "hard-work" + }, + "size": 32, + "state": "active", + "type": "digest", + "value": "some-random-value" + } + }, + "name": "My Encrypted Thing", + "tags": [ + "data", + "encrypted" + ], + "type": "cryptographic-asset", + "version": "1.0" + } + ], + "dependencies": [ + { + "ref": "332b3cee-078c-4789-ab15-887565b6fac5" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.xml.bin b/tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.xml.bin new file mode 100644 index 000000000..239e2c956 --- /dev/null +++ b/tests/_data/snapshots/get_bom_v1_6_with_crypto_related_material-1.7.xml.bin @@ -0,0 +1,41 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + My Encrypted Thing + 1.0 + + related-crypto-material + + digest + some-identifier + active + 2023-05-19T01:00:00+00:00 + 2023-05-19T01:00:00+00:00 + 2024-05-19T00:59:59.999999+00:00 + some-random-value + 32 + a-format + + hard-work + + + an-oid-here + + + data + encrypted + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_evidence-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_evidence-1.7.json.bin new file mode 100644 index 000000000..a1bf57584 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_evidence-1.7.json.bin @@ -0,0 +1,143 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "evidence": { + "callstack": { + "frames": [ + { + "column": 5, + "fullFilename": "path/to/file", + "function": "example_function", + "line": 10, + "module": "example.module", + "package": "example.package", + "parameters": [ + "param1", + "param2" + ] + } + ] + }, + "copyright": [ + { + "text": "Commercial" + }, + { + "text": "Commercial 2" + } + ], + "identity": [ + { + "concludedValue": "example-hash", + "confidence": 0.1, + "field": "hash", + "methods": [ + { + "confidence": 0.1, + "technique": "attestation", + "value": "analysis-tool" + } + ], + "tools": [ + "cbom:generator" + ] + }, + { + "concludedValue": "example-component", + "confidence": 0.9, + "field": "name", + "methods": [ + { + "confidence": 0.8, + "technique": "source-code-analysis", + "value": "analysis-tool" + } + ], + "tools": [ + "cbom:generator" + ] + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "occurrences": [ + { + "additionalContext": "Found in source code", + "line": 42, + "location": "path/to/file", + "offset": 16, + "symbol": "exampleSymbol" + } + ] + }, + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "dependsOn": [ + "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + ], + "ref": "myApp" + }, + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + } + ], + "metadata": { + "component": { + "bom-ref": "myApp", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "root-component", + "type": "application" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": { + "components": [ + { + "bom-ref": "cbom:generator", + "name": "product-cbom-generator", + "type": "application" + } + ] + } + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_evidence-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_evidence-1.7.xml.bin new file mode 100644 index 000000000..ca95d432f --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_evidence-1.7.xml.bin @@ -0,0 +1,110 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + product-cbom-generator + + + + + root-component + + + MIT + + + + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + hash + 0.1 + example-hash + + + attestation + 0.1 + analysis-tool + + + + + + + + name + 0.9 + example-component + + + source-code-analysis + 0.8 + analysis-tool + + + + + + + + + path/to/file + 42 + 16 + exampleSymbol + Found in source code + + + + + + example.package + example.module + example_function + + param1 + param2 + + 10 + 5 + path/to/file + + + + + + MIT + + + + Commercial + Commercial 2 + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.json.bin new file mode 100644 index 000000000..2e5fc61cc --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.json.bin @@ -0,0 +1,42 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.xml.bin new file mode 100644 index 000000000..07ead6601 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_basic-1.7.xml.bin @@ -0,0 +1,26 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.json.bin new file mode 100644 index 000000000..e9022bcaa --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.json.bin @@ -0,0 +1,354 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "my-specific-bom-ref-for-dings", + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "bom-ref": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "copyright": "Apache 2.0 baby!", + "cpe": "cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*", + "description": "This component is awesome", + "evidence": { + "copyright": [ + { + "text": "Commercial" + }, + { + "text": "Commercial 2" + } + ] + }, + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "pedigree": { + "ancestors": [ + { + "author": "Test Author", + "bom-ref": "ccc8d7ee-4b9c-4750-aee0-a72585152291", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "author": "Test Author", + "bom-ref": "8a3893b3-9923-4adb-a1d3-47456636ba0a", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools?extension=tar.gz", + "type": "library" + } + ], + "commits": [ + { + "message": "A commit message", + "uid": "a-random-uid" + } + ], + "descendants": [ + { + "author": "Test Author", + "bom-ref": "28b2d8ce-def0-446f-a221-58dee0b44acc", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools?extension=tar.gz", + "type": "library" + }, + { + "bom-ref": "555ca729-93c6-48f3-956e-bdaa4a2f0bfa", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "notes": "Some notes here please", + "patches": [ + { + "diff": { + "text": { + "content": "LS0tIGZvbwkyMDI0LTAzLTA0IDEyOjQxOjExLjQxODc1OTE0NSArMDEwMAorKysgYmFyCTIwMjQtMDMtMDQgMTI6NDE6MjguMzE1NTE3ODQ3ICswMTAwCkBAIC0xLDIgKzEsMiBAQAotaGVsbG8gd29ybGQuCitIZWxsbyB3b3JsZC4KIAo=", + "contentType": "text/x-diff", + "encoding": "base64" + }, + "url": "https://acme.com/my-patch.diff" + }, + "type": "backport" + } + ], + "variants": [ + { + "author": "Test Author", + "bom-ref": "ded1d73e-1fca-4302-b520-f1bc53979958", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "bom-ref": "e7abdcca-5ba2-4f29-b2cf-b1e1ef788e66", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ] + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "publisher": "CycloneDX", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://central.sonatype.org/news/20211213_log4shell_help", + "https://logging.apache.org/log4j/2.x/security.html" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "alpha", + "test" + ], + "timestamp": "2023-08-15T01:23:45.678900+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "scope": "required", + "supplier": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "swid": { + "name": "Test Application", + "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", + "text": { + "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==", + "contentType": "text/xml", + "encoding": "base64" + }, + "version": "3.4.5" + }, + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "ref": "my-specific-bom-ref-for-dings" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.xml.bin new file mode 100644 index 000000000..3f50554d7 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.7.xml.bin @@ -0,0 +1,246 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + Test Author + CycloneDX + setuptools + 50.3.2 + This component is awesome + required + + + MIT + + + Apache 2.0 baby! + cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:* + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg== + + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + Test Author + setuptools + + + MIT + + + pkg:pypi/setuptools?extension=tar.gz + + + + + Test Author + setuptools + + + MIT + + + pkg:pypi/setuptools?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + a-random-uid + A commit message + + + + + + LS0tIGZvbwkyMDI0LTAzLTA0IDEyOjQxOjExLjQxODc1OTE0NSArMDEwMAorKysgYmFyCTIwMjQtMDMtMDQgMTI6NDE6MjguMzE1NTE3ODQ3ICswMTAwCkBAIC0xLDIgKzEsMiBAQAotaGVsbG8gd29ybGQuCitIZWxsbyB3b3JsZC4KIAo= + https://acme.com/my-patch.diff + + + + Some notes here please + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + val1 + val2 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + Commercial + Commercial 2 + + + + major + Release Notes Title + https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png + https://cyclonedx.org/cyclonedx-icon.png + This release is a test release + 2023-08-15T01:23:45.678900+00:00 + + First Test Release + + + alpha + test + + + + CVE-2021-44228 + Apache Log3Shell + Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features... + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + + + https://central.sonatype.org/news/20211213_log4shell_help + https://logging.apache.org/log4j/2.x/security.html + + + + + + en-GB + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + en-US + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + + val1 + val2 + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.json.bin new file mode 100644 index 000000000..718dd55a0 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.json.bin @@ -0,0 +1,41 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools?extension=tar.gz", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/setuptools?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.xml.bin new file mode 100644 index 000000000..42eb8c21f --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_no_component_version-1.7.xml.bin @@ -0,0 +1,25 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + Test Author + setuptools + + + MIT + + + pkg:pypi/setuptools?extension=tar.gz + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.json.bin new file mode 100644 index 000000000..cb155a604 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.json.bin @@ -0,0 +1,43 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "cpe": "cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.xml.bin new file mode 100644 index 000000000..a69b8552c --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_cpe-1.7.xml.bin @@ -0,0 +1,27 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:* + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.json.bin new file mode 100644 index 000000000..318441702 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.json.bin @@ -0,0 +1,101 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://central.sonatype.org/news/20211213_log4shell_help", + "https://logging.apache.org/log4j/2.x/security.html" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "alpha", + "test" + ], + "timestamp": "2023-08-15T01:23:45.678900+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.xml.bin new file mode 100644 index 000000000..29d5c2a6f --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_release_notes-1.7.xml.bin @@ -0,0 +1,70 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + major + Release Notes Title + https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png + https://cyclonedx.org/cyclonedx-icon.png + This release is a test release + 2023-08-15T01:23:45.678900+00:00 + + First Test Release + + + alpha + test + + + + CVE-2021-44228 + Apache Log3Shell + Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features... + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + + + https://central.sonatype.org/news/20211213_log4shell_help + https://logging.apache.org/log4j/2.x/security.html + + + + + + en-GB + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + en-US + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + + val1 + val2 + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.json.bin new file mode 100644 index 000000000..29eb56f4a --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.json.bin @@ -0,0 +1,86 @@ +{ + "components": [ + { + "author": "Test Author", + "authors": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "manufacturer": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "name": "setuptools", + "omniborId": [ + "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64" + ], + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "swhid": [ + "swh:1:cnt:4d99d2d18326621ccdd70f5ea66c2e2ac236ad8b;origin=https://gitorious.org/ocamlp3l/ocamlp3l_cvs.git;visit=swh:1:snp:d7f1b9eb7ccb596c2622c4780febaa02549830f9;anchor=swh:1:rev:2db189928c94d62a3b4757b3eec68f0a4d4113f0;path=/Examples/SimpleFarm/simplefarm.ml;lines=9-15", + "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2", + "swh:1:cnt:f10371aa7b8ccabca8479196d6cd640676fd4a04;origin=https://github.com/web-platform-tests/wpt;visit=swh:1:snp:b37d435721bbd450624165f334724e3585346499;anchor=swh:1:rev:259d0612af038d14f2cd889a14a3adb6c9e96d96;path=/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/support/x%3Burl=foo/", + "swh:1:rel:22ece559cc7cc2364edc5e5593d63ae8bd229f9f" + ], + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.xml.bin new file mode 100644 index 000000000..d95e4d04e --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_v16_fields-1.7.xml.bin @@ -0,0 +1,62 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64 + swh:1:cnt:4d99d2d18326621ccdd70f5ea66c2e2ac236ad8b;origin=https://gitorious.org/ocamlp3l/ocamlp3l_cvs.git;visit=swh:1:snp:d7f1b9eb7ccb596c2622c4780febaa02549830f9;anchor=swh:1:rev:2db189928c94d62a3b4757b3eec68f0a4d4113f0;path=/Examples/SimpleFarm/simplefarm.ml;lines=9-15 + swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 + swh:1:cnt:f10371aa7b8ccabca8479196d6cd640676fd4a04;origin=https://github.com/web-platform-tests/wpt;visit=swh:1:snp:b37d435721bbd450624165f334724e3585346499;anchor=swh:1:rev:259d0612af038d14f2cd889a14a3adb6c9e96d96;path=/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/support/x%3Burl=foo/ + swh:1:rel:22ece559cc7cc2364edc5e5593d63ae8bd229f9f + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.json.bin new file mode 100644 index 000000000..176d775f2 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.json.bin @@ -0,0 +1,176 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "vulnerabilities": [ + { + "advisories": [ + { + "url": "http://www.securitytracker.com/id/1040693" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" + } + ], + "affects": [ + { + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "versions": [ + { + "range": "49.0.0 - 54.0.0", + "status": "affected" + } + ] + } + ], + "analysis": { + "detail": "Some extra detail", + "firstIssued": "2018-09-01T10:50:42.051979+00:00", + "justification": "requires_environment", + "lastUpdated": "2018-09-01T10:50:42.051979+00:00", + "response": [ + "can_not_fix" + ], + "state": "exploitable" + }, + "bom-ref": "my-vuln-ref-1", + "created": "2021-09-01T10:50:42.051979+00:00", + "credits": { + "individuals": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "organizations": [ + { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + } + ] + }, + "cwes": [ + 22, + 33 + ], + "description": "A description here", + "detail": "Some detail here", + "id": "CVE-2018-7489", + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "published": "2021-09-02T10:50:42.051979+00:00", + "ratings": [ + { + "justification": "Some justification", + "method": "CVSSv3", + "score": 9.8, + "severity": "critical", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" + }, + "vector": "AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "justification": "Some other justification", + "method": "CVSSv3", + "score": 2.7, + "severity": "low", + "source": { + "name": "OWASP", + "url": "https://owasp.org" + }, + "vector": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N" + } + ], + "recommendation": "Upgrade", + "references": [ + { + "id": "SOME-OTHER-ID", + "source": { + "name": "OSS Index", + "url": "https://ossindex.sonatype.org/component/pkg:pypi/setuptools" + } + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" + }, + "tools": [ + { + "name": "cyclonedx-python-lib", + "vendor": "CycloneDX" + } + ], + "updated": "2021-09-03T10:50:42.051979+00:00", + "workaround": "Describe the workarounds here" + } + ], + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.xml.bin new file mode 100644 index 000000000..503b2feb0 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_setuptools_with_vulnerability-1.7.xml.bin @@ -0,0 +1,149 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + + + + + val1 + val2 + + + + CVE-2018-7489 + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2018-7489 + + + + SOME-OTHER-ID + + OSS Index + https://ossindex.sonatype.org/component/pkg:pypi/setuptools + + + + + + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2018-7489 + + 9.8 + critical + CVSSv3 + AN/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + Some justification + + + + OWASP + https://owasp.org + + 2.7 + low + CVSSv3 + AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N + Some other justification + + + + 22 + 33 + + A description here + Some detail here + Upgrade + Describe the workarounds here + + + http://www.securitytracker.com/id/1040693 + + + https://nvd.nist.gov/vuln/detail/CVE-2018-7489 + + + 2021-09-01T10:50:42.051979+00:00 + 2021-09-02T10:50:42.051979+00:00 + 2021-09-03T10:50:42.051979+00:00 + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + + + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + + + + CycloneDX + cyclonedx-python-lib + + + + exploitable + requires_environment + + can_not_fix + + Some extra detail + 2018-09-01T10:50:42.051979+00:00 + 2018-09-01T10:50:42.051979+00:00 + + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + 49.0.0 - 54.0.0 + affected + + + + + + val1 + val2 + + + + diff --git a/tests/_data/snapshots/get_bom_with_component_toml_1-1.7.json.bin b/tests/_data/snapshots/get_bom_with_component_toml_1-1.7.json.bin new file mode 100644 index 000000000..995cb2698 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_toml_1-1.7.json.bin @@ -0,0 +1,53 @@ +{ + "components": [ + { + "bom-ref": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/toml@0.10.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_component_toml_1-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_component_toml_1-1.7.xml.bin new file mode 100644 index 000000000..3fd0e044b --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_component_toml_1-1.7.xml.bin @@ -0,0 +1,32 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.json.bin b/tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.json.bin new file mode 100644 index 000000000..453cb3e1d --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.json.bin @@ -0,0 +1,159 @@ +{ + "definitions": { + "standards": [ + { + "bom-ref": "other-standard", + "description": "Other description", + "externalReferences": [ + { + "type": "website", + "url": "https://cyclonedx.org" + } + ], + "levels": [ + { + "bom-ref": "lvl-3", + "description": "Level 3 description", + "identifier": "LVL-3", + "requirements": [ + "req-3" + ], + "title": "Level 3" + } + ], + "name": "Other Standard", + "owner": "Other Owner", + "requirements": [ + { + "bom-ref": "req-3", + "descriptions": [ + "Requirement 3 described here", + "and here" + ], + "identifier": "REQ-3", + "openCre": [ + "CRE:5-6", + "CRE:7-8" + ], + "properties": [ + { + "name": "key3", + "value": "val3" + } + ], + "text": "some requirement text", + "title": "Requirement 3" + } + ], + "version": "1.0.0" + }, + { + "bom-ref": "some-standard", + "description": "Some description", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "levels": [ + { + "bom-ref": "lvl-1", + "description": "Level 1 description", + "identifier": "LVL-1", + "title": "Level 1" + }, + { + "bom-ref": "lvl-2", + "description": "Level 2 description", + "identifier": "LVL-2", + "requirements": [ + "req-1", + "req-2" + ], + "title": "Level 2" + } + ], + "name": "Some Standard", + "owner": "Some Owner", + "requirements": [ + { + "bom-ref": "req-1", + "descriptions": [ + "Requirement 1 described here", + "and here" + ], + "externalReferences": [ + { + "type": "website", + "url": "https://cyclonedx.org" + } + ], + "identifier": "REQ-1", + "openCre": [ + "CRE:1-2" + ], + "properties": [ + { + "name": "key1", + "value": "val1a" + }, + { + "name": "key1", + "value": "val1b" + } + ], + "text": "some requirement text", + "title": "Requirement 1" + }, + { + "bom-ref": "req-2", + "descriptions": [ + "Requirement 2 described here" + ], + "identifier": "REQ-2", + "openCre": [ + "CRE:1-2", + "CRE:3-4" + ], + "parent": "req-1", + "properties": [ + { + "name": "key2", + "value": "val2" + } + ], + "text": "some requirement text", + "title": "Requirement 2" + } + ], + "version": "1.2.3" + } + ] + }, + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.xml.bin new file mode 100644 index 000000000..4ea59f611 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_definitions_and_detailed_standards-1.7.xml.bin @@ -0,0 +1,117 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + + Other Standard + 1.0.0 + Other description + Other Owner + + + REQ-3 + Requirement 3 + some requirement text + + Requirement 3 described here + and here + + CRE:5-6 + CRE:7-8 + + val3 + + + + + + LVL-3 + Level 3 + Level 3 description + + req-3 + + + + + + https://cyclonedx.org + + + + + Some Standard + 1.2.3 + Some description + Some Owner + + + REQ-1 + Requirement 1 + some requirement text + + Requirement 1 described here + and here + + CRE:1-2 + + val1a + val1b + + + + https://cyclonedx.org + + + + + REQ-2 + Requirement 2 + some requirement text + + Requirement 2 described here + + CRE:1-2 + CRE:3-4 + req-1 + + val2 + + + + + + LVL-1 + Level 1 + Level 1 description + + + LVL-2 + Level 2 + Level 2 description + + req-1 + req-2 + + + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + diff --git a/tests/_data/snapshots/get_bom_with_definitions_standards-1.7.json.bin b/tests/_data/snapshots/get_bom_with_definitions_standards-1.7.json.bin new file mode 100644 index 000000000..57c9cc0da --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_definitions_standards-1.7.json.bin @@ -0,0 +1,37 @@ +{ + "definitions": { + "standards": [ + { + "bom-ref": "some-standard", + "description": "Some description", + "externalReferences": [ + { + "type": "website", + "url": "https://cyclonedx.org" + } + ], + "name": "Some Standard", + "owner": "Some Owner", + "version": "1.2.3" + } + ] + }, + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_definitions_standards-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_definitions_standards-1.7.xml.bin new file mode 100644 index 000000000..88a31730b --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_definitions_standards-1.7.xml.bin @@ -0,0 +1,25 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + + + + Some Standard + 1.2.3 + Some description + Some Owner + + + https://cyclonedx.org + + + + + + diff --git a/tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.json.bin b/tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.json.bin new file mode 100644 index 000000000..e720662e0 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.json.bin @@ -0,0 +1,82 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "setuptools", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "bom-ref": "toml", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "dependencies": [ + { + "ref": "root-component" + }, + { + "dependsOn": [ + "toml" + ], + "ref": "setuptools" + }, + { + "ref": "toml" + } + ], + "metadata": { + "component": { + "bom-ref": "root-component", + "name": "rootComponent", + "type": "application" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 23, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.xml.bin new file mode 100644 index 000000000..94379059c --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_dependencies_hanging-1.7.xml.bin @@ -0,0 +1,50 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + rootComponent + + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.json.bin b/tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.json.bin new file mode 100644 index 000000000..157eed17a --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.json.bin @@ -0,0 +1,74 @@ +{ + "components": [ + { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + { + "bom-ref": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "dependencies": [ + { + "dependsOn": [ + "pkg:pypi/toml@0.10.2?extension=tar.gz" + ], + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + }, + { + "ref": "pkg:pypi/toml@0.10.2?extension=tar.gz" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.xml.bin new file mode 100644 index 000000000..08f4a82e2 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_dependencies_valid-1.7.xml.bin @@ -0,0 +1,46 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin new file mode 100644 index 000000000..01744db68 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin @@ -0,0 +1,37 @@ +{ + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + }, + { + "type": "website", + "url": "https://cyclonedx.org" + } + ], + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin new file mode 100644 index 000000000..02af4c300 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin @@ -0,0 +1,22 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + https://cyclonedx.org + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin new file mode 100644 index 000000000..f095a4692 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin @@ -0,0 +1,163 @@ +{ + "components": [ + { + "bom-ref": "C2", + "licenses": [ + { + "license": { + "acknowledgement": "concluded", + "id": "Apache-2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + } + ], + "name": "c-with-SPDX", + "type": "library" + }, + { + "bom-ref": "C1", + "licenses": [ + { + "acknowledgement": "concluded", + "expression": "Apache-2.0 OR MIT" + } + ], + "name": "c-with-expression", + "type": "library" + }, + { + "bom-ref": "C3", + "licenses": [ + { + "license": { + "name": "some additional", + "text": { + "content": "this is additional license text", + "contentType": "text/plain" + } + } + }, + { + "license": { + "name": "some commercial license", + "text": { + "content": "this is a license text", + "contentType": "text/plain" + } + } + } + ], + "name": "c-with-name", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "C1" + }, + { + "ref": "C2" + }, + { + "ref": "C3" + }, + { + "ref": "S1" + }, + { + "ref": "S2" + }, + { + "ref": "S3" + }, + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "licenses": [ + { + "license": { + "name": "proprietary" + } + } + ], + "name": "app", + "type": "application" + }, + "licenses": [ + { + "license": { + "id": "CC-BY-1.0" + } + } + ], + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "services": [ + { + "bom-ref": "S2", + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "id": "Apache-2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + } + ], + "name": "s-with-SPDX" + }, + { + "bom-ref": "S1", + "licenses": [ + { + "acknowledgement": "declared", + "expression": "Apache-2.0 OR MIT" + } + ], + "name": "s-with-expression" + }, + { + "bom-ref": "S3", + "licenses": [ + { + "license": { + "name": "some additional", + "text": { + "content": "this is additional license text", + "contentType": "text/plain" + } + } + }, + { + "license": { + "name": "some commercial license", + "text": { + "content": "this is a license text", + "contentType": "text/plain" + } + } + } + ], + "name": "s-with-name" + } + ], + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin new file mode 100644 index 000000000..b9e91e6db --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin @@ -0,0 +1,92 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + proprietary + + + + + + CC-BY-1.0 + + + + + + c-with-SPDX + + + Apache-2.0 + https://www.apache.org/licenses/LICENSE-2.0.html + + + + + c-with-expression + + Apache-2.0 OR MIT + + + + c-with-name + + + some additional + this is additional license text + + + some commercial license + this is a license text + + + + + + + s-with-SPDX + + + Apache-2.0 + https://www.apache.org/licenses/LICENSE-2.0.html + + + + + s-with-expression + + Apache-2.0 OR MIT + + + + s-with-name + + + some additional + this is additional license text + + + some commercial license + this is a license text + + + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_lifecycles-1.7.json.bin b/tests/_data/snapshots/get_bom_with_lifecycles-1.7.json.bin new file mode 100644 index 000000000..205d45ae2 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_lifecycles-1.7.json.bin @@ -0,0 +1,42 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application" + }, + "lifecycles": [ + { + "phase": "build" + }, + { + "phase": "post-build" + }, + { + "description": "Integration testing specific to the runtime platform", + "name": "platform-integration-testing" + } + ], + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_lifecycles-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_lifecycles-1.7.xml.bin new file mode 100644 index 000000000..2fbb8cb79 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_lifecycles-1.7.xml.bin @@ -0,0 +1,28 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + build + + + post-build + + + platform-integration-testing + Integration testing specific to the runtime platform + + + + app + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.json.bin b/tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.json.bin new file mode 100644 index 000000000..b78d65964 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.json.bin @@ -0,0 +1,74 @@ +{ + "components": [ + { + "bom-ref": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "name": "toml", + "purl": "pkg:pypi/toml@0.10.2?extension=tar.gz", + "type": "library", + "version": "0.10.2" + } + ], + "dependencies": [ + { + "dependsOn": [ + "pkg:pypi/toml@0.10.2?extension=tar.gz" + ], + "ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz" + }, + { + "ref": "pkg:pypi/toml@0.10.2?extension=tar.gz" + } + ], + "metadata": { + "component": { + "author": "Test Author", + "bom-ref": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "name": "setuptools", + "purl": "pkg:pypi/setuptools@50.3.2?extension=tar.gz", + "type": "library", + "version": "50.3.2" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.xml.bin new file mode 100644 index 000000000..ced8a82fe --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_metadata_component_and_dependencies-1.7.xml.bin @@ -0,0 +1,46 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + Test Author + setuptools + 50.3.2 + + + MIT + + + pkg:pypi/setuptools@50.3.2?extension=tar.gz + + + + + toml + 0.10.2 + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + pkg:pypi/toml@0.10.2?extension=tar.gz + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.json.bin b/tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.json.bin new file mode 100644 index 000000000..d19b61443 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.json.bin @@ -0,0 +1,97 @@ +{ + "components": [ + { + "bom-ref": "my-compo", + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "name": "foo license" + } + } + ], + "name": "comp", + "type": "library" + } + ], + "dependencies": [ + { + "ref": "my-app" + }, + { + "ref": "my-compo" + }, + { + "ref": "my-serv" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "name": "foo license" + } + } + ], + "name": "app", + "type": "application" + }, + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "name": "foo license" + } + } + ], + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "services": [ + { + "bom-ref": "my-serv", + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "name": "foo license" + } + } + ], + "name": "serv" + } + ], + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.xml.bin new file mode 100644 index 000000000..956d77389 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_multiple_licenses-1.7.xml.bin @@ -0,0 +1,60 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + MIT + + + foo license + + + + + + MIT + + + foo license + + + + + + comp + + + MIT + + + foo license + + + + + + + serv + + + MIT + + + foo license + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_nested_services-1.7.json.bin b/tests/_data/snapshots/get_bom_with_nested_services-1.7.json.bin new file mode 100644 index 000000000..edb0cc6cb --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_nested_services-1.7.json.bin @@ -0,0 +1,249 @@ +{ + "dependencies": [ + { + "ref": "my-specific-bom-ref-for-cpl" + }, + { + "ref": "my-specific-bom-ref-for-my-first-service" + }, + { + "ref": "my-specific-bom-ref-for-my-second-service" + } + ], + "metadata": { + "component": { + "bom-ref": "my-specific-bom-ref-for-cpl", + "name": "cyclonedx-python-lib", + "type": "library", + "version": "1.0.0" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "services": [ + { + "authenticated": false, + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "group": "a-group", + "licenses": [ + { + "license": { + "name": "Commercial" + } + } + ], + "name": "my-first-service", + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "provider": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://central.sonatype.org/news/20211213_log4shell_help", + "https://logging.apache.org/log4j/2.x/security.html" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "alpha", + "test" + ], + "timestamp": "2023-08-15T01:23:45.678900+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "services": [ + { + "authenticated": true, + "bom-ref": "my-specific-bom-ref-for-second-nested-service", + "group": "no-group", + "name": "second-nested-service", + "provider": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "version": "3.2.1", + "x-trust-boundary": false + }, + { + "bom-ref": "my-specific-bom-ref-for-first-nested-service", + "name": "first-nested-service" + } + ], + "version": "1.2.3", + "x-trust-boundary": true + }, + { + "bom-ref": "my-specific-bom-ref-for-my-second-service", + "name": "my-second-service", + "services": [ + { + "bom-ref": "yet-another-nested-service", + "group": "what-group", + "name": "yet-another-nested-service", + "provider": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "version": "6.5.4" + }, + { + "bom-ref": "my-specific-bom-ref-for-another-nested-service", + "name": "another-nested-service" + } + ] + } + ], + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_nested_services-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_nested_services-1.7.xml.bin new file mode 100644 index 000000000..f166a3a9e --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_nested_services-1.7.xml.bin @@ -0,0 +1,183 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + cyclonedx-python-lib + 1.0.0 + + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + a-group + my-first-service + 1.2.3 + Description goes here + + /api/thing/1 + /api/thing/2 + + false + true + + public + + + + Commercial + + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + val1 + val2 + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + no-group + second-nested-service + 3.2.1 + true + false + + + first-nested-service + + + + major + Release Notes Title + https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png + https://cyclonedx.org/cyclonedx-icon.png + This release is a test release + 2023-08-15T01:23:45.678900+00:00 + + First Test Release + + + alpha + test + + + + CVE-2021-44228 + Apache Log3Shell + Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features... + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + + + https://central.sonatype.org/news/20211213_log4shell_help + https://logging.apache.org/log4j/2.x/security.html + + + + + + en-GB + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + en-US + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + + val1 + val2 + + + + + my-second-service + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + what-group + yet-another-nested-service + 6.5.4 + + + another-nested-service + + + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_services_complex-1.7.json.bin b/tests/_data/snapshots/get_bom_with_services_complex-1.7.json.bin new file mode 100644 index 000000000..9aa33fa2d --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_services_complex-1.7.json.bin @@ -0,0 +1,175 @@ +{ + "dependencies": [ + { + "ref": "my-specific-bom-ref-for-cpl" + }, + { + "ref": "my-specific-bom-ref-for-my-first-service" + }, + { + "ref": "my-specific-bom-ref-for-my-second-service" + } + ], + "metadata": { + "component": { + "bom-ref": "my-specific-bom-ref-for-cpl", + "name": "cyclonedx-python-lib", + "type": "library", + "version": "1.0.0" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "services": [ + { + "authenticated": false, + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "group": "a-group", + "licenses": [ + { + "license": { + "name": "Commercial" + } + } + ], + "name": "my-first-service", + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "provider": { + "address": { + "country": "GB", + "locality": "Cheshire", + "region": "England", + "streetAddress": "100 Main Street" + }, + "contact": [ + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + }, + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org", + "https://cyclonedx.org/docs" + ] + }, + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://central.sonatype.org/news/20211213_log4shell_help", + "https://logging.apache.org/log4j/2.x/security.html" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "alpha", + "test" + ], + "timestamp": "2023-08-15T01:23:45.678900+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "version": "1.2.3", + "x-trust-boundary": true + }, + { + "bom-ref": "my-specific-bom-ref-for-my-second-service", + "name": "my-second-service" + } + ], + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_services_complex-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_services_complex-1.7.xml.bin new file mode 100644 index 000000000..770f7a844 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_services_complex-1.7.xml.bin @@ -0,0 +1,121 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + cyclonedx-python-lib + 1.0.0 + + + + + + CycloneDX +
+ GB + England + Cheshire + 100 Main Street +
+ https://cyclonedx.org + https://cyclonedx.org/docs + + A N Other + someone@somewhere.tld + +44 (0)1234 567890 + + + Paul Horton + paul.horton@owasp.org + + + a-group + my-first-service + 1.2.3 + Description goes here + + /api/thing/1 + /api/thing/2 + + false + true + + public + + + + Commercial + + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + val1 + val2 + + + major + Release Notes Title + https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png + https://cyclonedx.org/cyclonedx-icon.png + This release is a test release + 2023-08-15T01:23:45.678900+00:00 + + First Test Release + + + alpha + test + + + + CVE-2021-44228 + Apache Log3Shell + Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features... + + NVD + https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + + + https://central.sonatype.org/news/20211213_log4shell_help + https://logging.apache.org/log4j/2.x/security.html + + + + + + en-GB + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + en-US + U29tZSBzaW1wbGUgcGxhaW4gdGV4dA== + + + + val1 + val2 + + + + + my-second-service + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_services_simple-1.7.json.bin b/tests/_data/snapshots/get_bom_with_services_simple-1.7.json.bin new file mode 100644 index 000000000..65181aeb5 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_services_simple-1.7.json.bin @@ -0,0 +1,47 @@ +{ + "dependencies": [ + { + "ref": "my-specific-bom-ref-for-cpl" + }, + { + "ref": "my-specific-bom-ref-for-my-first-service" + }, + { + "ref": "my-specific-bom-ref-for-my-second-service" + } + ], + "metadata": { + "component": { + "bom-ref": "my-specific-bom-ref-for-cpl", + "name": "cyclonedx-python-lib", + "type": "library", + "version": "1.0.0" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "name": "my-first-service" + }, + { + "bom-ref": "my-specific-bom-ref-for-my-second-service", + "name": "my-second-service" + } + ], + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_services_simple-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_services_simple-1.7.xml.bin new file mode 100644 index 000000000..5fe84e749 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_services_simple-1.7.xml.bin @@ -0,0 +1,27 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + cyclonedx-python-lib + 1.0.0 + + + + + my-first-service + + + my-second-service + + + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_tools-1.7.json.bin b/tests/_data/snapshots/get_bom_with_tools-1.7.json.bin new file mode 100644 index 000000000..59086d2f5 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools-1.7.json.bin @@ -0,0 +1,88 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": [ + { + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx-python-library.readthedocs.io/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" + } + ], + "name": "cyclonedx-python-lib", + "vendor": "CycloneDX", + "version": "TESTING" + }, + { + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "adbbbe72c8f023b4a2d96a3978f69d94873ab2fef424e0298287c3368519c1a6" + } + ], + "name": "test-tool-a", + "vendor": "example", + "version": "1.33.7" + }, + { + "name": "test-tool-b" + } + ] + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_tools-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_tools-1.7.xml.bin new file mode 100644 index 000000000..378ffa176 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools-1.7.xml.bin @@ -0,0 +1,63 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + CycloneDX + cyclonedx-python-lib + TESTING + + + https://github.com/CycloneDX/cyclonedx-python-lib/actions + + + https://pypi.org/project/cyclonedx-python-lib/ + + + https://cyclonedx-python-library.readthedocs.io/ + + + https://github.com/CycloneDX/cyclonedx-python-lib/issues + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md + + + https://github.com/CycloneDX/cyclonedx-python-lib + + + https://github.com/CycloneDX/cyclonedx-python-lib/#readme + + + + + example + test-tool-a + 1.33.7 + + adbbbe72c8f023b4a2d96a3978f69d94873ab2fef424e0298287c3368519c1a6 + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + test-tool-b + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.json.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.json.bin new file mode 100644 index 000000000..6583b10e8 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.json.bin @@ -0,0 +1,75 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": [ + { + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx-python-library.readthedocs.io/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" + } + ], + "name": "cyclonedx-python-lib", + "vendor": "CycloneDX", + "version": "TESTING" + }, + { + "name": "other-component", + "vendor": "acme" + }, + { + "name": "other-service", + "vendor": "acme" + }, + { + "name": "test-component" + }, + { + "name": "test-service" + } + ] + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.xml.bin new file mode 100644 index 000000000..9b6643125 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_duplicated_tools_irreversible_migrate-1.7.xml.bin @@ -0,0 +1,57 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + CycloneDX + cyclonedx-python-lib + TESTING + + + https://github.com/CycloneDX/cyclonedx-python-lib/actions + + + https://pypi.org/project/cyclonedx-python-lib/ + + + https://cyclonedx-python-library.readthedocs.io/ + + + https://github.com/CycloneDX/cyclonedx-python-lib/issues + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md + + + https://github.com/CycloneDX/cyclonedx-python-lib + + + https://github.com/CycloneDX/cyclonedx-python-lib/#readme + + + + + acme + other-component + + + acme + other-service + + + test-component + + + test-service + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.json.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.json.bin new file mode 100644 index 000000000..71c821b55 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.json.bin @@ -0,0 +1,134 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": [ + { + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx-python-library.readthedocs.io/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" + } + ], + "name": "cyclonedx-python-lib", + "vendor": "CycloneDX", + "version": "TESTING" + }, + { + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "49b420bd8d8182542a76d4422e0c7890dcc88a3d8ddad04da06366d8c40ac8ca" + } + ], + "name": "other-component", + "vendor": "acme" + }, + { + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "name": "other-service", + "vendor": "acme" + }, + { + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "hashes": [ + { + "alg": "SHA-256", + "content": "adbbbe72c8f023b4a2d96a3978f69d94873ab2fef424e0298287c3368519c1a6" + } + ], + "name": "test-tool-a", + "vendor": "example", + "version": "1.33.7" + }, + { + "name": "test-component" + }, + { + "name": "test-service" + }, + { + "name": "test-tool-b" + } + ] + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.xml.bin new file mode 100644 index 000000000..d634f1825 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_and_tools_irreversible_migrate-1.7.xml.bin @@ -0,0 +1,98 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + CycloneDX + cyclonedx-python-lib + TESTING + + + https://github.com/CycloneDX/cyclonedx-python-lib/actions + + + https://pypi.org/project/cyclonedx-python-lib/ + + + https://cyclonedx-python-library.readthedocs.io/ + + + https://github.com/CycloneDX/cyclonedx-python-lib/issues + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md + + + https://github.com/CycloneDX/cyclonedx-python-lib + + + https://github.com/CycloneDX/cyclonedx-python-lib/#readme + + + + + acme + other-component + + 49b420bd8d8182542a76d4422e0c7890dcc88a3d8ddad04da06366d8c40ac8ca + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + acme + other-service + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + example + test-tool-a + 1.33.7 + + adbbbe72c8f023b4a2d96a3978f69d94873ab2fef424e0298287c3368519c1a6 + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + test-component + + + test-service + + + test-tool-b + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.json.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.json.bin new file mode 100644 index 000000000..72516a164 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.json.bin @@ -0,0 +1,127 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": { + "components": [ + { + "bom-ref": "other-component", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "group": "acme", + "hashes": [ + { + "alg": "SHA-256", + "content": "49b420bd8d8182542a76d4422e0c7890dcc88a3d8ddad04da06366d8c40ac8ca" + } + ], + "name": "other-component", + "type": "application" + }, + { + "description": "Python library for CycloneDX", + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx-python-library.readthedocs.io/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" + } + ], + "group": "CycloneDX", + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "id": "Apache-2.0" + } + } + ], + "name": "cyclonedx-python-lib", + "type": "library", + "version": "TESTING" + }, + { + "bom-ref": "test-component", + "name": "test-component", + "type": "library" + } + ], + "services": [ + { + "bom-ref": "other-service", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "group": "acme", + "name": "other-service" + }, + { + "bom-ref": "test-service", + "name": "test-service" + } + ] + } + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.xml.bin new file mode 100644 index 000000000..71349a426 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_and_service_migrate-1.7.xml.bin @@ -0,0 +1,88 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + acme + other-component + + 49b420bd8d8182542a76d4422e0c7890dcc88a3d8ddad04da06366d8c40ac8ca + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + CycloneDX + cyclonedx-python-lib + TESTING + Python library for CycloneDX + + + Apache-2.0 + + + + + https://github.com/CycloneDX/cyclonedx-python-lib/actions + + + https://pypi.org/project/cyclonedx-python-lib/ + + + https://cyclonedx-python-library.readthedocs.io/ + + + https://github.com/CycloneDX/cyclonedx-python-lib/issues + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md + + + https://github.com/CycloneDX/cyclonedx-python-lib + + + https://github.com/CycloneDX/cyclonedx-python-lib/#readme + + + + + test-component + + + + + acme + other-service + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + test-service + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.json.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.json.bin new file mode 100644 index 000000000..63512c80b --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.json.bin @@ -0,0 +1,103 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": { + "components": [ + { + "bom-ref": "other-component", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "group": "acme", + "hashes": [ + { + "alg": "SHA-256", + "content": "49b420bd8d8182542a76d4422e0c7890dcc88a3d8ddad04da06366d8c40ac8ca" + } + ], + "name": "other-component", + "type": "application" + }, + { + "description": "Python library for CycloneDX", + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx-python-library.readthedocs.io/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" + } + ], + "group": "CycloneDX", + "licenses": [ + { + "license": { + "acknowledgement": "declared", + "id": "Apache-2.0" + } + } + ], + "name": "cyclonedx-python-lib", + "type": "library", + "version": "TESTING" + }, + { + "bom-ref": "test-component", + "name": "test-component", + "type": "library" + } + ] + } + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.xml.bin new file mode 100644 index 000000000..46131bf9f --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_component_migrate-1.7.xml.bin @@ -0,0 +1,70 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + acme + other-component + + 49b420bd8d8182542a76d4422e0c7890dcc88a3d8ddad04da06366d8c40ac8ca + + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + CycloneDX + cyclonedx-python-lib + TESTING + Python library for CycloneDX + + + Apache-2.0 + + + + + https://github.com/CycloneDX/cyclonedx-python-lib/actions + + + https://pypi.org/project/cyclonedx-python-lib/ + + + https://cyclonedx-python-library.readthedocs.io/ + + + https://github.com/CycloneDX/cyclonedx-python-lib/issues + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE + + + https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md + + + https://github.com/CycloneDX/cyclonedx-python-lib + + + https://github.com/CycloneDX/cyclonedx-python-lib/#readme + + + + + test-component + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.json.bin b/tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.json.bin new file mode 100644 index 000000000..5feaa83e5 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.json.bin @@ -0,0 +1,46 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00", + "tools": { + "services": [ + { + "bom-ref": "other-service", + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "group": "acme", + "name": "other-service" + }, + { + "bom-ref": "test-service", + "name": "test-service" + } + ] + } + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.xml.bin new file mode 100644 index 000000000..cda60f02e --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_tools_with_service_migrate-1.7.xml.bin @@ -0,0 +1,30 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + + acme + other-service + + + https://cyclonedx.org + No comment + + 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + + + + + test-service + + + + + + val1 + val2 + + diff --git a/tests/test_deserialize_json.py b/tests/test_deserialize_json.py index 958335e63..14fcb953b 100644 --- a/tests/test_deserialize_json.py +++ b/tests/test_deserialize_json.py @@ -35,6 +35,8 @@ all_get_bom_funct_with_incomplete_deps, ) +_LATEST_SCHEMA = SchemaVersion.V1_7 + @ddt class TestDeserializeJson(TestCase, SnapshotMixin, DeepCompareMixin): @@ -44,7 +46,7 @@ class TestDeserializeJson(TestCase, SnapshotMixin, DeepCompareMixin): @patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') def test_prepared(self, get_bom: Callable[[], Bom], *_: Any, **__: Any) -> None: # only latest schema will have all data populated in serialized form - snapshot_name = mksname(get_bom, SchemaVersion.V1_6, OutputFormat.JSON) + snapshot_name = mksname(get_bom, _LATEST_SCHEMA, OutputFormat.JSON) expected = get_bom() json = json_loads(self.readSnapshot(snapshot_name)) bom = Bom.from_json(json) diff --git a/tests/test_deserialize_xml.py b/tests/test_deserialize_xml.py index 4d526c5ef..12e32e5f7 100644 --- a/tests/test_deserialize_xml.py +++ b/tests/test_deserialize_xml.py @@ -32,6 +32,8 @@ all_get_bom_funct_with_incomplete_deps, ) +_LATEST_SCHEMA = SchemaVersion.V1_7 + @ddt class TestDeserializeXml(TestCase, SnapshotMixin, DeepCompareMixin): @@ -41,7 +43,7 @@ class TestDeserializeXml(TestCase, SnapshotMixin, DeepCompareMixin): @patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') def test_prepared(self, get_bom: Callable[[], Bom], *_: Any, **__: Any) -> None: # only latest schema will have all data populated in serialized form - snapshot_name = mksname(get_bom, SchemaVersion.V1_6, OutputFormat.XML) + snapshot_name = mksname(get_bom, _LATEST_SCHEMA, OutputFormat.XML) expected = get_bom() with open(self.getSnapshotFile(snapshot_name)) as s: bom = Bom.from_xml(s) diff --git a/tests/test_model_bom.py b/tests/test_model_bom.py index 8dd1288b5..edd5b9a64 100644 --- a/tests/test_model_bom.py +++ b/tests/test_model_bom.py @@ -30,7 +30,7 @@ from cyclonedx.model.license import DisjunctiveLicense from cyclonedx.model.lifecycle import LifecyclePhase, NamedLifecycle, PredefinedLifecycle from cyclonedx.model.tool import Tool -from cyclonedx.output.json import JsonV1Dot6 +from cyclonedx.output.json import JsonV1Dot7 from tests._data.models import ( get_bom_component_licenses_invalid, get_bom_component_nested_licenses_invalid, @@ -163,14 +163,14 @@ def test_root_component_only_bom(self) -> None: with warnings.catch_warnings(record=True) as w: warnings.simplefilter('always') bom = Bom(metadata=BomMetaData(component=Component(name='test', version='1.2'))) - _ = JsonV1Dot6(bom).output_as_string() + _ = JsonV1Dot7(bom).output_as_string() self.assertEqual(len(w), 0) def test_warning_missing_dependency(self) -> None: with self.assertWarns(expected_warning=UserWarning) as w: bom = Bom(metadata=BomMetaData(component=Component(name='root_component', version='1.2'))) bom.components.add(Component(name='test2', version='4.2')) - _ = JsonV1Dot6(bom).output_as_string() + _ = JsonV1Dot7(bom).output_as_string() self.assertEqual(len(w.warnings), 1) self.assertIn('has no defined dependencies ', str(w.warnings[0])) diff --git a/tests/test_schema_SchemaVersion.py b/tests/test_schema_SchemaVersion.py index 0c7fab6fa..29fe465b1 100644 --- a/tests/test_schema_SchemaVersion.py +++ b/tests/test_schema_SchemaVersion.py @@ -22,6 +22,7 @@ from cyclonedx.schema import SchemaVersion SORTED_SV = ( + SchemaVersion.V1_7, SchemaVersion.V1_6, SchemaVersion.V1_5, SchemaVersion.V1_4, diff --git a/tests/test_schema__res.py b/tests/test_schema__res.py index 4292aaf24..7323ada7d 100644 --- a/tests/test_schema__res.py +++ b/tests/test_schema__res.py @@ -31,6 +31,7 @@ def _dp_files() -> Generator: yield file yield _res.SPDX_JSON yield _res.SPDX_XML + yield _res.CRYPTOGRAPHY_DEFS yield _res.JSF diff --git a/tools/schema-downloader.py b/tools/schema-downloader.py index 7865ab26c..30b7ecd54 100755 --- a/tools/schema-downloader.py +++ b/tools/schema-downloader.py @@ -21,12 +21,12 @@ from os.path import dirname, join, realpath from urllib.request import urlretrieve -SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/tags/1.6.1/schema/' +SOURCE_ROOT = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/tags/1.7/schema/' SOURCE_ROOT_LATEST = 'https://raw.githubusercontent.com/CycloneDX/specification/refs/heads/master/schema/' TARGET_ROOT = realpath(join(dirname(__file__), '..', 'cyclonedx', 'schema', '_res')) BOM_XSD = { - 'versions': ['1.6', '1.5', '1.4', '1.3', '1.2', '1.1', '1.0'], + 'versions': ['1.7', '1.6', '1.5', '1.4', '1.3', '1.2', '1.1', '1.0'], 'sourcePattern': f'{SOURCE_ROOT}bom-%s.xsd', 'targetPattern': join(TARGET_ROOT, 'bom-%s.SNAPSHOT.xsd'), 'replace': [], @@ -66,11 +66,12 @@ _DEFAULTS_WITH_PATERN_REPL = r'' BOM_JSON_LAX = { - 'versions': ['1.6', '1.5', '1.4', '1.3', '1.2'], + 'versions': ['1.7', '1.6', '1.5', '1.4', '1.3', '1.2'], 'sourcePattern': f'{SOURCE_ROOT}bom-%s.schema.json', 'targetPattern': join(TARGET_ROOT, 'bom-%s.SNAPSHOT.schema.json'), 'replace': [ ('spdx.schema.json', 'spdx.SNAPSHOT.schema.json'), + ('cryptography-defs.schema.json', 'cryptography-defs.SNAPSHOT.schema.json'), ('jsf-0.82.schema.json', 'jsf-0.82.SNAPSHOT.schema.json'), (_BOM_REQUIRED_S, _BOM_REQUIRED_R), ], @@ -94,8 +95,9 @@ } OTHER_DOWNLOADABLES = [ - (f'{SOURCE_ROOT_LATEST}spdx.schema.json', join(TARGET_ROOT, 'spdx.SNAPSHOT.schema.json')), (f'{SOURCE_ROOT_LATEST}spdx.xsd', join(TARGET_ROOT, 'spdx.SNAPSHOT.xsd')), + (f'{SOURCE_ROOT_LATEST}spdx.schema.json', join(TARGET_ROOT, 'spdx.SNAPSHOT.schema.json')), + (f'{SOURCE_ROOT_LATEST}cryptography-defs.schema.json', join(TARGET_ROOT, 'cryptography-defs.SNAPSHOT.schema.json')), (f'{SOURCE_ROOT_LATEST}jsf-0.82.schema.json', join(TARGET_ROOT, 'jsf-0.82.SNAPSHOT.schema.json')), ] From 25a27ccff51d3dd4f2184e638906cb2593e9f9f5 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Thu, 23 Oct 2025 14:28:22 +0000 Subject: [PATCH 41/76] chore(release): 11.4.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 9 +++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fb65c590..69c148492 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ +## v11.4.0 (2025-10-23) + +### Features + +- Add support for CycloneDX 1.7 (basics) + ([#902](https://github.com/CycloneDX/cyclonedx-python-lib/pull/902), + [`f35b9ee`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/f35b9eed0803f70882e30616f6fb3c0a4e212651)) + + ## v11.3.0 (2025-10-22) ### Bug Fixes diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index b283f8ec6..b7adb5587 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.3.0" # noqa:Q000 +__version__ = "11.4.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index bd6b126b8..fdec9efea 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.3.0' +release = '11.4.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 05af72669..b779cdbae 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.3.0" +version = "11.4.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From 649412cae1854621fa84fc2c9fb8effaae0fee91 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Oct 2025 09:03:25 +0100 Subject: [PATCH 42/76] chore(deps): bump actions/upload-artifact from 4 to 5 (#904) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
Release notes

