sbom-cyclonedx 0.1.0 → 0.2.0

data/lib/sbom/cyclone_dx/record/fairness_assessment.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Fairness Assessment - Information about the benefits and harms of the model to an identified at risk group.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: FairnessAssessment
+      class FairnessAssessment < Base
+        # Group at Risk - The groups or individuals at risk of being systematically disadvantaged by the model.
+        prop :group_at_risk, :string
+        # Benefits - Expected benefits to the identified groups.
+        prop :benefits, :string
+        # Harms - Expected harms to the identified groups.
+        prop :harms, :string
+        # Mitigation Strategy - With respect to the benefits and harms outlined, please describe any mitigation strategy implemented.
+        prop :mitigation_strategy, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/formula.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "component"
+require_relative "property"
+require_relative "service"
+require_relative "workflow"
+
+# Formula - Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Formula
+      class Formula < Base
+        # BOM Reference - An optional identifier which can be used to reference the formula elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Components - Transient components that are used in tasks that constitute one or more of this formula's workflows
+        prop :components, :array, items: Component, unique: true
+        # Services - Transient services that are used in tasks that constitute one or more of this formula's workflows
+        prop :services, :array, items: Service, unique: true
+        # Workflows - List of workflows that can be declared to accomplish specific orchestrated goals and independently triggered.
+        prop :workflows, :array, items: Workflow, unique: true
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property, unique: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/graphic.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "attachment"
+
+# Graphic
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Graphic
+      class Graphic < Base
+        # Name - The name of the graphic.
+        prop :name, :string
+        # Graphic Image - The graphic (vector or raster). Base64 encoding must be specified for binary images.
+        prop :image, Attachment
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/graphics_collection.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "graphic"
+
+# Graphics Collection - A collection of graphics that represent various measurements.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: GraphicsCollection
+      class GraphicsCollection < Base
+        # Description - A description of this collection of graphics.
+        prop :description, :string
+        # Collection - A collection of graphics.
+        prop :collection, :array, items: Graphic
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/hash_data.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+
+# Hash
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: HashData
+      class HashData < Base
+        prop :alg, :string, enum: Enum::HASH_ALG, required: true
+        prop :content, :string, pattern: Pattern::HASH_VALUE, required: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/identifiable_action.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "../../../email_address_extension"
+
+# Identifiable Action - Specifies an individual commit
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: IdentifiableAction
+      class IdentifiableAction < Base
+        # Timestamp - The timestamp in which the action occurred
+        prop :timestamp, :date_time
+        # Name - The name of the individual who performed the action
+        prop :name, :string
+        # E-mail - The email address of the individual who performed the action
+        prop :email, :email_address
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/input.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "resource_reference_choice"
+require_relative "parameter"
+require_relative "property"
+require_relative "attachment"
+
+# Input type - Type that represents various input data types and formats.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Input
+      class Input < Base
+        # Source - A reference to the component or service that provided the input to the task (e.g., reference to a service with data flow value of `inbound`)
+        prop :source, ResourceReferenceChoice
+        # Target - A reference to the component or service that received or stored the input if not the task itself (e.g., a local, named storage workspace)
+        prop :target, ResourceReferenceChoice
+        # Resource - A reference to an independent resource provided as an input to a task by the workflow runtime.
+        prop :resource, ResourceReferenceChoice
+        # Parameters - Inputs that have the form of parameters with names and values.
+        prop :parameters, :array, items: Parameter, unique: true
+        # Environment variables - Inputs that have the form of parameters with names and values.
+        prop :environment_vars, :array, items: [:union, of: [Property, :string]], unique: true
+        # Data - Inputs that have the form of data.
+        prop :data, Attachment
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+
+        validate :resource, :parameters, :environment_vars, :data, presence: :any
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/input_output_ml_parameter.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Input and Output Parameters
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: InputOutputMLParameter
+      class InputOutputMLParameter < Base
+        # Input/Output Format - The data format for input/output to the model.
+        # Examples: "string", "image", "time-series"
+        prop :format, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/issue.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+
+# Issue - An individual issue that has been resolved.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Issue
+      class Issue < Base
+        # Schema name: Source
+        class Source < Base
+          # Name - The name of the source.
+          # Examples: "National Vulnerability Database", "NVD", "Apache"
+          prop :name, :string
+          # URL - The url of the issue documentation as provided by the source
+          prop :url, :uri
+        end
+
+        # Issue Type - Specifies the type of issue
+        prop :type, :string, enum: Enum::ISSUE_TYPE, required: true
+        # Issue ID - The identifier of the issue assigned by the source of the issue
+        prop :id, :string
+        # Issue Name - The name of the issue
+        prop :name, :string
+        # Issue Description - A description of the issue
+        prop :description, :string
+        # Source - The source of the issue where it is documented
+        prop :source, Source
+        # References - A collection of URL's for reference. Multiple URLs are allowed.
