2.0 dev threatmodeling

.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 .idea/
 .vscode/
 tools/target/

schema/2.0/cyclonedx-2.0.schema.json

@@ -76,6 +76,9 @@
     "definitions": {
       "$ref": "model/cyclonedx-definition-2.0.schema.json#/$defs/definitions"
     },
+    "blueprints": {
+      "$ref": "model/cyclonedx-blueprint-2.0.schema.json#/$defs/blueprints"
+    },
     "citations": {
       "$ref": "model/cyclonedx-citation-2.0.schema.json#/$defs/citations"
     },

schema/2.0/model/cyclonedx-behavior-2.0.schema.json

@@ -0,0 +1,246 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://cyclonedx.org/schema/2.0/model/cyclonedx-behavior-2.0.schema.json",
+  "type": "null",
+  "title": "CycloneDX Behavior Model",
+  "$comment" : "OWASP CycloneDX is an Ecma International standard (ECMA-424) developed in collaboration between the OWASP Foundation and Ecma Technical Committee 54 (TC54). The standard is published under a royalty-free patent policy. This JSON schema is the reference implementation and is licensed under the Apache License 2.0.",
+  "$defs": {
+    "behaviors": {
+      "type": "object",
+      "title": "Behaviors",
+      "description": "Behaviors performed by objects within the BOM.",
+      "additionalProperties": false,
+      "properties": {
+        "instances": {
+          "type": "array",
+          "title": "Instances",
+          "description": "Individual behavior instances.",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "#/$defs/behaviorInstance"
+          }
+        },
+        "flows": {
+          "type": "array",
+          "title": "Flows",
+          "description": "Behavior flows that organise behaviors into operational patterns.",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "#/$defs/behaviorFlow"
+          }
+        }
+      }
+    },
+    "behaviorInstance": {
+      "type": "object",
+      "title": "Behavior Instance",
+      "description": "A behavior performed by one or more objects within the BOM.",
+      "additionalProperties": false,
+      "required": ["bom-ref", "behavior"],
+      "properties": {
+        "bom-ref": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+        },
+        "behavior": {
+          "$ref": "../behavior-taxonomy.schema.json",
+          "title": "Behavior",
+          "description": "The behavior from the taxonomy."
+        },
+        "acknowledgment": {
+          "$ref": "#/$defs/acknowledgment"
+        },
+        "trigger": {
+          "$ref": "#/$defs/trigger"
+        },
+        "actors": {
+          "type": "array",
+          "title": "Actors",
+          "description": "References to objects that perform this behavior.",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+          }
+        },
+        "targets": {
+          "type": "array",
+          "title": "Targets",
+          "description": "References to objects affected by this behavior.",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+          }
+        }
+      }
+    },
+    "trigger": {
+      "type": "string",
+      "title": "Trigger",
+      "description": "The condition or event that initiates a behavior.",
+      "enum": [
+        "startup",
+        "shutdown",
+        "scheduled",
+        "event-driven",
+        "user-initiated",
+        "api-call",
+        "signal",
+        "condition-based",
+        "continuous",
+        "on-demand",
+        "unknown"
+      ],
+      "meta:enum": {
+        "startup": "Triggered during system or component initialisation.",
+        "shutdown": "Triggered during system or component termination.",
+        "scheduled": "Triggered at predetermined times or intervals.",
+        "event-driven": "Triggered in response to a specific event.",
+        "user-initiated": "Triggered by explicit user action.",
+        "api-call": "Triggered by an API invocation.",
+        "signal": "Triggered by a system or inter-process signal.",
+        "condition-based": "Triggered when specific conditions are met.",
+        "continuous": "Runs continuously during normal operation.",
+        "on-demand": "Triggered on demand as needed.",
+        "unknown": "The trigger mechanism is not known."
+      }
+    },
+    "ordering": {
+      "type": "string",
+      "title": "Ordering",
+      "description": "Execution semantics for steps within a flow.",
+      "default": "sequential",
+      "enum": [