Sourced from actions/upload-artifact's releases.

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v5.0.0

v4.6.2

What's Changed

New Contributors

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.6.2

v4.6.1

What's Changed

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.6.1

v4.6.0

What's Changed

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.6.0

v4.5.0

What's Changed

New Contributors

... (truncated)

Commits
  • 330a01c Merge pull request #734 from actions/danwkennedy/prepare-5.0.0
  • 03f2824 Update github.dep.yml
  • 905a1ec Prepare v5.0.0
  • 2d9f9cd Merge pull request #725 from patrikpolyak/patch-1
  • 9687587 Merge branch 'main' into patch-1
  • 2848b2c Merge pull request #727 from danwkennedy/patch-1
  • 9b51177 Spell out the first use of GHES
  • cd231ca Update GHES guidance to include reference to Node 20 version
  • de65e23 Merge pull request #712 from actions/nebuk89-patch-1
  • 8747d8c Update README.md
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index f78d975d5..6f63628f5 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -239,7 +239,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} From 5d42b558e655abd69b78a0bb1e60996c72fc6a18 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Oct 2025 09:03:33 +0100 Subject: [PATCH 43/76] chore(deps): bump actions/download-artifact from 5 to 6 (#905) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5 to 6.
Release notes

Sourced from actions/download-artifact's releases.

