From 10b343a3f2271e23fe8ad2d1f64e47866c4cd38f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 22 May 2026 16:49:22 -0500 Subject: [PATCH] Added new component identity model with updated test cases. Signed-off-by: Steve Springett --- .../model/cyclonedx-common-2.0.schema.json | 2 + .../model/cyclonedx-component-2.0.schema.json | 229 +++++++++++------- .../2.0/invalid-component-swid-2.0.json | 21 +- .../src/test/resources/2.0/valid-bom-2.0.json | 113 ++++++--- .../2.0/valid-component-identifiers-2.0.json | 52 +++- .../2.0/valid-component-swid-2.0.json | 28 ++- .../2.0/valid-component-swid-full-2.0.json | 34 ++- .../resources/2.0/valid-compositions-2.0.json | 7 +- .../resources/2.0/valid-evidence-2.0.json | 101 +++----- .../2.0/valid-license-expression-2.0.json | 3 +- .../resources/2.0/valid-license-id-2.0.json | 3 +- .../2.0/valid-license-id-with-text-2.0.json | 3 +- .../resources/2.0/valid-license-name-2.0.json | 3 +- .../2.0/valid-license-name-with-text-2.0.json | 3 +- .../resources/2.0/valid-perspective-2.0.json | 8 +- .../test/resources/2.0/valid-service-2.0.json | 3 +- .../2.0/valid-vulnerability-2.0.json | 3 +- 17 files changed, 365 insertions(+), 251 deletions(-) diff --git a/schema/2.0/model/cyclonedx-common-2.0.schema.json b/schema/2.0/model/cyclonedx-common-2.0.schema.json index 5350c5723..15d78ef9e 100644 --- a/schema/2.0/model/cyclonedx-common-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-common-2.0.schema.json @@ -223,6 +223,7 @@ "patent-family", "patent-assertion", "citation", + "swid-tag", "other" ], "meta:enum": { 
@@ -273,6 +274,7 @@
 "patent-family": "References information about a patent family which may be defined in human-readable documents or in machine-readable formats such as CycloneDX or ST.96. A patent family is a group of related patent applications or granted patents that cover the same or similar invention. For detailed patent family information or to reference the information provided directly by patent offices, it is recommended to leverage standards from the World Intellectual Property Organization (WIPO) such as [ST.96](https://www.wipo.int/standards/en/st96).",
 "patent-assertion" : "References assertions made regarding patents associated with a component or service. Assertions distinguish between ownership, licensing, and other relevant interactions with patents.",
 "citation": "A reference to external citations applicable to the object identified by this BOM entry or the BOM itself. When used with a BOM-Link, this allows offloading citations into a separate CycloneDX BOM.",
+ "swid-tag": "A Software Identification (SWID) tag document conforming to ISO/IEC 19770-2. The reference resolves to the XML SoftwareIdentity document itself, including all of its metadata (entities, evidence, payload, links, and meta elements). This is distinct from the `swid` identifier scheme, which carries only the tagId of a SWID tag.",
 "other": "Use this if no other types accurately describe the purpose of the external reference."
 }
 },
diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json
index b7d540e08..88728cdf2 100644
--- a/schema/2.0/model/cyclonedx-component-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json
@@ -156,39 +156,8 @@ "$ref": "cyclonedx-patent-2.0.schema.json#/$defs/patentAssertions", "title": "Component Patent(s)" }, - "cpe": { - "type": "string", - "title": "Common Platform Enumeration (CPE)", - "description": "Asserts the identity of the component using CPE. The CPE must conform to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", - "examples": ["cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"] - }, - "purl": { - "type": "string", - "title": "Package URL (purl)", - "description": "Asserts the identity of the component using package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", - "examples": ["pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"] - }, - "omniborId": { - "type": "array", - "title": "OmniBOR Artifact Identifier (gitoid)", - "description": "Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). 
Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", - "items": { "type": "string" }, - "examples": [ - "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - ] - }, - "swhid": { - "type": "array", - "title": "Software Heritage Identifier", - "description": "Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.", - "items": { "type": "string" }, - "examples": ["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"] - }, - "swid": { - "$ref": "#/$defs/swid", - "title": "SWID Tag", - "description": "Asserts the identity of the component using [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity." + "identifiers": { + "$ref": "#/$defs/identifiers" }, "pedigree": { "type": "object", 
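Review bot: Replacing the flat `purl`/`cpe`/`swid` properties with `identifiers` leaves no place for an identity whose asserting party is unknown, because the `identifier` definition added further down in this file lists `party` under `required`. The fixtures in this patch show the effect: compositions, the five license files, perspective, service and vulnerability all drop their `purl`/`cpe` instead of migrating, so those components end up with no machine-readable identity for a consumer that correlates by purl or CPE. Consider stating in the `identifiers` description which party a generator should reference when it is only relaying a value it did not originate, and migrating those fixtures rather than deleting the values. The component `properties` object starts and ends outside this hunk.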
@@ -353,57 +322,6 @@ } } }, - "swid": { - "type": "object", - "title": "SWID Tag", - "description": "Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.", - "required": [ - "tagId", - "name" - ], - "additionalProperties": false, - "properties": { - "tagId": { - "type": "string", - "title": "Tag ID", - "description": "Maps to the tagId of a SoftwareIdentity." - }, - "name": { - "type": "string", - "title": "Name", - "description": "Maps to the name of a SoftwareIdentity." - }, - "version": { - "type": "string", - "title": "Version", - "default": "0.0", - "description": "Maps to the version of a SoftwareIdentity." - }, - "tagVersion": { - "type": "integer", - "title": "Tag Version", - "default": 0, - "description": "Maps to the tagVersion of a SoftwareIdentity." - }, - "patch": { - "type": "boolean", - "title": "Patch", - "default": false, - "description": "Maps to the patch of a SoftwareIdentity." - }, - "text": { - "title": "Attachment text", - "description": "Specifies the metadata and content of the SWID tag.", - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment" - }, - "url": { - "type": "string", - "title": "URL", - "description": "The URL to the SWID file.", - "format": "iri-reference" - } - } - }, "componentEvidence": { "type": "object", "title": "Evidence", @@ -561,16 +479,11 @@ "type": "object", "title": "Identity Evidence", "description": "Evidence that substantiates the identity of a component.", - "required": [ "field" ], + "required": [ "scheme" ], "additionalProperties": false, "properties": { - "field": { - "type": "string", - "enum": [ - "group", "name", "version", "purl", "cpe", "omniborId", "swhid", "swid", "hash" - ], - "title": "Field", - "description": "The identity field of the component which the evidence describes." + "scheme": { + "$ref": "#/$defs/identityScheme" }, "confidence": { "type": "number", 
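Review bot: Requiring `scheme` in place of `field` removes `group`, `name`, `version` and `hash` as evidence targets, since none of them appears in the `identityScheme` enum, and the valid-evidence fixture in this patch deletes the component that exercised the first three. If that is intended, the `Identity Evidence` description should say that evidence now applies to identifier schemes only. If it is not, the only route left is the custom-scheme object, e.g. `"scheme": { "name": "version" }`, which different producers will spell differently and consumers cannot rely on. The identity evidence definition continues outside this hunk.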
@@ -582,7 +495,7 @@
 "concludedValue": {
 "type": "string",
 "title": "Concluded Value",
- "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."
+ "description": "The value of the scheme that has been concluded based on the aggregate of all methods (if available)."
 },
 "methods": {
 "type": "array",
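Review bot: `concludedValue` stays a bare `"type": "string"` while the asserted counterpart added in this patch, `identityValue`, carries `minLength: 1`, so an empty concluded value validates where an empty asserted value does not. Pointing it at the shared definition, `"concludedValue": { "$ref": "#/$defs/identityValue", "title": "Concluded Value", … }`, keeps the two in step. The new wording "The value of the scheme" also reads as if the scheme itself had a value; `"description": "The identifier value, expressed in the given scheme, that has been concluded based on the aggregate of all methods (if available)."` is clearer.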
@@ -733,6 +646,136 @@ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataGovernance" } } + }, + "identifiers": { + "type": "array", + "title": "Identifiers", + "description": "Identifiers asserted by one or more parties to identify this component. Each entry groups one or more identity claims by the party asserting them. Identifiers carry positive claims of identity. For unverified or inferred identity data, use evidence.", + "items": { + "$ref": "#/$defs/identifier" + }, + "uniqueItems": true + }, + "identifier": { + "type": "object", + "title": "Identifier", + "description": "A set of identifiers attributed to a single asserting party.", + "required": [ + "party", + "identities" + ], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "party": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Asserting Party", + "description": "Reference using bom-link or bom-ref to the party making the identity assertion." + }, + "identities": { + "type": "array", + "title": "Identities", + "description": "The discrete identity claims asserted by the party.", + "items": { + "$ref": "#/$defs/identity" + }, + "minItems": 1, + "uniqueItems": true + } + } + }, + "identity": { + "type": "object", + "title": "Identity", + "description": "A single identity claim, pairing a typed identifier scheme with the value asserted under that scheme.", + "required": [ + "scheme", + "value" + ], + "additionalProperties": false, + "properties": { + "scheme": { "$ref": "#/$defs/identityScheme" }, + "value": { "$ref": "#/$defs/identityValue" } + } + }, + "identityScheme": { + "title": "Identifier Scheme", + "description": "The scheme under which an identifier is asserted. 
Either a predefined value or a custom scheme described by name and description.", + "oneOf": [ + { + "type": "string", + "enum": [ + "purl", + "cpe", + "swid", + "swhid", + "omniborid", + "gtin", + "gmn", + "mpn", + "part-number", + "model-number", + "sku", + "serial-number", + "asset-tag", + "udi-di", + "udi-pi", + "fcc-id", + "imei", + "mac-address" + ], + "meta:enum": { + "purl": "Package URL identifier, conforming to the Package URL specification.", + "cpe": "Common Platform Enumeration name, conforming to NIST Interagency Report 7695.", + "swid": "Software Identification tag identifier, conforming to ISO/IEC 19770-2.", + "swhid": "Software Heritage persistent identifier.", + "omniborid": "OmniBOR Artifact Identifier, also known as a gitoid.", + "gtin": "Global Trade Item Number issued under the GS1 system.", + "gmn": "Global Model Number issued by GS1.", + "mpn": "Manufacturer Part Number, assigned by the original manufacturer.", + "part-number": "Generic part number assigned by a distributor, integrator, or operator.", + "model-number": "Product model number assigned by the manufacturer.", + "sku": "Stock Keeping Unit, assigned by a seller or distributor.", + "serial-number": "Unique identifier for an individual instance of a product.", + "asset-tag": "Asset tag assigned by the owning or operating organisation.", + "udi-di": "Unique Device Identifier, Device Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.", + "udi-pi": "Unique Device Identifier, Production Identifier portion, conforming to ISO/IEC 15459 and applicable regulatory frameworks.", + "fcc-id": "United States Federal Communications Commission equipment identifier.", + "imei": "International Mobile Equipment Identity, conforming to 3GPP TS 23.003.", + "mac-address": "IEEE 802 Media Access Control address." 
+ } + }, + { + "type": "object", + "title": "Custom Identifier Scheme", + "description": "A custom identifier scheme not represented in the predefined taxonomy.", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1, + "title": "Name", + "description": "The name of the custom identifier scheme." + }, + "description": { + "type": "string", + "title": "Description", + "description": "A description of the custom identifier scheme." + } + } + } + ] + }, + "identityValue": { + "type": "string", + "minLength": 1, + "title": "Identifier Value", + "description": "The value of an identifier." } } } diff --git a/tools/src/test/resources/2.0/invalid-component-swid-2.0.json b/tools/src/test/resources/2.0/invalid-component-swid-2.0.json index 85024aec0..2e64dbc2a 100644 --- a/tools/src/test/resources/2.0/invalid-component-swid-2.0.json +++ b/tools/src/test/resources/2.0/invalid-component-swid-2.0.json @@ -4,16 +4,27 @@ "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "acme-inc", + "name": "Acme Inc." + } + }, "components": [ { "type": "application", - "authors": [ { "name": "Acme Super Heros" } ], "name": "Acme Application", "version": "9.1.1", - "swid": { - "name": "Acme Application", - "version": "9.1.1" - } + "identifiers": [ + { + "party": "acme-inc", + "identities": [ + { + "scheme": "swid" + } + ] + } + ] } ] } diff --git a/tools/src/test/resources/2.0/valid-bom-2.0.json b/tools/src/test/resources/2.0/valid-bom-2.0.json index 670efbceb..1c6d96f34 100644 --- a/tools/src/test/resources/2.0/valid-bom-2.0.json +++ b/tools/src/test/resources/2.0/valid-bom-2.0.json @@ -9,9 +9,9 @@ "tools": { "components": [ { - "type": "application", - "manufacturer": { - "name": "Awesome Vendor" + "type": "application", + "manufacturer": { + "name": "Awesome Vendor" }, "name": "Awesome Tool", "version": "9.1.2", 
@@ -37,21 +37,23 @@ ], "component": { "type": "application", - "authors": [ { "name": "Acme Super Heros" } ], + "authors": [ { "name": "Acme Super Heroes" } ], "name": "Acme Application", "version": "9.1.1", - "swid": { - "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", - "name": "Acme Application", - "version": "9.1.1", - "text": { - "mediaType": "text/xml", - "encoding": "base64", - "content": "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" + "identifiers": [ + { + "party": "acme-inc", + "identities": [ + { + "scheme": "swid", + "value": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" + } + ] } - } + ] }, "manufacturer": { + "bom-ref": "acme-inc", "name": "Acme, Inc.", "url": [ "https://example.com" @@ -78,14 +80,14 @@ }, "components": [ { - "bom-ref": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar", + "bom-ref": "pkg:maven/com.acme/acme-catalina@9.0.14?packaging=jar", "type": "application", "authors": [ { "name": "Joane Doe et al." } ], "publisher": "Acme Inc", "group": "com.acme", - "name": "tomcat-catalina", + "name": "acme-catalina", "version": "9.0.14", - "description": "Modified version of Apache Catalina", + "description": "Modified version of Acme Catalina", "scope": "required", "hashes": [ { 
@@ -109,26 +111,31 @@ { "license": { "id": "Apache-2.0", - "text": { - "mediaType": "text/plain", - "encoding": "base64", - "content": "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" - }, "url": "https://www.apache.org/licenses/LICENSE-2.0.txt" } } ], - "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar", + "identifiers": [ + { + "party": "acme-inc", + "identities": [ + { + "scheme": "purl", + "value": "pkg:maven/com.acme/acme-catalina@9.0.14?packaging=jar" + } + ] + } + ], "pedigree": { "ancestors": [ { "type": "application", - "authors": [ { "name": "Apache Super Heros" } ], - "publisher": "Apache", - "group": "org.apache.tomcat", - "name": "tomcat-catalina", + "authors": [ { "name": "Globex Super Heroes" } ], + "publisher": "Globex", + "group": "org.globex.catalina", + "name": "globex-catalina", "version": "9.0.14", - "description": "Apache Catalina", + "description": "Globex Catalina", "licenses": [ { "license": { @@ -136,7 +143,17 @@ } } ], - "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14?packaging=jar" + "identifiers": [ + { + "party": "acme-inc", + "identities": [ + { + "scheme": "purl", + "value": "pkg:maven/org.globex.catalina/globex-catalina@9.0.14?packaging=jar" + } + ] + } + ] } ], "commits": [ @@ -181,6 +198,7 @@ ] }, "manufacturer": { + "bom-ref": "example-2-inc", "name": "Example-2, Inc.", "url": [ "https://example.org" @@ -230,8 +248,21 @@ } ], "copyright": "Copyright Example Inc. All rights reserved.", - "cpe": "cpe:/a:example:myapplication:1.0.0", - "purl": "pkg:maven/com.example/myapplication@1.0.0?packaging=war", + "identifiers": [ + { + "party": "example-2-inc", + "identities": [ + { + "scheme": "cpe", + "value": "cpe:/a:example:myapplication:1.0.0" + }, + { + "scheme": "purl", + "value": "pkg:maven/com.example/myapplication@1.0.0?packaging=war" + } + ] + } + ], "externalReferences": [ { "url": "http://example.org/docs", 
@@ -246,10 +277,10 @@ }, { "type": "framework", - "authors": [ - { - "name": "Example Super Heros" - } + "authors": [ + { + "name": "Example Super Heroes" + } ], "group": "com.example", "name": "myframework", @@ -281,7 +312,17 @@ } } ], - "purl": "pkg:maven/com.example/myframework@1.0.0?packaging=war", + "identifiers": [ + { + "party": "example-2-inc", + "identities": [ + { + "scheme": "purl", + "value": "pkg:maven/com.example/myframework@1.0.0?packaging=war" + } + ] + } + ], "externalReferences": [ { "type": "website", @@ -296,7 +337,7 @@ ], "dependencies": [ { - "ref": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar", + "ref": "pkg:maven/com.acme/acme-catalina@9.0.14?packaging=jar", "dependsOn": [ "pkg:maven/com.example/myapplication@1.0.0?packaging=war" ] diff --git a/tools/src/test/resources/2.0/valid-component-identifiers-2.0.json b/tools/src/test/resources/2.0/valid-component-identifiers-2.0.json index 2302e816a..7fc0608f5 100644 --- a/tools/src/test/resources/2.0/valid-component-identifiers-2.0.json +++ b/tools/src/test/resources/2.0/valid-component-identifiers-2.0.json 
@@ -4,21 +4,53 @@ "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "acme-inc", + "name": "Acme Inc." + } + }, "components": [ { "type": "library", - "group": "com.example", + "group": "com.acme", "name": "acme-library", "version": "1.0.0", - "cpe": "cpe:2.3:a:example:acme-library:1.0.0:*:*:*:*:*:*:*", - "purl": "pkg:maven/com.example/acme-library@1.0.0", - "omniborId": [ - "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64", - "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - ], - "swhid": [ - "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2", - "swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505" + "identifiers": [ + { + "bom-ref": "acme-library-identity", + "party": "acme-inc", + "identities": [ + { + "scheme": "purl", + "value": "pkg:maven/com.acme/acme-library@1.0.0" + }, + { + "scheme": "cpe", + "value": "cpe:2.3:a:acme:acme-library:1.0.0:*:*:*:*:*:*:*" + }, + { + "scheme": "swid", + "value": "acme.com-acme-library-1.0.0" + }, + { + "scheme": "swhid", + "value": "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2" + }, + { + "scheme": "swhid", + "value": "swh:1:dir:d198bc9d7a6bcf6db04f476d29314f157507d505" + }, + { + "scheme": "omniborid", + "value": "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64" + }, + { + "scheme": "omniborid", + "value": "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + ] + } ] } ] diff --git a/tools/src/test/resources/2.0/valid-component-swid-2.0.json b/tools/src/test/resources/2.0/valid-component-swid-2.0.json index cb161dc76..8bdca8961 100644 --- a/tools/src/test/resources/2.0/valid-component-swid-2.0.json +++ b/tools/src/test/resources/2.0/valid-component-swid-2.0.json 
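Review bot: The one fixture dedicated to identifiers exercises only the five software schemes as plain strings, and all under a single `party`. The custom-scheme object branch of `identityScheme` and the product/hardware values (`gtin`, `serial-number`, `mac-address` and the rest) are not covered by any fixture in this patch, and neither is the multi-party grouping that the `identifiers` description promises. Adding a second entry with a different `party`, plus one identity such as `{ "scheme": { "name": "internal-catalog-id" }, "value": "CAT-0001" }` (constructed example), would cover both branches of the `oneOf`.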
@@ -4,21 +4,33 @@
 "specVersion": "2.0",
 "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
 "version": 1,
+ "metadata": {
+ "manufacturer": {
+ "bom-ref": "acme-inc",
+ "name": "Acme Inc."
+ }
+ },
 "components": [
 {
 "type": "application",
- "authors": [
- {
- "name": "Acme Super Heros"
+ "authors": [
+ {
+ "name": "Acme Super Heroes"
 }
 ],
 "name": "Acme Application",
 "version": "9.1.1",
- "swid": {
- "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
- "name": "Acme Application",
- "version": "9.1.1"
- }
+ "identifiers": [
+ {
+ "party": "acme-inc",
+ "identities": [
+ {
+ "scheme": "swid",
+ "value": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1"
+ }
+ ]
+ }
+ ]
 }
 ]
 }
diff --git a/tools/src/test/resources/2.0/valid-component-swid-full-2.0.json b/tools/src/test/resources/2.0/valid-component-swid-full-2.0.json
index f983a14a6..50d1c600c 100644
--- a/tools/src/test/resources/2.0/valid-component-swid-full-2.0.json
+++ b/tools/src/test/resources/2.0/valid-component-swid-full-2.0.json
@@ -4,26 +4,40 @@ "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "acme-inc", + "name": "Acme Inc." + } + }, "components": [ { "type": "application", "authors": [ { - "name": "Acme Super Heros" + "name": "Acme Super Heroes" } ], "name": "Acme Application", "version": "9.1.1", - "swid": { - "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1", - "name": "Acme Application", - "version": "9.1.1", - "text": { - "mediaType": "text/xml", - "encoding": "base64", - "content": "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" + "identifiers": [ + { + "party": "acme-inc", + "identities": [ + { + "scheme": "swid", + "value": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" + } + ] + } + ], + "externalReferences": [ + { + "type": "swid-tag", + "url": "https://acme.example.com/swid/acme-application-9.1.1.swidtag", + "comment": "ISO/IEC 19770-2 SoftwareIdentity XML document for this application." } - } + ] } ] } diff --git a/tools/src/test/resources/2.0/valid-compositions-2.0.json b/tools/src/test/resources/2.0/valid-compositions-2.0.json index 4286ed527..7601b215f 100644 --- a/tools/src/test/resources/2.0/valid-compositions-2.0.json +++ b/tools/src/test/resources/2.0/valid-compositions-2.0.json @@ -18,14 +18,12 @@ "type": "library", "name": "Partner Shaded Library", "version": "1.0", - "purl": "pkg:maven/partner/shaded-library@1.0", "components": [ { "bom-ref": "pkg:maven/ossproject/library@2.0", "type": "library", "name": "Some Opensource Library", - "version": "2.0", - "purl": "pkg:maven/ossproject/library@2.0" + "version": "2.0" } ] }, @@ -33,8 +31,7 @@ "bom-ref": "pkg:maven/acme/library@3.0", "type": "library", "name": "Acme Library", - "version": "3.0", - "purl": "pkg:maven/acme/library@3.0" + "version": "3.0" } ], "dependencies": [ 
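Review bot: Nothing in the BOM now pins the SWID document a consumer will fetch: the tag used to travel inside the BOM as a base64 `text` attachment, while the replacement `swid-tag` external reference in valid-component-swid-full-2.0.json carries only `url` and `comment`. A tag that is changed or substituted at that URL would therefore go unnoticed, and a signature over the BOM no longer covers the tag content. If external references in 2.0 still accept `hashes` (not visible in this patch), add one to this fixture and recommend it in the `swid-tag` description in cyclonedx-common-2.0.schema.json.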
diff --git a/tools/src/test/resources/2.0/valid-evidence-2.0.json b/tools/src/test/resources/2.0/valid-evidence-2.0.json index 6c0c40e26..6d123d503 100644 --- a/tools/src/test/resources/2.0/valid-evidence-2.0.json +++ b/tools/src/test/resources/2.0/valid-evidence-2.0.json @@ -4,11 +4,17 @@ "specVersion": "2.0", "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1, + "metadata": { + "manufacturer": { + "bom-ref": "acme-inc", + "name": "Acme Inc." + } + }, "components": [ { "type": "application", - "group": "com.google.code.findbugs", - "name": "findbugs-project", + "group": "com.acme.tools", + "name": "acme-bug-finder", "version": "3.0.0", "licenses": [ { @@ -18,17 +24,28 @@ } } ], - "purl": "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0", + "identifiers": [ + { + "party": "acme-inc", + "identities": [ + { + "scheme": "purl", + "value": "pkg:maven/com.acme.tools/acme-bug-finder@3.0.0" + } + ] + } + ], "evidence": { "identity": [ { - "field": "purl", + "scheme": "purl", + "concludedValue": "pkg:maven/com.acme.tools/acme-bug-finder@3.0.0", "confidence": 1, "methods": [ { "technique": "filename", "confidence": 0.1, - "value": "findbugs-project-3.0.0.jar" + "value": "acme-bug-finder-3.0.0.jar" }, { "technique": "ast-fingerprint", @@ -44,6 +61,18 @@ "tools": [ "bom-ref-of-tool-that-performed-analysis" ] + }, + { + "scheme": "cpe", + "concludedValue": "cpe:2.3:a:acme:acme-bug-finder:3.0.0:*:*:*:*:*:*:*", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "META-INF/MANIFEST.MF" + } + ] } ], "occurrences": [ @@ -59,7 +88,7 @@ "callstack": { "frames": [ { - "package": "com.apache.logging.log4j.core", + "package": "com.acme.logging.core", "module": "Logger.class", "function": "logMessage", "parameters": [ 
@@ -70,7 +99,7 @@ ], "line": 150, "column": 17, - "fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + "fullFilename": "/path/to/acme-logging-2.14.0.jar!/com/acme/logging/core/Logger.class" }, { "module": "HelloWorld.class", @@ -97,63 +126,7 @@ ], "copyright": [ { - "text": "Copyright 2012 Google Inc. All Rights Reserved." - }, - { - "text": "Copyright (C) 2004,2005 Dave Brosius " - }, - { - "text": "Copyright (C) 2005 William Pugh" - }, - { - "text": "Copyright (C) 2004,2005 University of Maryland" - } - ] - } - }, - { - "type": "application", - "group": "com.example", - "name": "example-project", - "version": "1.0.0", - "purl": "pkg:maven/com.example/example-project@1.0.0", - "evidence": { - "identity": [ - { - "field": "group", - "confidence": 0.1, - "concludedValue": "com.example", - "methods": [ - { - "technique": "filename", - "confidence": 0.1, - "value": "example-project-1.0.0.jar" - } - ] - }, - { - "field": "name", - "confidence": 0.1, - "concludedValue": "example-project", - "methods": [ - { - "technique": "filename", - "confidence": 0.1, - "value": "example-project-1.0.0.jar" - } - ] - }, - { - "field": "version", - "confidence": 0.1, - "concludedValue": "1.0.0", - "methods": [ - { - "technique": "filename", - "confidence": 0.1, - "value": "example-project-1.0.0.jar" - } - ] + "text": "Copyright 2012 Acme Inc. All Rights Reserved." } ] } diff --git a/tools/src/test/resources/2.0/valid-license-expression-2.0.json b/tools/src/test/resources/2.0/valid-license-expression-2.0.json index 8f2a23377..0ca63394e 100644 --- a/tools/src/test/resources/2.0/valid-license-expression-2.0.json +++ b/tools/src/test/resources/2.0/valid-license-expression-2.0.json @@ -37,8 +37,7 @@ "acknowledgement": "declared", "bom-ref": "my-license" } - ], - "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar" + ] } ] } 
diff --git a/tools/src/test/resources/2.0/valid-license-id-2.0.json b/tools/src/test/resources/2.0/valid-license-id-2.0.json
index 97369f20a..2f466eb1d 100644
--- a/tools/src/test/resources/2.0/valid-license-id-2.0.json
+++ b/tools/src/test/resources/2.0/valid-license-id-2.0.json
@@ -39,8 +39,7 @@
 "bom-ref": "my-license"
 }
 }
- ],
- "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ ]
 }
 ]
 }
diff --git a/tools/src/test/resources/2.0/valid-license-id-with-text-2.0.json b/tools/src/test/resources/2.0/valid-license-id-with-text-2.0.json
index 65a223b18..30af12fb7 100644
--- a/tools/src/test/resources/2.0/valid-license-id-with-text-2.0.json
+++ b/tools/src/test/resources/2.0/valid-license-id-with-text-2.0.json
@@ -43,8 +43,7 @@
 }
 }
 }
- ],
- "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ ]
 }
 ]
 }
diff --git a/tools/src/test/resources/2.0/valid-license-name-2.0.json b/tools/src/test/resources/2.0/valid-license-name-2.0.json
index 479726400..69c547d49 100644
--- a/tools/src/test/resources/2.0/valid-license-name-2.0.json
+++ b/tools/src/test/resources/2.0/valid-license-name-2.0.json
@@ -38,8 +38,7 @@
 "bom-ref": "my-license"
 }
 }
- ],
- "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ ]
 }
 ]
 }
diff --git a/tools/src/test/resources/2.0/valid-license-name-with-text-2.0.json b/tools/src/test/resources/2.0/valid-license-name-with-text-2.0.json
index b01699dd7..3525a2b95 100644
--- a/tools/src/test/resources/2.0/valid-license-name-with-text-2.0.json
+++ b/tools/src/test/resources/2.0/valid-license-name-with-text-2.0.json
@@ -43,8 +43,7 @@
 }
 }
 }
- ],
- "purl": "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+ ]
 }
 ]
 }
diff --git a/tools/src/test/resources/2.0/valid-perspective-2.0.json b/tools/src/test/resources/2.0/valid-perspective-2.0.json
index 1ea4fd81b..52f28cecb 100644
--- a/tools/src/test/resources/2.0/valid-perspective-2.0.json
+++ b/tools/src/test/resources/2.0/valid-perspective-2.0.json
@@ -23,9 +23,7 @@
 },
 "group": "com.acme",
 "name": "sample-library",
- "version": "1.0.0",
- "purl": "pkg:maven/com.acme/sample-library@1.0.0?packaging=jar",
- "cpe": "cpe:2.3:a:acme:sample-library:1.0.0:*:*:*:*:*:*:*"
+ "version": "1.0.0"
 },
 {
 "bom-ref": "pkg:maven/com.acme/sample-framework@2.1.0?packaging=jar",
@@ -35,9 +33,7 @@
 },
 "group": "com.acme",
 "name": "sample-framework",
- "version": "2.1.0",
- "purl": "pkg:maven/com.acme/sample-framework@2.1.0?packaging=jar",
- "cpe": "cpe:2.3:a:acme:sample-framework:2.1.0:*:*:*:*:*:*:*"
+ "version": "2.1.0"
 }
 ],
 "dependencies": [
diff --git a/tools/src/test/resources/2.0/valid-service-2.0.json b/tools/src/test/resources/2.0/valid-service-2.0.json
index 714819fd3..8f544114f 100644
--- a/tools/src/test/resources/2.0/valid-service-2.0.json
+++ b/tools/src/test/resources/2.0/valid-service-2.0.json
@@ -24,8 +24,7 @@
 "id": "Apache-2.0"
 }
 }
- ],
- "purl": "pkg:maven/com.acme/stock-java-client@1.0.12"
+ ]
 }
 ],
 "services": [
diff --git a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json
index 6fbe030a7..992629f5f 100644
--- a/tools/src/test/resources/2.0/valid-vulnerability-2.0.json
+++ b/tools/src/test/resources/2.0/valid-vulnerability-2.0.json
@@ -10,8 +10,7 @@
 "type": "library",
 "group": "com.fasterxml.jackson.core",
 "name": "jackson-databind",
- "version": "2.9.4",
- "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
+ "version": "2.9.4"
 }
 ],
 "vulnerabilities": [