sbom-cyclonedx 0.1.0 → 0.2.0

data/lib/sbom/cyclone_dx/record/base.rb

@@ -0,0 +1,244 @@
+# frozen_string_literal: true
+
+require "active_support/all"
+require_relative "../../../email_address_extension"
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "../validator"
+
+module SBOM
+  module CycloneDX
+    module Record
+      class Base # rubocop:disable Metrics/ClassLength
+        include Comparable
+
+        attr_reader :errors
+
+        def initialize(**args)
+          raise "Cannot instantiate abstract Record" unless self.class < Base
+
+          populate_fields(**args)
+          valid?
+        end
+
+        def <=>(other)
+          return nil unless other.is_a?(self.class)
+
+          as_json <=> other.as_json
+        end
+
+        def valid?
+          @errors = @_fields.transform_values do |field|
+            field.valid?
+            field.errors
+          end
+          @errors[:_base] = []
+
+          self.class.custom_validators.each do |props, message, block|
+            @errors[:_base] += validate_custom(*props, message: message, &block)
+          end
+
+          @errors.values.all?(&:empty?)
+        end
+
+        def valid!
+          raise ArgumentError, formatted_errors
+        end
+
+        def formatted_errors
+          errors.filter_map do |field_name, field_errors|
+            next if field_errors.empty?
+
+            field_name = self.class.json_name if field_name == :_base
+            field_errors.map { |error| "#{field_name} #{error}" }
+          end.flatten
+        end
+
+        def self.json_create(object)
+          new(**object.deep_symbolize_keys)
+        end
+
+        private
+
+        attr_reader :_fields
+
+        def populate_fields(**args) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+          @_fields = self.class.fields.to_h do |name, field_class|
+            arg_name =
+              if args.key?(name)
+                name
+              elsif args.key?(field_class.json_name.to_sym)
+                field_class.json_name.to_sym
+              end
+
+            unless arg_name.nil?
+              if field_class < Field::ConstBase
+                const_object = field_class.new
+                input_object_value = args.delete(arg_name)
+                if const_object.value != input_object_value
+                  raise ArgumentError,
+                        "Sbom value does not match const field ('#{const_object.value}' != '#{input_object_value}')"
+                end
+
+                next [name, const_object]
+              end
+
+              next [name, field_class.new(field_class.coerce(args.delete(arg_name)))] if field_class < Field::PropBase
+            end
+
+            [name, field_class.new]
+          end
+
+          raise ArgumentError, "Unknown field(s): #{args.keys.join(", ")}" unless args.empty?
+
+          @_fields
+        end
+
+        def validate_custom(*props, message: nil) # rubocop:disable Metrics/MethodLength
+          case rv = yield(*props.map { |prop| public_send(prop) })
+          when "", true, nil
+            []
+          when String
+            [rv]
+          when Array
+            rv
+          when false
+            [message || "#{props.join(", ")} invalid"]
+          else
+            [rv.to_s]
+          end
+        end
+
+        class << self
+          def fields
+            @fields ||= {} #: Hash[Symbol, singleton(SBOM::CycloneDX::Field::Base)]
+          end
+
+          def json_name(klass_name = nil)
+            unless klass_name.nil?
+              raise ArgumentError, "json_name can only be set within the class body" unless in_subclass_body?
+
+              return @json_name = klass_name
+            end
+
+            @json_name ||= name&.split("::")&.last || "Record"
+          end
+
+          ###############################
+          # DSL Methods
+          ###############################
+
+          def prop(field_name, type, required: false, json_name: nil, **kwargs) # rubocop:disable Metrics/AbcSize,Metrics/CyclomaticComplexity,Metrics/MethodLength
+            raise "properties cannot be defined for abstract Record" unless self < Base
+            raise "properties must be defined in the class body of a subclass of Record" unless in_subclass_body?