+        prop :references, :array, items: :uri
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/license.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "attachment"
+require_relative "property"
+require_relative "organizational_contact"
+require_relative "organizational_entity"
+
+# License - Specifies the details and attributes related to a software license. It can either include a valid SPDX license identifier or a named license, along with additional properties such as license acknowledgment, comprehensive commercial licensing information, and the full text of the license.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: License
+      class License < Base
+        # Schema name: Licensing
+        class Licensing < Base
+          # Schema name: Licensee
+          class Licensee < Base
+            # Licensee (Organization) - The organization that was granted the license
+            prop :organization, OrganizationalEntity
+            # Licensee (Individual) - The individual, not associated with an organization, that was granted the license
+            prop :individual, OrganizationalContact
+
+            validate :organization, :individual, presence: :any
+          end
+
+          # Schema name: Licensor
+          class Licensor < Base
+            # Licensor (Organization) - The organization that granted the license
+            prop :organization, OrganizationalEntity
+            # Licensor (Individual) - The individual, not associated with an organization, that granted the license
+            prop :individual, OrganizationalContact
+
+            validate :organization, :individual, presence: :any
+          end
+
+          # Schema name: Purchaser
+          class Purchaser < Base
+            # Purchaser (Organization) - The organization that purchased the license
+            prop :organization, OrganizationalEntity
+            # Purchaser (Individual) - The individual, not associated with an organization, that purchased the license
+            prop :individual, OrganizationalContact
+
+            validate :organization, :individual, presence: :any
+          end
+
+          # Alternate License Identifiers - License identifiers that may be used to manage licenses and their lifecycle
+          prop :alt_ids, :array, items: :string
+          # Licensor - The individual or organization that grants a license to another individual or organization
+          prop :licensor, Licensor
+          # Licensee - The individual or organization for which a license was granted to
+          prop :licensee, Licensee
+          # Purchaser - The individual or organization that purchased the license
+          prop :purchaser, Purchaser
+          # Purchase Order - The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase
+          prop :purchase_order, :string
+          # License Type - The type of license(s) that was granted to the licensee.
+          prop :license_types, :array, items: [:string, enum: Enum::LICENSE_TYPE]
+          # Last Renewal - The timestamp indicating when the license was last renewed. For new purchases, this is often the purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of when the license was last renewed.
+          prop :last_renewal, :date_time
+          # Expiration - The timestamp indicating when the current license expires (if applicable).
+          prop :expiration, :date_time
+        end
+
+        # BOM Reference - An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # License ID (SPDX) - A valid SPDX license identifier. If specified, this value must be one of the enumeration of valid SPDX license identifiers defined in the spdx.schema.json (or spdx.xml) subschema which is synchronized with the official SPDX license list.
+        # Example: "Apache-2.0"
+        prop :id, :string, enum: Enum::LICENSE_ID
+        # License Name - The name of the license. This may include the name of a commercial or proprietary license or an open source license that may not be defined by SPDX.
+        # Example: "Acme Software License"
+        prop :name, :string
+        prop :acknowledgement, :string, enum: Enum::LICENSE_ACKNOWLEDGEMENT
+        # License text - An optional way to include the textual content of a license.
+        prop :text, Attachment
+        # License URL - The URL to the license file. If specified, a 'license' externalReference should also be specified for completeness
+        # Example: ["https://www.apache.org/licenses/LICENSE-2.0.txt"]
+        prop :url, :uri
+        # Licensing information - Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+        prop :licensing, Licensing
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+
+        validate :id, :name, presence: :any
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/license_choice.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "license"
+
+module SBOM
+  module CycloneDX
+    module Record
+      module LicenseChoice
+        # Schema name: LicenseExpression
+        class LicenseExpression < Base
+          # SPDX License Expression - A valid SPDX license expression Refer to https://spdx.org/specifications for syntax requirements
+          # Examples:
+          #   "Apache-2.0 AND (MIT OR GPL-2.0-only)"
+          #   "GPL-3.0-only WITH Classpath-exception-2.0"
+          # TODO: Validate syntax
+          prop :expression, :string, required: true
+          prop :acknowledgement, :string, enum: Enum::LICENSE_ACKNOWLEDGEMENT
+          # BOM Reference - An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref must be unique within the BOM Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        end
+
+        # Schema name: WrappedLicense
+        class WrappedLicense < Base
+          # License - The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
+          prop :license, License, required: true
+        end
+
+        UNION_TYPE = [LicenseExpression, WrappedLicense].freeze #: [singleton(LicenseExpression), singleton(WrappedLicense)]
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/metadata.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+require_relative "component"
+require_relative "license_choice"
+require_relative "organizational_contact"
+require_relative "organizational_entity"
+require_relative "property"
+require_relative "tools"
+
+# BOM Metadata
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Metadata
+      class Metadata < Base
+        # Schema name: CustomPhase
+        class CustomPhase < Base
+          # Name - The name of the lifecycle phase
+          prop :name, :string, required: true
+          # Description - The description of the lifecycle phase
+          prop :description, :string
+        end
+
+        # Schema name: PreDefinedPhase
+        class PreDefinedPhase < Base
+          # Phase - A pre-defined phase in the product lifecycle.