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: https://github.com/actions/download-artifact/compare/v5...v6.0.0

Commits
  • 018cc2c Merge pull request #438 from actions/danwkennedy/prepare-6.0.0
  • 815651c Revert "Remove github.dep.yml"
  • bb3a066 Remove github.dep.yml
  • fa1ce46 Prepare v6.0.0
  • 4a24838 Merge pull request #431 from danwkennedy/patch-1
  • 5e3251c Readme: spell out the first use of GHES
  • abefc31 Merge pull request #424 from actions/yacaovsnc/update_readme
  • ac43a60 Update README with artifact extraction details
  • de96f46 Merge pull request #417 from actions/yacaovsnc/update_readme
  • 7993cb4 Remove migration guide for artifact download changes
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 6f63628f5..5e19efb2f 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -253,7 +253,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v6 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* From 70adb7ccceb1296f197c70c95a2f01dc130cc6ae Mon Sep 17 00:00:00 2001 From: Johannes Feichtner <343448+Churro@users.noreply.github.com> Date: Fri, 31 Oct 2025 09:15:58 +0100 Subject: [PATCH 44/76] feat: add support for DistributionConstraints in BOM metadata (#906) part of #903 --------- Signed-off-by: Johannes Feichtner --- cyclonedx/model/bom.py | 97 ++++++++++++++++++- tests/_data/models.py | 15 ++- .../enum_TlpClassification-1.0.xml.bin | 4 + .../enum_TlpClassification-1.1.xml.bin | 4 + .../enum_TlpClassification-1.2.json.bin | 10 ++ .../enum_TlpClassification-1.2.xml.bin | 6 ++ .../enum_TlpClassification-1.3.json.bin | 10 ++ .../enum_TlpClassification-1.3.xml.bin | 6 ++ .../enum_TlpClassification-1.4.json.bin | 10 ++ .../enum_TlpClassification-1.4.xml.bin | 6 ++ .../enum_TlpClassification-1.5.json.bin | 20 ++++ .../enum_TlpClassification-1.5.xml.bin | 10 ++ .../enum_TlpClassification-1.6.json.bin | 20 ++++ .../enum_TlpClassification-1.6.xml.bin | 10 ++ .../enum_TlpClassification-1.7.json.bin | 23 +++++ .../enum_TlpClassification-1.7.xml.bin | 13 +++ ...et_bom_just_complete_metadata-1.7.json.bin | 3 + ...get_bom_just_complete_metadata-1.7.xml.bin | 3 + ..._with_distribution_constraints-1.0.xml.bin | 4 + ..._with_distribution_constraints-1.1.xml.bin | 4 + ...with_distribution_constraints-1.2.json.bin | 21 ++++ ..._with_distribution_constraints-1.2.xml.bin | 13 +++ ...with_distribution_constraints-1.3.json.bin | 21 ++++ ..._with_distribution_constraints-1.3.xml.bin | 13 +++ ...with_distribution_constraints-1.4.json.bin | 20 ++++ ..._with_distribution_constraints-1.4.xml.bin | 12 +++ ...with_distribution_constraints-1.5.json.bin | 30 ++++++ ..._with_distribution_constraints-1.5.xml.bin | 16 +++ ...with_distribution_constraints-1.6.json.bin | 30 ++++++ ..._with_distribution_constraints-1.6.xml.bin | 16 +++ ...with_distribution_constraints-1.7.json.bin | 33 +++++++ ..._with_distribution_constraints-1.7.xml.bin | 19 ++++ tests/test_enums.py | 20 +++- tests/test_model_bom.py | 47 ++++++++- 34 files changed, 584 insertions(+), 5 deletions(-) create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.0.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.1.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.2.json.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.2.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.3.json.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.3.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.4.json.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.4.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.5.json.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.5.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.6.json.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.6.xml.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.7.json.bin create mode 100644 tests/_data/snapshots/enum_TlpClassification-1.7.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.0.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.1.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.xml.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.json.bin create mode 100644 tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.xml.bin diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 4debf4217..9c4b8cad2 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -18,6 +18,7 @@ from collections.abc import Generator, Iterable from datetime import datetime +from enum import Enum from itertools import chain from typing import TYPE_CHECKING, Optional, Union from uuid import UUID, uuid4 @@ -56,6 +57,81 @@ from packageurl import PackageURL +@serializable.serializable_enum +class TlpClassification(str, Enum): + """ + Enum object that defines the Traffic Light Protocol (TLP) classification that controls the sharing and distribution + of the data that the BOM describes. + + .. note:: + Introduced in CycloneDX v1.7 + + .. note:: + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_tlpClassificationType + """ + + CLEAR = 'CLEAR' + GREEN = 'GREEN' + AMBER = 'AMBER' + AMBER_AND_STRICT = 'AMBER_AND_STRICT' + RED = 'RED' + + +@serializable.serializable_class(ignore_unknown_during_deserialization=True) +class DistributionConstraints: + """ + Our internal representation of the `distributionConstraints` complex type. + Conditions and constraints governing the sharing and distribution of the data or components described by this BOM. + + .. note:: + Introduced in CycloneDX v1.7 + + .. note:: + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.7/xml/#type_metadata + """ + + def __init__( + self, *, + tlp: Optional[TlpClassification] = None, + ) -> None: + self.tlp = tlp or TlpClassification.CLEAR + + @property + @serializable.xml_sequence(0) + def tlp(self) -> TlpClassification: + """ + The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the + BOM describes. + + Returns: + `TlpClassification` enum value + """ + return self._tlp + + @tlp.setter + def tlp(self, tlp: TlpClassification) -> None: + self._tlp = tlp + + def __comparable_tuple(self) -> _ComparableTuple: + return _ComparableTuple(self.tlp) + + def __eq__(self, other: object) -> bool: + if isinstance(other, DistributionConstraints): + return self.__comparable_tuple() == other.__comparable_tuple() + return False + + def __lt__(self, other: object) -> bool: + if isinstance(other, DistributionConstraints): + return self.__comparable_tuple() < other.__comparable_tuple() + return NotImplemented + + def __hash__(self) -> int: + return hash(self.__comparable_tuple()) + + def __repr__(self) -> str: + return f'' + + @serializable.serializable_class(ignore_unknown_during_deserialization=True) class BomMetaData: """ @@ -76,6 +152,7 @@ def __init__( timestamp: Optional[datetime] = None, manufacturer: Optional[OrganizationalEntity] = None, lifecycles: Optional[Iterable[Lifecycle]] = None, + distribution_constraints: Optional[DistributionConstraints] = None, # Deprecated as of v1.6 manufacture: Optional[OrganizationalEntity] = None, ) -> None: @@ -88,6 +165,7 @@ def __init__( self.properties = properties or [] self.manufacturer = manufacturer self.lifecycles = lifecycles or [] + self.distribution_constraints = distribution_constraints # deprecated properties below self.manufacture = manufacture @@ -301,10 +379,27 @@ def properties(self) -> 'SortedSet[Property]': def properties(self, properties: Iterable[Property]) -> None: self._properties = SortedSet(properties) + @property + @serializable.view(SchemaVersion1Dot7) + @serializable.xml_sequence(11) + def distribution_constraints(self) -> Optional[DistributionConstraints]: + """ + Conditions and constraints governing the sharing and distribution of the data or components described by this + BOM. + + Returns: + `DistributionConstraints` or `None` + """ + return self._distribution_constraints + + @distribution_constraints.setter + def distribution_constraints(self, distribution_constraints: Optional[DistributionConstraints]) -> None: + self._distribution_constraints = distribution_constraints + def __comparable_tuple(self) -> _ComparableTuple: return _ComparableTuple(( _ComparableTuple(self.authors), self.component, _ComparableTuple(self.licenses), self.manufacture, - _ComparableTuple(self.properties), + _ComparableTuple(self.properties), self.distribution_constraints, _ComparableTuple(self.lifecycles), self.supplier, self.timestamp, self.tools, self.manufacturer )) diff --git a/tests/_data/models.py b/tests/_data/models.py index 8d3a089d3..793006a44 100644 --- a/tests/_data/models.py +++ b/tests/_data/models.py @@ -42,7 +42,7 @@ Property, XsUri, ) -from cyclonedx.model.bom import Bom, BomMetaData +from cyclonedx.model.bom import Bom, BomMetaData, DistributionConstraints, TlpClassification from cyclonedx.model.bom_ref import BomRef from cyclonedx.model.component import ( Commit, @@ -582,6 +582,7 @@ def get_bom_just_complete_metadata() -> Bom: )] bom.metadata.lifecycles = [PredefinedLifecycle(LifecyclePhase.BUILD)] bom.metadata.properties = get_properties_1() + bom.metadata.distribution_constraints = DistributionConstraints(tlp=TlpClassification.GREEN) return bom @@ -1403,6 +1404,17 @@ def get_bom_with_lifecycles() -> Bom: ) +def get_bom_with_distribution_constraints() -> Bom: + return _make_bom( + metadata=BomMetaData( + distribution_constraints=DistributionConstraints( + tlp=TlpClassification.AMBER_AND_STRICT + ), + component=Component(name='app', type=ComponentType.APPLICATION, bom_ref='my-app'), + ) + ) + + def get_bom_with_definitions_standards() -> Bom: """ Returns a BOM with definitions and standards only. @@ -1584,6 +1596,7 @@ def get_bom_for_issue540_duplicate_components() -> Bom: get_bom_with_component_setuptools_with_v16_fields, get_bom_for_issue_630_empty_property, get_bom_with_lifecycles, + get_bom_with_distribution_constraints, get_bom_with_definitions_standards, get_bom_with_definitions_and_detailed_standards, } diff --git a/tests/_data/snapshots/enum_TlpClassification-1.0.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.0.xml.bin new file mode 100644 index 000000000..acb066124 --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.0.xml.bin @@ -0,0 +1,4 @@ + + + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.1.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.1.xml.bin new file mode 100644 index 000000000..55ef5cda2 --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.1.xml.bin @@ -0,0 +1,4 @@ + + + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.2.json.bin b/tests/_data/snapshots/enum_TlpClassification-1.2.json.bin new file mode 100644 index 000000000..8f473bd3a --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.2.json.bin @@ -0,0 +1,10 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_TlpClassification-1.2.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.2.xml.bin new file mode 100644 index 000000000..df1938ec0 --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.2.xml.bin @@ -0,0 +1,6 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.3.json.bin b/tests/_data/snapshots/enum_TlpClassification-1.3.json.bin new file mode 100644 index 000000000..02943890a --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.3.json.bin @@ -0,0 +1,10 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.3" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_TlpClassification-1.3.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.3.xml.bin new file mode 100644 index 000000000..8341ff600 --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.3.xml.bin @@ -0,0 +1,6 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.4.json.bin b/tests/_data/snapshots/enum_TlpClassification-1.4.json.bin new file mode 100644 index 000000000..48f1745d1 --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.4.json.bin @@ -0,0 +1,10 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.4" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_TlpClassification-1.4.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.4.xml.bin new file mode 100644 index 000000000..d0a7d4c90 --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.4.xml.bin @@ -0,0 +1,6 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.5.json.bin b/tests/_data/snapshots/enum_TlpClassification-1.5.json.bin new file mode 100644 index 000000000..57b5e590e --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.5.json.bin @@ -0,0 +1,20 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_TlpClassification-1.5.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.5.xml.bin new file mode 100644 index 000000000..f952637cf --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.5.xml.bin @@ -0,0 +1,10 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.6.json.bin b/tests/_data/snapshots/enum_TlpClassification-1.6.json.bin new file mode 100644 index 000000000..b93790d4b --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.6.json.bin @@ -0,0 +1,20 @@ +{ + "metadata": { + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_TlpClassification-1.6.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.6.xml.bin new file mode 100644 index 000000000..6faca474a --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.6.xml.bin @@ -0,0 +1,10 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + + val1 + val2 + + diff --git a/tests/_data/snapshots/enum_TlpClassification-1.7.json.bin b/tests/_data/snapshots/enum_TlpClassification-1.7.json.bin new file mode 100644 index 000000000..e5f7f9c2a --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.7.json.bin @@ -0,0 +1,23 @@ +{ + "metadata": { + "distributionConstraints": { + "tlp": "CLEAR" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/enum_TlpClassification-1.7.xml.bin b/tests/_data/snapshots/enum_TlpClassification-1.7.xml.bin new file mode 100644 index 000000000..5f78c14aa --- /dev/null +++ b/tests/_data/snapshots/enum_TlpClassification-1.7.xml.bin @@ -0,0 +1,13 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + CLEAR + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin index 24e062a6e..4869ed921 100644 --- a/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin +++ b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.json.bin @@ -367,6 +367,9 @@ "type": "library", "version": "50.3.2" }, + "distributionConstraints": { + "tlp": "GREEN" + }, "licenses": [ { "license": { diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin index ac12da27f..d188f978f 100644 --- a/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin +++ b/tests/_data/snapshots/get_bom_just_complete_metadata-1.7.xml.bin @@ -317,6 +317,9 @@ val1 val2 + + GREEN + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.0.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.0.xml.bin new file mode 100644 index 000000000..acb066124 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.0.xml.bin @@ -0,0 +1,4 @@ + + + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.1.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.1.xml.bin new file mode 100644 index 000000000..55ef5cda2 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.1.xml.bin @@ -0,0 +1,4 @@ + + + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.json.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.json.bin new file mode 100644 index 000000000..18150abd0 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.json.bin @@ -0,0 +1,21 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application", + "version": "" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.xml.bin new file mode 100644 index 000000000..5fb21515b --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.2.xml.bin @@ -0,0 +1,13 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + + + + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.json.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.json.bin new file mode 100644 index 000000000..fd64f1450 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.json.bin @@ -0,0 +1,21 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application", + "version": "" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.3" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.xml.bin new file mode 100644 index 000000000..7bb6d933a --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.3.xml.bin @@ -0,0 +1,13 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + + + + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.json.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.json.bin new file mode 100644 index 000000000..199835665 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.json.bin @@ -0,0 +1,20 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.4" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.xml.bin new file mode 100644 index 000000000..118c192fd --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.4.xml.bin @@ -0,0 +1,12 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + + + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.json.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.json.bin new file mode 100644 index 000000000..c37c40f30 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.json.bin @@ -0,0 +1,30 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.xml.bin new file mode 100644 index 000000000..77a416bc8 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.5.xml.bin @@ -0,0 +1,16 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.json.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.json.bin new file mode 100644 index 000000000..7085323c1 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.json.bin @@ -0,0 +1,30 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.xml.bin new file mode 100644 index 000000000..d8276254c --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.6.xml.bin @@ -0,0 +1,16 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + + + + + val1 + val2 + + diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.json.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.json.bin new file mode 100644 index 000000000..ae96fe14c --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.json.bin @@ -0,0 +1,33 @@ +{ + "dependencies": [ + { + "ref": "my-app" + } + ], + "metadata": { + "component": { + "bom-ref": "my-app", + "name": "app", + "type": "application" + }, + "distributionConstraints": { + "tlp": "AMBER_AND_STRICT" + }, + "timestamp": "2023-01-07T13:44:32.312678+00:00" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.7" +} \ No newline at end of file diff --git a/tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.xml.bin new file mode 100644 index 000000000..2167d67f4 --- /dev/null +++ b/tests/_data/snapshots/get_bom_with_distribution_constraints-1.7.xml.bin @@ -0,0 +1,19 @@ + + + + 2023-01-07T13:44:32.312678+00:00 + + app + + + AMBER_AND_STRICT + + + + + + + val1 + val2 + + diff --git a/tests/test_enums.py b/tests/test_enums.py index f769388e3..1d749d637 100644 --- a/tests/test_enums.py +++ b/tests/test_enums.py @@ -30,7 +30,7 @@ from cyclonedx.exception import MissingOptionalDependencyException from cyclonedx.exception.serialization import SerializationOfUnsupportedComponentTypeException from cyclonedx.model import AttachedText, ExternalReference, HashType, XsUri -from cyclonedx.model.bom import Bom, BomMetaData +from cyclonedx.model.bom import Bom, BomMetaData, DistributionConstraints, TlpClassification from cyclonedx.model.component import Component, Patch, Pedigree from cyclonedx.model.issue import IssueType from cyclonedx.model.license import DisjunctiveLicense @@ -490,3 +490,21 @@ def test_cases_render_valid(self, of: OutputFormat, sv: SchemaVersion, *_: Any, lifecycles=[PredefinedLifecycle(phase=phase) for phase in LifecyclePhase] )) super()._test_cases_render(bom, of, sv) + + +@ddt +class TestEnumTlpClassification(_EnumTestCase): + + @idata(set(chain( + dp_cases_from_xml_schemas(f"./{SCHEMA_NS}simpleType[@name='tlpClassificationType']"), + dp_cases_from_json_schemas('definitions', 'tlpClassification'), + ))) + def test_knows_value(self, value: str) -> None: + super()._test_knows_value(TlpClassification, value) + + @named_data(*NAMED_OF_SV) + def test_cases_render_valid(self, of: OutputFormat, sv: SchemaVersion, *_: Any, **__: Any) -> None: + bom = _make_bom(metadata=BomMetaData( + distribution_constraints=DistributionConstraints(tlp=TlpClassification.CLEAR) + )) + super()._test_cases_render(bom, of, sv) diff --git a/tests/test_model_bom.py b/tests/test_model_bom.py index edd5b9a64..030ee4a56 100644 --- a/tests/test_model_bom.py +++ b/tests/test_model_bom.py @@ -16,6 +16,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. import warnings from collections.abc import Callable +from random import shuffle from unittest import TestCase from uuid import uuid4 @@ -23,7 +24,7 @@ from cyclonedx.exception.model import LicenseExpressionAlongWithOthersException from cyclonedx.model import Property -from cyclonedx.model.bom import Bom, BomMetaData +from cyclonedx.model.bom import Bom, BomMetaData, DistributionConstraints, TlpClassification from cyclonedx.model.bom_ref import BomRef from cyclonedx.model.component import Component, ComponentType from cyclonedx.model.contact import OrganizationalContact, OrganizationalEntity @@ -31,6 +32,7 @@ from cyclonedx.model.lifecycle import LifecyclePhase, NamedLifecycle, PredefinedLifecycle from cyclonedx.model.tool import Tool from cyclonedx.output.json import JsonV1Dot7 +from tests import reorder from tests._data.models import ( get_bom_component_licenses_invalid, get_bom_component_nested_licenses_invalid, @@ -45,6 +47,43 @@ ) +class TestDistributionConstraints(TestCase): + + def test_create(self) -> None: + dc = DistributionConstraints(tlp=TlpClassification.GREEN) + self.assertIs(TlpClassification.GREEN, dc.tlp) + + def test_update(self) -> None: + dc = DistributionConstraints(tlp=TlpClassification.AMBER_AND_STRICT) + dc.tlp = TlpClassification.RED + self.assertIs(TlpClassification.RED, dc.tlp) + + def test_equal(self) -> None: + a = DistributionConstraints(tlp=TlpClassification.GREEN) + b = DistributionConstraints(tlp=TlpClassification.GREEN) + c = DistributionConstraints(tlp=TlpClassification.RED) + self.assertEqual(a, b) + self.assertNotEqual(a, c) + + def test_sort(self) -> None: + expected_order = [2, 1, 3, 0] + dcs = [ + DistributionConstraints(tlp=TlpClassification.RED), + DistributionConstraints(tlp=TlpClassification.AMBER), + DistributionConstraints(tlp=TlpClassification.AMBER_AND_STRICT), + DistributionConstraints(tlp=TlpClassification.CLEAR), + ] + expected_dcs = reorder(dcs, expected_order) + shuffle(dcs) + sorted_dcs = sorted(dcs) + self.assertListEqual(sorted_dcs, expected_dcs) + + def test_create_distribution_constraints(self) -> None: + dc = DistributionConstraints(tlp=TlpClassification.AMBER) + self.assertIsNotNone(dc) + self.assertEqual(TlpClassification.AMBER, dc.tlp) + + class TestBomMetaData(TestCase): def test_empty_bom_metadata(self) -> None: @@ -54,6 +93,7 @@ def test_empty_bom_metadata(self) -> None: self.assertIsNone(metadata.component) self.assertIsNone(metadata.manufacture) self.assertIsNone(metadata.supplier) + self.assertIsNone(metadata.distribution_constraints) self.assertEqual(0, len(metadata.licenses)) self.assertEqual(0, len(metadata.lifecycles)) self.assertEqual(0, len(metadata.properties)) @@ -83,9 +123,11 @@ def test_basic_bom_metadata(self) -> None: Property(name='property_1', value='value_1'), Property(name='property_2', value='value_2', ) ] + distribution_constraints = DistributionConstraints(tlp=TlpClassification.CLEAR) metadata = BomMetaData(tools=tools, authors=authors, component=component, lifecycles=lifecycles, - manufacture=manufacturer, supplier=supplier, licenses=licenses, properties=properties) + manufacture=manufacturer, supplier=supplier, licenses=licenses, properties=properties, + distribution_constraints=distribution_constraints) self.assertIsNotNone(metadata.timestamp) self.assertIsNotNone(metadata.authors) self.assertTrue(authors[0] in metadata.authors) @@ -106,6 +148,7 @@ def test_basic_bom_metadata(self) -> None: self.assertEqual(2, len(metadata.tools.tools)) self.assertTrue(tools[0] in metadata.tools.tools) self.assertTrue(tools[1] in metadata.tools.tools) + self.assertEqual(metadata.distribution_constraints, distribution_constraints) def test_bom_metadata_sorting(self) -> None: """Test that BomMetaData instances can be sorted without triggering TypeError""" From 73e7c1a5ddb8935730c896739348cb808d05fa18 Mon Sep 17 00:00:00 2001 From: Johannes Feichtner <343448+Churro@users.noreply.github.com> Date: Fri, 31 Oct 2025 09:19:54 +0100 Subject: [PATCH 45/76] feat: add support for properties in external references (#907) part of https://github.com/CycloneDX/cyclonedx-python-lib/issues/903 --------- Signed-off-by: Johannes Feichtner --- cyclonedx/model/__init__.py | 21 ++++++++++++++++++- tests/_data/models.py | 13 +++++++++++- ...t_bom_with_external_references-1.1.xml.bin | 3 +++ ..._bom_with_external_references-1.2.json.bin | 4 ++++ ...t_bom_with_external_references-1.2.xml.bin | 3 +++ ..._bom_with_external_references-1.3.json.bin | 4 ++++ ...t_bom_with_external_references-1.3.xml.bin | 3 +++ ..._bom_with_external_references-1.4.json.bin | 4 ++++ ...t_bom_with_external_references-1.4.xml.bin | 3 +++ ..._bom_with_external_references-1.5.json.bin | 4 ++++ ...t_bom_with_external_references-1.5.xml.bin | 3 +++ ..._bom_with_external_references-1.6.json.bin | 4 ++++ ...t_bom_with_external_references-1.6.xml.bin | 3 +++ ..._bom_with_external_references-1.7.json.bin | 14 +++++++++++++ ...t_bom_with_external_references-1.7.xml.bin | 7 +++++++ tests/test_model_component.py | 16 +++++++++++--- 16 files changed, 104 insertions(+), 5 deletions(-) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 925c2a90e..ff0abc773 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -835,11 +835,13 @@ def __init__( url: XsUri, comment: Optional[str] = None, hashes: Optional[Iterable[HashType]] = None, + properties: Optional[Iterable['Property']] = None, ) -> None: self.url = url self.comment = comment self.type = type self.hashes = hashes or [] + self.properties = properties or [] @property @serializable.xml_sequence(1) @@ -909,10 +911,27 @@ def hashes(self) -> 'SortedSet[HashType]': def hashes(self, hashes: Iterable[HashType]) -> None: self._hashes = SortedSet(hashes) + @property + @serializable.view(SchemaVersion1Dot7) + @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property') + def properties(self) -> 'SortedSet[Property]': + """ + Provides the ability to document properties in a key/value store. This provides flexibility to include data not + officially supported in the standard without having to use additional namespaces or create extensions. + + Return: + Set of `Property` + """ + return self._properties + + @properties.setter + def properties(self, properties: Iterable['Property']) -> None: + self._properties = SortedSet(properties) + def __comparable_tuple(self) -> _ComparableTuple: return _ComparableTuple(( self._type, self._url, self._comment, - _ComparableTuple(self._hashes) + _ComparableTuple(self._hashes), _ComparableTuple(self.properties), )) def __eq__(self, other: object) -> bool: diff --git a/tests/_data/models.py b/tests/_data/models.py index 793006a44..43d62570e 100644 --- a/tests/_data/models.py +++ b/tests/_data/models.py @@ -588,7 +588,7 @@ def get_bom_just_complete_metadata() -> Bom: def get_bom_with_external_references() -> Bom: bom = _make_bom(external_references=[ - get_external_reference_1(), get_external_reference_2() + get_external_reference_1(), get_external_reference_2(), get_external_reference_with_properties() ]) return bom @@ -896,6 +896,17 @@ def get_external_reference_2() -> ExternalReference: ) +def get_external_reference_with_properties() -> ExternalReference: + return ExternalReference( + type=ExternalReferenceType.VCS, + url=XsUri('https://cyclonedx.org'), + properties=[ + Property(name='property_1', value='value_1'), + Property(name='property_2', value='value_2') + ] + ) + + def get_issue_1() -> IssueType: return IssueType( type=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.1.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.1.xml.bin index 0a260e819..b7b31df00 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.1.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.1.xml.bin @@ -6,6 +6,9 @@ https://cyclonedx.org No comment + + https://cyclonedx.org + https://cyclonedx.org diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.2.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.2.json.bin index b108f640a..0e507a443 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.2.json.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.2.json.bin @@ -5,6 +5,10 @@ "type": "distribution", "url": "https://cyclonedx.org" }, + { + "type": "vcs", + "url": "https://cyclonedx.org" + }, { "type": "website", "url": "https://cyclonedx.org" diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.2.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.2.xml.bin index 44a8e0a51..4fba839e9 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.2.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.2.xml.bin @@ -8,6 +8,9 @@ https://cyclonedx.org No comment + + https://cyclonedx.org + https://cyclonedx.org diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.3.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.3.json.bin index 19fcd07f3..3e793c509 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.3.json.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.3.json.bin @@ -11,6 +11,10 @@ "type": "distribution", "url": "https://cyclonedx.org" }, + { + "type": "vcs", + "url": "https://cyclonedx.org" + }, { "type": "website", "url": "https://cyclonedx.org" diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.3.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.3.xml.bin index 0ae18fbad..13a9e149f 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.3.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.3.xml.bin @@ -11,6 +11,9 @@ 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + https://cyclonedx.org + https://cyclonedx.org diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.4.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.4.json.bin index e90c3ea2a..43fbfa6de 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.4.json.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.4.json.bin @@ -11,6 +11,10 @@ "type": "distribution", "url": "https://cyclonedx.org" }, + { + "type": "vcs", + "url": "https://cyclonedx.org" + }, { "type": "website", "url": "https://cyclonedx.org" diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.4.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.4.xml.bin index f64b1c7af..7889bb9d4 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.4.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.4.xml.bin @@ -11,6 +11,9 @@ 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + https://cyclonedx.org + https://cyclonedx.org diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.5.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.5.json.bin index 552385888..52a6c19d9 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.5.json.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.5.json.bin @@ -11,6 +11,10 @@ "type": "distribution", "url": "https://cyclonedx.org" }, + { + "type": "vcs", + "url": "https://cyclonedx.org" + }, { "type": "website", "url": "https://cyclonedx.org" diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.5.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.5.xml.bin index 411ab39a0..1a6c87b14 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.5.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.5.xml.bin @@ -11,6 +11,9 @@ 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + https://cyclonedx.org + https://cyclonedx.org diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.6.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.6.json.bin index 82c9bc406..050afd045 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.6.json.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.6.json.bin @@ -11,6 +11,10 @@ "type": "distribution", "url": "https://cyclonedx.org" }, + { + "type": "vcs", + "url": "https://cyclonedx.org" + }, { "type": "website", "url": "https://cyclonedx.org" diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.6.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.6.xml.bin index 7dee398e6..6216a6d33 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.6.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.6.xml.bin @@ -11,6 +11,9 @@ 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + https://cyclonedx.org + https://cyclonedx.org diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin b/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin index 01744db68..ebeb80240 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.7.json.bin @@ -11,6 +11,20 @@ "type": "distribution", "url": "https://cyclonedx.org" }, + { + "properties": [ + { + "name": "property_1", + "value": "value_1" + }, + { + "name": "property_2", + "value": "value_2" + } + ], + "type": "vcs", + "url": "https://cyclonedx.org" + }, { "type": "website", "url": "https://cyclonedx.org" diff --git a/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin index 02af4c300..dcf64c052 100644 --- a/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin +++ b/tests/_data/snapshots/get_bom_with_external_references-1.7.xml.bin @@ -11,6 +11,13 @@ 806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b + + https://cyclonedx.org + + value_1 + value_2 + + https://cyclonedx.org diff --git a/tests/test_model_component.py b/tests/test_model_component.py index 9c47fe024..44f59a121 100644 --- a/tests/test_model_component.py +++ b/tests/test_model_component.py @@ -132,16 +132,24 @@ def test_multiple_basic_components(self) -> None: def test_external_references(self) -> None: c1 = Component(name='test-component') + properties = [ + Property(name='property_1', value='value_1'), + Property(name='property_2', value='value_2') + ] c1.external_references.add(ExternalReference( type=ExternalReferenceType.OTHER, url=XsUri('https://cyclonedx.org'), - comment='No comment' + comment='No comment', + properties=properties )) self.assertEqual(c1.name, 'test-component') self.assertIsNone(c1.version) self.assertEqual(c1.type, ComponentType.LIBRARY) self.assertEqual(len(c1.external_references), 1) self.assertEqual(len(c1.hashes), 0) + self.assertIsNotNone(c1.external_references[0].properties) + self.assertIn(properties[0], c1.external_references[0].properties) + self.assertIn(properties[1], c1.external_references[0].properties) c2 = Component(name='test2-component') self.assertEqual(c2.name, 'test2-component') @@ -163,13 +171,15 @@ def test_component_equal_1(self) -> None: c1.external_references.add(ExternalReference( type=ExternalReferenceType.OTHER, url=XsUri('https://cyclonedx.org'), - comment='No comment' + comment='No comment', + properties=[Property(name='property_1', value='value_1')] )) c2 = Component(name='test-component') c2.external_references.add(ExternalReference( type=ExternalReferenceType.OTHER, url=XsUri('https://cyclonedx.org'), - comment='No comment' + comment='No comment', + properties=[Property(name='property_1', value='value_1')] )) self.assertEqual(c1, c2) From aff96368a0c66181a80b67c904e847cebeb44966 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Fri, 31 Oct 2025 08:32:42 +0000 Subject: [PATCH 46/76] chore(release): 11.5.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 13 +++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69c148492..7cfcd095c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,19 @@ +## v11.5.0 (2025-10-31) + +### Features + +- Add support for DistributionConstraints in BOM metadata + ([#906](https://github.com/CycloneDX/cyclonedx-python-lib/pull/906), + [`70adb7c`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/70adb7ccceb1296f197c70c95a2f01dc130cc6ae)) + +- Add support for properties in external references + ([#907](https://github.com/CycloneDX/cyclonedx-python-lib/pull/907), + [`73e7c1a`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/73e7c1a5ddb8935730c896739348cb808d05fa18)) + + ## v11.4.0 (2025-10-23) ### Features diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index b7adb5587..a0bfe9324 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.4.0" # noqa:Q000 +__version__ = "11.5.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index fdec9efea..cd9bc4d1b 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.4.0' +release = '11.5.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index b779cdbae..cdcf23d7a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.4.0" +version = "11.5.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From 4f76c7922f7b04ac5ed16a8b3c09ee573d6f29bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Nov 2025 13:50:59 +0100 Subject: [PATCH 47/76] chore(deps): bump actions/checkout from 5 to 6 (#915) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: https://github.com/actions/checkout/compare/v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: https://github.com/actions/checkout/compare/v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