+            raise "property #{field_name} already defined" if fields.key?(field_name)
+
+            new_prop =
+              case type
+              when :array
+                opts = kwargs.slice(:const, :default, :unique) #: arrayFieldOptions
+                Field.array(field_name: field_name, items: kwargs.fetch(:items), required: required,
+                            json_name: json_name, **opts)
+              when :boolean
+                opts = kwargs.slice(:const, :default) #: booleanFieldOptions
+                Field.boolean(field_name: field_name, required: required, json_name: json_name, **opts)
+              when :date_time
+                opts = kwargs.slice(:const, :default) #: dateTimeFieldOptions
+                Field.date_time(field_name: field_name,  required: required, json_name: json_name, **opts)
+              when :email_address
+                opts = kwargs.slice(:const, :default) #: emailAddressFieldOptions
+                Field.email_address(field_name: field_name, required: required, json_name: json_name, **opts)
+              when :float
+                opts = kwargs.slice(:const, :default, :maximum, :minimum) #: floatFieldOptions
+                Field.float(field_name: field_name, required: required, json_name: json_name, **opts)
+              when :integer
+                opts = kwargs.slice(:const, :default, :maximum, :minimum) #: integerFieldOptions
+                Field.integer(field_name: field_name, required: required, json_name: json_name, **opts)
+              when Class
+                opts = kwargs.slice(:const, :default) #: recordFieldOptions
+                Field.record(field_name: field_name, klass: type, required: required, json_name: json_name, **opts)
+              when :string
+                opts = kwargs.slice(:const, :default, :enum, :max_length, :min_length, :pattern) #: stringFieldOptions
+                Field.string(field_name: field_name,  required: required, json_name: json_name, **opts)
+              when :union
+                opts = kwargs.slice(:const, :default) #: unionFieldOptions
+                Field.union(field_name: field_name, of: kwargs.fetch(:of), required: required, json_name: json_name,
+                            **opts)
+              when :uri
+                opts = kwargs.slice(:const, :default) #: uriFieldOptions
+                Field.uri(field_name: field_name, required: required, json_name: json_name, **opts)
+              else
+                raise ArgumentError, "unknown type: #{type}"
+              end
+
+            @fields[field_name] = new_prop
+            define_method(field_name) { @_fields.fetch(field_name).value }
+            define_method(:"#{field_name}=") { |value| @_fields.fetch(field_name).value = value } unless new_prop.const?
+            define_method(:"#{field_name}?") { @_fields.fetch(field_name).value? }
+            define_method(:"#{field_name}_valid?") { @_fields.fetch(field_name).valid? }
+          end
+
+          def const(field_name, type, value, required: false, json_name: nil, **kwargs)
+            prop(field_name, type, required: required, json_name: json_name, const: value, **kwargs)
+          end
+
+          def validate(*props, presence: nil, message: nil, &block) # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity,Metrics/MethodLength
+            raise "custom validators cannot be defined for abstract Record" unless self < Base
+            raise "custom validators must be defined in the class body of a subclass of Record" unless in_subclass_body?
+
+            @custom_validators ||= [] #: Array[[Array[Symbol], String, ^(*fieldValue?) -> (bool? | String | Array[String])]]
+            @custom_validators <<
+              if presence && block
+                raise ArgumentError, "cannot provide both :presence and a block"
+              elsif presence
+                validate_presence(props, presence, message)
+              elsif block
+                [props, message, block]
+              else
+                raise ArgumentError, "must provide :presence or a block"
+              end
+          end
+
+          def custom_validators
+            @custom_validators ||= []
+          end
+
+          private
+
+          def in_subclass_body? # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+            caller_location = caller_locations&.find do |location|
+              !location.label&.include?("__RBS_TEST") && location.path != __FILE__
+            end
+
+            self < Base && (caller_location&.label&.start_with?("<class:") || false)
+          end
+
+          def validate_presence(props, presence, message = nil) # rubocop:disable Metrics/MethodLength,Metrics/CyclomaticComplexity,Metrics/PerceivedComplexity
+            case presence
+            when :all
+              [
+                props,
+                message || "all of #{props.join(", ")} must be present",
+                ->(*values) { values.none?(&:nil?) }
+              ]
+            when :any
+              [
+                props,
+                message || "at least one of #{props.join(", ")} must be present",
+                ->(*values) { !values.all?(&:nil?) }
+              ]
+            when :one
+              [
+                props,
+                message || "exactly one of #{props.join(", ")} must be present",
+                ->(*values) { values.count { |v| !v.nil? } == 1 }
+              ]
+            else
+              raise ArgumentError, "unknown value for presence: #{presence}"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/cipher_suite.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+
+# Cipher Suite - Object representing a cipher suite
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: CipherSuite
+      class CipherSuite < Base
+        # Common Name - A common name for the cipher suite.
