sbom-cyclonedx 0.1.0 → 0.2.0

data/lib/sbom/cyclone_dx/record/condition.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Condition - A condition that was used to determine a trigger should be activated.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Condition
+      class Condition < Base
+        # Description - Describes the set of conditions which cause the trigger to activate.
+        prop :description, :string
+        # Expression - The logical expression that was evaluated that determined the trigger should be fired.
+        prop :expression, :string
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/copyright.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Copyright - A copyright notice informing users of the underlying claims to copyright ownership in a published work.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Copyright
+      class Copyright < Base
+        # Copyright Text - The textual content of the copyright.
+        prop :text, :string, required: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/crypto_properties.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "cipher_suite"
+require_relative "secured_by"
+
+# Cryptographic Properties - Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: CryptoProperties
+      class CryptoProperties < Base
+        # Schema name: AlgorithmProperties
+        class AlgorithmProperties < Base
+          # primitive - Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).
+          prop :primitive, :string, enum: Enum::PRIMITIVE
+          # Parameter Set Identifier - An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205).
+          prop :parameter_set_identifier, :string
+          # Elliptic Curve - The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).
+          prop :curve, :string
+          # Execution Environment - The target and execution environment in which the algorithm is implemented in.
+          prop :execution_environment, :string, enum: Enum::EXECUTION_ENVIRONMENT
+          # Implementation platform - The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.
+          prop :implementation_platform, :string, enum: Enum::IMPLEMENTATION_PLATFORM
+          # Certification Level - The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).
+          prop :certification_level, :array, items: [:string, enum: Enum::CERTIFICATION_LEVEL]
+          # Mode - The mode of operation in which the cryptographic algorithm (block cipher) is used.
+          prop :mode, :string, enum: Enum::ALGORITHM_MODE
+          # Padding - The padding scheme that is used for the cryptographic algorithm.
+          prop :padding, :string, enum: Enum::PADDING
+          # Cryptographic functions - The cryptographic functions implemented by the cryptographic algorithm.
+          prop :crypto_functions, :array, items: [:string, enum: Enum::CRYPTO_FUNCTION]
+          # classical security level - The classical security level that a cryptographic algorithm provides (in bits).
+          prop :classical_security_level, :integer, minimum: 0
+          # NIST security strength category - The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.
+          prop :nist_quantum_security_level, :integer, minimum: 0, maximum: 6
+        end
+
+        # Schema name: CertificateProperties
+        class CertificateProperties < Base
+          # Subject Name - The subject name for the certificate
+          prop :subject_name, :string
+          # Issuer Name - The issuer name for the certificate
+          prop :issuer_name, :string
+          # Not Valid Before - The date and time according to ISO-8601 standard from which the certificate is valid
+          prop :not_valid_before, :date_time
+          # Not Valid After - The date and time according to ISO-8601 standard from which the certificate is not valid anymore
+          prop :not_valid_after, :date_time
+          # Algorithm Reference - The bom-ref to signature algorithm used by the certificate
+          prop :signature_algorithm_ref, :string, pattern: Pattern::REF_LINK
+          # Key reference - The bom-ref to the public key of the subject
+          prop :subject_public_key_ref, :string, pattern: Pattern::REF_LINK
+          # Certificate Format - The format of the certificate
+          # Examples: "X.509", "PEM", "DER", "CVC"
+          prop :certificate_format, :string
+          # Certificate File Extension - The file extension of the certificate
+          # Examples: "crt", "pem", "cer", "der", "p12"
+          prop :certificate_extension, :string
+        end
+
+        # Schema name: ProtocolProperties
+        class ProtocolProperties < Base
+          # Schema name: IKEv2TransformType
+          class IKEv2TransformType < Base
+            # Encryption Algorithm (ENCR) - Transform Type 1: encryption algorithms
+            prop :encr, :array, items: [:string, pattern: Pattern::REF_LINK]
+            # Pseudorandom Function (PRF) - Transform Type 2: pseudorandom functions
+            prop :prf, :array, items: [:string, pattern: Pattern::REF_LINK]
+            # Integrity Algorithm (INTEG) - Transform Type 3: integrity algorithms
+            prop :integ, :array, items: [:string, pattern: Pattern::REF_LINK]
+            # Key Exchange Method (KE) - Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).
+            prop :ke, :array, items: [:string, pattern: Pattern::REF_LINK]
+            # Extended Sequence Numbers (ESN) - Specifies if an Extended Sequence Number (ESN) is used.
+            prop :esn, :boolean
+            # IKEv2 Authentication method - IKEv2 Authentication method
+            prop :auth, :array, items: [:string, pattern: Pattern::REF_LINK]
+          end
+
+          # Type - The concrete protocol type.
