sbom-cyclonedx 0.1.0 → 0.2.0

data/lib/sbom/cyclone_dx/record/tools.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "component"
+require_relative "service"
+
+# Tools - The tool(s) used to identify, confirm, or score the vulnerability.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Tools
+      class Tools < Base
+        # Components - A list of software and hardware components used as tools.
+        prop :components, :array, items: Component, unique: true
+        # Services - A list of services used as tools. This may include microservices, function-as-a-service, and other types of network or intra-process services.
+        prop :services, :array, items: Service, unique: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/trigger.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "condition"
+require_relative "event"
+require_relative "input"
+require_relative "output"
+require_relative "property"
+require_relative "resource_reference_choice"
+
+# Trigger - Represents a resource that can conditionally activate (or fire) tasks based upon associated events and their data.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Trigger
+      class Trigger < Base
+        # BOM Reference - An optional identifier which can be used to reference the trigger elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref", required: true
+        # Unique Identifier (UID) - The unique identifier for the resource instance within its deployment context.
+        prop :uid, :string, required: true
+        # Name - The name of the resource instance.
+        prop :name, :string
+        # Description - A description of the resource instance.
+        prop :description, :string
+        # Resource references - References to component or service resources that are used to realize the resource instance.
+        prop :resource_references, :array, items: ResourceReferenceChoice, unique: true
+        # Type - The source type of event which caused the trigger to fire.
+        prop :type, :string, enum: Enum::TRIGGER_TYPE, required: true
+        # Event - The event data that caused the associated trigger to activate.
+        prop :event, Event
+        # Conditions - A list of conditions used to determine if a trigger should be activated.
+        prop :conditions, :array, items: Condition, unique: true
+        # Time activated - The date and time (timestamp) when the trigger was activated.
+        prop :time_activated, :date_time
+        # Inputs - Represents resources and data brought into a task at runtime by executor or task commands
+        # Example: "a `configuration` file which was declared as a local `component` or `externalReference`"
+        prop :inputs, :array, items: Input, unique: true
+        # Outputs - Represents resources and data output from a task at runtime by executor or task commands
+        # Examples: "a log file or metrics data produced by the task"
+        prop :outputs, :array, items: Output, unique: true
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/version.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+
+# Version
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Version
+      class Version < Base
+        # Version - A single version of a component or service.
+        prop :version, :string, max_length: 1024
+        # Version Range - A version range specified in Package URL Version Range syntax (vers) which is defined at https://github.com/package-url/purl-spec/blob/master/VERSION-RANGE-SPEC.rst
+        # TODO: Validate syntax
+        prop :range, :string, max_length: 4096, min_length: 1
+        # Status - The vulnerability status for the version or range of versions.
+        prop :status, :string, enum: Enum::AFFECTED_STATUS
+
+        validate :version, :range, presence: :any
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/volume.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+require_relative "property"
+
+# Volume - An identifiable, logical unit of data storage tied to a physical device.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Volume
+      class Volume < Base
+        # Unique Identifier (UID) - The unique identifier for the volume instance within its deployment context.
+        prop :uid, :string
+        # Name - The name of the volume instance
+        prop :name, :string
+        # Mode - The mode for the volume instance.
+        prop :mode, :string, enum: Enum::VOLUME_MODE, default: "filesystem"
+        # Path - The underlying path created from the actual volume.
+        prop :path, :string
+        # Size allocated - The allocated size of the volume accessible to the associated workspace. This should include the scalar size as well as IEC standard unit in either decimal or binary form.
+        # Examples: "10GB", "2Ti", "1Pi"
+        prop :size_allocated, :string
+        # Persistent - Indicates if the volume persists beyond the life of the resource it is associated with.
+        prop :persistent, :boolean
+        # Remote - Indicates if the volume is remotely (i.e., network) attached.
+        prop :remote, :boolean
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/vulnerability.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "advisory"
+require_relative "attachment"
+require_relative "organizational_contact"
+require_relative "organizational_entity"
+require_relative "property"
+require_relative "rating"
+require_relative "tools"
+require_relative "version"
+require_relative "vulnerability_source"
+
+# Vulnerability - Defines a weakness in a component or service that could be exploited or triggered by a threat source.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Vulnerability
+      class Vulnerability < Base
+        # Schema name: Analysis
+        class Analysis < Base
+          prop :state, :string, enum: Enum::IMPACT_ANALYSIS_STATE
+          prop :justification, :string, enum: Enum::IMPACT_ANALYSIS_JUSTIFICATION
+          # Response - A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
+          prop :response, :array, items: [:string, enum: Enum::RESPONSE]
+          # Detail - Detailed description of the impact including methods used during assessment. If a vulnerability is not exploitable, this field should include specific details on why the component or service is not impacted by this vulnerability.
