Major updates to threatmodeling and bluepring schemas and their related schemas. Supersedes and closes #777.

Signed-off-by: Steve Springett <steve@springett.us>

Author: stevespringett

schema/2.0/cyclonedx-2.0.schema.json

@@ -79,6 +79,9 @@
     "blueprints": {
       "$ref": "model/cyclonedx-blueprint-2.0.schema.json#/$defs/blueprints"
     },
+    "profiles": {
+      "$ref": "model/cyclonedx-profile-2.0.schema.json#/$defs/profiles"
+    },
     "citations": {
       "$ref": "model/cyclonedx-citation-2.0.schema.json#/$defs/citations"
     },

schema/2.0/model/cyclonedx-blueprint-2.0.schema.json

@@ -156,6 +156,14 @@
           "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patentAssertions",
           "title": "Component Patent(s)"
         },
+        "requirementAssertions": {
+          "$ref": "cyclonedx-requirement-2.0.schema.json#/$defs/requirementAssertions",
+          "title": "Component Requirement(s)"
+        },
+        "useCaseAssertions": {
+          "$ref": "cyclonedx-usecase-2.0.schema.json#/$defs/useCaseAssertions",
+          "title": "Component Use Case(s)"
+        },
         "cpe": {
           "type": "string",
           "title": "Common Platform Enumeration (CPE)",

schema/2.0/model/cyclonedx-component-2.0.schema.json

@@ -0,0 +1,20 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-profile-2.0.schema.json",
+  "type": "null",
+  "title": "CycloneDX Profile Model",
+  "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+  "$defs": {
+    "profiles": {
+      "type": "object",
+      "title": "Profiles",
+      "description": "A reusable, named characterization of how a subject behaves or is governed within a domain. Profiles separate characterization from identity: identity describes who or what the subject is; the profile describes the durable attributes that characterize it.",
+      "additionalProperties": false,
+      "properties": {
+        "dataProfiles": {
+          "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataProfiles"
+        }
+      }
+    }
+  }
+}

schema/2.0/model/cyclonedx-data-2.0.schema.json

@@ -3,7 +3,7 @@
   "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-requirement-2.0.schema.json",
   "type": "null",
   "title": "CycloneDX Engineering Requirement Model",
-  "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+  "$comment": "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
   "$defs": {
     "requirements": {
       "type": "array",
@@ -91,9 +91,9 @@
           }
         },
         "parent": {
-          "type": "string",
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
           "title": "Parent BOM Reference",
-          "description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."
+          "description": "Optional reference using bom-link or bom-ref to a parent requirement. Establishes a hierarchy of requirements."
         },
         "rationale": {
           "type": "string",
@@ -274,6 +274,66 @@
           "description": "A description of the dependency relationship."
         }
       }
+    },
+    "requirementAssertions": {
+      "type": "array",
+      "title": "Requirement Assertions",
+      "description": "A list of assertions describing how a component relates to specific requirements.",
+      "uniqueItems": true,
+      "items": {
+        "type": "object",
+        "title": "Requirement Assertion",
+        "description": "An assertion linking one or more requirements to a component, specifying the nature of the relationship.",
+        "required": [
+          "assertionType",
+          "requirementRefs"
+        ],
+        "additionalProperties": false,
+        "properties": {
+          "bom-ref": {
+            "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+            "title": "BOM Reference",
+            "description": "An identifier which can be used to reference the assertion elsewhere in the BOM. Every `bom-ref` must be unique within the BOM."
+          },
+          "assertionType": {
+            "type": "string",
+            "title": "Assertion Type",
+            "description": "The type of assertion being made about the relationship between the component and the requirement.",
+            "enum": [
+              "conflicts",
+              "not-applicable",
+              "not-assessed",
+              "other",
+              "partially-satisfies",
+              "satisfies",
+              "violates"
+            ],
+            "meta:enum": {
+              "conflicts": "The component is in tension with the requirement but a definitive determination of violation has not been made. This may indicate partial incompatibility, competing constraints, or an unresolved evaluation.",
+              "not-applicable": "The requirement does not pertain to this component. The evaluator has reviewed the requirement and determined it is irrelevant.",
+              "not-assessed": "The relationship between the component and the requirement has not yet been evaluated.",
+              "other": "A relationship that does not fit into the other predefined assertion types.",
+              "partially-satisfies": "The component partially meets the requirement but does not fully satisfy all of its conditions or acceptance criteria.",
+              "satisfies": "The component fully satisfies the requirement, meeting all of its conditions and acceptance criteria.",
+              "violates": "The component has been evaluated and conclusively determined to not meet the requirement, breaching one or more of its conditions or acceptance criteria."
+            }
+          },
+          "requirementRefs": {
+            "type": "array",
+            "title": "Requirement References",
+            "description": "A list of BOM references linking to requirement objects defined in the BOM.",
+            "uniqueItems": true,
+            "items": {
+              "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"
+            }
+          },
+          "description": {
+            "type": "string",
+            "title": "Description",
+            "description": "Additional context or clarification regarding the assertion."
+          }
+        }
+      }
     }
   }
 }