+          prop :type, :string, enum: Enum::PROTOCOL_TYPE
+          # Protocol Version - The version of the protocol.
+          # Examples: "1.0", "1.2", "1.99"
+          prop :version, :string
+          # Cipher Suites - A list of cipher suites related to the protocol.
+          prop :cipher_suites, :array, items: CipherSuite
+          # IKEv2 Transform Types - The IKEv2 transform types supported (types 1-4), defined in [RFC 7296 section 3.3.2](https://www.ietf.org/rfc/rfc7296.html#section-3.3.2), and additional properties.
+          prop :ikev2_transform_types, IKEv2TransformType
+          # Cryptographic References - A list of protocol-related cryptographic assets
+          prop :crypto_ref_array, :array, items: [:string, pattern: Pattern::REF_LINK]
+        end
+
+        # Schema name: RelatedCryptoMaterialProperties
+        class RelatedCryptoMaterialProperties < Base
+          # relatedCryptoMaterialType - The type for the related cryptographic material
+          prop :type, :string, enum: Enum::RELATED_CRYPTO_MATERIAL_TYPE
+          # ID - The optional unique identifier for the related cryptographic material.
+          prop :id, :string
+          # State - The key state as defined by NIST SP 800-57.
+          prop :state, :string, enum: Enum::RELATED_CRYPTO_MATERIAL_STATE
+          # Algorithm Reference - The bom-ref to the algorithm used to generate the related cryptographic material.
+          prop :algorithm_ref, :string, pattern: Pattern::REF_LINK
+          # Creation Date - The date and time (timestamp) when the related cryptographic material was created.
+          prop :creation_date, :date_time
+          # Activation Date - The date and time (timestamp) when the related cryptographic material was activated.
+          prop :activation_date, :date_time
+          # Update Date - The date and time (timestamp) when the related cryptographic material was updated.
+          prop :update_date, :date_time
+          # Expiration Date - The date and time (timestamp) when the related cryptographic material expires.
+          prop :expiration_date, :date_time
+          # Value - The associated value of the cryptographic material.
+          prop :value, :string
+          # Size - The size of the cryptographic asset (in bits).
+          prop :asset_size, :integer, json_name: "size"
+          # Format - The format of the related cryptographic material (e.g. P8, PEM, DER).
+          prop :format, :string
+          # Secured By - The mechanism by which the cryptographic asset is secured by.
+          prop :secured_by, SecuredBy
+        end
+
+        # Asset Type - Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.
+        prop :asset_type, :string, enum: Enum::ASSET_TYPE, required: true
+        # Algorithm Properties - Additional properties specific to a cryptographic algorithm.
+        prop :algorithm_properties, AlgorithmProperties
+        # Certificate Properties - Properties for cryptographic assets of asset type 'certificate'
+        prop :certificate_properties, CertificateProperties
+        # Related Cryptographic Material Properties - Properties for cryptographic assets of asset type: `related-crypto-material`
+        prop :related_crypto_material_properties, RelatedCryptoMaterialProperties
+        # Protocol Properties - Properties specific to cryptographic assets of type: `protocol`.
+        prop :protocol_properties, ProtocolProperties
+        # OID - The object identifier (OID) of the cryptographic asset.
+        prop :oid, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/data_governance.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "data_governance_responsible_party"
+
+# Data Governance - Data governance captures information regarding data ownership, stewardship, and custodianship, providing insights into the individuals or entities responsible for managing, overseeing, and safeguarding the data throughout its lifecycle.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: DataGovernance
+      class DataGovernance < Base
+        # Data Custodians - Data custodians are responsible for the safe custody, transport, and storage of data.
+        prop :custodians, :array, items: DataGovernanceResponsibleParty
+        # Data Stewards - Data stewards are responsible for data content, context, and associated business rules.
+        prop :stewards, :array, items: DataGovernanceResponsibleParty
+        # Data Owners - Data owners are concerned with risk and appropriate access to data.
+        prop :owners, :array, items: DataGovernanceResponsibleParty
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/data_governance_responsible_party.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "organizational_entity"
+require_relative "organizational_contact"
+
+# Anonymous class from DataGovernanceResponsibleParty
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: DataGovernanceResponsibleParty
+      class DataGovernanceResponsibleParty < Base
+        # Organization - The organization that is responsible for specific data governance role(s).
+        prop :organization, OrganizationalEntity
+        # Individual - The individual that is responsible for specific data governance role(s).