+        # Example: "TLS_DHE_RSA_WITH_AES_128_CCM"
+        prop :name, :string
+        # Related Algorithms - A list of algorithms related to the cipher suite.
+        prop :algorithms, :array, items: [:string, pattern: Pattern::REF_LINK]
+        # Cipher Suite Identifiers - A list of common identifiers for the cipher suite.
+        # Examples: "0xC0", "0x9E"
+        prop :identifiers, :array, items: :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/co2_measure.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# CO2 Measure - A measure of carbon dioxide (CO2).
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: CO2Measure
+      class CO2Measure < Base
+        # Value - Quantity of carbon dioxide (CO2).
+        prop :value, :float, required: true
+        # Unit - Unit of carbon dioxide (CO2), currently specified as a const "tCO2eq".
+        const :unit, :string, "tCO2eq"
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/command.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Anonymous class from Command
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Command
+      class Command < Base
+        # Executed - A text representation of the executed command.
+        prop :executed, :string
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/commit.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "identifiable_action"
+
+# Commit - Specifies an individual commit
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Commit
+      class Commit < Base
+        # UID - A unique identifier of the commit. This may be version control specific. For example, Subversion uses revision numbers whereas git uses commit hashes.
+        prop :uid, :string
+        # URL - The URL to the commit. This URL will typically point to a commit in a version control system.
+        prop :url, :uri
+        # Author - The author who created the changes in the commit
+        prop :author, IdentifiableAction
+        # Committer - The person who committed or pushed the commit
+        prop :committer, IdentifiableAction
+        # Message - The text description of the contents of the commit
+        prop :message, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/component.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "commit"
+require_relative "component_data"
+require_relative "component_evidence"
+require_relative "crypto_properties"
+require_relative "external_reference"
+require_relative "hash_data"
+require_relative "license_choice"
+require_relative "model_card"
+require_relative "organizational_contact"
+require_relative "organizational_entity"
+require_relative "patch"
+require_relative "property"
+require_relative "release_notes"
+require_relative "signature"
+require_relative "swid"
+
+# Component
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Component
+      class Component < Base
+        # Schema name: Pedigree
+        class Pedigree < Base
+          # Ancestors - Describes zero or more components in which a component is derived from. This is commonly used to describe forks from existing projects where the forked version contains a ancestor node containing the original component it was forked from. For example, Component A is the original component. Component B is the component being used and documented in the BOM. However, Component B contains a pedigree node with a single ancestor documenting Component A - the original component from which Component B is derived from.
+          prop :ancestors, :array, items: Component
+          # Descendants - Descendants are the exact opposite of ancestors. This provides a way to document all forks (and their forks) of an original or root component.
+          prop :descendants, :array, items: Component
+          # Variants - Variants describe relations where the relationship between the components is not known. For example, if Component A contains nearly identical code to Component B. They are both related, but it is unclear if one is derived from the other, or if they share a common ancestor.
+          prop :variants, :array, items: Component
+          # Commits - A list of zero or more commits which provide a trail describing how the component deviates from an ancestor, descendant, or variant.
