sbom-cyclonedx 0.1.0 → 0.2.0

data/lib/sbom/cyclone_dx/record/performance_metric.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Performance Metric
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: PerformanceMetric
+      class PerformanceMetric < Base
+        # Schema name: ConfidenceInterval
+        class ConfidenceInterval < Base
+          # Lower Bound - The lower bound of the confidence interval.
+          prop :lower_bound, :string
+          # Upper Bound - The upper bound of the confidence interval.
+          prop :upper_bound, :string
+        end
+
+        # Type - The type of performance metric.
+        prop :type, :string
+        # Value - The value of the performance metric.
+        prop :value, :string
+        # Slice - The name of the slice this metric was computed on. By default, assume this metric is not sliced.
+        prop :slice, :string
+        # Confidence Interval - The confidence interval of the metric.
+        prop :confidence_interval, ConfidenceInterval
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/postal_address.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+
+# Postal address - An address used to identify a contactable location.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: PostalAddress
+      class PostalAddress < Base
+        # BOM Reference - An optional identifier which can be used to reference the address elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Country - The country name or the two-letter ISO 3166-1 country code.
+        prop :country, :string
+        # Region - The region or state in the country.
+        # Example: "Texas"
+        prop :region, :string
+        # Locality - The locality or city within the country.
+        # Example: "Austin"
+        prop :locality, :string
+        # Post Office Box Number - The post office box number.
+        # Example: 901
+        prop :post_office_box_number, :string
+        # Postal Code - The postal code.
+        # Example: "78758"
+        prop :postal_code, :string
+        # Street Address - The street address.
+        # Example: "100 Main Street"
+        prop :street_address, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/property.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Lightweight name-value pair - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Property
+      class Property < Base
+        # Name - The name of the property. Duplicate names are allowed, each potentially having a different value.
+        prop :name, :string, required: true
+        # Value - The value of the property.
+        prop :value, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/rating.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "base"
+require_relative "vulnerability_source"
+
+# Rating - Defines the severity or risk ratings of a vulnerability.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Rating
+      class Rating < Base
+        # The source that calculated the severity or risk rating of the vulnerability.
+        prop :source, VulnerabilitySource
+        # Score - The numerical score of the rating.
+        prop :score, :float
+        # Textual representation of the severity that corresponds to the numerical score of the rating.
+        prop :severity, :string, enum: Enum::SEVERITY
+        prop :score_method, :string, enum: Enum::SCORE_METHOD, json_name: "method"
+        # Vector - Textual representation of the metric values used to score the vulnerability
+        prop :vector, :string
+        # Justification - An optional reason for rating the vulnerability as it was
+        prop :justification, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/release_notes.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "issue"
+require_relative "note"
+require_relative "property"
+
+# Release notes
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ReleaseNotes
+      class ReleaseNotes < Base
+        # Type - The software versioning type. It is recommended that the release type use one of 'major', 'minor', 'patch', 'pre-release', or 'internal'. Representing all possible software release types is not practical, so standardizing on the recommended values, whenever possible, is strongly encouraged.
+        # * major = A major release may contain significant changes or may introduce breaking changes.
+        # * minor = A minor release, also known as an update, may contain a smaller number of changes than major releases.
+        # * patch = Patch releases are typically unplanned and may resolve defects or important security issues.
+        # * pre-release = A pre-release may include alpha, beta, or release candidates and typically have limited support. They provide the ability to preview a release prior to its general availability.
+        # * internal = Internal releases are not for public consumption and are intended to be used exclusively by the project or manufacturer that produced it.
+        prop :type, :string, required: true
+        # Title - The title of the release.
+        prop :title, :string
+        # Featured image - The URL to an image that may be prominently displayed with the release note.
+        prop :featured_image, :uri
+        # Social image - The URL to an image that may be used in messaging on social media platforms.
+        prop :social_image, :uri
+        # Description - A short description of the release.
+        prop :description, :string
+        # Timestamp - The date and time (timestamp) when the release note was created.
+        prop :timestamp, :date_time
+        # Aliases - One or more alternate names the release may be referred to. This may include unofficial terms used by development and marketing teams (e.g. code names).
+        prop :aliases, :array, items: :string
+        # Tags
+        prop :tags, :array, items: :string
+        # Resolves - A collection of issues that have been resolved.