V6.0.0

V5.0.1

V5.0.0

V4.3.1

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

... (truncated)

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 14 +++++++------- .github/workflows/release.yml | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 5e19efb2f..a378c67e5 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -57,7 +57,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -81,7 +81,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -105,7 +105,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -141,7 +141,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -204,7 +204,7 @@ jobs: git config --global core.eol lf - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment @@ -282,7 +282,7 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b32afec33..eb99f16a7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -70,7 +70,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@v6 @@ -105,7 +105,7 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: fetch-depth: 0 From 687818fca7635936c5e3b0caeae617a46d646e8a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Dec 2025 10:03:25 +0100 Subject: [PATCH 48/76] chore(deps-dev): update mypy requirement from 1.18.2 to 1.19.0 (#918) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Drop Support for Python 3.9

Mypy no longer supports running with Python 3.9, which has reached end-of-life. When running mypy with Python 3.10+, it is still possible to type check code that needs to support Python 3.9 with the --python-version 3.9 argument. Support for this will be dropped in the first half of 2026!

Contributed by Marc Mueller (PR 20156).

Mypy 1.19

We’ve just uploaded mypy 1.19.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Python 3.9 Support Ending Soon

This is the last mypy feature release that supports Python 3.9, which reached end of life in October 2025.

Performance Improvements

  • Switch to a more dynamic SCC processing logic (Ivan Levkivskyi, PR 20053)
  • Speed up type aliases (Ivan Levkivskyi, PR 19810)

Fixed‑Format Cache Improvements

Mypy uses a cache by default to speed up incremental runs by reusing partial results from earlier runs. Mypy 1.18 added a new binary fixed-format cache representation as an experimental feature. The feature is no longer experimental, and we are planning to enable it by default in a future mypy release (possibly 1.20), since it's faster and uses less space than the original, JSON-based cache format. Use --fixed-format-cache to enable the fixed-format cache.

Mypy now has an extra dependency on the librt PyPI package, as it's needed for cache serialization and deserialization.

Mypy ships with a tool to convert fixed-format cache files to the old JSON format. Example of how to use this:

$ python -m mypy.exportjson .mypy_cache/.../my_module.data.ff

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | mypy | [>= 0.971.a, < 0.972] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index cdcf23d7a..6d4573156 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -97,7 +97,7 @@ flake8-use-fstring = "1.4" pep8-naming = "0.15.1" isort = "6.1.0" autopep8 = "2.3.2" -mypy = "1.18.2" +mypy = "1.19.0" tomli = { version = "2.3.0", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" From 7e6771b0c1166d384ee438460e45794914937b6e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 2 Dec 2025 11:41:12 +0100 Subject: [PATCH 49/76] docs: update 1.7 (#920) Signed-off-by: Jan Kowalleck --- docs/outputting.rst | 9 ++++++--- docs/schema-support.rst | 4 ++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/outputting.rst b/docs/outputting.rst index d04ee1a4c..4d06ba343 100644 --- a/docs/outputting.rst +++ b/docs/outputting.rst @@ -30,11 +30,14 @@ Supported CycloneDX Schema Versions This library supports the following schema versions: +* 1.7 (XML, JSON) - the latest supported schema version +* 1.6 (XML, JSON) +* 1.5 (XML, JSON) +* 1.4 (XML, JSON) +* 1.3 (XML, JSON) +* 1.2 (XML, JSON) * 1.0 (XML) - `(note, 1.1 schema version has no support for JSON)` * 1.1 (XML) - `(note, 1.1 schema version has no support for JSON)` -* 1.2 (XML, JSON) -* 1.3 (XML, JSON) -* 1.4 (XML, JSON) - the latest supported schema version Outputting to JSON ------------------ diff --git a/docs/schema-support.rst b/docs/schema-support.rst index 57b4cdb5e..fe37633dc 100644 --- a/docs/schema-support.rst +++ b/docs/schema-support.rst @@ -24,6 +24,8 @@ supported in prior versions of the CycloneDX schema. Root Level Schema Support ------------------------- +This is a snapshot. See the API docs for the latest state. + +----------------------------+---------------+---------------------------------------------------------------------------------------------------+ | Data Path | Supported? | Notes | +============================+===============+===================================================================================================+ @@ -62,6 +64,8 @@ Root Level Schema Support Internal Model Schema Support ----------------------------- +This is a snapshot. See the API docs for the latest state. + +----------------------------+---------------+----------------------------------------------------------------------------------------------+ | Internal Model | Supported? | Notes | +============================+===============+==============================================================================================+ From 15a902374bc6507788853a854256d3570ab250a7 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 2 Dec 2025 13:17:02 +0100 Subject: [PATCH 50/76] =?UTF-8?q?feat:=20Moved=20non=E2=80=91standard=20im?= =?UTF-8?q?plementations=20to=20Contrib=20area=20(#916)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Added - New sub-package `contrib`. * Changed - Moved non‑standard implementations to Contrib area. * Deprecated - Certain exports have been deprecated; downstream imports should be updated to the new locations. Note: the symbols themselves remain supported. See documentation and the "Refactored" section below for details. - Some (trivial) non-standard functionality was deprecated: - `model.bom.Bom.get_component_by_purl()` - `model.bom.Bom.get_urn_uuid()` - `model.bom.Bom.has_component()` - `model.bom.Bom.get_vulnerabilities_for_bom_ref()` - `model.bom.Bom.has_vulnerabilities()` - `model.bom.Bom.urn()` * Refactored * The following symbols were moved. The symbols are still import-able through their old location. * **OLD** -> **NEW** - `builder.this.this_component()` -> `contrib.this.builders.this_component()` - `builder.this.this_tool()` -> `contrib.this.builders.this_tool()` - `exception.factory.*` -> `contrib.license.exceptions.*` - `factory.license.LicenseFactory` -> `contrib.license.factories.LicenseFactory` - `model.HashType.from_hashlib_alg()` -> `contrib.hash.factories.HashTypeFactory.from_hashlib_alg()` - `model.HashType.from_composite_str()` -> `contrib.hash.factories.HashTypeFactory.from_composite_str()` - `model.component.Component.for_file()` -> `contrib.component.builders.ComponentBuilder.make_for_file()` - `model.vulnerability.VulnerabilitySeverity.get_from_cvss_scores()` -> `contrib.vulnerability.cvss.vs_from_cvss_scores()` --------- Signed-off-by: Jan Kowalleck --- cyclonedx/builder/__init__.py | 2 + cyclonedx/builder/this.py | 100 ++++++-------- cyclonedx/contrib/README.md | 20 +++ .../hash.py => contrib/__init__.py} | 28 +--- cyclonedx/contrib/component/__init__.py | 18 +++ cyclonedx/contrib/component/builders.py | 75 ++++++++++ cyclonedx/contrib/hash/__init__.py | 18 +++ cyclonedx/contrib/hash/factories.py | 129 ++++++++++++++++++ cyclonedx/contrib/license/__init__.py | 18 +++ cyclonedx/contrib/license/exceptions.py | 61 +++++++++ cyclonedx/contrib/license/factories.py | 97 +++++++++++++ cyclonedx/contrib/this/__init__.py | 18 +++ cyclonedx/contrib/this/builders.py | 83 +++++++++++ cyclonedx/contrib/vulnerability/__init__.py | 18 +++ cyclonedx/contrib/vulnerability/cvss.py | 58 ++++++++ cyclonedx/exception/factory.py | 80 +++++++---- cyclonedx/exception/model.py | 2 +- cyclonedx/factory/__init__.py | 2 + cyclonedx/factory/license.py | 83 +++-------- cyclonedx/model/__init__.py | 115 +++------------- cyclonedx/model/bom.py | 22 ++- cyclonedx/model/component.py | 46 +++---- cyclonedx/model/license.py | 6 +- cyclonedx/model/vulnerability.py | 43 ++---- examples/complex_serialize.py | 4 +- tests/test_component.py | 4 +- tests/test_contrib/.gitkeep | 0 tests/test_deserialize_json.py | 2 +- tests/test_deserialize_xml.py | 2 +- tests/test_factory_license.py | 20 +-- tests/test_output_json.py | 2 +- tests/test_output_xml.py | 2 +- tests/test_real_world_examples.py | 2 +- 33 files changed, 842 insertions(+), 338 deletions(-) create mode 100644 cyclonedx/contrib/README.md rename cyclonedx/{_internal/hash.py => contrib/__init__.py} (57%) create mode 100644 cyclonedx/contrib/component/__init__.py create mode 100644 cyclonedx/contrib/component/builders.py create mode 100644 cyclonedx/contrib/hash/__init__.py create mode 100644 cyclonedx/contrib/hash/factories.py create mode 100644 cyclonedx/contrib/license/__init__.py create mode 100644 cyclonedx/contrib/license/exceptions.py create mode 100644 cyclonedx/contrib/license/factories.py create mode 100644 cyclonedx/contrib/this/__init__.py create mode 100644 cyclonedx/contrib/this/builders.py create mode 100644 cyclonedx/contrib/vulnerability/__init__.py create mode 100644 cyclonedx/contrib/vulnerability/cvss.py create mode 100644 tests/test_contrib/.gitkeep diff --git a/cyclonedx/builder/__init__.py b/cyclonedx/builder/__init__.py index ec68e667d..dc45dec33 100644 --- a/cyclonedx/builder/__init__.py +++ b/cyclonedx/builder/__init__.py @@ -17,4 +17,6 @@ """ Builders used in this library. + +.. deprecated:: next """ diff --git a/cyclonedx/builder/this.py b/cyclonedx/builder/this.py index 8f81a8ff5..31f7a8ab9 100644 --- a/cyclonedx/builder/this.py +++ b/cyclonedx/builder/this.py @@ -15,69 +15,51 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) OWASP Foundation. All Rights Reserved. -"""Representation of this very python library.""" +"""Representation of this very python library. -__all__ = ['this_component', 'this_tool', ] +.. deprecated:: next +""" -from .. import __version__ as __ThisVersion # noqa: N812 -from ..model import ExternalReference, ExternalReferenceType, XsUri -from ..model.component import Component, ComponentType -from ..model.license import DisjunctiveLicense, LicenseAcknowledgement -from ..model.tool import Tool +__all__ = ['this_component', 'this_tool'] -# !!! keep this file in sync with `pyproject.toml` +import sys +from typing import TYPE_CHECKING +if sys.version_info >= (3, 13): + from warnings import deprecated +else: + from typing_extensions import deprecated -def this_component() -> Component: - """Representation of this very python library as a :class:`Component`.""" - return Component( - type=ComponentType.LIBRARY, - group='CycloneDX', - name='cyclonedx-python-lib', - version=__ThisVersion or 'UNKNOWN', - description='Python library for CycloneDX', - licenses=(DisjunctiveLicense(id='Apache-2.0', - acknowledgement=LicenseAcknowledgement.DECLARED),), - external_references=( - # let's assume this is not a fork - ExternalReference( - type=ExternalReferenceType.WEBSITE, - url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/#readme') - ), - ExternalReference( - type=ExternalReferenceType.DOCUMENTATION, - url=XsUri('https://cyclonedx-python-library.readthedocs.io/') - ), - ExternalReference( - type=ExternalReferenceType.VCS, - url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib') - ), - ExternalReference( - type=ExternalReferenceType.BUILD_SYSTEM, - url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/actions') - ), - ExternalReference( - type=ExternalReferenceType.ISSUE_TRACKER, - url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/issues') - ), - ExternalReference( - type=ExternalReferenceType.LICENSE, - url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE') - ), - ExternalReference( - type=ExternalReferenceType.RELEASE_NOTES, - url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md') - ), - # we cannot assert where the lib was fetched from, but we can give a hint - ExternalReference( - type=ExternalReferenceType.DISTRIBUTION, - url=XsUri('https://pypi.org/project/cyclonedx-python-lib/') - ), - ), - # to be extended... - ) +from ..contrib.this.builders import this_component as _this_component, this_tool as _this_tool +# region deprecated re-export -def this_tool() -> Tool: - """Representation of this very python library as a :class:`Tool`.""" - return Tool.from_component(this_component()) +if TYPE_CHECKING: + from ..model.component import Component + from ..model.tool import Tool + + +@deprecated('Deprecated re-export location - see docstring of "this_component" for details.') +def this_component() -> 'Component': + """Deprecated — Alias of :func:`cyclonedx.contrib.this.builders.this_component`. + + .. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.this.builders import this_component`` instead. + The exported symbol itself is NOT deprecated — only this import path. + """ + return _this_component() + + +@deprecated('Deprecated re-export location - see docstring of "this_tool" for details.') +def this_tool() -> 'Tool': + """Deprecated — Alias of :func:`cyclonedx.contrib.this.builders.this_tool`. + + .. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.this.builders import this_tool`` instead. + The exported symbol itself is NOT deprecated — only this import path. + """ + return _this_tool() + +# endregion deprecated re-export diff --git a/cyclonedx/contrib/README.md b/cyclonedx/contrib/README.md new file mode 100644 index 000000000..aff5230ef --- /dev/null +++ b/cyclonedx/contrib/README.md @@ -0,0 +1,20 @@ +# CycloneDX Contrib Extensions + +This directory contains community-contributed functionality that extends the capabilities of the CycloneDX core library. +Unlike the modules in `../`, these features are not part of the official CycloneDX specification and may vary in stability, scope, or compatibility. + +## Contents +- Utilities, helpers, and experimental features developed by the community +- Optional add-ons that may facilitate or enhance use of the CycloneDX core library +- Code that evolves independently of the CycloneDX specification + +## Notes +- Contrib modules are optional and not required for strict compliance with the CycloneDX standard. +- They may change more frequently than the core and are not guaranteed to follow the same versioning rules. +- Users should evaluate these modules carefully and consult documentation or source comments for details. + +## Contributing +Contributions are welcome. To add an extension: +1. Follow the contribution guidelines in the main repository. +2. Place your code in a clearly named subfolder or file under `contrib/`. +3. Provide documentation and tests to ensure clarity and maintainability. diff --git a/cyclonedx/_internal/hash.py b/cyclonedx/contrib/__init__.py similarity index 57% rename from cyclonedx/_internal/hash.py rename to cyclonedx/contrib/__init__.py index 4fc17f5e2..d0babedd1 100644 --- a/cyclonedx/_internal/hash.py +++ b/cyclonedx/contrib/__init__.py @@ -17,27 +17,11 @@ """ -!!! ALL SYMBOLS IN HERE ARE INTERNAL. -Everything might change without any notice. +Some features in this library are marked as contrib. +These are community-provided extensions and are not part of the official standard. +They are optional and may evolve independently from the core. """ - -from hashlib import sha1 - - -def file_sha1sum(filename: str) -> str: - """ - Generate a SHA1 hash of the provided file. - - Args: - filename: - Absolute path to file to hash as `str` - - Returns: - SHA-1 hash - """ - h = sha1() # nosec B303, B324 - with open(filename, 'rb') as f: - for byte_block in iter(lambda: f.read(4096), b''): - h.update(byte_block) - return h.hexdigest() +__all__ = [ + # there is no intention to export anything in here. +] diff --git a/cyclonedx/contrib/component/__init__.py b/cyclonedx/contrib/component/__init__.py new file mode 100644 index 000000000..02d2b73fe --- /dev/null +++ b/cyclonedx/contrib/component/__init__.py @@ -0,0 +1,18 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Component related functionality""" diff --git a/cyclonedx/contrib/component/builders.py b/cyclonedx/contrib/component/builders.py new file mode 100644 index 000000000..633e186b1 --- /dev/null +++ b/cyclonedx/contrib/component/builders.py @@ -0,0 +1,75 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Component related builders""" + +__all__ = ['ComponentBuilder'] + +from hashlib import sha1 +from os.path import exists +from typing import Optional + +from ...model import HashAlgorithm, HashType +from ...model.component import Component, ComponentType + + +class ComponentBuilder: + + def make_for_file(self, absolute_file_path: str, *, + name: Optional[str]) -> Component: + """ + Helper method to create a :class:`cyclonedx.model.component.Component` + that represents the provided local file as a Component. + + Args: + absolute_file_path: + Absolute path to the file you wish to represent + name: + Optionally, if supplied this is the name that will be used for the component. + Defaults to arg ``absolute_file_path``. + + Returns: + `Component` representing the supplied file + """ + if not exists(absolute_file_path): + raise FileExistsError(f'Supplied file path {absolute_file_path!r} does not exist') + + return Component( + type=ComponentType.FILE, + name=name or absolute_file_path, + hashes=[ + HashType(alg=HashAlgorithm.SHA_1, content=self._file_sha1sum(absolute_file_path)) + ] + ) + + @staticmethod + def _file_sha1sum(filename: str) -> str: + """ + Generate a SHA1 hash of the provided file. + + Args: + filename: + Absolute path to file to hash as `str` + + Returns: + SHA-1 hash + """ + h = sha1() # nosec B303, B324 + with open(filename, 'rb') as f: + for byte_block in iter(lambda: f.read(4096), b''): + h.update(byte_block) + return h.hexdigest() diff --git a/cyclonedx/contrib/hash/__init__.py b/cyclonedx/contrib/hash/__init__.py new file mode 100644 index 000000000..b65a1aff6 --- /dev/null +++ b/cyclonedx/contrib/hash/__init__.py @@ -0,0 +1,18 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Hash related functionality""" diff --git a/cyclonedx/contrib/hash/factories.py b/cyclonedx/contrib/hash/factories.py new file mode 100644 index 000000000..c4b477fd7 --- /dev/null +++ b/cyclonedx/contrib/hash/factories.py @@ -0,0 +1,129 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Hash related factories""" + +__all__ = ['HashTypeFactory'] + +from ...exception.model import UnknownHashTypeException +from ...model import HashAlgorithm, HashType + +_MAP_HASHLIB: dict[str, HashAlgorithm] = { + # from hashlib.algorithms_guaranteed + 'md5': HashAlgorithm.MD5, + 'sha1': HashAlgorithm.SHA_1, + # sha224: + 'sha256': HashAlgorithm.SHA_256, + 'sha384': HashAlgorithm.SHA_384, + 'sha512': HashAlgorithm.SHA_512, + # blake2b: + # blake2s: + # sha3_224: + 'sha3_256': HashAlgorithm.SHA3_256, + 'sha3_384': HashAlgorithm.SHA3_384, + 'sha3_512': HashAlgorithm.SHA3_512, + # shake_128: + # shake_256: +} + + +class HashTypeFactory: + + def from_hashlib_alg(self, hashlib_alg: str, content: str) -> HashType: + """ + Attempts to convert a hashlib-algorithm to our internal model classes. + + Args: + hashlib_alg: + Hash algorithm - like it is used by `hashlib`. + Example: `sha256`. + + content: + Hash value. + + Raises: + `UnknownHashTypeException` if the algorithm of hash cannot be determined. + + Returns: + An instance of `HashType`. + """ + alg = _MAP_HASHLIB.get(hashlib_alg.lower()) + if alg is None: + raise UnknownHashTypeException(f'Unable to determine hash alg for {hashlib_alg!r}') + return HashType(alg=alg, content=content) + + def from_composite_str(self, composite_hash: str) -> HashType: + """ + Attempts to convert a string which includes both the Hash Algorithm and Hash Value and represent using our + internal model classes. + + Args: + composite_hash: + Composite Hash string of the format `HASH_ALGORITHM`:`HASH_VALUE`. + Example: `sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b`. + + Valid case insensitive prefixes are: + `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `blake2b256`, `blake2b384`, `blake2b512`, + `blake2256`, `blake2384`, `blake2512`, `sha3-256`, `sha3-384`, `sha3-512`, + `blake3`. + + Raises: + `UnknownHashTypeException` if the type of hash cannot be determined. + + Returns: + An instance of `HashType`. + """ + parts = composite_hash.split(':') + + algorithm_prefix = parts[0].lower() + if algorithm_prefix == 'md5': + return HashType( + alg=HashAlgorithm.MD5, + content=parts[1].lower() + ) + elif algorithm_prefix[0:4] == 'sha3': + return HashType( + alg=getattr(HashAlgorithm, f'SHA3_{algorithm_prefix[5:]}'), + content=parts[1].lower() + ) + elif algorithm_prefix == 'sha1': + return HashType( + alg=HashAlgorithm.SHA_1, + content=parts[1].lower() + ) + elif algorithm_prefix[0:3] == 'sha': + # This is actually SHA2... + return HashType( + alg=getattr(HashAlgorithm, f'SHA_{algorithm_prefix[3:]}'), + content=parts[1].lower() + ) + elif algorithm_prefix[0:7] == 'blake2b': + return HashType( + alg=getattr(HashAlgorithm, f'BLAKE2B_{algorithm_prefix[7:]}'), + content=parts[1].lower() + ) + elif algorithm_prefix[0:6] == 'blake2': + return HashType( + alg=getattr(HashAlgorithm, f'BLAKE2B_{algorithm_prefix[6:]}'), + content=parts[1].lower() + ) + elif algorithm_prefix[0:6] == 'blake3': + return HashType( + alg=HashAlgorithm.BLAKE3, + content=parts[1].lower() + ) + raise UnknownHashTypeException(f'Unable to determine hash type from {composite_hash!r}') diff --git a/cyclonedx/contrib/license/__init__.py b/cyclonedx/contrib/license/__init__.py new file mode 100644 index 000000000..cd8b075e1 --- /dev/null +++ b/cyclonedx/contrib/license/__init__.py @@ -0,0 +1,18 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""License related functionality""" diff --git a/cyclonedx/contrib/license/exceptions.py b/cyclonedx/contrib/license/exceptions.py new file mode 100644 index 000000000..571c75982 --- /dev/null +++ b/cyclonedx/contrib/license/exceptions.py @@ -0,0 +1,61 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + + +""" +Exceptions relating to specific conditions that occur when factoring a model. +""" + +from ...exception import CycloneDxException + +__all__ = ['FactoryException', 'LicenseChoiceFactoryException', 'InvalidSpdxLicenseException', + 'LicenseFactoryException', 'InvalidLicenseExpressionException'] + + +class FactoryException(CycloneDxException): + """ + Base exception that covers all exceptions that may be thrown during model factoring. + """ + pass + + +class LicenseChoiceFactoryException(FactoryException): + """ + Base exception that covers all LicenseChoiceFactory exceptions. + """ + pass + + +class InvalidSpdxLicenseException(LicenseChoiceFactoryException): + """ + Thrown when an invalid SPDX License is provided. + """ + pass + + +class LicenseFactoryException(FactoryException): + """ + Base exception that covers all LicenseFactory exceptions. + """ + pass + + +class InvalidLicenseExpressionException(LicenseFactoryException): + """ + Thrown when an invalid License expression is provided. + """ + pass diff --git a/cyclonedx/contrib/license/factories.py b/cyclonedx/contrib/license/factories.py new file mode 100644 index 000000000..581acbed7 --- /dev/null +++ b/cyclonedx/contrib/license/factories.py @@ -0,0 +1,97 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""License related factories""" + +__all__ = ['LicenseFactory'] + +from typing import TYPE_CHECKING, Optional + +from ...model.license import DisjunctiveLicense, LicenseExpression +from ...spdx import fixup_id as spdx_fixup, is_expression as is_spdx_expression +from .exceptions import InvalidLicenseExpressionException, InvalidSpdxLicenseException + +if TYPE_CHECKING: # pragma: no cover + from ...model import AttachedText, XsUri + from ...model.license import License, LicenseAcknowledgement + + +class LicenseFactory: + """Factory for :class:`cyclonedx.model.license.License`.""" + + def make_from_string(self, value: str, *, + license_text: Optional['AttachedText'] = None, + license_url: Optional['XsUri'] = None, + license_acknowledgement: Optional['LicenseAcknowledgement'] = None + ) -> 'License': + """Make a :class:`cyclonedx.model.license.License` from a string.""" + try: + return self.make_with_id(value, + text=license_text, + url=license_url, + acknowledgement=license_acknowledgement) + except InvalidSpdxLicenseException: + pass + try: + return self.make_with_expression(value, + acknowledgement=license_acknowledgement) + except InvalidLicenseExpressionException: + pass + return self.make_with_name(value, + text=license_text, + url=license_url, + acknowledgement=license_acknowledgement) + + def make_with_expression(self, expression: str, *, + acknowledgement: Optional['LicenseAcknowledgement'] = None + ) -> LicenseExpression: + """Make a :class:`cyclonedx.model.license.LicenseExpression` with a compound expression. + + Utilizes :func:`cyclonedx.spdx.is_expression`. + + :raises InvalidLicenseExpressionException: if param `value` is not known/supported license expression + """ + if is_spdx_expression(expression): + return LicenseExpression(expression, acknowledgement=acknowledgement) + raise InvalidLicenseExpressionException(expression) + + def make_with_id(self, spdx_id: str, *, + text: Optional['AttachedText'] = None, + url: Optional['XsUri'] = None, + acknowledgement: Optional['LicenseAcknowledgement'] = None + ) -> DisjunctiveLicense: + """Make a :class:`cyclonedx.model.license.DisjunctiveLicense` from an SPDX-ID. + + :raises InvalidSpdxLicenseException: if param `spdx_id` was not known/supported SPDX-ID + """ + spdx_license_id = spdx_fixup(spdx_id) + if spdx_license_id is None: + raise InvalidSpdxLicenseException(spdx_id) + return DisjunctiveLicense(id=spdx_license_id, text=text, url=url, acknowledgement=acknowledgement) + + def make_with_name(self, name: str, *, + text: Optional['AttachedText'] = None, + url: Optional['XsUri'] = None, + acknowledgement: Optional['LicenseAcknowledgement'] = None + ) -> DisjunctiveLicense: + """Make a :class:`cyclonedx.model.license.DisjunctiveLicense` with a name.""" + return DisjunctiveLicense(name=name, text=text, url=url, acknowledgement=acknowledgement) + + +# Idea for more factories: +# class LicenseAttachmentFactory: +# def make_from_file(self, path: PathLike) -> AttachedText: ... diff --git a/cyclonedx/contrib/this/__init__.py b/cyclonedx/contrib/this/__init__.py new file mode 100644 index 000000000..b6b613202 --- /dev/null +++ b/cyclonedx/contrib/this/__init__.py @@ -0,0 +1,18 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Representation of this very python library.""" diff --git a/cyclonedx/contrib/this/builders.py b/cyclonedx/contrib/this/builders.py new file mode 100644 index 000000000..2aa5bfe7b --- /dev/null +++ b/cyclonedx/contrib/this/builders.py @@ -0,0 +1,83 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Representation of this very python library.""" + +__all__ = ['this_component', 'this_tool', ] + +from ... import __version__ as __ThisVersion # noqa: N812 +from ...model import ExternalReference, ExternalReferenceType, XsUri +from ...model.component import Component, ComponentType +from ...model.license import DisjunctiveLicense, LicenseAcknowledgement +from ...model.tool import Tool + +# !!! keep this file in sync with `pyproject.toml` + + +def this_component() -> Component: + """Representation of this very python library as a :class:`cyclonedx.model.component.Component`.""" + return Component( + type=ComponentType.LIBRARY, + group='CycloneDX', + name='cyclonedx-python-lib', + version=__ThisVersion or 'UNKNOWN', + description='Python library for CycloneDX', + licenses=(DisjunctiveLicense(id='Apache-2.0', + acknowledgement=LicenseAcknowledgement.DECLARED),), + external_references=( + # let's assume this is not a fork + ExternalReference( + type=ExternalReferenceType.WEBSITE, + url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/#readme') + ), + ExternalReference( + type=ExternalReferenceType.DOCUMENTATION, + url=XsUri('https://cyclonedx-python-library.readthedocs.io/') + ), + ExternalReference( + type=ExternalReferenceType.VCS, + url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib') + ), + ExternalReference( + type=ExternalReferenceType.BUILD_SYSTEM, + url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/actions') + ), + ExternalReference( + type=ExternalReferenceType.ISSUE_TRACKER, + url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/issues') + ), + ExternalReference( + type=ExternalReferenceType.LICENSE, + url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE') + ), + ExternalReference( + type=ExternalReferenceType.RELEASE_NOTES, + url=XsUri('https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md') + ), + # we cannot assert where the lib was fetched from, but we can give a hint + ExternalReference( + type=ExternalReferenceType.DISTRIBUTION, + url=XsUri('https://pypi.org/project/cyclonedx-python-lib/') + ), + ), + # to be extended... + ) + + +def this_tool() -> Tool: + """Representation of this very python library as a :class:`cyclonedx.model.tool.Tool`.""" + return Tool.from_component(this_component()) diff --git a/cyclonedx/contrib/vulnerability/__init__.py b/cyclonedx/contrib/vulnerability/__init__.py new file mode 100644 index 000000000..5d93d0472 --- /dev/null +++ b/cyclonedx/contrib/vulnerability/__init__.py @@ -0,0 +1,18 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""Vulnerability related functionality""" diff --git a/cyclonedx/contrib/vulnerability/cvss.py b/cyclonedx/contrib/vulnerability/cvss.py new file mode 100644 index 000000000..461b5ee95 --- /dev/null +++ b/cyclonedx/contrib/vulnerability/cvss.py @@ -0,0 +1,58 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +"""CVSS related utilities""" + +__all__ = ['vs_from_cvss_scores'] + +from typing import Union + +from ...model.vulnerability import VulnerabilitySeverity + + +def vs_from_cvss_scores(scores: Union[tuple[float, ...], float, None]) -> VulnerabilitySeverity: + """ + Derives the Severity of a Vulnerability from it's declared CVSS scores. + + Args: + scores: A `tuple` of CVSS scores. CVSS scoring system allows for up to three separate scores. + + Returns: + Always returns an instance of :class:`cyclonedx.model.vulnerability.VulnerabilitySeverity`. + """ + if type(scores) is float: + scores = (scores,) + + if scores is None: + return VulnerabilitySeverity.UNKNOWN + + max_cvss_score: float + if isinstance(scores, tuple): + max_cvss_score = max(scores) + else: + max_cvss_score = float(scores) + + if max_cvss_score >= 9.0: + return VulnerabilitySeverity.CRITICAL + elif max_cvss_score >= 7.0: + return VulnerabilitySeverity.HIGH + elif max_cvss_score >= 4.0: + return VulnerabilitySeverity.MEDIUM + elif max_cvss_score > 0.0: + return VulnerabilitySeverity.LOW + else: + return VulnerabilitySeverity.NONE diff --git a/cyclonedx/exception/factory.py b/cyclonedx/exception/factory.py index 2ddbb3271..41591e410 100644 --- a/cyclonedx/exception/factory.py +++ b/cyclonedx/exception/factory.py @@ -18,41 +18,69 @@ """ Exceptions relating to specific conditions that occur when factoring a model. + +.. deprecated:: next """ -from . import CycloneDxException +__all__ = ['CycloneDxFactoryException', 'LicenseChoiceFactoryException', + 'InvalidSpdxLicenseException', 'LicenseFactoryException', 'InvalidLicenseExpressionException'] + +from ..contrib.license.exceptions import ( + FactoryException as _FactoryException, + InvalidLicenseExpressionException as _InvalidLicenseExpressionException, + InvalidSpdxLicenseException as _InvalidSpdxLicenseException, + LicenseChoiceFactoryException as _LicenseChoiceFactoryException, + LicenseFactoryException as _LicenseFactoryException, +) + +# region deprecated re-export +# re-export NOT as inherited class with @deprecated, to keep the original subclassing intact!!1 -class CycloneDxFactoryException(CycloneDxException): - """ - Base exception that covers all exceptions that may be thrown during model factoring.. - """ - pass +CycloneDxFactoryException = _FactoryException +"""Deprecated — Alias of :class:`cyclonedx.contrib.license.exceptions.FactoryException`. -class LicenseChoiceFactoryException(CycloneDxFactoryException): - """ - Base exception that covers all LicenseChoiceFactory exceptions. - """ - pass +.. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.license.exceptions import FactoryException`` instead. + The exported symbol itself is NOT deprecated — only this import path. +""" +LicenseChoiceFactoryException = _LicenseChoiceFactoryException +"""Deprecated — Alias of :class:`cyclonedx.contrib.license.exceptions.LicenseChoiceFactoryException`. -class InvalidSpdxLicenseException(LicenseChoiceFactoryException): - """ - Thrown when an invalid SPDX License is provided. - """ - pass +.. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.license.exceptions import LicenseChoiceFactoryException`` instead. + The exported symbol itself is NOT deprecated — only this import path. +""" +InvalidSpdxLicenseException = _InvalidSpdxLicenseException +"""Deprecated — Alias of :class:`cyclonedx.contrib.license.exceptions.InvalidSpdxLicenseException`. -class LicenseFactoryException(CycloneDxFactoryException): - """ - Base exception that covers all LicenseFactory exceptions. - """ - pass +.. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.license.exceptions import InvalidSpdxLicenseException`` instead. + The exported symbol itself is NOT deprecated — only this import path. +""" +LicenseFactoryException = _LicenseFactoryException +"""Deprecated — Alias of :class:`cyclonedx.contrib.license.exceptions.LicenseFactoryException`. + +.. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.license.exceptions import LicenseFactoryException`` instead. + The exported symbol itself is NOT deprecated — only this import path. +""" + +InvalidLicenseExpressionException = _InvalidLicenseExpressionException +"""Deprecated — Alias of :class:`cyclonedx.contrib.license.exceptions.InvalidLicenseExpressionException`. + +.. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.license.exceptions import InvalidLicenseExpressionException`` instead. + The exported symbol itself is NOT deprecated — only this import path. +""" -class InvalidLicenseExpressionException(LicenseFactoryException): - """ - Thrown when an invalid License expressions is provided. - """ - pass +# endregion deprecated re-export diff --git a/cyclonedx/exception/model.py b/cyclonedx/exception/model.py index f3986eb93..a38cc386c 100644 --- a/cyclonedx/exception/model.py +++ b/cyclonedx/exception/model.py @@ -116,7 +116,7 @@ class UnknownHashTypeException(CycloneDxModelException): """ Exception raised when we are unable to determine the type of hash from a composite hash string. """ - pass + pass # TODO research deprecation of this... class LicenseExpressionAlongWithOthersException(CycloneDxModelException): diff --git a/cyclonedx/factory/__init__.py b/cyclonedx/factory/__init__.py index ffb3ca2f4..58f48f6de 100644 --- a/cyclonedx/factory/__init__.py +++ b/cyclonedx/factory/__init__.py @@ -17,4 +17,6 @@ """ Factories used in this library. + +.. deprecated:: next """ diff --git a/cyclonedx/factory/license.py b/cyclonedx/factory/license.py index 40d4484d4..043f3967a 100644 --- a/cyclonedx/factory/license.py +++ b/cyclonedx/factory/license.py @@ -15,74 +15,33 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) OWASP Foundation. All Rights Reserved. -from typing import TYPE_CHECKING, Optional +""" +.. deprecated:: next +""" -from ..exception.factory import InvalidLicenseExpressionException, InvalidSpdxLicenseException -from ..model.license import DisjunctiveLicense, LicenseExpression -from ..spdx import fixup_id as spdx_fixup, is_expression as is_spdx_expression +__all__ = ['LicenseFactory'] -if TYPE_CHECKING: # pragma: no cover - from ..model import AttachedText, XsUri - from ..model.license import License, LicenseAcknowledgement +import sys +if sys.version_info >= (3, 13): + from warnings import deprecated +else: + from typing_extensions import deprecated -class LicenseFactory: - """Factory for :class:`cyclonedx.model.license.License`.""" +from ..contrib.license.factories import LicenseFactory as _LicenseFactory - def make_from_string(self, value: str, *, - license_text: Optional['AttachedText'] = None, - license_url: Optional['XsUri'] = None, - license_acknowledgement: Optional['LicenseAcknowledgement'] = None - ) -> 'License': - """Make a :class:`cyclonedx.model.license.License` from a string.""" - try: - return self.make_with_id(value, - text=license_text, - url=license_url, - acknowledgement=license_acknowledgement) - except InvalidSpdxLicenseException: - pass - try: - return self.make_with_expression(value, - acknowledgement=license_acknowledgement) - except InvalidLicenseExpressionException: - pass - return self.make_with_name(value, - text=license_text, - url=license_url, - acknowledgement=license_acknowledgement) +# region deprecated re-export - def make_with_expression(self, expression: str, *, - acknowledgement: Optional['LicenseAcknowledgement'] = None - ) -> LicenseExpression: - """Make a :class:`cyclonedx.model.license.LicenseExpression` with a compound expression. - Utilizes :func:`cyclonedx.spdx.is_expression`. +@deprecated('Deprecated re-export location - see docstring of "LicenseFactory" for details.') +class LicenseFactory(_LicenseFactory): + """Deprecated — Alias of :class:`cyclonedx.contrib.license.factories.LicenseFactory`. - :raises InvalidLicenseExpressionException: if param `value` is not known/supported license expression - """ - if is_spdx_expression(expression): - return LicenseExpression(expression, acknowledgement=acknowledgement) - raise InvalidLicenseExpressionException(expression) + .. deprecated:: next + This re-export location is deprecated. + Use ``from cyclonedx.contrib.license.factories import LicenseFactory`` instead. + The exported symbol itself is NOT deprecated — only this import path. + """ + pass - def make_with_id(self, spdx_id: str, *, - text: Optional['AttachedText'] = None, - url: Optional['XsUri'] = None, - acknowledgement: Optional['LicenseAcknowledgement'] = None - ) -> DisjunctiveLicense: - """Make a :class:`cyclonedx.model.license.DisjunctiveLicense` from an SPDX-ID. - - :raises InvalidSpdxLicenseException: if param `spdx_id` was not known/supported SPDX-ID - """ - spdx_license_id = spdx_fixup(spdx_id) - if spdx_license_id is None: - raise InvalidSpdxLicenseException(spdx_id) - return DisjunctiveLicense(id=spdx_license_id, text=text, url=url, acknowledgement=acknowledgement) - - def make_with_name(self, name: str, *, - text: Optional['AttachedText'] = None, - url: Optional['XsUri'] = None, - acknowledgement: Optional['LicenseAcknowledgement'] = None - ) -> DisjunctiveLicense: - """Make a :class:`cyclonedx.model.license.DisjunctiveLicense` with a name.""" - return DisjunctiveLicense(name=name, text=text, url=url, acknowledgement=acknowledgement) +# endregion deprecated re-export diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index ff0abc773..f949e10ce 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -23,6 +23,7 @@ """ import re +import sys from collections.abc import Generator, Iterable from datetime import datetime from enum import Enum @@ -34,11 +35,16 @@ from warnings import warn from xml.etree.ElementTree import Element as XmlElement # nosec B405 +if sys.version_info >= (3, 13): + from warnings import deprecated +else: + from typing_extensions import deprecated + import py_serializable as serializable from sortedcontainers import SortedSet from .._internal.compare import ComparableTuple as _ComparableTuple -from ..exception.model import InvalidLocaleTypeException, InvalidUriException, UnknownHashTypeException +from ..exception.model import InvalidLocaleTypeException, InvalidUriException from ..exception.serialization import CycloneDxDeserializationException, SerializationOfUnexpectedValueException from ..schema.schema import ( SchemaVersion1Dot0, @@ -366,25 +372,6 @@ def xml_denormalize(cls, o: 'XmlElement', *, ] -_MAP_HASHLIB: dict[str, HashAlgorithm] = { - # from hashlib.algorithms_guaranteed - 'md5': HashAlgorithm.MD5, - 'sha1': HashAlgorithm.SHA_1, - # sha224: - 'sha256': HashAlgorithm.SHA_256, - 'sha384': HashAlgorithm.SHA_384, - 'sha512': HashAlgorithm.SHA_512, - # blake2b: - # blake2s: - # sha3_224: - 'sha3_256': HashAlgorithm.SHA3_256, - 'sha3_384': HashAlgorithm.SHA3_384, - 'sha3_512': HashAlgorithm.SHA3_512, - # shake_128: - # shake_256: -} - - @serializable.serializable_class class HashType: """ @@ -395,91 +382,33 @@ class HashType: """ @staticmethod + @deprecated('Deprecated - use cyclonedx.contrib.hash.factories.HashTypeFactory().from_hashlib_alg() instead') def from_hashlib_alg(hashlib_alg: str, content: str) -> 'HashType': - """ - Attempts to convert a hashlib-algorithm to our internal model classes. - - Args: - hashlib_alg: - Hash algorith - like it is used by `hashlib`. - Example: `sha256`. + """Deprecated — Alias of :func:`cyclonedx.contrib.hash.factories.HashTypeFactory.from_hashlib_alg`. - content: - Hash value. - - Raises: - `UnknownHashTypeException` if the algorithm of hash cannot be determined. + Attempts to convert a hashlib-algorithm to our internal model classes. - Returns: - An instance of `HashType`. + .. deprecated:: next + Use ``cyclonedx.contrib.hash.factories.HashTypeFactory().from_hashlib_alg()`` instead. """ - alg = _MAP_HASHLIB.get(hashlib_alg.lower()) - if alg is None: - raise UnknownHashTypeException(f'Unable to determine hash alg for {hashlib_alg!r}') - return HashType(alg=alg, content=content) + from ..contrib.hash.factories import HashTypeFactory + + return HashTypeFactory().from_hashlib_alg(hashlib_alg, content) @staticmethod + @deprecated('Deprecated - use cyclonedx.contrib.hash.factories.HashTypeFactory().from_composite_str() instead') def from_composite_str(composite_hash: str) -> 'HashType': - """ + """Deprecated — Alias of :func:`cyclonedx.contrib.hash.factories.HashTypeFactory.from_composite_str`. + Attempts to convert a string which includes both the Hash Algorithm and Hash Value and represent using our internal model classes. - Args: - composite_hash: - Composite Hash string of the format `HASH_ALGORITHM`:`HASH_VALUE`. - Example: `sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b`. - - Valid case insensitive prefixes are: - `md5`, `sha1`, `sha256`, `sha384`, `sha512`, `blake2b256`, `blake2b384`, `blake2b512`, - `blake2256`, `blake2384`, `blake2512`, `sha3-256`, `sha3-384`, `sha3-512`, - `blake3`. - - Raises: - `UnknownHashTypeException` if the type of hash cannot be determined. - - Returns: - An instance of `HashType`. + .. deprecated:: next + Use ``cyclonedx.contrib.hash.factories.HashTypeFactory().from_composite_str()`` instead. """ - parts = composite_hash.split(':') + from ..contrib.hash.factories import HashTypeFactory - algorithm_prefix = parts[0].lower() - if algorithm_prefix == 'md5': - return HashType( - alg=HashAlgorithm.MD5, - content=parts[1].lower() - ) - elif algorithm_prefix[0:4] == 'sha3': - return HashType( - alg=getattr(HashAlgorithm, f'SHA3_{algorithm_prefix[5:]}'), - content=parts[1].lower() - ) - elif algorithm_prefix == 'sha1': - return HashType( - alg=HashAlgorithm.SHA_1, - content=parts[1].lower() - ) - elif algorithm_prefix[0:3] == 'sha': - # This is actually SHA2... - return HashType( - alg=getattr(HashAlgorithm, f'SHA_{algorithm_prefix[3:]}'), - content=parts[1].lower() - ) - elif algorithm_prefix[0:7] == 'blake2b': - return HashType( - alg=getattr(HashAlgorithm, f'BLAKE2B_{algorithm_prefix[7:]}'), - content=parts[1].lower() - ) - elif algorithm_prefix[0:6] == 'blake2': - return HashType( - alg=getattr(HashAlgorithm, f'BLAKE2B_{algorithm_prefix[6:]}'), - content=parts[1].lower() - ) - elif algorithm_prefix[0:6] == 'blake3': - return HashType( - alg=HashAlgorithm.BLAKE3, - content=parts[1].lower() - ) - raise UnknownHashTypeException(f'Unable to determine hash type from {composite_hash!r}') + return HashTypeFactory().from_composite_str(composite_hash) def __init__( self, *, diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 9c4b8cad2..08e838773 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -706,6 +706,8 @@ def get_component_by_purl(self, purl: Optional['PackageURL']) -> Optional[Compon Returns: `Component` or `None` + + .. deprecated:: next """ if purl: found = [x for x in self.components if x.purl == purl] @@ -720,6 +722,8 @@ def get_urn_uuid(self) -> str: Returns: URN formatted UUID that uniquely identified this Bom instance. + + .. deprecated:: next """ return self.serial_number.urn @@ -733,6 +737,8 @@ def has_component(self, component: Component) -> bool: Returns: `bool` - `True` if the supplied Component is part of this Bom, `False` otherwise. + + .. deprecated:: next """ return component in self.components @@ -751,8 +757,10 @@ def get_vulnerabilities_for_bom_ref(self, bom_ref: BomRef) -> 'SortedSet[Vulnera Returns: `SortedSet` of `Vulnerability` - """ + .. deprecated:: next + Deprecated without any replacement. + """ vulnerabilities: SortedSet[Vulnerability] = SortedSet() for v in self.vulnerabilities: for target in v.affects: @@ -766,6 +774,9 @@ def has_vulnerabilities(self) -> bool: Returns: `bool` - `True` if this Bom has at least one Vulnerability, `False` otherwise. + + .. deprecated:: next + Deprecated without any replacement. """ return bool(self.vulnerabilities) @@ -788,6 +799,11 @@ def register_dependency(self, target: Dependable, depends_on: Optional[Iterable[ self.register_dependency(target=_d2, depends_on=None) def urn(self) -> str: + """ + .. deprecated:: next + Deprecated without any replacement. + """ + # idea: have 'serial_number' be a string, and use it instead of this method return f'{_BOM_LINK_PREFIX}{self.serial_number}/{self.version}' def validate(self) -> bool: @@ -797,7 +813,11 @@ def validate(self) -> bool: Returns: `bool` + + .. deprecated:: next + Deprecated without any replacement. """ + # !! deprecated function. have this as an part of the normalization process, like the BomRefDiscrimator # 0. Make sure all Dependable have a Dependency entry if self.metadata.component: self.register_dependency(target=self.metadata.component) diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index c4e4e5c6d..47702ed00 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -16,12 +16,17 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. import re +import sys from collections.abc import Iterable from enum import Enum -from os.path import exists from typing import Any, Optional, Union from warnings import warn +if sys.version_info >= (3, 13): + from warnings import deprecated +else: + from typing_extensions import deprecated + # See https://github.com/package-url/packageurl-python/issues/65 import py_serializable as serializable from packageurl import PackageURL @@ -29,7 +34,6 @@ from .._internal.bom_ref import bom_ref_from_str as _bom_ref_from_str from .._internal.compare import ComparablePackageURL as _ComparablePackageURL, ComparableTuple as _ComparableTuple -from .._internal.hash import file_sha1sum as _file_sha1sum from ..exception.model import InvalidOmniBorIdException, InvalidSwhidException from ..exception.serialization import ( CycloneDxDeserializationException, @@ -955,34 +959,26 @@ class Component(Dependable): """ @staticmethod + @deprecated('Deprecated - use cyclonedx.contrib.component.builders.ComponentBuilder().make_for_file() instead') def for_file(absolute_file_path: str, path_for_bom: Optional[str]) -> 'Component': - """ + """Deprecated — Wrapper of :func:`cyclonedx.contrib.component.builders.ComponentBuilder.make_for_file`. + Helper method to create a Component that represents the provided local file as a Component. - Args: - absolute_file_path: - Absolute path to the file you wish to represent - path_for_bom: - Optionally, if supplied this is the path that will be used to identify the file in the BOM + .. deprecated:: next + Use ``cyclonedx.contrib.component.builders.ComponentBuilder().make_for_file()`` instead. + """ + from ..contrib.component.builders import ComponentBuilder - Returns: - `Component` representing the supplied file - """ - if not exists(absolute_file_path): - raise FileExistsError(f'Supplied file path {absolute_file_path!r} does not exist') - - sha1_hash: str = _file_sha1sum(absolute_file_path) - return Component( - name=path_for_bom if path_for_bom else absolute_file_path, - version=f'0.0.0-{sha1_hash[0:12]}', - hashes=[ - HashType(alg=HashAlgorithm.SHA_1, content=sha1_hash) - ], - type=ComponentType.FILE, purl=PackageURL( - type='generic', name=path_for_bom if path_for_bom else absolute_file_path, - version=f'0.0.0-{sha1_hash[0:12]}' - ) + component = ComponentBuilder().make_for_file(absolute_file_path, name=path_for_bom) + sha1_hash = next((h.content for h in component.hashes if h.alg is HashAlgorithm.SHA_1), None) + assert sha1_hash is not None + component.version = f'0.0.0-{sha1_hash[0:12]}' + component.purl = PackageURL( # DEPRECATED: a file has no PURL! + type='generic', name=path_for_bom if path_for_bom else absolute_file_path, + version=f'0.0.0-{sha1_hash[0:12]}' ) + return component def __init__( self, *, diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index 3d9369429..9d32160e2 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -59,7 +59,11 @@ class LicenseAcknowledgement(str, Enum): # In an error, the name of the enum was `LicenseExpressionAcknowledgement`. # Even though this was changed, there might be some downstream usage of this symbol, so we keep it around ... LicenseExpressionAcknowledgement = LicenseAcknowledgement -"""Deprecated alias for :class:`LicenseAcknowledgement`""" +"""Deprecated — Alias for :class:`LicenseAcknowledgement` + +.. deprecated:: next Import `LicenseAcknowledgement` instead. + The exported original symbol itself is NOT deprecated - only this import path. +""" @serializable.serializable_class( diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py index fcfb4a687..5f3bf0240 100644 --- a/cyclonedx/model/vulnerability.py +++ b/cyclonedx/model/vulnerability.py @@ -28,14 +28,19 @@ See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.7/xml/#type_vulnerabilitiesType """ - import re +import sys from collections.abc import Iterable from datetime import datetime from decimal import Decimal from enum import Enum from typing import Any, Optional, Union +if sys.version_info >= (3, 13): + from warnings import deprecated +else: + from typing_extensions import deprecated + import py_serializable as serializable from sortedcontainers import SortedSet @@ -724,38 +729,18 @@ class VulnerabilitySeverity(str, Enum): UNKNOWN = 'unknown' @staticmethod + @deprecated('Deprecated - use cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores instead') def get_from_cvss_scores(scores: Union[tuple[float, ...], float, None]) -> 'VulnerabilitySeverity': - """ + """Deprecated — Alias of :func:`cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`. + Derives the Severity of a Vulnerability from it's declared CVSS scores. - Args: - scores: A `tuple` of CVSS scores. CVSS scoring system allows for up to three separate scores. + .. deprecated:: next + Use ``cyclonedx.contrib.vulnerability.cvss.vs_from_cvss_scores()`` instead. + """ + from ..contrib.vulnerability.cvss import vs_from_cvss_scores - Returns: - Always returns an instance of `VulnerabilitySeverity`. - """ - if type(scores) is float: - scores = (scores,) - - if scores is None: - return VulnerabilitySeverity.UNKNOWN - - max_cvss_score: float - if isinstance(scores, tuple): - max_cvss_score = max(scores) - else: - max_cvss_score = float(scores) - - if max_cvss_score >= 9.0: - return VulnerabilitySeverity.CRITICAL - elif max_cvss_score >= 7.0: - return VulnerabilitySeverity.HIGH - elif max_cvss_score >= 4.0: - return VulnerabilitySeverity.MEDIUM - elif max_cvss_score > 0.0: - return VulnerabilitySeverity.LOW - else: - return VulnerabilitySeverity.NONE + return vs_from_cvss_scores(scores) @serializable.serializable_class(ignore_unknown_during_deserialization=True) diff --git a/examples/complex_serialize.py b/examples/complex_serialize.py index 03619f8b1..a7c162bba 100644 --- a/examples/complex_serialize.py +++ b/examples/complex_serialize.py @@ -20,9 +20,9 @@ from packageurl import PackageURL -from cyclonedx.builder.this import this_component as cdx_lib_component +from cyclonedx.contrib.license.factories import LicenseFactory +from cyclonedx.contrib.this.builders import this_component as cdx_lib_component from cyclonedx.exception import MissingOptionalDependencyException -from cyclonedx.factory.license import LicenseFactory from cyclonedx.model import XsUri from cyclonedx.model.bom import Bom from cyclonedx.model.component import Component, ComponentType diff --git a/tests/test_component.py b/tests/test_component.py index 05ee373f8..8e6e7e4d8 100644 --- a/tests/test_component.py +++ b/tests/test_component.py @@ -21,7 +21,7 @@ # See https://github.com/package-url/packageurl-python/issues/65 from packageurl import PackageURL -from cyclonedx._internal.hash import file_sha1sum as _file_sha1sum +from cyclonedx.contrib.component.builders import ComponentBuilder from cyclonedx.model.component import Component from tests import OWN_DATA_DIRECTORY from tests._data.models import get_component_setuptools_simple @@ -65,7 +65,7 @@ def test_purl_incorrect_name(self) -> None: def test_from_xml_file_with_path_for_bom(self) -> None: test_file = join(OWN_DATA_DIRECTORY, 'xml', '1.4', 'bom_setuptools.xml') c = Component.for_file(absolute_file_path=test_file, path_for_bom='fixtures/bom_setuptools.xml') - sha1_hash: str = _file_sha1sum(filename=test_file) + sha1_hash: str = ComponentBuilder._file_sha1sum(filename=test_file) expected_version = f'0.0.0-{sha1_hash[0:12]}' self.assertEqual(c.name, 'fixtures/bom_setuptools.xml') self.assertEqual(c.version, expected_version) diff --git a/tests/test_contrib/.gitkeep b/tests/test_contrib/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/tests/test_deserialize_json.py b/tests/test_deserialize_json.py index 14fcb953b..85f8b11aa 100644 --- a/tests/test_deserialize_json.py +++ b/tests/test_deserialize_json.py @@ -43,7 +43,7 @@ class TestDeserializeJson(TestCase, SnapshotMixin, DeepCompareMixin): @named_data(*all_get_bom_funct_valid_immut, *all_get_bom_funct_valid_reversible_migrate) - @patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') + @patch('cyclonedx.contrib.this.builders.__ThisVersion', 'TESTING') def test_prepared(self, get_bom: Callable[[], Bom], *_: Any, **__: Any) -> None: # only latest schema will have all data populated in serialized form snapshot_name = mksname(get_bom, _LATEST_SCHEMA, OutputFormat.JSON) diff --git a/tests/test_deserialize_xml.py b/tests/test_deserialize_xml.py index 12e32e5f7..8ad0f31cd 100644 --- a/tests/test_deserialize_xml.py +++ b/tests/test_deserialize_xml.py @@ -40,7 +40,7 @@ class TestDeserializeXml(TestCase, SnapshotMixin, DeepCompareMixin): @named_data(*all_get_bom_funct_valid_immut, *all_get_bom_funct_valid_reversible_migrate) - @patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') + @patch('cyclonedx.contrib.this.builders.__ThisVersion', 'TESTING') def test_prepared(self, get_bom: Callable[[], Bom], *_: Any, **__: Any) -> None: # only latest schema will have all data populated in serialized form snapshot_name = mksname(get_bom, _LATEST_SCHEMA, OutputFormat.XML) diff --git a/tests/test_factory_license.py b/tests/test_factory_license.py index 051a88b36..d381347b3 100644 --- a/tests/test_factory_license.py +++ b/tests/test_factory_license.py @@ -32,8 +32,8 @@ def test_make_from_string_with_id(self) -> None: acknowledgement = unittest.mock.NonCallableMock(spec=LicenseAcknowledgement) expected = DisjunctiveLicense(id='bar', text=text, url=url, acknowledgement=acknowledgement) - with unittest.mock.patch('cyclonedx.factory.license.spdx_fixup', return_value='bar'), \ - unittest.mock.patch('cyclonedx.factory.license.is_spdx_expression', return_value=True): + with unittest.mock.patch('cyclonedx.contrib.license.factories.spdx_fixup', return_value='bar'), \ + unittest.mock.patch('cyclonedx.contrib.license.factories.is_spdx_expression', return_value=True): actual = LicenseFactory().make_from_string('foo', license_text=text, license_url=url, @@ -47,8 +47,8 @@ def test_make_from_string_with_name(self) -> None: acknowledgement = unittest.mock.NonCallableMock(spec=LicenseAcknowledgement) expected = DisjunctiveLicense(name='foo', text=text, url=url, acknowledgement=acknowledgement) - with unittest.mock.patch('cyclonedx.factory.license.spdx_fixup', return_value=None), \ - unittest.mock.patch('cyclonedx.factory.license.is_spdx_expression', return_value=False): + with unittest.mock.patch('cyclonedx.contrib.license.factories.spdx_fixup', return_value=None), \ + unittest.mock.patch('cyclonedx.contrib.license.factories.is_spdx_expression', return_value=False): actual = LicenseFactory().make_from_string('foo', license_text=text, license_url=url, @@ -60,8 +60,8 @@ def test_make_from_string_with_expression(self) -> None: acknowledgement = unittest.mock.NonCallableMock(spec=LicenseAcknowledgement) expected = LicenseExpression('foo', acknowledgement=acknowledgement) - with unittest.mock.patch('cyclonedx.factory.license.spdx_fixup', return_value=None), \ - unittest.mock.patch('cyclonedx.factory.license.is_spdx_expression', return_value=True): + with unittest.mock.patch('cyclonedx.contrib.license.factories.spdx_fixup', return_value=None), \ + unittest.mock.patch('cyclonedx.contrib.license.factories.is_spdx_expression', return_value=True): actual = LicenseFactory().make_from_string('foo', license_acknowledgement=acknowledgement) @@ -73,14 +73,14 @@ def test_make_with_id(self) -> None: acknowledgement = unittest.mock.NonCallableMock(spec=LicenseAcknowledgement) expected = DisjunctiveLicense(id='bar', text=text, url=url, acknowledgement=acknowledgement) - with unittest.mock.patch('cyclonedx.factory.license.spdx_fixup', return_value='bar'): + with unittest.mock.patch('cyclonedx.contrib.license.factories.spdx_fixup', return_value='bar'): actual = LicenseFactory().make_with_id(spdx_id='foo', text=text, url=url, acknowledgement=acknowledgement) self.assertEqual(expected, actual) def test_make_with_id_raises(self) -> None: with self.assertRaises(InvalidSpdxLicenseException, msg='foo'): - with unittest.mock.patch('cyclonedx.factory.license.spdx_fixup', return_value=None): + with unittest.mock.patch('cyclonedx.contrib.license.factories.spdx_fixup', return_value=None): LicenseFactory().make_with_id(spdx_id='foo') def test_make_with_name(self) -> None: @@ -94,11 +94,11 @@ def test_make_with_name(self) -> None: def test_make_with_expression(self) -> None: acknowledgement = unittest.mock.NonCallableMock(spec=LicenseAcknowledgement) expected = LicenseExpression('foo', acknowledgement=acknowledgement) - with unittest.mock.patch('cyclonedx.factory.license.is_spdx_expression', return_value=True): + with unittest.mock.patch('cyclonedx.contrib.license.factories.is_spdx_expression', return_value=True): actual = LicenseFactory().make_with_expression(expression='foo', acknowledgement=acknowledgement) self.assertEqual(expected, actual) def test_make_with_expression_raises(self) -> None: with self.assertRaises(InvalidLicenseExpressionException, msg='foo'): - with unittest.mock.patch('cyclonedx.factory.license.is_spdx_expression', return_value=False): + with unittest.mock.patch('cyclonedx.contrib.license.factories.is_spdx_expression', return_value=False): LicenseFactory().make_with_expression('foo') diff --git a/tests/test_output_json.py b/tests/test_output_json.py index 0bc3f1e21..b9340a4e2 100644 --- a/tests/test_output_json.py +++ b/tests/test_output_json.py @@ -62,7 +62,7 @@ def test_unsupported_schema_raises(self, sv: SchemaVersion) -> None: and is_valid_for_schema_version(gb, sv) )) @unpack - @patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') + @patch('cyclonedx.contrib.this.builders.__ThisVersion', 'TESTING') def test_valid(self, get_bom: Callable[[], Bom], sv: SchemaVersion, *_: Any, **__: Any) -> None: snapshot_name = mksname(get_bom, sv, OutputFormat.JSON) bom = get_bom() diff --git a/tests/test_output_xml.py b/tests/test_output_xml.py index 2b1a16ee9..6e887dedb 100644 --- a/tests/test_output_xml.py +++ b/tests/test_output_xml.py @@ -49,7 +49,7 @@ class TestOutputXml(TestCase, SnapshotMixin): if is_valid_for_schema_version(gb, sv) )) @unpack - @patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') + @patch('cyclonedx.contrib.this.builders.__ThisVersion', 'TESTING') def test_valid(self, get_bom: Callable[[], Bom], sv: SchemaVersion, *_: Any, **__: Any) -> None: snapshot_name = mksname(get_bom, sv, OutputFormat.XML) if snapshot_name is None: diff --git a/tests/test_real_world_examples.py b/tests/test_real_world_examples.py index 3170e7308..232e32915 100644 --- a/tests/test_real_world_examples.py +++ b/tests/test_real_world_examples.py @@ -26,7 +26,7 @@ from tests import OWN_DATA_DIRECTORY -@patch('cyclonedx.builder.this.__ThisVersion', 'TESTING') +@patch('cyclonedx.contrib.this.builders.__ThisVersion', 'TESTING') @patch('cyclonedx.model.bom._get_now_utc', return_value=datetime.fromisoformat('2023-01-07 13:44:32.312678+00:00')) class TestDeserializeRealWorldExamples(unittest.TestCase): From 095e7c580955725d217ade1e3078c89bc49ede93 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Tue, 2 Dec 2025 12:28:21 +0000 Subject: [PATCH 51/76] chore(release): 11.6.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 14 ++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cfcd095c..fed614193 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,20 @@ +## v11.6.0 (2025-12-02) + +### Documentation + +- Update 1.7 ([#920](https://github.com/CycloneDX/cyclonedx-python-lib/pull/920), + [`7e6771b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/7e6771b0c1166d384ee438460e45794914937b6e)) + +### Features + +- Moved non‑standard implementations to Contrib area + ([#916](https://github.com/CycloneDX/cyclonedx-python-lib/pull/916), + [`15a9023`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/15a902374bc6507788853a854256d3570ab250a7)) + + ## v11.5.0 (2025-10-31) ### Features diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index a0bfe9324..7bcd52bff 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.5.0" # noqa:Q000 +__version__ = "11.6.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index cd9bc4d1b..65743848d 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.5.0' +release = '11.6.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 6d4573156..0aa4dd18e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.5.0" +version = "11.6.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From af0059d8fb6c9f8cc437f6c210487d131a6f658f Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 5 Dec 2025 12:23:15 +0100 Subject: [PATCH 52/76] docs: modernize RTF setup (#921) Signed-off-by: Jan Kowalleck --- .readthedocs.yaml | 4 ++-- docs/requirements.txt | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.readthedocs.yaml b/.readthedocs.yaml index 717f260c7..57b93e6d1 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -6,9 +6,9 @@ version: 2 # Set the version of Python and other tools you might need build: - os: ubuntu-22.04 + os: ubuntu-lts-latest tools: - python: "3.11" + python: "3.14" # You can also specify other tool versions: # nodejs: "16" # rust: "1.55" diff --git a/docs/requirements.txt b/docs/requirements.txt index 32780572e..8cd9cd5f9 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,4 +1,4 @@ m2r2>=0.3.2 -sphinx>=7.2.6,<9 -sphinx-autoapi>=3.0.0,<4 -sphinx-rtd-theme>=2.0.0,<3 +sphinx>=8,<9 +sphinx-autoapi>=3,<4 +sphinx-rtd-theme>=3,<4 From 0c747756ed1685ccec18acd3013698da0c1510e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 12:29:48 +0100 Subject: [PATCH 53/76] chore(deps): bump actions/upload-artifact from 5 to 6 (#924) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
Release notes