+        "sequential",
+        "unordered",
+        "parallel",
+        "conditional"
+      ],
+      "meta:enum": {
+        "sequential": "Steps execute in ordinal order. Each completes before the next begins.",
+        "unordered": "All steps execute, but order is not guaranteed.",
+        "parallel": "Steps may execute concurrently.",
+        "conditional": "Step execution is determined by runtime conditions."
+      }
+    },
+    "acknowledgment": {
+      "type": "array",
+      "title": "Acknowledgment",
+      "description": "Indicates how the behavior or flow was identified. Multiple values indicate the behavior was both declared and observed.",
+      "uniqueItems": true,
+      "items": {
+        "type": "string",
+        "enum": [
+          "declared",
+          "observed"
+        ],
+        "meta:enum": {
+          "declared": "The behavior was explicitly declared, designed, or expected. Typically used for threat modelling, security requirements, and architectural documentation.",
+          "observed": "The behavior was observed, detected, or measured during analysis or runtime. Typically used for anomaly detection, incident response, and behavioural analysis."
+        }
+      }
+    },
+    "behaviorFlow": {
+      "type": "object",
+      "title": "Behavior Flow",
+      "description": "An organised collection of behaviors forming a coherent process.",
+      "additionalProperties": false,
+      "required": ["bom-ref", "steps"],
+      "properties": {
+        "bom-ref": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+        },
+        "acknowledgment": {
+          "$ref": "#/$defs/acknowledgment"
+        },
+        "ordering": {
+          "$ref": "#/$defs/ordering"
+        },
+        "trigger": {
+          "$ref": "#/$defs/trigger"
+        },
+        "steps": {
+          "type": "array",
+          "title": "Steps",
+          "description": "The steps that comprise this flow.",
+          "minItems": 1,
+          "items": {
+            "$ref": "#/$defs/flowStep"
+          }
+        }
+      },
+      "allOf": [
+        {
+          "if": {
+            "anyOf": [
+              { "properties": { "ordering": { "const": "sequential" } }, "required": ["ordering"] },
+              { "not": { "required": ["ordering"] } }
+            ]
+          },
+          "then": {
+            "properties": {
+              "steps": {
+                "items": {
+                  "required": ["ordinal"]
+                }
+              }
+            }
+          }
+        }
+      ]
+    },
+    "flowStep": {
+      "type": "object",
+      "title": "Flow Step",
+      "description": "A single step within a behavior flow.",
+      "additionalProperties": false,
+      "properties": {
+        "ordinal": {
+          "type": "integer",
+          "title": "Ordinal",
+          "description": "Position within the flow. Required when ordering is 'sequential' or omitted.",
+          "minimum": 1
+        },
+        "behavior": {
+          "$ref": "../behavior-taxonomy.schema.json",
+          "title": "Behavior",
+          "description": "The behavior performed in this step. Mutually exclusive with 'ref' and 'flow'."
+        },
+        "trigger": {
+          "$ref": "#/$defs/trigger"
+        },
+        "ref": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+          "title": "Behavior Reference",
+          "description": "Reference to a behavior instance. Mutually exclusive with 'behavior' and 'flow'."
+        },
+        "flow": {
+          "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+          "title": "Flow Reference",
+          "description": "Reference to a nested flow. Mutually exclusive with 'behavior' and 'ref'."
+        },
+        "actors": {
+          "type": "array",
+          "title": "Actors",
+          "description": "References to objects that perform this step.",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+          }
+        },
+        "targets": {
+          "type": "array",
+          "title": "Targets",
+          "description": "References to objects affected by this step.",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+          }
+        }
+      },
+      "oneOf": [
+        { "required": ["behavior"] },
+        { "required": ["ref"] },
+        { "required": ["flow"] }
+      ]
+    }
+  }
+}