+          prop :commits, :array, items: Commit
+          # Patches - A list of zero or more patches describing how the component deviates from an ancestor, descendant, or variant. Patches may be complementary to commits or may be used in place of commits.
+          prop :patches, :array, items: Patch
+          # Notes - Notes, observations, and other non-structured commentary describing the components pedigree.
+          prop :notes, :string
+        end
+
+        # Component Type - Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.
+        prop :type, :string, enum: Enum::COMPONENT_TYPE, required: true
+        # Mime-Type - The optional mime-type of the component. When used on file components, the mime-type can provide additional context about the kind of file being represented, such as an image, font, or executable. Some library or framework components may also have an associated mime-type.
+        # TODO: Use a mime-type gem
+        prop :mime_type, :string, pattern: Pattern::MIME_TYPE, json_name: "mime-type"
+        # BOM Reference - An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Component Supplier -  The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.
+        prop :supplier, OrganizationalEntity
+        # Component Manufacturer - The organization that created the component. Manufacturer is common in components created through automated processes. Components created through manual means may have `@.authors` instead.
+        prop :manufacturer, OrganizationalEntity
+        # Component Authors - The person(s) who created the component. Authors are common in components created through manual processes. Components created through automated means may have `@.manufacturer` instead.
+        prop :authors, :array, items: OrganizationalContact
+        # Component Publisher - The person(s) or organization(s) that published the component
+        # Example: "Acme Inc"
+        prop :publisher, :string
+        # Component Group - The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.
+        # Example: "com.acme"
+        prop :group, :string
+        # Component Name - The name of the component. This will often be a shortened, single name of the component. Examples: commons-lang3 and jquery
+        # Example: "tomcat-catalina"
+        prop :name, :string, required: true
+        # Component Version - The component version. The version should ideally comply with semantic versioning but is not enforced.
+        prop :version, :string
+        # Component Description - Specifies a description for the component
+        prop :description, :string
+        # Component Scope - Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.
+        prop :scope, :string, enum: Enum::SCOPE, default: "required"
+        # Component Hashes - The hashes of the component.
+        prop :hashes, :array, items: HashData
+        # Component License(s)
+        prop :licenses, :array, items: [:union, of: LicenseChoice::UNION_TYPE]
+        # Component Copyright - A copyright notice informing users of the underlying claims to copyright ownership in a published work.
+        # Example: "Acme Inc"
+        prop :copyright, :string
+        # Common Platform Enumeration (CPE) - Asserts the identity of the component using CPE. The CPE must conform to the CPE 2.2 or 2.3 specification. See [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.
+        # Example: "cpe:2.3:a:acme:component_framework:-:*:*:*:*:*:*:*"
+        # TODO: Validate
+        prop :cpe, :string
+        # Package URL (purl) - Asserts the identity of the component using package-url (purl). The purl, if specified, must be valid and conform to the specification defined at: [https://github.com/package-url/purl-spec](https://github.com/package-url/purl-spec). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.
+        # Example: "pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar"
+        # TODO: Validate
+        prop :purl, :string
+        # OmniBOR Artifact Identifier (gitoid) - Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.
+        # Examples:
+        #   "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
+        #   "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+        # TODO: Validate
+        prop :omnibor_id, :array, items: :string
+        # Software Heritage Identifier - Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.
+        # Example: "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"
+        # TODO: Validate
+        prop :swhid, :array, items: :string
+        # SWID Tag - Asserts the identity of the component using [ISO-IEC 19770-2 Software Identification (SWID) Tags](https://www.iso.org/standard/65666.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.
+        prop :swid, SWID
+        # Component Modified From Original - [Deprecated] This will be removed in a future version. Use the pedigree element instead to supply information on exactly how the component was modified. A boolean value indicating if the component has been modified from the original. A value of true indicates the component is a derivative of the original. A value of false indicates the component has not been modified from the original.