+          prop :detail, :string
+          # First Issued - The date and time (timestamp) when the analysis was first issued.
+          prop :first_issued, :date_time
+          # Last Updated - The date and time (timestamp) when the analysis was last updated.
+          prop :last_updated, :date_time
+        end
+
+        # Schema name: Affects
+        class Affects < Base
+          # Reference - References a component or service by the objects bom-ref
+          prop :ref, :string, pattern: Pattern::REF_OR_CDX_URN, required: true
+          # Versions - Zero or more individual versions or range of versions.
+          prop :versions, :array, items: Version
+        end
+
+        # Schema name: Credits
+        class Credits < Base
+          # Organizations - The organizations credited with vulnerability discovery.
+          prop :organizations, :array, items: OrganizationalEntity
+          # Individuals - The individuals, not associated with organizations, that are credited with vulnerability discovery.
+          prop :individuals, :array, items: OrganizationalContact
+        end
+
+        # Schema name: ProofOfConcept
+        class ProofOfConcept < Base
+          # Steps to Reproduce - Precise steps to reproduce the vulnerability.
+          prop :reproduction_steps, :string
+          # Environment - A description of the environment in which reproduction was possible.
+          prop :environment, :string
+          # Supporting Material - Supporting material that helps in reproducing or understanding how reproduction is possible. This may include screenshots, payloads, and PoC exploit code.
+          prop :supporting_material, :array, items: Attachment
+        end
+
+        # Schema name: Reference
+        class Reference < Base
+          # ID - An identifier that uniquely identifies the vulnerability.
+          # Examples: "CVE-2021-39182", "GHSA-35m5-8cvj-8783", "SNYK-PYTHON-ENROCRYPT-1912876"
+          prop :id, :string, required: true
+          # The source that published the vulnerability.
+          prop :source, VulnerabilitySource, required: true
+        end
+
+        # BOM Reference - An optional identifier which can be used to reference the vulnerability elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # ID - The identifier that uniquely identifies the vulnerability.
+        # Examples: "CVE-2021-39182", "GHSA-35m5-8cvj-8783", "SNYK-PYTHON-ENROCRYPT-1912876"
+        prop :id, :string
+        # The source that published the vulnerability.
+        prop :source, VulnerabilitySource
+        # References - Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Often times, the same vulnerability may exist in multiple sources of vulnerability intelligence, but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
+        prop :references, :array, items: Reference
+        # Ratings - List of vulnerability ratings
+        prop :ratings, :array, items: Rating
+        # CWEs - List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability.
+        # Contains integer representations of Common Weaknesses Enumerations (CWE). For example 399 (of https://cwe.mitre.org/data/definitions/399.html)
+        # Example: [399]
+        prop :cwes, :array, items: [:integer, minimum: 1]
+        # Description - A description of the vulnerability as provided by the source.
+        prop :description, :string
+        # Details - If available, an in-depth description of the vulnerability as provided by the source organization. Details often include information useful in understanding root cause.
+        prop :detail, :string
+        # Recommendation - Recommendations of how the vulnerability can be remediated or mitigated.
+        prop :recommendation, :string
+        # Workarounds - A bypass, usually temporary, of the vulnerability that reduces its likelihood and/or impact. Workarounds often involve changes to configuration or deployments.
+        prop :workaround, :string
+        # Proof of Concept - Evidence used to reproduce the vulnerability.
+        prop :proof_of_concept, ProofOfConcept
+        # Advisories - Published advisories of the vulnerability if provided.
+        prop :advisories, :array, items: Advisory
+        # Created - The date and time (timestamp) when the vulnerability record was created in the vulnerability database.
+        prop :created, :date_time
+        # Published - The date and time (timestamp) when the vulnerability record was first published.
+        prop :published, :date_time
+        # Updated - The date and time (timestamp) when the vulnerability record was last updated.
+        prop :updated, :date_time
+        # Rejected - The date and time (timestamp) when the vulnerability record was rejected (if applicable).
+        prop :rejected, :date_time
+        # Credits - Individuals or organizations credited with the discovery of the vulnerability.
+        prop :credits, Credits
+        # Tools - The tool(s) used to identify, confirm, or score the vulnerability.
+        prop :tools, Tools
+        # Impact Analysis - An assessment of the impact and exploitability of the vulnerability.
+        prop :analysis, Analysis
+        # Affects - The components or services that are affected by the vulnerability.
+        prop :affects, :array, items: Affects, unique: true
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/vulnerability_source.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Source - The source of vulnerability information. This is often the organization that published the vulnerability.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: VulnerabilitySource
+      class VulnerabilitySource < Base
+        # URL - The url of the vulnerability documentation as provided by the source.