+          prop :phase, :string, enum: Enum::PHASE, required: true
+        end
+
+        # Timestamp - The date and time (timestamp) when the BOM was created.
+        prop :timestamp, :date_time
+        # Lifecycles - Lifecycles communicate the stage(s) in which data in the BOM was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.
+        prop :lifecycles, :array, items: [:union, of: [PreDefinedPhase, CustomPhase]]
+        # Tools - The tool(s) used in the creation, enrichment, and validation of the BOM.
+        prop :tools, Tools
+        # BOM Manufacturer - The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have `@.authors` instead.
+        prop :manufacturer, OrganizationalEntity
+        # BOM Authors - The person(s) who created the BOM. Authors are common in BOMs created through manual processes. BOMs created through automated means may have `@.manufacturer` instead.
+        prop :authors, :array, items: OrganizationalContact
+        # Component - The component that the BOM describes.
+        prop :component, Component
+        # Component Manufacture (legacy) - [Deprecated] This will be removed in a future version. Use the `@.component.manufacturer` instead. The organization that manufactured the component that the BOM describes.
+        prop :manufacture, OrganizationalEntity
+        # Supplier -  The organization that supplied the component that the BOM describes. The supplier may often be the manufacturer, but may also be a distributor or repackager.
+        prop :supplier, OrganizationalEntity
+        # BOM License(s) - The license information for the BOM document. This may be different from the license(s) of the component(s) that the BOM describes.
+        prop :licenses, :array, items: [:union, of: LicenseChoice::UNION_TYPE]
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/model_card.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "property"
+require_relative "risk"
+require_relative "fairness_assessment"
+require_relative "input_output_ml_parameter"
+require_relative "performance_metric"
+require_relative "graphics_collection"
+require_relative "environmental_consideration"
+require_relative "component_data"
+
+# Model Card - A model card describes the intended uses of a machine learning model and potential limitations, including biases and ethical considerations. Model cards typically contain the training parameters, which datasets were used to train the model, performance metrics, and other relevant data useful for ML transparency. This object SHOULD be specified for any component of type `machine-learning-model` and must not be specified for other component types.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ModelCard
+      class ModelCard < Base
+        # Schema name: Considerations
+        class Considerations < Base
+          # Users - Who are the intended users of the model?
+          prop :users, :array, items: :string
+          # Use Cases - What are the intended use cases of the model?
+          prop :use_cases, :array, items: :string
+          # Technical Limitations - What are the known technical limitations of the model? E.g. What kind(s) of data should the model be expected not to perform well on? What are the factors that might degrade model performance?
+          prop :technical_limitations, :array, items: :string
+          # Performance Tradeoffs - What are the known tradeoffs in accuracy/performance of the model?
+          prop :performance_tradeoffs, :array, items: :string
+          # Ethical Considerations - What are the ethical risks involved in the application of this model?
+          prop :ethical_considerations, :array, items: Risk
+          # Environmental Considerations - What are the various environmental impacts the corresponding machine learning model has exhibited across its lifecycle?
+          prop :environmental_considerations, EnvironmentalConsideration
+          # Fairness Assessments - How does the model affect groups at risk of being systematically disadvantaged? What are the harms and benefits to the various affected groups?
+          prop :fairness_assessments, :array, items: FairnessAssessment
+        end
+
+        # Schema name: ModelParameters
+        class ModelParameters < Base
+          # Schema name: Approach
+          class Approach < Base
+            # Learning Type - Learning types describing the learning problem or hybrid learning problem.
+            prop :type, :string, enum: Enum::LEARNING_TYPE
+          end
+
+          # Schema name: DataReference
+          class DataReference < Base
+            # Reference - References a data component by the components bom-ref attribute
+            prop :ref, :string, pattern: Pattern::REF_OR_CDX_URN
+          end
+
+          # Approach - The overall approach to learning used by the model for problem solving.
+          prop :approach, Approach
+          # Task - Directly influences the input and/or output. Examples include classification, regression, clustering, etc.
+          prop :task, :string
+          # Architecture Family - The model architecture family such as transformer network, convolutional neural network, residual neural network, LSTM neural network, etc.