+        prop :resolves, :array, items: Issue
+        # Notes - Zero or more release notes containing the locale and content. Multiple note objects may be specified to support release notes in a wide variety of languages.
+        prop :notes, :array, items: Note
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/resource_reference_choice.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "external_reference"
+
+# Resource reference choice - A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ResourceReferenceChoice
+      class ResourceReferenceChoice < Base
+        # BOM Reference - References an object by its bom-ref attribute
+        prop :ref, :string, pattern: Pattern::REF_OR_CDX_URN
+        # External reference - Reference to an externally accessible resource.
+        prop :external_reference, ExternalReference
+
+        validate :ref, :external_reference, presence: :any
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/risk.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require_relative "base"
+
+# Risk
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Risk
+      class Risk < Base
+        # Name - The name of the risk.
+        prop :name, :string
+        # Mitigation Strategy - Strategy used to address this risk.
+        prop :mitigation_strategy, :string
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/root.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "metadata"
+require_relative "component"
+require_relative "service"
+require_relative "external_reference"
+require_relative "dependency"
+require_relative "composition"
+require_relative "vulnerability"
+require_relative "annotation"
+require_relative "formula"
+require_relative "declarations"
+require_relative "definitions"
+require_relative "signature"
+require_relative "property"
+
+# CycloneDX Bill of Materials Standard
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Root
+      class Root < Base
+        # BOM Serial Number - Every BOM generated SHOULD have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to [RFC 4122](https://www.ietf.org/rfc/rfc4122.html). Use of serial numbers is recommended.
+        prop :serial_number,
+             :string,
+             pattern: Pattern::BOM_SERIAL_NUMBER,
+             default: -> { "urn:uuid:#{SecureRandom.uuid}" }
+        # Version - Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM SHOULD be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system SHOULD use the most recent version of the BOM. The default version is '1'.
+        prop :version, :integer, minimum: 1, required: true, default: 1
+        # BOM Metadata - Provides additional information about a BOM.
+        prop :metadata, Metadata
+        # Components - A list of software and hardware components.
+        prop :components, :array, items: Component, unique: true
+        # Services - A list of services. This may include microservices, function-as-a-service, and other types of network or intra-process services.
+        prop :services, :array, items: Service, unique: true
+        # External References - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+        prop :external_references, :array, items: ExternalReference
+        # Dependencies - Provides the ability to document dependency relationships including provided & implemented components.
+        prop :dependencies, :array, items: Dependency, unique: true
+        # Compositions - Compositions describe constituent parts (including components, services, and dependency relationships) and their completeness. The completeness of vulnerabilities expressed in a BOM may also be described.
+        prop :compositions, :array, items: Composition, unique: true
+        # Vulnerabilities - Vulnerabilities identified in components or services.
+        prop :vulnerabilities, :array, items: Vulnerability, unique: true
+        # Annotations - Comments made by people, organizations, or tools about any object with a bom-ref, such as components, services, vulnerabilities, or the BOM itself. Unlike inventory information, annotations may contain opinions or commentary from various stakeholders. Annotations may be inline (with inventory) or externalized via BOM-Link and may optionally be signed.
+        prop :annotations, :array, items: Annotation, unique: true
+        # Formulation - Describes how a component or service was manufactured or deployed. This is achieved through the use of formulas, workflows, tasks, and steps, which declare the precise steps to reproduce along with the observed formulas describing the steps which transpired in the manufacturing process.
+        prop :formulation, :array, items: Formula, unique: true
+        # Declarations - The list of declarations which describe the conformance to standards. Each declaration may include attestations, claims, and evidence.
+        prop :declarations, Declarations
+        # Definitions - A collection of reusable objects that are defined and may be used elsewhere in the BOM.
+        prop :definitions, Definitions
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+        # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+        prop :signature, :union, of: Signature::UNION_TYPE
+        const :bom_format, :string, "CycloneDX"
+        const :spec_version, :string, "1.6"
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/secured_by.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+
+# Secured By - Specifies the mechanism by which the cryptographic asset is secured by
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: SecuredBy
+      class SecuredBy < Base
+        # Mechanism - Specifies the mechanism by which the cryptographic asset is secured by.
+        # Examples: "HSM", "TPM", "SGX", "Software", "None"
+        prop :mechanism, :string
+        # Algorithm Reference - The bom-ref to the algorithm.