+        # Example: "https://nvd.nist.gov/vuln/detail/CVE-2021-39182"
+        prop :url, :string # Oddly, the schema does not validate the URL format here
+        # Name - The name of the source.
+        # Examples: "NVD", "National Vulnerability Database", "OSS Index", "VulnDB", "GitHub Advisories"
+        prop :name, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/workflow.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "dependency"
+require_relative "input"
+require_relative "output"
+require_relative "property"
+require_relative "resource_reference_choice"
+require_relative "step"
+require_relative "task"
+require_relative "trigger"
+require_relative "workspace"
+
+# Workflow - A specialized orchestration task.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Workflow
+      class Workflow < Base
+        # BOM Reference - An optional identifier which can be used to reference the workflow elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref", required: true
+        # Unique Identifier (UID) - The unique identifier for the resource instance within its deployment context.
+        prop :uid, :string, required: true
+        # Name - The name of the resource instance.
+        prop :name, :string
+        # Description - A description of the resource instance.
+        prop :description, :string
+        # Resource references - References to component or service resources that are used to realize the resource instance.
+        prop :resource_references, :array, items: ResourceReferenceChoice, unique: true
+        # Tasks - The tasks that comprise the workflow.
+        prop :tasks, :array, items: Task, unique: true
+        # Task dependency graph - The graph of dependencies between tasks within the workflow.
+        prop :task_dependencies, :array, items: Dependency, unique: true
+        # Task types - Indicates the types of activities performed by the set of workflow tasks.
+        prop :task_types, :array, items: [:string, enum: Enum::TASK_TYPE], required: true
+        # Trigger - The trigger that initiated the task.
+        prop :trigger, Trigger
+        # Steps - The sequence of steps for the task.
+        prop :steps, :array, items: Step, unique: true
+        # Inputs - Represents resources and data brought into a task at runtime by executor or task commands
+        prop :inputs, :array, items: Input, unique: true
+        # Outputs - Represents resources and data output from a task at runtime by executor or task commands
+        prop :outputs, :array, items: Output, unique: true
+        # Time start - The date and time (timestamp) when the task started.
+        prop :time_start, :date_time
+        # Time end - The date and time (timestamp) when the task ended.
+        prop :time_end, :date_time
+        # Workspaces - A set of named filesystem or data resource shareable by workflow tasks.
+        prop :workspaces, :array, items: Workspace, unique: true
+        # Runtime topology - A graph of the component runtime topology for workflow's instance.
+        prop :runtime_topology, :array, items: Dependency, unique: true
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/workspace.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "resource_reference_choice"
+require_relative "property"
+require_relative "volume"
+
+# Workspace - A named filesystem or data resource shareable by workflow tasks.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Workspace
+      class Workspace < Base
+        # BOM Reference - An optional identifier which can be used to reference the workspace elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref", required: true
+        # Unique Identifier (UID) - The unique identifier for the resource instance within its deployment context.
+        prop :uid, :string, required: true
+        # Name - The name of the resource instance.
+        prop :name, :string
+        # Aliases - The names for the workspace as referenced by other workflow tasks. Effectively, a name mapping so other tasks can use their own local name in their steps.
+        prop :aliases, :array, items: :string
+        # Description - A description of the resource instance.
+        prop :description, :string
+        # Resource references - References to component or service resources that are used to realize the resource instance.
+        prop :resource_references, :array, items: ResourceReferenceChoice, unique: true
+        # Access mode - Describes the read-write access control for the workspace relative to the owning resource instance.
+        prop :access_mode, :string, enum: Enum::ACCESS_MODE
+        # Mount path - A path to a location on disk where the workspace will be available to the associated task's steps.
+        prop :mount_path, :string
+        # Managed data type - The name of a domain-specific data type the workspace represents.
+        # Examples: "ConfigMap", "Secret"
+        prop :managed_data_type, :string
+        # Volume request - Identifies the reference to the request for a specific volume type and parameters.
+        # Example: "a kubernetes Persistent Volume Claim (PVC) name"
+        prop :volume_request, :string
+        # Volume - Information about the actual volume instance allocated to the workspace.