Sourced from actions/upload-artifact's releases.

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0

Commits
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • ddc45ed docs: update README to correct action name for Node.js 24 support
  • 615b319 chore: release v6.0.0 for Node.js 24 support
  • 017748b Merge pull request #744 from actions/fix-storage-blob
  • 38d4c79 chore: rebuild dist
  • 7d27270 chore: add missing license cache files for @​actions/core, @​actions/io, and mi...
  • 5f643d3 chore: update license files for @​actions/artifact@​5.0.1 dependencies
  • 1df1684 chore: update package-lock.json with @​actions/artifact@​5.0.1
  • b5b1a91 fix: update @​actions/artifact to ^5.0.0 for Node.js 24 punycode fix
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index a378c67e5..13aaaed99 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -239,7 +239,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} From 586edc2c4f6e78673ba576fec52c6854e6b786c6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 12:29:55 +0100 Subject: [PATCH 54/76] chore(deps): bump actions/download-artifact from 6 to 7 (#925) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7.
Release notes

Sourced from actions/download-artifact's releases.

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

New Contributors

Full Changelog: https://github.com/actions/download-artifact/compare/v6.0.0...v7.0.0

Commits
  • 37930b1 Merge pull request #452 from actions/download-artifact-v7-release
  • 72582b9 doc: update readme
  • 0d2ec9d chore: release v7.0.0 for Node.js 24 support
  • fd7ae8f Merge pull request #451 from actions/fix-storage-blob
  • d484700 chore: restore minimatch.dep.yml license file
  • 03a8080 chore: remove obsolete dependency license files
  • 56fe6d9 chore: update @​actions/artifact license file to 5.0.1
  • 8e3ebc4 chore: update package-lock.json with @​actions/artifact@​5.0.1
  • 1e3c4b4 fix: update @​actions/artifact to ^5.0.0 for Node.js 24 punycode fix
  • 458627d chore: use local @​actions/artifact package for Node.js 24 testing
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=6&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 13aaaed99..ba94897cd 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -253,7 +253,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* From 944beb3b38ae23ea795921740ef86267efa98733 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 11:23:54 +0100 Subject: [PATCH 55/76] chore(deps-dev): update mypy requirement from 1.19.0 to 1.19.1 (#929) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the requirements on [mypy](https://github.com/python/mypy) to permit the latest version.
Changelog

Sourced from mypy's changelog.

Mypy 1.19.1

  • Fix noncommutative joins with bounded TypeVars (Shantanu, PR 20345)
  • Respect output format for cached runs by serializing raw errors in cache metas (Ivan Levkivskyi, PR 20372)
  • Allow types.NoneType in match cases (A5rocks, PR 20383)
  • Fix mypyc generator regression with empty tuple (BobTheBuidler, PR 20371)
  • Fix crash involving Unpack-ed TypeVarTuple (Shantanu, PR 20323)
  • Fix crash on star import of redefinition (Ivan Levkivskyi, PR 20333)
  • Fix crash on typevar with forward ref used in other module (Ivan Levkivskyi, PR 20334)
  • Fail with an explicit error on PyPy (Ivan Levkivskyi, PR 20389)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

  • A5rocks
  • BobTheBuidler
  • bzoracler
  • Chainfire
  • Christoph Tyralla
  • David Foster
  • Frank Dana
  • Guo Ci
  • iap
  • Ivan Levkivskyi
  • James Hilton-Balfe
  • jhance
  • Joren Hammudoglu
  • Jukka Lehtosalo
  • KarelKenens
  • Kevin Kannammalil
  • Marc Mueller
  • Michael Carlstrom
  • Michael J. Sullivan
  • Piotr Sawicki
  • Randolf Scholz
  • Shantanu
  • Sigve Sebastian Farstad
  • sobolevn
  • Stanislav Terliakov
  • Stephen Morton
  • Theodore Ando
  • Thiago J. Barbalho
  • wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.18