+        prop :algorithm_ref, :string, pattern: Pattern::REF_LINK
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/service.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "service_data"
+
+# Service
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Service
+      class Service < Base
+        # BOM Reference - An optional identifier which can be used to reference the service elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Provider - The organization that provides the service.
+        prop :provider, OrganizationalEntity
+        # Service Group - The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or project that produced the service or domain name. Whitespace and special characters should be avoided.
+        # Example: "com.acme"
+        prop :group, :string
+        # Service Name - The name of the service. This will often be a shortened, single name of the service.
+        # Example: "ticker-service"
+        prop :name, :string, required: true
+        # Service Version - The service version.
+        prop :version, :string
+        # Service Description - Specifies a description for the service
+        prop :description, :string
+        # Endpoints - The endpoint URIs of the service. Multiple endpoints are allowed.
+        prop :endpoints, :array, items: :uri
+        # Authentication Required - A boolean value indicating if the service requires authentication. A value of true indicates the service requires authentication prior to use. A value of false indicates the service does not require authentication.
+        prop :authenticated, :boolean
+        # Crosses Trust Boundary - A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates that by using the service, a trust boundary is crossed. A value of false indicates that by using the service, a trust boundary is not crossed.
+        prop :x_trust_boundary, :boolean, json_name: "x-trust-boundary"
+        # Trust Zone - The name of the trust zone the service resides in.
+        prop :trust_zone, :string
+        # Data - Specifies information about the data including the directional flow of data and the data classification.
+        prop :data, :array, items: ServiceData
+        # Service License(s)
+        prop :licenses, :array, items: [:union, of: LicenseChoice::UNION_TYPE]
+        # External References - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+        prop :external_references, :array, items: ExternalReference
+        # Services - A list of services included or deployed behind the parent service. This is not a dependency tree. It provides a way to specify a hierarchical representation of service assemblies.
+        prop :services, :array, items: Service
+        # Release notes - Specifies optional release notes.
+        prop :release_notes, ReleaseNotes
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+        # Tags
+        prop :tags, :array, items: :string
+        # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+        prop :signature, :union, of: Signature::UNION_TYPE
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/service_data.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "data_governance"
+
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: ServiceData
+      class ServiceData < Base
+        # Directional Flow - Specifies the flow direction of the data. Direction is relative to the service. Inbound flow states that data enters the service. Outbound flow states that data leaves the service. Bi-directional states that data flows both ways and unknown states that the direction is not known.
+        prop :flow, :string, enum: Enum::DATA_FLOW_DIRECTION, required: true
+        # Data Classification - Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.
+        prop :classification, :string, required: true
+        # Name - Name for the defined data
+        # Example: "Credit card reporting"
+        prop :name, :string
+        # Description - Short description of the data content and usage
+        # Example: "Credit card information being exchanged in between the web app and the database"
+        prop :description, :string
+        # Data Governance
+        prop :governance, DataGovernance
+        # Source - The URI, URL, or BOM-Link of the components or services the data came in from
+        prop :source, :union, of: [:uri, [:string, pattern: Pattern::CDX_URN]], required: true
+        # Destination - The URI, URL, or BOM-Link of the components or services the data is sent to
+        prop :destination, :union, of: [:uri, [:string, pattern: Pattern::CDX_URN]], required: true
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/signature.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "../validator"
+
+# Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+module SBOM
+  module CycloneDX
+    module Record
+      module Signature
+        # Schema name: JSFSignature
+        class JSFSignature < Base
+          module PublicKey
+            # Schema name: ECPublicKey
+            class EC < Base
+              const :kty, :string, "EC"
+              prop :crv, :string, enum: Enum::SIGNATURE_EC_CRV, required: true
+              prop :x, :string, required: true
+              prop :y, :string, required: true
+            end
+
+            # Schema name: OKPPublicKey
+            class OKP < Base
+              const :kty, :string, "OKP"
+              prop :crv, :string, enum: Enum::SIGNATURE_OKP_CRV, required: true
+              prop :x, :string, required: true
+            end
+
+            # Schema name: RSAPublicKey
+            class RSA < Base
+              const :kty, :string, "RSA"
+              prop :n, :string, required: true
+              prop :e, :string, required: true
+            end
+
+            UNION_TYPE = [EC, OKP, RSA].freeze #: [singleton(EC), singleton(OKP), singleton(RSA)]
+
+            def self.new(kty:, crv: nil, x: nil, y: nil, n: nil, e: nil) # rubocop:disable Naming/MethodParameterName,Metrics/AbcSize,Metrics/CyclomaticComplexity,Metrics/MethodLength,Metrics/PerceivedComplexity
+              case kty
+              when "EC"
+                raise "`n` and `e` must be nil when kty == \"EC\"" unless n.nil? && e.nil?