+        prop :contact, OrganizationalContact
+
+        validate :organization, :contact, presence: :any
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/declarations.rb

@@ -0,0 +1,193 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+
+# Declarations - The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Declarations
+      class Declarations < Base
+        # Schema name: Affirmation
+        class Affirmation < Base
+          # Schema name: Signatory
+          class Signatory < Base
+            # Name - The signatory's name.
+            prop :name, :string
+            # Role - The signatory's role within an organization.
+            prop :role, :string
+            # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+            prop :signature, :union, of: Signature::UNION_TYPE
+            # Organization - The signatory's organization.
+            prop :organization, OrganizationalEntity
+            # External Reference - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+            prop :external_reference, ExternalReference
+
+            validate(
+              :signature,
+              :organization,
+              :external_reference,
+              message: "must specify organization and external_reference if signature is not provided"
+            ) do |signature, organization, external_reference|
+              signature.nil? && (organization.nil? || external_reference.nil?)
+            end
+          end
+
+          # Statement - The brief statement affirmed by an individual regarding all declarations.\n*- Notes This could be an affirmation of acceptance by a third-party auditor or receiving individual of a file.
+          # Example: "I certify, to the best of my knowledge, that all information is correct."
+          prop :statement, :string
+          # Signatories - The list of signatories authorized on behalf of an organization to assert validity of this document.
+          prop :signatories, :array, items: Signatory
+          # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+          prop :signature, :union, of: Signature::UNION_TYPE
+        end
+
+        # Schema name: Assessor
+        class Assessor < Base
+          # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+          # Third Party - The boolean indicating if the assessor is outside the organization generating claims. A value of false indicates a self assessor.
+          prop :third_party, :boolean
+          # Organization - The entity issuing the assessment.
+          prop :organization, OrganizationalEntity
+        end
+
+        # Schema name: Attestation
+        class Attestation < Base
+          # Schema name: Map
+          class Map < Base
+            # Schema name: Confidence
+            class Confidence < Base
+              # Score - The confidence of the claim between and inclusive of 0 and 1, where 1 is 100% confidence.
+              prop :score, :float, minimum: 0, maximum: 1
+              # Rationale - The rationale for the confidence score.
+              prop :rationale, :string
+            end
+
+            # Schema name: Conformance
+            class Conformance < Base
+              # Score - The conformance of the claim between and inclusive of 0 and 1, where 1 is 100% conformance.
+              prop :score, :float, minimum: 0, maximum: 1
+              # Rationale - The rationale for the conformance score.
+              prop :rationale, :string
+              # Mitigation Strategies - The list of  `bom-ref` to the evidence provided describing the mitigation strategies.
+              prop :mitigation_strategies, :array, items: [:string, pattern: Pattern::REF_LINK]
+            end
+
+            # Requirement - The `bom-ref` to the requirement being attested to.
+            prop :requirement, :string, pattern: Pattern::REF_LINK
+            # Claims - The list of `bom-ref` to the claims being attested to.
+            prop :claims, :array, items: [:string, pattern: Pattern::REF_LINK]
+            # Counter Claims - The list of  `bom-ref` to the counter claims being attested to.
+            prop :counter_claims, :array, items: [:string, pattern: Pattern::REF_LINK]
+            # Conformance - The conformance of the claim meeting a requirement.
+            prop :conformance, Conformance
+            # Confidence - The confidence of the claim meeting the requirement.
+            prop :confidence, Confidence
+          end
+
+          # Summary - The short description explaining the main points of the attestation.
+          prop :summary, :string
+          # Assessor - The `bom-ref` to the assessor asserting the attestation.
+          prop :assessor, :string, pattern: Pattern::REF_LINK
+          # Map - The grouping of requirements to claims and the attestors declared conformance and confidence thereof.
+          prop :requirements_map, :array, items: Map, json_name: "map"
+          # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+          prop :signature, :union, of: Signature::UNION_TYPE
+        end
+
+        # Schema name: Claim
+        class Claim < Base
+          # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+          # Target - The `bom-ref` to a target representing a specific system, application, API, module, team, person, process, business unit, company, etc...  that this claim is being applied to.
+          prop :target, :string, pattern: Pattern::REF_LINK
+          # Predicate - The specific statement or assertion about the target.
+          prop :predicate, :string
+          # Mitigation Strategies - The list of  `bom-ref` to the evidence provided describing the mitigation strategies. Each mitigation strategy should include an explanation of how any weaknesses in the evidence will be mitigated.
+          prop :mitigation_strategies, :array, items: [:string, pattern: Pattern::REF_LINK]
+          # Reasoning - The written explanation of why the evidence provided substantiates the claim.
+          prop :reasoning, :string
+          # Evidence - The list of `bom-ref` to evidence that supports this claim.