+        prop :volume, Volume
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+Dir[File.join(__dir__ || ".", "record", "*.rb")].each do |file|
+  require_relative file
+end
+
+module SBOM
+  module CycloneDX
+    module Record
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/array_validator.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require_relative("base_validator")
+require_relative("record_validator")
+require_relative("../validator")
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class ArrayValidator < BaseValidator
+        def initialize(items:, unique: false, required: false)
+          super(Array, required: required)
+
+          @unique = unique
+          @items_validator =
+            case items
+            when :array, :boolean, :date_time, :email_address, :float, :integer, :string, :uri
+              Validator.for(items, required: true)
+            # when Proc
+            #   proc_validator(items)
+            when Array
+              Validator.for(items.first, required: true, **items.last)
+            when Class
+              raise "Unsupported items type: #{items}" unless items < Record::Base
+
+              RecordValidator.new(type: items, required: true)
+            else
+              raise ArgumentError, "Unsupported items type: #{items}"
+            end
+        end
+
+        def validate(value)
+          rv = super
+          return rv unless value.is_a?(Array)
+
+          rv << "Unique array contains non-unique values" if @unique && value.uniq.length != value.length
+          value.each { |item| rv += @items_validator.validate(item) }
+          rv
+        end
+
+        def raw_types
+          @items_validator.raw_types
+        end
+
+        private
+
+        def validator_method(klass)
+          proc { |item| klass.validate(item) } #: ^(untyped) -> Array[String]
+        end
+
+        def proc_validator(validator)
+          lambda do |item|
+            rv = validator.call(item)
+            case rv
+            when Array then rv.map(&:to_s)
+            when true then []
+            when false then ["#{item} is invalid"]
+            else [rv.to_s]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/base_validator.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class BaseValidator
+        MISSING_REQUIRED = "Required property is missing or nil"
+        INVALID_TYPE = "Invalid type `%s`, expected: %s"
+
+        def initialize(*types, required: false)
+          raise "Abstract class BaseValidator cannot be instantiated" unless self.class < BaseValidator
+
+          @types = types
+          @required = required
+        end
+
+        def valid?(value)
+          validate(value).empty?
+        end
+
+        def validate(value) # rubocop:disable Metrics/CyclomaticComplexity
+          errors = [] #: Array[String]
+
+          errors << MISSING_REQUIRED if required? && value.nil?
+          return errors if errors.any?
+          return errors if @types.any? { |type| value.is_a?(type) }
+          return errors if value.nil? && !required?
+
+          errors << format(INVALID_TYPE, value.class.name, @types.join(", "))
+        end
+
+        def required?
+          @required
+        end
+
+        def raw_types
+          @types
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/boolean_validator.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require_relative "base_validator"
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class BooleanValidator < BaseValidator
+        def initialize(required: false)
+          super(TrueClass, FalseClass, required: required)
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/date_time_validator.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "date"
+require_relative "base_validator"
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class DateTimeValidator < BaseValidator
+        def initialize(required: false)
+          super(DateTime, Time, String, required: required)
+        end
+
+        def validate(value)
+          rv = super
+          return rv unless value.is_a?(String)
+
+          begin
+            DateTime.iso8601(value)
+            rv
+          rescue ArgumentError, TypeError
+            rv << "Invalid ISO8601 date-time"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/email_address_validator.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "base_validator"
+require_relative("../../../email_address_extension")
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class EmailAddressValidator < BaseValidator
+        def initialize(required: false)
+          super(EmailAddress::Address, String, required: required)
+        end
+
+        def validate(value)
+          rv = super
+          return rv unless value.is_a?(EmailAddress::Address) || value.is_a?(String)
+
+          begin
+            to_validate = value.is_a?(EmailAddress::Address) ? value : EmailAddress::Address.new(value)
+            return rv if to_validate.valid?
+          rescue NoMethodError
+            # Do nothing, all errors handled below
+          end
+
+          rv << "Invalid email address"
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/float_validator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "base_validator"
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class FloatValidator < BaseValidator
+        def initialize(maximum: nil, minimum: nil, required: false)
+          if maximum && minimum && maximum < minimum
+            raise ArgumentError, "maximum must be greater than or equal to minimum"
+          end
+
+          super(Float, required: required)
+
+          @range = (minimum..maximum)
+        end
+
+        def validate(value)
+          rv = super
+          return rv unless value.is_a?(Float)
+
+          rv << "Value is not within range" unless @range.cover?(value)
+          rv
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/validator/integer_validator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "base_validator"
+
+module SBOM
+  module CycloneDX
+    # TODO: Add helpful errors
+    module Validator
+      class IntegerValidator < BaseValidator
+        def initialize(maximum: nil, minimum: nil, required: false)
+          if maximum && minimum && maximum < minimum
+            raise ArgumentError, "maximum must be greater than or equal to minimum"
+          end
+
+          super(Integer, required: required)
+
+          @range = (minimum..maximum)
+        end
+
+        def validate(value)
+          rv = super
+          return rv unless value.is_a?(Integer)
+
+          rv << "Value is not within range" unless @range.cover?(value)
+          rv
+        end
+      end
+    end
+  end
+end