+                if crv.nil? || x.nil? || y.nil?
+                  raise ArgumentError, "`crv`, `x`, and `y` must not be nil when kty == \"EC\""
+                end
+
+                EC.new(crv: crv, x: x, y: y)
+              when "OKP"
+                raise "`y`, `n` and `e` must be nil when kty == \"OKP\"" unless y.nil? && n.nil? && e.nil?
+                raise ArgumentError, "`crv` and `x` must not be nil when kty == \"OKP\"" if crv.nil? || x.nil?
+
+                OKP.new(crv: crv, x: x)
+              when "RSA"
+                raise "`crv`, `x`, and `y` must be nil when kty == \"RSA\"" unless crv.nil? && x.nil? && y.nil?
+                raise ArgumentError, "`n` and `e` must not be nil when kty == \"RSA\"" if n.nil? || e.nil?
+
+                RSA.new(n: n, e: e)
+              else
+                raise ArgumentError, "Invalid value for `kty`"
+              end
+            end
+          end
+
+          prop :algorithm, :union, of: [:uri, [:string, enum: Enum::SIGNATURE_ALGORITHM]], required: true
+          prop :key_id, :string
+          prop :public_key, :union, of: PublicKey::UNION_TYPE
+          prop :certificate_path, :array, items: :string
+          prop :excludes, :array, items: :string
+          prop :value, :string, required: true
+        end
+
+        # Schema name: SignatureChain
+        class SignatureChain < Base
+          prop :signatures, :array, items: JSFSignature, json_name: "chain"
+        end
+
+        # Schema name: SignatureList
+        class SignerList < Base
+          prop :signers, :array, items: JSFSignature
+        end
+
+        UNION_TYPE = [JSFSignature, SignatureChain, SignerList].freeze #: [singleton(JSFSignature), singleton(SignatureChain), singleton(SignerList)]
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/standard.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require_relative "../pattern"
+require_relative "base"
+require_relative "external_reference"
+require_relative "property"
+
+# Standard - A standard may consist of regulations, industry or organizational-specific standards, maturity models, best practices, or any other requirements which can be evaluated against or attested to.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Standard
+      class Standard < Base
+        # Schema name: Level
+        class Level < Base
+          # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+          # Identifier - The identifier used in the standard to identify a specific level.
+          prop :identifier, :string
+          # Title - The title of the level.
+          prop :title, :string
+          # Description - The description of the level.
+          prop :description, :string
+          # Requirements - The list of requirement `bom-ref`s that comprise the level.
+          prop :requirements, :array, items: [:string, pattern: Pattern::REF_LINK]
+        end
+
+        # Schema name: Requirement
+        class Requirement < Base
+          # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.
+          prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+          # Identifier - The unique identifier used in the standard to identify a specific requirement. This should match what is in the standard and should not be the requirements bom-ref.
+          prop :identifier, :string
+          # Title - The title of the requirement.
+          prop :title, :string
+          # Text - The textual content of the requirement.
+          prop :text, :string
+          # Descriptions - The supplemental text that provides additional guidance or context to the requirement, but is not directly part of the requirement.
+          prop :descriptions, :array, items: :string
+          # OWASP OpenCRE Identifier(s) - The Common Requirements Enumeration (CRE) identifier(s). CRE is a structured and standardized framework for uniting security standards and guidelines. CRE links each section of a resource to a shared topic identifier (a Common Requirement). Through this shared topic link, all resources map to each other. Use of CRE promotes clear and unambiguous communication among stakeholders.
+          # Example: ["CRE:764-507"]
+          prop :open_cre, :array, items: [:string, pattern: Pattern::OPEN_CRE]
+          # Parent BOM Reference - The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements. Top-level requirements must not define a parent. Only child requirements should define parents.
+          prop :parent, :string, pattern: Pattern::REF_LINK
+          # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+          prop :properties, :array, items: Property
+          # External References - External references provide a way to document systems, sites, and information that may be relevant, but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+          prop :external_references, :array, items: ExternalReference
+        end
+
+        # BOM Reference - An optional identifier which can be used to reference the object elsewhere in the BOM. Every bom-ref must be unique within the BOM.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref"
+        # Name - The name of the standard. This will often be a shortened, single name of the standard.