+        prop :modified, :boolean
+        # Component Pedigree - Component pedigree is a way to document complex supply chain scenarios where components are created, distributed, modified, redistributed, combined with other components, etc. Pedigree supports viewing this complex chain from the beginning, the end, or anywhere in the middle. It also provides a way to document variants where the exact relation may not be known.
+        prop :pedigree, Pedigree
+        # External References - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+        prop :external_references, :array, items: ExternalReference
+        # Components - A list of software and hardware components included in the parent component. This is not a dependency tree. It provides a way to specify a hierarchical representation of component assemblies, similar to system &#8594; subsystem &#8594; parts assembly in physical supply chains.
+        prop :components, :array, items: Component
+        # Evidence - Provides the ability to document evidence collected through various forms of extraction or analysis.
+        prop :evidence, ComponentEvidence
+        # Release notes - Specifies optional release notes.
+        prop :release_notes, ReleaseNotes
+        # AI/ML Model Card
+        prop :model_card, ModelCard
+        # Data - This object SHOULD be specified for any component of type `data` and must not be specified for other component types.
+        prop :data, :array, items: ComponentData
+        # Cryptographic Properties
+        prop :crypto_properties, CryptoProperties
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+        # Tags
+        prop :tags, :array, items: :string
+        # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+        prop :signature, :union, of: Signature::UNION_TYPE
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/component_data.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "attachment"
+require_relative "graphics_collection"
+require_relative "data_governance"
+require_relative "property"
+
+# Anonymous class from ComponentData
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ComponentData
+      class ComponentData < Base
+        class Content < Base
+          # Data Attachment - An optional way to include textual or encoded data.
+          prop :attachment, Attachment
+          # Data URL - The URL to where the data can be retrieved.
+          prop :url, :uri
+          # Configuration Properties - Provides the ability to document name-value parameters used for configuration.
+          prop :properties, :array, items: Property
+        end
+
+        # BOM Reference - An optional identifier which can be used to reference the dataset elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Type of Data - The general theme or subject matter of the data being specified.
+        prop :type, :string, enum: Enum::COMPONENT_DATA_TYPE, required: true
+        # Dataset Name - The name of the dataset.
+        prop :name, :string
+        # Data Contents - The contents or references to the contents of the data being described.
+        prop :contents, Content
+        # Data Classification - Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+        prop :classification, :string
+        # Sensitive Data - A description of any sensitive data in a dataset.
+        prop :sensitive_data, :array, items: :string
+        prop :graphics, GraphicsCollection
+        # Dataset Description - A description of the dataset. Can describe size of dataset, whether it's used for source code, training, testing, or validation, etc.
+        prop :description, :string
+        # Data Governance
+        prop :governance, DataGovernance
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/component_evidence.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "component_identity_evidence"
+require_relative "copyright"
+require_relative "license_choice"
+
+# Evidence - Provides the ability to document evidence collected through various forms of extraction or analysis.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ComponentEvidence
+      class ComponentEvidence < Base
+        # Schema name: Callstack
+        class Callstack < Base
+          # Schema name: Frame
+          class Frame < Base
+            # Package - A package organizes modules into namespaces, providing a unique namespace for each type it contains.
+            prop :package, :string
+            # Module - A module or class that encloses functions/methods and other code.
+            prop :source_module, :string, required: true, json_name: "module"
+            # Function - A block of code designed to perform a particular task.
+            prop :function, :string
+            # Parameters - Optional arguments that are passed to the module or function.
+            prop :parameters, :array, items: :string
+            # Line - The line number the code that is called resides on.
+            prop :line, :integer
+            # Column - The column the code that is called resides.
+            prop :column, :integer
+            # Full Filename - The full path and filename of the module.
+            prop :full_filename, :string
+          end
+
+          # Frames - Within a call stack, a frame is a discrete unit that encapsulates an execution context, including local variables, parameters, and the return address. As function calls are made, frames are pushed onto the stack, forming an array-like structure that orchestrates the flow of program execution and manages the sequence of function invocations.