+          prop :evidence, :array, items: [:string, pattern: Pattern::REF_LINK]
+          # Counter Evidence - The list of `bom-ref` to counterEvidence that supports this claim.
+          prop :counter_evidence, :array, items: [:string, pattern: Pattern::REF_LINK]
+          # External References - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+          prop :external_references, :array, items: ExternalReference
+          # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+          prop :signature, :union, of: Signature::UNION_TYPE
+        end
+
+        # Schema name: Evidence
+        class Evidence < Base
+          # Schema name: EvidenceData
+          class EvidenceData < Base
+            # Schema name: Contents
+            class Contents < Base
+              # Data Attachment - An optional way to include textual or encoded data.
+              prop :attachment, Attachment
+              # Data URL - The URL to where the data can be retrieved.
+              prop :url, :uri
+            end
+
+            # Data Name - The name of the data.
+            prop :name, :string
+            # Data Contents - The contents or references to the contents of the data being described.
+            prop :contents, Contents
+            # Data Classification - Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+            prop :classification, :string
+            # Sensitive Data - A description of any sensitive data included.
+            prop :sensitive_data, :array, items: :string
+            # Data Governance - Data governance information.
+            prop :governance, DataGovernance
+          end
+
+          # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+          # Property Name - The reference to the property name as defined in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/).
+          prop :property_name, :string
+          # Description - The written description of what this evidence is and how it was created.
+          prop :description, :string
+          # Data - The output or analysis that supports claims.
+          prop :data, :array, items: EvidenceData
+          # Created - The date and time (timestamp) when the evidence was created.
+          prop :created, :date_time
+          # Expires - The optional date and time (timestamp) when the evidence is no longer valid.
+          prop :expires, :date_time
+          # Author - The author of the evidence.
+          prop :author, OrganizationalContact
+          # Reviewer - The reviewer of the evidence.
+          prop :reviewer, OrganizationalContact
+          # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+          prop :signature, :union, of: Signature::UNION_TYPE
+        end
+
+        # Schema name: Target
+        class Target < Base
+          # Organizations - The list of organizations which claims are made against.
+          prop :organizations, :array, items: OrganizationalEntity
+          # Components - The list of components which claims are made against.
+          prop :components, :array, items: Component
+          # Services - The list of services which claims are made against.
+          prop :services, :array, items: Service
+        end
+
+        # Assessors - The list of assessors evaluating claims and determining conformance to requirements and confidence in that assessment.
+        prop :assessors, :array, items: Assessor
+        # Attestations - The list of attestations asserted by an assessor that maps requirements to claims.
+        prop :attestations, :array, items: Attestation
+        # Claims - The list of claims.
+        prop :claims, :array, items: Claim
+        # Evidence - The list of evidence
+        prop :evidence, :array, items: Evidence
+        # Targets - The list of targets which claims are made against.
+        prop :targets, :array, items: Target
+        # Affirmation - A concise statement affirmed by an individual regarding all declarations, often used for third-party auditor acceptance or recipient acknowledgment. It includes a list of authorized signatories who assert the validity of the document on behalf of the organization.
+        prop :affirmation, Affirmation
+        # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)
+        prop :signature, :union, of: Signature::UNION_TYPE
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/definitions.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "standard"
+
+# Definitions - A collection of reusable objects that are defined and may be used elsewhere in the BOM.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Definitions
+      class Definitions < Base
+        # Standards - The list of standards which may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+        prop :standards, :array, items: Standard
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/dependency.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+
+# Dependency - Defines the direct dependencies of a component, service, or the components provided/implemented by a given component. Components or services that do not have their own dependencies must be declared as empty elements within the graph. Components or services that are not represented in the dependency graph may have unknown dependencies. It is recommended that implementations assume this to be opaque and not an indicator of an object being dependency-free. It is recommended to leverage compositions to indicate unknown dependency graphs.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Dependency
+      class Dependency < Base
+        # Reference - References a component or service by its bom-ref attribute
+        prop :ref, :string, pattern: Pattern::REF_LINK, required: true
+        # Depends On - The bom-ref identifiers of the components or services that are dependencies of this dependency object.
+        prop :depends_on, :array, items: [:string, pattern: Pattern::REF_LINK], unique: true
+        # Provides - The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.