+          prop :architecture_family, :string
+          # Model Architecture - The specific architecture of the model such as GPT-1, ResNet-50, YOLOv3, etc.
+          prop :model_architecture, :string
+          # Datasets - The datasets used to train and evaluate the model.
+          prop :datasets, :array, items: [:union, of: [ComponentData, DataReference]]
+          # Inputs - The input format(s) of the model
+          prop :inputs, :array, items: InputOutputMLParameter
+          # Outputs - The output format(s) from the model
+          prop :outputs, :array, items: InputOutputMLParameter
+        end
+
+        # Schema name: QuantitativeAnalysis
+        class QuantitativeAnalysis < Base
+          # Performance Metrics - The model performance metrics being reported. Examples may include accuracy, F1 score, precision, top-3 error rates, MSC, etc.
+          prop :performance_metrics, :array, items: PerformanceMetric
+          prop :graphics, GraphicsCollection
+        end
+
+        # BOM Reference - An optional identifier which can be used to reference the model card elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Model Parameters - Hyper-parameters for construction of the model.
+        prop :model_parameters, ModelParameters
+        # Quantitative Analysis - A quantitative analysis of the model
+        prop :quantitative_analysis, QuantitativeAnalysis
+        # Considerations - What considerations should be taken into account regarding the model's construction, training, and application?
+        prop :considerations, Considerations
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/note.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "attachment"
+
+# Note - A note containing the locale and content.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Note
+      class Note < Base
+        # Locale - The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code. Examples include: "en", "en-US", "fr" and "fr-CA"
+        prop :locale, :string, pattern: Pattern::LOCALE
+        # Release note content - Specifies the full content of the release note.
+        prop :text, Attachment, required: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/organizational_contact.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "../../../email_address_extension"
+require_relative "../pattern"
+require_relative "base"
+
+# Organizational Contact
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: OrganizationalContact
+      class OrganizationalContact < Base
+        # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Name - The name of a contact
+        # Example: "Contact name"
+        prop :name, :string
+        # Email Address - The email address of the contact.
+        prop :email, :email_address
+        # Phone - The phone number of the contact.
+        # Example: "800-555-1212"
+        prop :phone, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/organizational_entity.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require_relative "organizational_contact"
+require_relative "postal_address"
+require_relative "../pattern"
+require_relative "base"
+
+# Organizational Entity
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: OrganizationalEntity
+      class OrganizationalEntity < Base
+        # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Organization Name - The name of the organization
+        # Example: "Example Inc."
+        prop :name, :string
+        # Organization Address - The physical address (location) of the organization
+        prop :address, PostalAddress
+        # Organization URL(s) - The URL of the organization. Multiple URLs are allowed.
+        prop :url, :array, items: :uri
+        # Organizational Contact - A contact at the organization. Multiple contacts are allowed.
+        prop :contact, :array, items: OrganizationalContact
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/output.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+require_relative "resource_reference_choice"
+require_relative "attachment"
+require_relative "property"
+
+# Anonymous class from Output
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Output
+      class Output < Base
+        # Type - Describes the type of data output.
+        prop :type, :string, enum: Enum::OUTPUT_TYPE, required: true
+        # Source - Component or service that generated or provided the output from the task (e.g., a build tool)
+        prop :source, ResourceReferenceChoice
+        # Target - Component or service that received the output from the task (e.g., reference to an artifactory service with data flow value of `outbound`)
+        prop :target, ResourceReferenceChoice
+        # Resource - A reference to an independent resource generated as output by the task.
+        prop :resource, ResourceReferenceChoice
+        # Data - Outputs that have the form of data.
+        prop :data, Attachment
+        # Environment variables - Outputs that have the form of environment variables.
+        prop :environment_vars, :array, items: [:union, of: [Property, :string]]
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+
+        validate :resource, :data, :environment_vars, presence: :any
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/parameter.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Parameter - A representation of a functional parameter.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Parameter
+      class Parameter < Base
+        # Name - The name of the parameter.
+        prop :name, :string
+        # Value - The value of the parameter.
+        prop :value, :string
+        # Data type - The data type of the parameter.
+        prop :data_type, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/patch.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+require_relative "diff"
+require_relative "issue"
+
+# Patch - Specifies an individual patch
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Patch
+      class Patch < Base
+        # Patch Type - Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.
+        prop :type, :string, enum: Enum::PATCH_TYPE, required: true
+        # Diff - The patch file (or diff) that shows changes. Refer to [https://en.wikipedia.org/wiki/Diff](https://en.wikipedia.org/wiki/Diff)
+        prop :diff, Diff
+        # Resolves - A collection of issues the patch resolves
+        prop :resolves, :array, items: Issue
+      end
+    end
+  end
+end