We’ve just uploaded mypy 1.18.1 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | mypy | [>= 0.971.a, < 0.972] |
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 0aa4dd18e..5bccba5f3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -97,7 +97,7 @@ flake8-use-fstring = "1.4" pep8-naming = "0.15.1" isort = "6.1.0" autopep8 = "2.3.2" -mypy = "1.19.0" +mypy = "1.19.1" tomli = { version = "2.3.0", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" From fda79c032fdc48b342f06703069c074465bb8f0a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 22 Dec 2025 11:43:43 +0100 Subject: [PATCH 56/76] chore(deps): Update pyupgrade version to 3.21.2 (#930) might fix https://github.com/CycloneDX/cyclonedx-python-lib/actions/runs/20417619990/job/58663570418#step:6:193 --------- Signed-off-by: Jan Kowalleck --- pyproject.toml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 5bccba5f3..baef0ca3d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -102,7 +102,10 @@ tomli = { version = "2.3.0", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" bandit = "1.8.6" -pyupgrade = "3.21.0" +pyupgrade = [ + { version = "3.21.0", python = "<3.10" }, + { version = "3.21.2", python = ">=3.10" }, +] deptry = "0.23.1" # for tests, use the GPL-version of jsonschema format validators - they are faster jsonschema = { version = "*", extras = ["format"], optional=true } From de09ece53e4254200a3f79249f58a4d61b46e200 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 12 Jan 2026 14:08:24 +0100 Subject: [PATCH 57/76] chore: PR template Signed-off-by: Jan Kowalleck --- .github/PULL_REQUEST_TEMPLATE.md | 39 ++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 000000000..e19c5da37 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,39 @@ + + +### Description + + +A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context. + +Resolves or fixes issue: + +### AI Tool Disclosure + +- [ ] My contribution does not include any AI-generated content +- [ ] My contribution includes AI-generated content, as disclosed below: + - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]` + - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]` + - Prompts: `[Summarize the key prompts or instructions given to the AI tools]` + +### Affirmation + +- [ ] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines From f311b61d90707f43493b9882860691da441f4a50 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 Jan 2026 16:27:40 +0100 Subject: [PATCH 58/76] chore(ci): modernize GH ci (#932) Signed-off-by: Jan Kowalleck --- .github/workflows/python.yml | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index ba94897cd..40dfc86d9 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -180,23 +180,10 @@ jobs: - "-allExtras" - "-noExtras" exclude: - - os: macos-latest + - os: macos-latest # macos-latest is incompatible with some PY versions python-version: "3.10" - - os: macos-latest + - os: macos-latest # macos-latest is incompatible with some PY versions python-version: "3.9" - include: - - os: macos-13 - python-version: "3.10" - toxenv-factors: "-allExtras" - - os: macos-13 - python-version: "3.10" - toxenv-factors: "-noExtras" - - os: macos-13 - python-version: "3.9" - toxenv-factors: "-allExtras" - - os: macos-13 - python-version: "3.9" - toxenv-factors: "-noExtras" steps: - name: Disabled Git auto EOL CRLF transforms run: | From bf596c0ed1495bf42add39185f460605b0ecd12a Mon Sep 17 00:00:00 2001 From: Saquib Saifee Date: Fri, 27 Feb 2026 07:40:17 -0500 Subject: [PATCH 59/76] docs: Add comprehensive SBOM validation guide (#933) ### Description Adds validation documentation with practical examples for validating CycloneDX SBOMs, addressing #708. - Include practical examples for JSON and XML validation - Document error handling patterns with ValidationError inspection Resolves or fixes issue: #708 ### Affirmation - [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines --------- Signed-off-by: Saquib Saifee Signed-off-by: Saquib Saifee Co-authored-by: Jan Kowalleck --- docs/examples.rst | 8 ++ examples/complex_validation.py | 208 +++++++++++++++++++++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 examples/complex_validation.py diff --git a/docs/examples.rst b/docs/examples.rst index 2452e7d44..83bc82acd 100644 --- a/docs/examples.rst +++ b/docs/examples.rst @@ -29,3 +29,11 @@ Complex Deserialize .. literalinclude:: ../examples/complex_deserialize.py :language: python :linenos: + + +Complex Validation +------------------ + +.. literalinclude:: ../examples/complex_validation.py + :language: python + :linenos: diff --git a/examples/complex_validation.py b/examples/complex_validation.py new file mode 100644 index 000000000..5b094cc53 --- /dev/null +++ b/examples/complex_validation.py @@ -0,0 +1,208 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +import json +import sys +from typing import TYPE_CHECKING, Optional + +from cyclonedx.exception import MissingOptionalDependencyException +from cyclonedx.schema import OutputFormat, SchemaVersion +from cyclonedx.validation import make_schemabased_validator + +if TYPE_CHECKING: + from cyclonedx.validation.json import JsonValidator + from cyclonedx.validation.xml import XmlValidator + +""" +This example demonstrates how to validate CycloneDX documents (both JSON and XML). +Make sure to have the needed dependencies installed - install the library's extra 'validation' for that. +""" + +# region Sample SBOMs + +JSON_SBOM = """ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "version": 1, + "metadata": { + "component": { + "type": "application", + "name": "my-app", + "version": "1.0.0" + } + }, + "components": [] +} +""" + +XML_SBOM = """ + + + + my-app + 1.0.0 + + + +""" + +INVALID_JSON_SBOM = """ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "metadata": { + "component": { + "type": "invalid-type", + "name": "my-app" + } + } +} +""" +# endregion Sample SBOMs + + +# region JSON Validation + +print('--- JSON Validation ---') + +# Create a JSON validator for a specific schema version +json_validator: 'JsonValidator' = make_schemabased_validator(OutputFormat.JSON, SchemaVersion.V1_5) + +# 1. Validate valid SBOM +try: + validation_errors = json_validator.validate_str(JSON_SBOM) +except MissingOptionalDependencyException as error: + print('JSON validation was skipped:', error) +else: + if validation_errors: + print('JSON SBOM is unexpectedly invalid!', file=sys.stderr) + else: + print('JSON SBOM is valid') + + # 2. Validate invalid SBOM and inspect details + print('\nChecking invalid JSON SBOM...') + try: + validation_errors = json_validator.validate_str(INVALID_JSON_SBOM) + except MissingOptionalDependencyException as error: + print('JSON validation was skipped:', error) + else: + if validation_errors: + print('Validation failed as expected.') + print(f'Error Message: {validation_errors.data.message}') + print(f'JSON Path: {validation_errors.data.json_path}') + print(f'Invalid Data: {validation_errors.data.instance}') + +# endregion JSON Validation + + +print('\n' + '=' * 30 + '\n') + + +# region XML Validation + +print('--- XML Validation ---') + +xml_validator: 'XmlValidator' = make_schemabased_validator(OutputFormat.XML, SchemaVersion.V1_5) + +try: + xml_validation_errors = xml_validator.validate_str(XML_SBOM) + if xml_validation_errors: + print('XML SBOM is invalid!', file=sys.stderr) + else: + print('XML SBOM is valid') +except MissingOptionalDependencyException as error: + print('XML validation was skipped:', error) + +# endregion XML Validation + + +print('\n' + '=' * 30 + '\n') + + +# region Dynamic version detection + +print('--- Dynamic Validation ---') + + +def _detect_json_format(raw_data: str) -> Optional[tuple[OutputFormat, SchemaVersion]]: + """Detect JSON format and extract schema version.""" + try: + data = json.loads(raw_data) + except json.JSONDecodeError: + return None + + spec_version_str = data.get('specVersion') + try: + schema_version = SchemaVersion.from_version(spec_version_str) + except Exception: + print('failed to detect schema_version from', repr(spec_version_str), file=sys.stderr) + return None + return (OutputFormat.JSON, schema_version) + + +def _detect_xml_format(raw_data: str) -> Optional[tuple[OutputFormat, SchemaVersion]]: + try: + from lxml import etree # type: ignore[import-untyped] + except ImportError: + return None + + try: + xml_tree = etree.fromstring(raw_data.encode('utf-8')) + except etree.XMLSyntaxError: + return None + + for ns in xml_tree.nsmap.values(): + if ns and ns.startswith('http://cyclonedx.org/schema/bom/'): + version_str = ns.split('/')[-1] + try: + return (OutputFormat.XML, SchemaVersion.from_version(version_str)) + except Exception: + print('failed to detect schema_version from namespace', repr(ns), file=sys.stderr) + return None + + print('failed to detect CycloneDX namespace in XML document', file=sys.stderr) + return None + + +def validate_sbom(raw_data: str) -> bool: + """Validate an SBOM by detecting its format and version.""" + # Detect format and version + format_info = _detect_json_format(raw_data) or _detect_xml_format(raw_data) + if not format_info: + return False + + input_format, schema_version = format_info + try: + validator = make_schemabased_validator(input_format, schema_version) + errors = validator.validate_str(raw_data) + if errors: + print(f'Validation failed ({input_format.name} {schema_version.to_version()}): {errors}', + file=sys.stderr) + return False + print(f'Valid {input_format.name} SBOM (schema {schema_version.to_version()})') + return True + except MissingOptionalDependencyException as e: + print(f'Validation skipped (missing dependencies): {e}') + return False + + +# Execute dynamic validation +validate_sbom(JSON_SBOM) +validate_sbom(XML_SBOM) + +# endregion Dynamic version detection From 8a6efce21096ce5eb94035c7e91248f7ab1caf24 Mon Sep 17 00:00:00 2001 From: Saquib Saifee Date: Sat, 28 Feb 2026 15:46:15 -0500 Subject: [PATCH 60/76] feat(validation): provide useful structured validation errors --- cyclonedx/validation/__init__.py | 15 ++++++++++++--- cyclonedx/validation/json.py | 17 +++++++++++++++-- cyclonedx/validation/xml.py | 3 +-- tests/test_validation_json.py | 26 ++++++++++++++++++++++++++ tests/test_validation_xml.py | 14 ++++++++++++++ 5 files changed, 68 insertions(+), 7 deletions(-) diff --git a/cyclonedx/validation/__init__.py b/cyclonedx/validation/__init__.py index 7ff3b8823..a3701ab2c 100644 --- a/cyclonedx/validation/__init__.py +++ b/cyclonedx/validation/__init__.py @@ -37,14 +37,23 @@ class ValidationError: data: Any """Raw error data from one of the underlying validation methods.""" - def __init__(self, data: Any) -> None: + message: str + """Human-readable error message suitable for end-user presentation.""" + + path: tuple[Union[str, int], ...] + """Path to the offending value if known.""" + + def __init__(self, data: Any, *, message: Optional[str] = None, + path: Iterable[Union[str, int]] = ()) -> None: self.data = data + self.message = str(data) if message is None else message + self.path = tuple(path) def __repr__(self) -> str: - return repr(self.data) + return f'{self.__class__.__name__}(message={self.message!r}, path={self.path!r})' def __str__(self) -> str: - return str(self.data) + return self.message class SchemabasedValidator(Protocol): diff --git a/cyclonedx/validation/json.py b/cyclonedx/validation/json.py index 6431df57a..d5f197cf8 100644 --- a/cyclonedx/validation/json.py +++ b/cyclonedx/validation/json.py @@ -56,11 +56,24 @@ class JsonValidationError(ValidationError): + @classmethod + def __get_most_relevant_jsve(cls, e: 'JsonSchemaValidationError') -> 'JsonSchemaValidationError': + if not e.context: + return e + # nested `context` errors generally provide more useful details than + # generic parent messages, e.g. for oneOf/anyOf checks. + child = max(e.context, key=lambda ce: len(ce.absolute_path)) + return cls.__get_most_relevant_jsve(child) + @classmethod def _make_from_jsve(cls, e: 'JsonSchemaValidationError') -> 'JsonValidationError': """⚠️ This is an internal API. It is not part of the public interface and may change without notice.""" - # in preparation for https://github.com/CycloneDX/cyclonedx-python-lib/pull/836 - return cls(e) + useful = cls.__get_most_relevant_jsve(e) + return cls( + e, + message=useful.message, + path=tuple(useful.absolute_path) + ) class _BaseJsonValidator(BaseSchemabasedValidator, ABC): diff --git a/cyclonedx/validation/xml.py b/cyclonedx/validation/xml.py index 14f528088..1ac12981b 100644 --- a/cyclonedx/validation/xml.py +++ b/cyclonedx/validation/xml.py @@ -51,8 +51,7 @@ class XmlValidationError(ValidationError): @classmethod def _make_from_xle(cls, e: '_XmlLogEntry') -> 'XmlValidationError': """⚠️ This is an internal API. It is not part of the public interface and may change without notice.""" - # in preparation for https://github.com/CycloneDX/cyclonedx-python-lib/pull/836 - return cls(e) + return cls(e, message=e.message, path=(e.path,) if e.path else ()) class _BaseXmlValidator(BaseSchemabasedValidator, ABC): diff --git a/tests/test_validation_json.py b/tests/test_validation_json.py index 48cfa1b68..181ee584b 100644 --- a/tests/test_validation_json.py +++ b/tests/test_validation_json.py @@ -113,6 +113,32 @@ def test_validate_expected_error_iterator(self, schema_version: SchemaVersion, t self.assertIsNotNone(validation_error.data) + + def test_validation_error_has_useful_message_and_path(self) -> None: + validator = JsonValidator(SchemaVersion.V1_6) + test_data = '{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "metadata": {"timestamp": true}}' + try: + validation_error = validator.validate_str(test_data) + except MissingOptionalDependencyException: + self.skipTest('MissingOptionalDependencyException') + self.assertIsNotNone(validation_error) + assert validation_error is not None + self.assertTrue(validation_error.message) + self.assertEqual(('metadata', 'timestamp'), validation_error.path) + self.assertNotEqual(str(validation_error.data), str(validation_error)) + + def test_validation_error_prefers_nested_context_message(self) -> None: + validator = JsonValidator(SchemaVersion.V1_6) + test_data = '{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [{"type": "library", "name": "demo", "version": 1}]}' + try: + validation_error = validator.validate_str(test_data) + except MissingOptionalDependencyException: + self.skipTest('MissingOptionalDependencyException') + self.assertIsNotNone(validation_error) + assert validation_error is not None + self.assertEqual(('components', 0, 'version'), validation_error.path) + self.assertIn('is not of type', validation_error.message) + @ddt class TestJsonStrictValidator(TestCase): diff --git a/tests/test_validation_xml.py b/tests/test_validation_xml.py index 2565a85ad..3f71f1827 100644 --- a/tests/test_validation_xml.py +++ b/tests/test_validation_xml.py @@ -111,3 +111,17 @@ def test_validate_expected_error_iterator(self, schema_version: SchemaVersion, t self.assertGreater(len(validation_errors), 0) for validation_error in validation_errors: self.assertIsNotNone(validation_error.data) + + def test_validation_error_has_useful_message_and_path(self) -> None: + validator = XmlValidator(SchemaVersion.V1_6) + test_data = 'not-a-date' + try: + validation_error = validator.validate_str(test_data) + except MissingOptionalDependencyException: + self.skipTest('MissingOptionalDependencyException') + self.assertIsNotNone(validation_error) + assert validation_error is not None + self.assertTrue(validation_error.message) + self.assertTrue(validation_error.path) + self.assertNotEqual(str(validation_error.data), str(validation_error)) + From 44f127351858504a5373c2c11e0108a64812eea6 Mon Sep 17 00:00:00 2001 From: Stefan <96178532+stefan6419846@users.noreply.github.com> Date: Fri, 6 Mar 2026 14:35:49 +0100 Subject: [PATCH 61/76] Fix signing command in contribution guide (#943) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description The correct parameter name is `--signoff` as per the official docs: https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s Otherwise, it is frustrating for occasional or first-time contributors to be told to use parameters which the standard tools do not understand. Additionally fixes a casing typo I stumbled upon when reading the document. Resolves or fixes issue: none ### AI Tool Disclosure - [x] My contribution does not include any AI-generated content - [ ] My contribution includes AI-generated content, as disclosed below: - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]` - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]` - Prompts: `[Summarize the key prompts or instructions given to the AI tools]` ### Affirmation - [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines Signed-off-by: stefan6419846 <96178532+stefan6419846@users.noreply.github.com> --- CONTRIBUTING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 998da4889..ffa914d2f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -21,7 +21,7 @@ poetry install --all-extras ## Code style -THis project loves latest python features. +This project loves latest python features. This project loves sorted imports. This project uses [PEP8] Style Guide for Python Code. @@ -67,7 +67,7 @@ Please sign off your commits, to show that you agree to publish your changes und , and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/). ```shell -git commit --signed-off ... +git commit --signoff ... ``` ## Pre-commit hooks From 6460b71b5189a10819e539f1315a7c05b9b7e40e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 13 Mar 2026 11:25:07 +0100 Subject: [PATCH 62/76] docs: docstrings for schema version classes (#946) Signed-off-by: Jan Kowalleck --- cyclonedx/schema/schema.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/cyclonedx/schema/schema.py b/cyclonedx/schema/schema.py index 3be105619..a05f77de6 100644 --- a/cyclonedx/schema/schema.py +++ b/cyclonedx/schema/schema.py @@ -23,8 +23,8 @@ from . import SchemaVersion -class BaseSchemaVersion(ABC, ViewType): - +class BaseSchemaVersion(ViewType, ABC): + """Base class for schema version views.""" @property @abstractmethod def schema_version_enum(self) -> SchemaVersion: @@ -35,56 +35,56 @@ def get_schema_version(self) -> str: class SchemaVersion1Dot7(BaseSchemaVersion): - + """Schema version views 1.7""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_7]: return SchemaVersion.V1_7 class SchemaVersion1Dot6(BaseSchemaVersion): - + """Schema version views 1.6""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_6]: return SchemaVersion.V1_6 class SchemaVersion1Dot5(BaseSchemaVersion): - + """Schema version views 1.5""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_5]: return SchemaVersion.V1_5 class SchemaVersion1Dot4(BaseSchemaVersion): - + """Schema version views 1.4""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_4]: return SchemaVersion.V1_4 class SchemaVersion1Dot3(BaseSchemaVersion): - + """Schema version views 1.3""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_3]: return SchemaVersion.V1_3 class SchemaVersion1Dot2(BaseSchemaVersion): - + """Schema version views 1.2""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_2]: return SchemaVersion.V1_2 class SchemaVersion1Dot1(BaseSchemaVersion): - + """Schema version views 1.1""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_1]: return SchemaVersion.V1_1 class SchemaVersion1Dot0(BaseSchemaVersion): - + """Schema version views 1.0""" @property def schema_version_enum(self) -> Literal[SchemaVersion.V1_0]: return SchemaVersion.V1_0 From 71edacfaf5c46088d0ca08196b7c858ff39a23b5 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 17 Mar 2026 10:23:04 +0100 Subject: [PATCH 63/76] feat: make schema deprecation warnings handle-able (#945) Signed-off-by: Jan Kowalleck --- cyclonedx/model/bom.py | 6 +- cyclonedx/model/component.py | 7 +- cyclonedx/model/tool.py | 6 +- cyclonedx/schema/deprecation.py | 129 ++++++++++++++++++++++++++++++++ examples/complex_deserialize.py | 14 +++- 5 files changed, 146 insertions(+), 16 deletions(-) create mode 100644 cyclonedx/schema/deprecation.py diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 08e838773..7cb0081e9 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -30,6 +30,7 @@ from .._internal.compare import ComparableTuple as _ComparableTuple from .._internal.time import get_now_utc as _get_now_utc from ..exception.model import LicenseExpressionAlongWithOthersException, UnknownComponentDependencyException +from ..schema.deprecation import SchemaDeprecationWarning1Dot6 from ..schema.schema import ( SchemaVersion1Dot0, SchemaVersion1Dot1, @@ -291,10 +292,7 @@ def manufacture(self, manufacture: Optional[OrganizationalEntity]) -> None: we should set this data on `.component.manufacturer`. """ if manufacture is not None: - warn( - '`bom.metadata.manufacture` is deprecated from CycloneDX v1.6 onwards. ' - 'Please use `bom.metadata.component.manufacturer` instead.', - DeprecationWarning) + SchemaDeprecationWarning1Dot6._warn('bom.metadata.manufacture', 'bom.metadata.component.manufacturer') self._manufacture = manufacture @property diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index 47702ed00..09031eef7 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -40,6 +40,7 @@ SerializationOfUnexpectedValueException, SerializationOfUnsupportedComponentTypeException, ) +from ..schema.deprecation import SchemaDeprecationWarning1Dot3, SchemaDeprecationWarning1Dot6 from ..schema.schema import ( SchemaVersion1Dot0, SchemaVersion1Dot1, @@ -1185,8 +1186,7 @@ def author(self) -> Optional[str]: @author.setter def author(self, author: Optional[str]) -> None: if author is not None: - warn('`@.author` is deprecated from CycloneDX v1.6 onwards. ' - 'Please use `@.authors` or `@.manufacturer` instead.', DeprecationWarning) + SchemaDeprecationWarning1Dot6._warn('@.author', '@.authors` or `@.manufacturer') self._author = author @property @@ -1467,8 +1467,7 @@ def modified(self) -> bool: @modified.setter def modified(self, modified: bool) -> None: if modified: - warn('`@.modified` is deprecated from CycloneDX v1.3 onwards. ' - 'Please use `@.pedigree` instead.', DeprecationWarning) + SchemaDeprecationWarning1Dot3._warn('@.modified', '@.pedigree') self._modified = modified @property diff --git a/cyclonedx/model/tool.py b/cyclonedx/model/tool.py index 5ef648c71..d900e2854 100644 --- a/cyclonedx/model/tool.py +++ b/cyclonedx/model/tool.py @@ -19,7 +19,6 @@ from collections.abc import Iterable from itertools import chain from typing import TYPE_CHECKING, Any, Optional, Union -from warnings import warn from xml.etree.ElementTree import Element # nosec B405 import py_serializable as serializable @@ -28,6 +27,7 @@ from .._internal.compare import ComparableTuple as _ComparableTuple from ..schema import SchemaVersion +from ..schema.deprecation import SchemaDeprecationWarning1Dot5 from ..schema.schema import SchemaVersion1Dot4, SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 from . import ExternalReference, HashType, _HashTypeRepositorySerializationHelper from .component import Component @@ -240,9 +240,7 @@ def tools(self) -> 'SortedSet[Tool]': @tools.setter def tools(self, tools: Iterable[Tool]) -> None: if tools: - warn('`@.tools` is deprecated from CycloneDX v1.5 onwards. ' - 'Please use `@.components` and `@.services` instead.', - DeprecationWarning) + SchemaDeprecationWarning1Dot5._warn('@.tools', '@.components` and `@.services') self._tools = SortedSet(tools) def __len__(self) -> int: diff --git a/cyclonedx/schema/deprecation.py b/cyclonedx/schema/deprecation.py new file mode 100644 index 000000000..d42821cad --- /dev/null +++ b/cyclonedx/schema/deprecation.py @@ -0,0 +1,129 @@ +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + + +""" +CycloneDX Schema Deprecation Warnings +===================================== + +This module provides warning classes for deprecated features in CycloneDX schemas. +Each warning class corresponds to a specific schema version, enabling downstream +code to catch, filter, or otherwise handle schema-specific deprecation warnings. + +Intended Usage +-------------- + +Downstream consumers can manage warnings using Python's ``warnings`` module. +Common scenarios include: + +- Filtering by schema version +- Suppressing warnings in tests or batch processing +- Logging or reporting deprecation warnings without raising exceptions + +Example +------- + +.. code-block:: python + + import warnings + from cyclonedx.schema.deprecation import ( + BaseSchemaDeprecationWarning, + SchemaDeprecationWarning1Dot7, + ) + + # Suppress all CycloneDX schema deprecation warnings + warnings.filterwarnings("ignore", category=BaseSchemaDeprecationWarning) + + # Suppress only warnings specific to schema version 1.7 + warnings.filterwarnings("ignore", category=SchemaDeprecationWarning1Dot7) + +Notes +----- + +- All deprecation warnings inherit from :class:`BaseSchemaDeprecationWarning`. +- The ``SCHEMA_VERSION`` class variable indicates the CycloneDX schema version + where the feature became deprecated. +- These warning classes are designed for downstream **filtering and logging**, + not for raising exceptions. +""" + + +from abc import ABC +from typing import ClassVar, Literal, Optional +from warnings import warn + +from . import SchemaVersion + +__all__ = [ + 'BaseSchemaDeprecationWarning', + 'SchemaDeprecationWarning1Dot1', + 'SchemaDeprecationWarning1Dot2', + 'SchemaDeprecationWarning1Dot3', + 'SchemaDeprecationWarning1Dot4', + 'SchemaDeprecationWarning1Dot5', + 'SchemaDeprecationWarning1Dot6', + 'SchemaDeprecationWarning1Dot7', +] + + +class BaseSchemaDeprecationWarning(DeprecationWarning, ABC): + """Base class for warnings about deprecated schema features.""" + + SCHEMA_VERSION: ClassVar[SchemaVersion] + + @classmethod + def _warn(cls, deprecated: str, instead: Optional[str] = None, *, stacklevel: int = 1) -> None: + """Internal API. Not part of the public interface.""" + msg = f'`{deprecated}` is deprecated from CycloneDX v{cls.SCHEMA_VERSION.to_version()} onwards.' + if instead: + msg += f' Please use `{instead}` instead.' + warn(msg, category=cls, stacklevel=stacklevel + 1) + + +class SchemaDeprecationWarning1Dot7(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.7""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_7]] = SchemaVersion.V1_7 + + +class SchemaDeprecationWarning1Dot6(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.6""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_6]] = SchemaVersion.V1_6 + + +class SchemaDeprecationWarning1Dot5(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.5""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_5]] = SchemaVersion.V1_5 + + +class SchemaDeprecationWarning1Dot4(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.4""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_4]] = SchemaVersion.V1_4 + + +class SchemaDeprecationWarning1Dot3(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.3""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_3]] = SchemaVersion.V1_3 + + +class SchemaDeprecationWarning1Dot2(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.2""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_2]] = SchemaVersion.V1_2 + + +class SchemaDeprecationWarning1Dot1(BaseSchemaDeprecationWarning): + """Class for warnings about deprecated schema features in CycloneDX 1.1""" + SCHEMA_VERSION: ClassVar[Literal[SchemaVersion.V1_1]] = SchemaVersion.V1_1 diff --git a/examples/complex_deserialize.py b/examples/complex_deserialize.py index ffe595a8b..39bb505f7 100644 --- a/examples/complex_deserialize.py +++ b/examples/complex_deserialize.py @@ -16,6 +16,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. import sys +import warnings from json import loads as json_loads from typing import TYPE_CHECKING @@ -24,6 +25,7 @@ from cyclonedx.exception import MissingOptionalDependencyException from cyclonedx.model.bom import Bom from cyclonedx.schema import OutputFormat, SchemaVersion +from cyclonedx.schema.deprecation import BaseSchemaDeprecationWarning from cyclonedx.validation import make_schemabased_validator from cyclonedx.validation.json import JsonStrictValidator @@ -154,8 +156,10 @@ print('JSON valid') except MissingOptionalDependencyException as error: print('JSON-validation was skipped due to', error) -bom_from_json = Bom.from_json( # type: ignore[attr-defined] - json_loads(json_data)) +with warnings.catch_warnings(): + warnings.filterwarnings('ignore', category=BaseSchemaDeprecationWarning) + bom_from_json = Bom.from_json( # type: ignore[attr-defined] + json_loads(json_data)) print('bom_from_json', repr(bom_from_json)) # endregion JSON @@ -255,8 +259,10 @@ print('XML valid') except MissingOptionalDependencyException as error: print('XML-validation was skipped due to', error) -bom_from_xml = Bom.from_xml( # type: ignore[attr-defined] - SafeElementTree.fromstring(xml_data)) +with warnings.catch_warnings(): + warnings.filterwarnings('ignore', category=BaseSchemaDeprecationWarning) + bom_from_xml = Bom.from_xml( # type: ignore[attr-defined] + SafeElementTree.fromstring(xml_data)) print('bom_from_xml', repr(bom_from_xml)) # endregion XML From 375d209c738473ea2815fc4cb36806563be41e2e Mon Sep 17 00:00:00 2001 From: Peter Schuster Date: Tue, 17 Mar 2026 15:42:53 +0100 Subject: [PATCH 64/76] feat: add properties for licenses according to CycloneDX 1.5 (#947) This change adds properties to DisjunctiveLicense according to CycloneDX v1.5 Related to / implements a part of issue #578 ---- ### AI Tool Disclosure - [x] My contribution does not include any AI-generated content - [ ] My contribution includes AI-generated content, as disclosed below: - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]` - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]` - Prompts: `[Summarize the key prompts or instructions given to the AI tools]` ### Affirmation - [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines Signed-off-by: Peter Schuster --- cyclonedx/model/license.py | 36 ++++++++++++------- tests/_data/models.py | 8 +++++ .../get_bom_with_licenses-1.0.xml.bin | 5 +++ .../get_bom_with_licenses-1.1.xml.bin | 12 +++++++ .../get_bom_with_licenses-1.2.json.bin | 21 +++++++++++ .../get_bom_with_licenses-1.2.xml.bin | 13 +++++++ .../get_bom_with_licenses-1.3.json.bin | 21 +++++++++++ .../get_bom_with_licenses-1.3.xml.bin | 13 +++++++ .../get_bom_with_licenses-1.4.json.bin | 20 +++++++++++ .../get_bom_with_licenses-1.4.xml.bin | 12 +++++++ .../get_bom_with_licenses-1.5.json.bin | 36 +++++++++++++++++++ .../get_bom_with_licenses-1.5.xml.bin | 19 ++++++++++ .../get_bom_with_licenses-1.6.json.bin | 36 +++++++++++++++++++ .../get_bom_with_licenses-1.6.xml.bin | 19 ++++++++++ .../get_bom_with_licenses-1.7.json.bin | 36 +++++++++++++++++++ .../get_bom_with_licenses-1.7.xml.bin | 19 ++++++++++ tests/test_model_license.py | 20 ++++++++++- 17 files changed, 333 insertions(+), 13 deletions(-) diff --git a/cyclonedx/model/license.py b/cyclonedx/model/license.py index 9d32160e2..b6e36f571 100644 --- a/cyclonedx/model/license.py +++ b/cyclonedx/model/license.py @@ -20,6 +20,7 @@ License related things """ +from collections.abc import Iterable from enum import Enum from json import loads as json_loads from typing import TYPE_CHECKING, Any, Optional, Union @@ -34,7 +35,7 @@ from ..exception.model import MutuallyExclusivePropertiesException from ..exception.serialization import CycloneDxDeserializationException from ..schema.schema import SchemaVersion1Dot5, SchemaVersion1Dot6, SchemaVersion1Dot7 -from . import AttachedText, XsUri +from . import AttachedText, Property, XsUri from .bom_ref import BomRef @@ -85,6 +86,7 @@ def __init__( id: Optional[str] = None, name: Optional[str] = None, text: Optional[AttachedText] = None, url: Optional[XsUri] = None, acknowledgement: Optional[LicenseAcknowledgement] = None, + properties: Optional[Iterable[Property]] = None, ) -> None: if not id and not name: raise MutuallyExclusivePropertiesException('Either `id` or `name` MUST be supplied') @@ -99,6 +101,7 @@ def __init__( self._text = text self._url = url self._acknowledgement = acknowledgement + self._properties = SortedSet(properties or []) @property @serializable.view(SchemaVersion1Dot5) @@ -200,17 +203,25 @@ def url(self, url: Optional[XsUri]) -> None: # def licensing(self, ...) -> None: # ... # TODO since CDX1.5 - # @property - # ... - # @serializable.view(SchemaVersion1Dot5) - # @serializable.view(SchemaVersion1Dot6) - # @serializable.xml_sequence(6) - # def properties(self) -> ...: - # ... # TODO since CDX1.5 - # - # @licensing.setter - # def properties(self, ...) -> None: - # ... # TODO since CDX1.5 + @property + @serializable.view(SchemaVersion1Dot5) + @serializable.view(SchemaVersion1Dot6) + @serializable.view(SchemaVersion1Dot7) + @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'property') + @serializable.xml_sequence(6) + def properties(self) -> 'SortedSet[Property]': + """ + Provides the ability to document properties in a key/value store. This provides flexibility to include data not + officially supported in the standard without having to use additional namespaces or create extensions. + + Return: + Set of `Property` + """ + return self._properties + + @properties.setter + def properties(self, properties: Iterable[Property]) -> None: + self._properties = SortedSet(properties) @property @serializable.view(SchemaVersion1Dot6) @@ -245,6 +256,7 @@ def __comparable_tuple(self) -> _ComparableTuple: self._url, self._text, self._bom_ref.value, + _ComparableTuple(self._properties), )) def __eq__(self, other: object) -> bool: diff --git a/tests/_data/models.py b/tests/_data/models.py index 43d62570e..55a5cdb9a 100644 --- a/tests/_data/models.py +++ b/tests/_data/models.py @@ -1082,6 +1082,14 @@ def get_bom_with_licenses() -> Bom: DisjunctiveLicense(name='some additional', text=AttachedText(content='this is additional license text')), ]), + Component(name='c-with-license-properties', type=ComponentType.LIBRARY, bom_ref='C4', + licenses=[ + DisjunctiveLicense(id='Apache-2.0', + properties=[Property(name='key1', value='val1'), + Property(name='key2', value='val2')]), + DisjunctiveLicense(name='some other license', + properties=[Property(name='myname', value='proprietary')]), + ]), ], services=[ Service(name='s-with-expression', bom_ref='S1', diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin index 1b308eafe..89f5c8166 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.0.xml.bin @@ -11,6 +11,11 @@ false + + c-with-license-properties + + false + c-with-name diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin index e6f6adcaa..5519f41aa 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.1.xml.bin @@ -18,6 +18,18 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + + Apache-2.0 + + + some other license + + + c-with-name diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin index c88a0812a..e016afff5 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.2.json.bin @@ -25,6 +25,24 @@ "type": "library", "version": "" }, + { + "bom-ref": "C4", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "name": "some other license" + } + } + ], + "name": "c-with-license-properties", + "type": "library", + "version": "" + }, { "bom-ref": "C3", "licenses": [ @@ -62,6 +80,9 @@ { "ref": "C3" }, + { + "ref": "C4" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin index 996e5716f..85a4054ed 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.2.xml.bin @@ -30,6 +30,18 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + + Apache-2.0 + + + some other license + + + c-with-name @@ -79,6 +91,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin index a5407c588..46c9b296d 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.3.json.bin @@ -25,6 +25,24 @@ "type": "library", "version": "" }, + { + "bom-ref": "C4", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "name": "some other license" + } + } + ], + "name": "c-with-license-properties", + "type": "library", + "version": "" + }, { "bom-ref": "C3", "licenses": [ @@ -62,6 +80,9 @@ { "ref": "C3" }, + { + "ref": "C4" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin index 1b53ee51e..5a5ab04d0 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.3.xml.bin @@ -35,6 +35,18 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + + Apache-2.0 + + + some other license + + + c-with-name @@ -84,6 +96,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin index a082d8a3d..c084a6934 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.4.json.bin @@ -23,6 +23,23 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C4", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "name": "some other license" + } + } + ], + "name": "c-with-license-properties", + "type": "library" + }, { "bom-ref": "C3", "licenses": [ @@ -59,6 +76,9 @@ { "ref": "C3" }, + { + "ref": "C4" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin index 6d81479e8..7a3131097 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.4.xml.bin @@ -32,6 +32,17 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + Apache-2.0 + + + some other license + + + c-with-name @@ -80,6 +91,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin index a8b28b10a..b4d897131 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.5.json.bin @@ -23,6 +23,39 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C4", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + } + }, + { + "license": { + "name": "some other license", + "properties": [ + { + "name": "myname", + "value": "proprietary" + } + ] + } + } + ], + "name": "c-with-license-properties", + "type": "library" + }, { "bom-ref": "C3", "licenses": [ @@ -59,6 +92,9 @@ { "ref": "C3" }, + { + "ref": "C4" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin index fc2bedfd2..4cb534ccc 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.5.xml.bin @@ -32,6 +32,24 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + Apache-2.0 + + val1 + val2 + + + + some other license + + proprietary + + + + c-with-name @@ -80,6 +98,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin index 4e6ef33ff..e626d7bbb 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.6.json.bin @@ -25,6 +25,39 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C4", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + } + }, + { + "license": { + "name": "some other license", + "properties": [ + { + "name": "myname", + "value": "proprietary" + } + ] + } + } + ], + "name": "c-with-license-properties", + "type": "library" + }, { "bom-ref": "C3", "licenses": [ @@ -61,6 +94,9 @@ { "ref": "C3" }, + { + "ref": "C4" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin index 49b31f469..527a1ce3a 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.6.xml.bin @@ -32,6 +32,24 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + Apache-2.0 + + val1 + val2 + + + + some other license + + proprietary + + + + c-with-name @@ -80,6 +98,7 @@ + diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin index f095a4692..4f5e710ab 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.json.bin @@ -25,6 +25,39 @@ "name": "c-with-expression", "type": "library" }, + { + "bom-ref": "C4", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + } + }, + { + "license": { + "name": "some other license", + "properties": [ + { + "name": "myname", + "value": "proprietary" + } + ] + } + } + ], + "name": "c-with-license-properties", + "type": "library" + }, { "bom-ref": "C3", "licenses": [ @@ -61,6 +94,9 @@ { "ref": "C3" }, + { + "ref": "C4" + }, { "ref": "S1" }, diff --git a/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin index b9e91e6db..8b28e1972 100644 --- a/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin +++ b/tests/_data/snapshots/get_bom_with_licenses-1.7.xml.bin @@ -32,6 +32,24 @@ Apache-2.0 OR MIT + + c-with-license-properties + + + Apache-2.0 + + val1 + val2 + + + + some other license + + proprietary + + + + c-with-name @@ -80,6 +98,7 @@ + diff --git a/tests/test_model_license.py b/tests/test_model_license.py index 11443e485..a21b8741e 100644 --- a/tests/test_model_license.py +++ b/tests/test_model_license.py @@ -21,7 +21,7 @@ from unittest.mock import MagicMock from cyclonedx.exception.model import MutuallyExclusivePropertiesException -from cyclonedx.model import AttachedText, XsUri +from cyclonedx.model import AttachedText, Property, XsUri from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression from tests import reorder @@ -81,6 +81,24 @@ def test_equal(self) -> None: self.assertNotEqual(a, c) self.assertNotEqual(a, 'foo') + def test_create_with_properties(self) -> None: + properties = [Property(name='key1', value='value1')] + license = DisjunctiveLicense(id='MIT', properties=properties) + self.assertEqual(1, len(license.properties)) + + def test_set_properties(self) -> None: + license = DisjunctiveLicense(id='MIT') + self.assertEqual(0, len(license.properties)) + license.properties = [Property(name='key1', value='value1')] + self.assertEqual(1, len(license.properties)) + + def test_equal_with_properties(self) -> None: + a = DisjunctiveLicense(id='MIT', properties=[Property(name='key1', value='value1')]) + b = DisjunctiveLicense(id='MIT', properties=[Property(name='key1', value='value1')]) + c = DisjunctiveLicense(id='MIT') + self.assertEqual(a, b) + self.assertNotEqual(a, c) + class TestModelLicenseExpression(TestCase): def test_create(self) -> None: From ec2f6041f1ac6736410e7289ec8f294b6b8829d9 Mon Sep 17 00:00:00 2001 From: Peter Schuster Date: Tue, 17 Mar 2026 15:49:06 +0100 Subject: [PATCH 65/76] chore: force tox environment to utf8 (#949) Signed-off-by: Peter Schuster --- tox.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/tox.ini b/tox.ini index d3317c06d..af228b75a 100644 --- a/tox.ini +++ b/tox.ini @@ -27,6 +27,7 @@ commands_pre = commands = poetry run coverage run --source=cyclonedx -m unittest discover -t . -s tests -v setenv = + PYTHONUTF8=1 PYTHONHASHSEED=0 CDX_TEST_RECREATE_SNAPSHOTS={env:CDX_TEST_RECREATE_SNAPSHOTS:} From 3ccfa4fa4e502d8e5781ab95cd0c31bf61c42b12 Mon Sep 17 00:00:00 2001 From: semantic-release Date: Tue, 17 Mar 2026 15:18:48 +0000 Subject: [PATCH 66/76] chore(release): 11.7.0 Automatically generated by python-semantic-release Signed-off-by: semantic-release --- CHANGELOG.md | 26 ++++++++++++++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fed614193..86d6a8728 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,32 @@ +## v11.7.0 (2026-03-17) + +### Documentation + +- Add comprehensive SBOM validation guide + ([#933](https://github.com/CycloneDX/cyclonedx-python-lib/pull/933), + [`bf596c0`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/bf596c0ed1495bf42add39185f460605b0ecd12a)) + +- Docstrings for schema version classes + ([#946](https://github.com/CycloneDX/cyclonedx-python-lib/pull/946), + [`6460b71`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/6460b71b5189a10819e539f1315a7c05b9b7e40e)) + +- Modernize RTF setup ([#921](https://github.com/CycloneDX/cyclonedx-python-lib/pull/921), + [`af0059d`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/af0059d8fb6c9f8cc437f6c210487d131a6f658f)) + +### Features + +- Add properties for licenses according to CycloneDX 1.5 + ([#947](https://github.com/CycloneDX/cyclonedx-python-lib/pull/947), + [`375d209`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/375d209c738473ea2815fc4cb36806563be41e2e)) + +- Make schema deprecation warnings handle-able + ([#945](https://github.com/CycloneDX/cyclonedx-python-lib/pull/945), + [`71edacf`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/71edacfaf5c46088d0ca08196b7c858ff39a23b5)) + + ## v11.6.0 (2025-12-02) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index 7bcd52bff..ff9bd20b3 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.6.0" # noqa:Q000 +__version__ = "11.7.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 65743848d..31daedd81 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.6.0' +release = '11.7.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index baef0ca3d..52b5dfdc6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.6.0" +version = "11.7.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From e492b844d9cadeae0bf399f7c872fbd25ff0d314 Mon Sep 17 00:00:00 2001 From: Peter Schuster Date: Mon, 23 Mar 2026 15:07:52 +0100 Subject: [PATCH 67/76] chore: extract glob for pyupgrade to separate script for cross-platform compatibility (#950) Currently pyupgrade cannot be run on Windows due to 'sh' in tox.ini not working in PowerShell. Adding a separate script for this might be controversial. \ I could not find another solution that is platform independent, except from inline python in tox.ini which got "complicated" due to `{posargs}`. However, if anyone has a better idea, this could be reworked. ### AI Tool Disclosure - [X] My contribution includes AI-generated content, as disclosed below: - The contents of the new script is based on suggestions from Claude Sonnet 4.6 ### Affirmation - [X] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines --------- Signed-off-by: Peter Schuster Signed-off-by: Jan Kowalleck Co-authored-by: Jan Kowalleck --- tools/run_pyupgrade.py | 54 ++++++++++++++++++++++++++++++++++++++++++ tox.ini | 6 ++--- 2 files changed, 56 insertions(+), 4 deletions(-) create mode 100755 tools/run_pyupgrade.py diff --git a/tools/run_pyupgrade.py b/tools/run_pyupgrade.py new file mode 100755 index 000000000..e040c5071 --- /dev/null +++ b/tools/run_pyupgrade.py @@ -0,0 +1,54 @@ +#!/usr/bin/env python3 + +# This file is part of CycloneDX Python Library +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + +import subprocess # nosec - subprocess is used to run pyupgrade and not part of published library +import sys +from pathlib import Path + +HELP = f""" +Wrapper around pyupgrade to perform a lookup of all *.py/*.pyi files in passed directories +and pass them to pyupgrade in a single invocation. + +Usage: {sys.argv[0]} [pyupgrade-args ...] -- +""" + +if '--' not in sys.argv: + print(HELP, file=sys.stderr) + sys.exit(1) + +sep = sys.argv.index('--') +pyupgrade_args = sys.argv[1:sep] +directories = sys.argv[sep + 1:] + +if not directories: + print('Error: at least one directory must be specified after --', '\n', HELP, file=sys.stderr) + sys.exit(2) + +files = sorted({ + str(file) + for directory in directories + for pattern in ['*.py', '*.pyi'] + for file in Path(directory).rglob(pattern) +}) + +result = subprocess.run( # nosec - shell=False is used to prevent injection, all arg passed as a list + [sys.executable, '-m', 'pyupgrade', *pyupgrade_args, *files], + shell=False # w/o shell all args are passed directly to the process without the need for quotes or escaping +) +sys.exit(result.returncode) diff --git a/tox.ini b/tox.ini index af228b75a..8afcf3aa0 100644 --- a/tox.ini +++ b/tox.ini @@ -52,10 +52,8 @@ commands = poetry run deptry -v . [testenv:pyupgrade] -allowlist_externals = poetry, sh -commands = sh -c "\ - find cyclonedx typings tests tools examples -type f \( -name '*.py' -or -name '*.pyi' \) -print0 \ - | xargs -0 poetry run pyupgrade --py39-plus {posargs} " +# first -- stops command parsing by poetry run, the second -- splits pyupgrade args from args for glob patterns +commands = poetry run -- python tools/run_pyupgrade.py --py39-plus {posargs} -- cyclonedx typings tests tools examples [testenv:isort] commands = poetry run isort . From 752b1620a23e319add81c505fe7197a2ae3cca06 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 24 Mar 2026 12:27:47 +0100 Subject: [PATCH 68/76] docs: update CDX summary (#951) A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context. Signed-off-by: Jan Kowalleck --- README.md | 4 ++-- docs/index.rst | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 2017b51b3..31f088eee 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,8 @@ ---- -OWASP [CycloneDX][link_website] is a full-stack Bill of Materials (BOM) standard -that provides advanced supply chain capabilities for cyber risk reduction. +OWASP [CycloneDX][link_website] is a full‑stack Bill of Materials (BOM) and system‑transparency standard +that provides deep visibility into software, services, hardware, and AI components, enabling advanced supply‑chain security and cyber‑risk reduction. This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents. diff --git a/docs/index.rst b/docs/index.rst index 729103101..74632d755 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -13,10 +13,10 @@ # SPDX-License-Identifier: Apache-2.0 CycloneDX’s Python Library documentation -==================================================== +======================================== -OWASP `CycloneDX`_ is a full-stack Bill of Materials (BOM) standard -that provides advanced supply chain capabilities for cyber risk reduction. +OWASP `CycloneDX`_ is a full‑stack Bill of Materials (BOM) and system‑transparency standard +that provides deep visibility into software, services, hardware, and AI components, enabling advanced supply‑chain security and cyber‑risk reduction. This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents. From b8b8720e84edfb81dd55956891d7815e1d81689c Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 7 Apr 2026 12:34:47 +0200 Subject: [PATCH 69/76] chore: fix test coverage reporting (#956) ### Description fix coverage reporting failing runs: - timeout https://github.com/CycloneDX/cyclonedx-python-lib/actions/runs/24053559593/job/70220791872#step:3:350 - unresolvable target: https://github.com/CycloneDX/cyclonedx-python-lib/actions/runs/24052662937/job/70152194867#step:3:422 ### AI Tool Disclosure - [x] My contribution does not include any AI-generated content - [ ] My contribution includes AI-generated content, as disclosed below: - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]` - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro etc.]` - Prompts: `[Summarize the key prompts or instructions given to the AI tools]` ### Affirmation - [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CONTRIBUTING.md) guidelines Signed-off-by: Jan Kowalleck --- .github/workflows/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 40dfc86d9..db50276fa 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -236,7 +236,7 @@ jobs: name: Publish test coverage needs: [ "build-and-test" ] runs-on: ubuntu-latest - timeout-minutes: 5 + timeout-minutes: 10 steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact From d04d0438ad1bf82214058a927a769daa5613ff6b Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 8 Apr 2026 09:34:27 +0200 Subject: [PATCH 70/76] Update CONTRIBUTING.md Signed-off-by: Jan Kowalleck --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ffa914d2f..cee8f2557 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -67,7 +67,7 @@ Please sign off your commits, to show that you agree to publish your changes und , and to indicate agreement with [Developer Certificate of Origin (DCO)](https://developercertificate.org/). ```shell -git commit --signoff ... +git commit -s ... ``` ## Pre-commit hooks From 204dfddbec84d863f50ca660b6200ec4e1290c16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Apr 2026 11:34:24 +0200 Subject: [PATCH 71/76] chore(deps-dev): update tomli requirement from 2.3.0 to 2.4.1 (#954) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 52b5dfdc6..75521da5f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -98,7 +98,7 @@ pep8-naming = "0.15.1" isort = "6.1.0" autopep8 = "2.3.2" mypy = "1.19.1" -tomli = { version = "2.3.0", python = "<3.11" } +tomli = { version = "2.4.1", python = "<3.11" } tox = "4.30.3" xmldiff = "2.7.0" bandit = "1.8.6" From 7209c314382d09fec5bc1ca6323fb5ebbe14494d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 15 Apr 2026 13:55:37 +0200 Subject: [PATCH 72/76] chore(release): use own GH app for releasing (#958) Signed-off-by: Jan Kowalleck Co-authored-by: semantic-release Co-authored-by: cyclonedx-internal-release-bot[bot] <275040549+cyclonedx-internal-release-bot[bot]@users.noreply.github.com> Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 23 +++++++++++++++++++++-- pyproject.toml | 3 +-- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eb99f16a7..1b2780b4d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -103,11 +103,28 @@ jobs: id-token: write contents: write steps: + - name: Generate GitHub App Token + id: release-bot-token + # see https://github.com/actions/create-github-app-token + uses: actions/create-github-app-token@v3 + with: + # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases + app-id: 3335294 + private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} + - name: Get GitHub App User ID + id: release-bot-user-id + run: | + set -xeu + echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} + - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@v6 with: fetch-depth: 0 + token: ${{ steps.release-bot-token.outputs.token }} - name: Setup python # see https://github.com/actions/setup-python @@ -134,7 +151,9 @@ jobs: # see https://github.com/python-semantic-release/python-semantic-release uses: python-semantic-release/python-semantic-release@v10.0.2 with: - github_token: ${{ secrets.GITHUB_TOKEN }} + git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot] + git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com + github_token: ${{ steps.release-bot-token.outputs.token }} force: ${{ github.event.inputs.release_force }} prerelease: ${{ github.event.inputs.prerelease }} prerelease_token: ${{ github.event.inputs.prerelease_token }} @@ -151,5 +170,5 @@ jobs: # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action uses: python-semantic-release/publish-action@v10 with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.release-bot-token.outputs.token }} tag: ${{ steps.release.outputs.tag }} diff --git a/pyproject.toml b/pyproject.toml index 75521da5f..532b1e6cf 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -115,8 +115,7 @@ jsonschema = { version = "*", extras = ["format"], optional=true } logging_use_named_masks = true commit_parser = "conventional" commit_parser_options = { parse_squash_commits = true, ignore_merge_commits = true } -commit_author = "semantic-release " -commit_message = "chore(release): {version}\n\nAutomatically generated by python-semantic-release\n\nSigned-off-by: semantic-release " +commit_message = "chore(release): {version}\n\nAutomatically generated by python-semantic-release" upload_to_vcs_release = true build_command = """ pip install poetry From 4ef5bc3eddb7a9f86763bd50bd3a9dc69c7d31fa Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Apr 2026 14:22:21 +0200 Subject: [PATCH 73/76] chore(ci): pin GitHub Actions to immutable SHAs while preserving tag tracking (#961) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> --- .github/workflows/python.yml | 48 +++++++++++++++++------------------ .github/workflows/release.yml | 24 +++++++++--------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index db50276fa..46e29b82f 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -33,16 +33,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -57,16 +57,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -81,16 +81,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -105,16 +105,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -141,16 +141,16 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -191,12 +191,12 @@ jobs: git config --global core.eol lf - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ matrix.python-version }} architecture: 'x64' @@ -207,7 +207,7 @@ jobs: print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -226,7 +226,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} @@ -240,7 +240,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* @@ -250,7 +250,7 @@ jobs: CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} if: ${{ env.CODACY_PROJECT_TOKEN != '' }} ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets # see https://github.com/codacy/codacy-coverage-reporter-action - uses: codacy/codacy-coverage-reporter-action@v1 + uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1 with: project-token: ${{ env.CODACY_PROJECT_TOKEN }} coverage-reports: ${{ env.REPORTS_DIR }}/coverage/* @@ -269,10 +269,10 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '>=3.9 <=3.14' # supported version range - name: Validate Python Environment @@ -282,7 +282,7 @@ jobs: print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install package and prod dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1b2780b4d..6215ce44f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,16 +48,16 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -70,16 +70,16 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@v9 + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -121,20 +121,20 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install and configure Poetry # See https://github.com/marketplace/actions/install-poetry-action - uses: snok/install-poetry@v1 + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true @@ -149,7 +149,7 @@ jobs: id: release # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html # see https://github.com/python-semantic-release/python-semantic-release - uses: python-semantic-release/python-semantic-release@v10.0.2 + uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 with: git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot] git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com @@ -161,14 +161,14 @@ jobs: - name: Publish package distributions to PyPI if: steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: attestations: true - name: Publish package distributions to GitHub Releases if: steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@v10 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10 with: github_token: ${{ steps.release-bot-token.outputs.token }} tag: ${{ steps.release.outputs.tag }} From 52c29afe0e17339daf77fc107f21072d4bf52425 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Mon, 4 May 2026 14:40:30 +0200 Subject: [PATCH 74/76] chore: add zizmor workflow to harden GitHub Actions security (#968) Signed-off-by: Jan Kowalleck Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Co-authored-by: Jan Kowalleck Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com> --- .github/dependabot.yml | 4 ++++ .github/workflows/python.yml | 14 +++++++++++ .github/workflows/release.yml | 16 +++++++++---- .github/workflows/zizmor.yml | 45 +++++++++++++++++++++++++++++++++++ .pre-commit-config.yaml | 4 ++++ pyproject.toml | 10 ++++---- 6 files changed, 83 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 423d4b3f6..e91d61095 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 allow: - dependency-type: 'all' versioning-strategy: 'auto' @@ -21,6 +23,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: ## prefix maximum string length of 15 diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 46e29b82f..c32a4c52f 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -34,6 +34,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -58,6 +60,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -82,6 +86,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,6 +112,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -142,6 +150,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -192,6 +202,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment @@ -270,6 +282,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6215ce44f..9fc60639a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -71,6 +73,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,18 +110,19 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases - app-id: 3335294 + client-id: 3335294 private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} + # for `permission-*` see `permissions` above + permission-contents: write - name: Get GitHub App User ID id: release-bot-user-id - run: | - set -xeu - echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: + APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }} GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} + run: echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - name: Checkout code # see https://github.com/actions/checkout @@ -125,6 +130,7 @@ jobs: with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} + persist-credentials: false - name: Setup python # see https://github.com/actions/setup-python diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..325898889 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,45 @@ +# Analyzes all GitHub Actions workflows for security issues using zizmor. +# docs: https://docs.zizmor.sh/ +name: Workflow Security Analysis (zizmor) + +on: + pull_request: + paths: + - ".github/workflows/**" + push: + paths: + - ".github/workflows/**" + schedule: + # Every Saturday at 00:00 UTC + - cron: "0 0 * * 6" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout + # see https://github.com/actions/checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Run zizmor + # see https://github.com/zizmorcore/zizmor-action + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than + # uploading a SARIF report to GitHub's Security tab. + # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS), + # both of which are unnecessary here and would violate the least-privilege policy. + # The two modes are mutually exclusive: advanced-security must be false for + # annotations to take effect. + advanced-security: false + annotations: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 44a9bcc11..a6573d028 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,3 +42,7 @@ repos: entry: poetry run -- tox r -e bandit pass_filenames: false language: system + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.1 + hooks: + - id: zizmor diff --git a/pyproject.toml b/pyproject.toml index 532b1e6cf..13862476d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -146,15 +146,15 @@ exclude_commit_patterns = [ match = "(main|master)" prerelease = false -[tool.semantic_release.branches."step"] -match = "(build|chore|ci|docs|feat|fix|perf|style|refactor|tests?)" -prerelease = true -prerelease_token = "alpha" - [tool.semantic_release.branches."major-dev"] match = "(\\d+\\.0\\.0-(dev|rc)|dev/\\d+\\.0\\.0)" prerelease = true prerelease_token = "rc" +[tool.semantic_release.branches.fallback] +match = ".*" +prerelease = true +prerelease_token = "alpha" + [tool.deptry] extend_exclude = ["docs", "examples", "package_aliases", "tools"] From 1a6dfb047631085d2acddc38afbe41413a4f9420 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 May 2026 19:23:05 +0200 Subject: [PATCH 75/76] Update PULL_REQUEST_TEMPLATE.md (#974) Signed-off-by: Jan Kowalleck --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index e19c5da37..51bc6246f 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -24,7 +24,7 @@ provide the required disclosure, your PR will not be merged. A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context. -Resolves or fixes issue: +Resolves or fixes issue: ### AI Tool Disclosure From 0daf3f99c171d64634443cfecea12eb10c84fde9 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Wed, 6 May 2026 20:56:48 +0200 Subject: [PATCH 76/76] chore: Update CONTRIBUTING.md (#975) Signed-off-by: Jan Kowalleck --- CONTRIBUTING.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cee8f2557..39b65018d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -9,6 +9,16 @@ Find the needed basics here: * [how to fork a repository](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) * [how create a pull request from a fork](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) + +## Pullrequests + +When opening a pull request, use the repository’s pull request template and complete all required fields. +Keep each pull request focused on a single topic or problem. + +Every pull request must reference an existing issue that it aims to address. +If no issue exists for your topic, please create one first using the appropriate issue template, then link your pull request to it. + + ## Setup This project uses [poetry]. Have it installed and setup first.