+        prop :provides, :array, items: [:string, pattern: Pattern::REF_LINK], unique: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/diff.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Diff - The patch file (or diff) that shows changes. Refer to https://en.wikipedia.org/wiki/Diff
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Diff
+      class Diff < Base
+        # Diff text - Specifies the optional text of the diff
+        prop :text, Attachment
+        # URL - Specifies the URL to the diff
+        prop :url, :uri
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/energy_consumption.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+require_relative "energy_provider"
+require_relative "energy_measure"
+require_relative "co2_measure"
+require_relative "property"
+
+# Energy consumption - Describes energy consumption information incurred for the specified lifecycle activity.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: EnergyConsumption
+      class EnergyConsumption < Base
+        # Activity - The type of activity that is part of a machine learning model development or operational lifecycle.
+        prop :activity, :string, enum: Enum::ACTIVITY, required: true
+        # Energy Providers - The provider(s) of the energy consumed by the associated model development lifecycle activity.
+        prop :energy_providers, :array, items: EnergyProvider, required: true
+        # Activity Energy Cost - The total energy cost associated with the model lifecycle activity.
+        prop :activity_energy_cost, EnergyMeasure, required: true
+        # CO2 Equivalent Cost - The CO2 cost (debit) equivalent to the total energy cost.
+        prop :co2_cost_equivalent, CO2Measure
+        # CO2 Cost Offset - The CO2 offset (credit) for the CO2 equivalent cost.
+        prop :co2_cost_offset, CO2Measure
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/energy_measure.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Energy Measure - A measure of energy.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: EnergyMeasure
+      class EnergyMeasure < Base
+        # Value - Quantity of energy.
+        prop :value, :float, required: true
+        # Unit - Unit of energy, currently specified as a const "kWh".
+        const :unit, :string, "kWh"
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/energy_provider.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "external_reference"
+require_relative "energy_measure"
+require_relative "organizational_entity"
+
+# Energy Provider - Describes the physical provider of energy used for model development or operations.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: EnergyProvider
+      class EnergyProvider < Base
+        # BOM Reference - An optional identifier which can be used to reference the energy provider elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Description - A description of the energy provider.
+        prop :description, :string
+        # Organization - The organization that provides energy.
+        prop :organization, OrganizationalEntity, required: true
+        # Energy Source - The energy source for the energy provider.
+        prop :energy_source, :string, enum: Enum::ENERGY_SOURCE, required: true
+        # Energy Provided - The energy provided by the energy source for an associated activity.
+        prop :energy_provided, EnergyMeasure, required: true
+        # External References - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+        prop :external_references, :array, items: ExternalReference
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/environmental_consideration.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "energy_consumption"
+require_relative "property"
+
+# Environmental Considerations - Describes various environmental impact metrics.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: EnvironmentalConsideration
+      class EnvironmentalConsideration < Base
+        # Energy Consumptions - Describes energy consumption information incurred for one or more component lifecycle activities.
+        prop :energy_consumptions, :array, items: EnergyConsumption
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/event.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "attachment"
+require_relative "property"
+require_relative "resource_reference_choice"
+
+# Event - Represents something that happened that may trigger a response.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Event
+      class Event < Base
+        # Unique Identifier (UID) - The unique identifier of the event.
+        prop :uid, :string
+        # Description - A description of the event.
+        prop :description, :string
+        # Time Received - The date and time (timestamp) when the event was received.
+        prop :time_received, :date_time
+        # Data - Encoding of the raw event data.
+        prop :data, Attachment
+        # Source - References the component or service that was the source of the event
+        prop :source, ResourceReferenceChoice
+        # Target - References the component or service that was the target of the event
+        prop :target, ResourceReferenceChoice
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/external_reference.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "hash_data"
+
+# External Reference - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ExternalReference
+      class ExternalReference < Base
+        # URL - The URI (URL or URN) to the external reference. External references are URIs and therefore can accept any URL scheme including https ([RFC-7230](https://www.ietf.org/rfc/rfc7230.txt)), mailto ([RFC-2368](https://www.ietf.org/rfc/rfc2368.txt)), tel ([RFC-3966](https://www.ietf.org/rfc/rfc3966.txt)), and dns ([RFC-4501](https://www.ietf.org/rfc/rfc4501.txt)). External references may also include formally registered URNs such as [CycloneDX BOM-Link](https://cyclonedx.org/capabilities/bomlink/) to reference CycloneDX BOMs or any object within a BOM. BOM-Link transforms applicable external references into relationships that can be expressed in a BOM or across BOMs.
+        prop :url, :union, of: [:uri, [:string, pattern: Pattern::CDX_URN]], required: true
+        # Comment - An optional comment describing the external reference
+        prop :comment, :string
+        # Type - Specifies the type of external reference.
+        prop :type, :string, enum: Enum::EXTERNAL_REFERENCE_TYPE, required: true
+        # Hashes - The hashes of the external reference (if applicable).
+        prop :hashes, :array, items: HashData
+      end
+    end
+  end
+end