+          prop :frames, :array, items: Frame
+        end
+
+        # Schema name: Occurrence
+        class Occurrence < Base
+          # BOM Reference - An optional identifier which can be used to reference the occurrence elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+          # Location - The location or path to where the component was found.
+          prop :location, :string, required: true
+          # Line Number - The line number where the component was found.
+          prop :line, :integer
+          # Offset - The offset where the component was found.
+          prop :offset, :integer
+          # Symbol - The symbol name that was found associated with the component.
+          prop :symbol, :string
+          # Additional Context - Any additional context of the detected component (e.g. a code snippet).
+          prop :additional_context, :string
+        end
+
+        # Identity Evidence - Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is recommended that all implementations use arrays, even if only one identity object is specified.
+        prop :identity, :array, items: ComponentIdentityEvidence
+        # Occurrences - Evidence of individual instances of a component spread across multiple locations.
+        prop :occurrences, :array, items: Occurrence
+        # Call Stack - Evidence of the components use through the callstack.
+        prop :callstack, Callstack
+        # License Evidence
+        prop :licenses, :array, items: [:union, of: LicenseChoice::UNION_TYPE]
+        # Copyright Evidence - Copyright evidence captures intellectual property assertions, providing evidence of possible ownership and legal protection.
+        prop :copyright, :array, items: Copyright
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/component_identity_evidence.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+
+# Identity Evidence - Evidence that substantiates the identity of a component.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ComponentIdentityEvidence
+      class ComponentIdentityEvidence < Base
+        # Schema name: Method
+        class Method < Base
+          # Technique - The technique used in this method of analysis.
+          prop :technique, :string, enum: Enum::TECHNIQUE, required: true
+          # Confidence - The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence.
+          prop :confidence, :float, minimum: 0, maximum: 1, required: true
+          # Value - The value or contents of the evidence.
+          prop :value, :string
+        end
+
+        # Field - The identity field of the component which the evidence describes.
+        prop :field, :string, enum: Enum::FIELD, required: true
+        # Confidence - The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence.
+        prop :confidence, :float, minimum: 0, maximum: 1
+        # Concluded Value - The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available).
+        prop :concluded_value, :string
+        # Methods - The methods used to extract and/or analyze the evidence.
+        prop :methods_used, :array, items: Method, json_name: "methods"
+        # BOM References - The object in the BOM identified by its bom-ref. This is often a component or service but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation.
+        prop :tools, :array, items: [:string, pattern: Pattern::REF_OR_CDX_URN], unique: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/composition.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "component"
+require_relative "service"
+require_relative "vulnerability"
+
+# Compositions
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Composition
+      class Composition < Base
+        # BOM Reference - An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Aggregate - Specifies an aggregate type that describe how complete a relationship is.
+        prop :aggregate, :string, enum: Enum::AGGREGATE_TYPE
+        # BOM references - The bom-ref identifiers of the components or services being described. Assemblies refer to nested relationships whereby a constituent part may include other constituent parts. References do not cascade to child parts. References are explicit for the specified constituent part only.
+        prop :assemblies, :array, items: [:string, pattern: Pattern::REF_OR_CDX_URN], unique: true
+        # BOM references - The bom-ref identifiers of the components or services being described. Dependencies refer to a relationship whereby an independent constituent part requires another independent constituent part. References do not cascade to transitive dependencies. References are explicit for the specified dependency only.
+        # TODO: Serialize to a BOMLinkElement
+        prop :dependencies, :array, items: [:union, of: [Component, Service]], unique: true
+        # BOM references - The bom-ref identifiers of the vulnerabilities being described.
+        # TODO: Serialize to a BOMLinkElement
+        prop :vulnerabilities, :array, items: Vulnerability, unique: true
+        # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+        prop :signature, :union, of: Signature::UNION_TYPE
+      end
+    end
+  end
+end