+        prop :name, :string
+        # Version - The version of the standard.
+        prop :version, :string
+        # Description - The description of the standard.
+        prop :description, :string
+        # Owner - The owner of the standard, often the entity responsible for its release.
+        prop :owner, :string
+        # Requirements - The list of requirements comprising the standard.
+        prop :requirements, :array, items: Requirement
+        # Levels - The list of levels associated with the standard. Some standards have different levels of compliance.
+        prop :levels, :array, items: Level
+        # External References - External references provide a way to document systems, sites, and information that may be relevant but are not included with the BOM. They may also establish specific relationships within or external to the BOM.
+        prop :external_references, :array, items: ExternalReference
+        # Signature - Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html).
+        prop :signature, :union, of: Signature::UNION_TYPE
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/step.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "command"
+require_relative "property"
+
+# Executes specific commands or tools in order to accomplish its owning task as part of a sequence.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Step
+      class Step < Base
+        # Name - A name for the step.
+        prop :name, :string
+        # Description - A description of the step.
+        prop :description, :string
+        # Commands - Ordered list of commands or directives for the step
+        prop :commands, :array, items: Command
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/swid.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require_relative "attachment"
+
+# SWID Tag - Specifies metadata and content for ISO-IEC 19770-2 Software Identification (SWID) Tags.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: SWID
+      class SWID < Base
+        # Tag ID - Maps to the tagId of a SoftwareIdentity.
+        prop :tag_id, :string, required: true
+        # Name - Maps to the name of a SoftwareIdentity.
+        prop :name, :string, required: true
+        # Version - Maps to the version of a SoftwareIdentity.
+        prop :version, :string, default: "0.0"
+        # Tag Version - Maps to the tagVersion of a SoftwareIdentity.
+        prop :tag_version, :integer, default: 0
+        # Patch - Maps to the patch of a SoftwareIdentity.
+        prop :patch, :boolean, default: false
+        # Attachment text - Specifies the metadata and content of the SWID tag.
+        prop :text, Attachment
+        # URL - The URL to the SWID file.
+        prop :url, :uri
+      end
+    end
+  end
+end

data/lib/sbom/cyclone_dx/record/task.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require_relative "../enum"
+require_relative "../pattern"
+require_relative "base"
+require_relative "dependency"
+require_relative "input"
+require_relative "output"
+require_relative "property"
+require_relative "resource_reference_choice"
+require_relative "step"
+require_relative "trigger"
+require_relative "workspace"
+
+# Task - Describes the inputs, sequence of steps and resources used to accomplish a task and its output.
+module SBOM
+  module CycloneDX
+    module Record
+      # Schema name: Task
+      class Task < Base
+        # BOM Reference - An optional identifier which can be used to reference the task elsewhere in the BOM. Every bom-ref must be unique within the BOM. Value SHOULD not start with the BOM-Link intro 'urn:cdx:' to avoid conflicts with BOM-Links.
+        prop :bom_ref, :string, pattern: Pattern::REF_LINK, json_name: "bom-ref", required: true
+        # Unique Identifier (UID) - The unique identifier for the resource instance within its deployment context.
+        prop :uid, :string, required: true
+        # Name - The name of the resource instance.
+        prop :name, :string
+        # Description - A description of the resource instance.
+        prop :description, :string
+        # Resource references - References to component or service resources that are used to realize the resource instance.
+        prop :resource_references, :array, items: ResourceReferenceChoice
+        # Task types - Indicates the types of activities performed by the set of workflow tasks.
+        prop :task_types, :array, items: [:string, enum: Enum::TASK_TYPE]
+        # Trigger - The trigger that initiated the task.
+        prop :trigger, Trigger
+        # Steps - The sequence of steps for the task.
+        prop :steps, :array, items: Step
+        # Inputs - Represents resources and data brought into a task at runtime by executor or task commands
+        # Example: "a `configuration` file which was declared as a local `component` or `externalReference`"
+        prop :inputs, :array, items: Input
+        # Outputs - Represents resources and data output from a task at runtime by executor or task commands
+        # Example: "a log file or metrics data produced by the task"
+        prop :outputs, :array, items: Output
+        # Time start - The date and time (timestamp) when the task started.
+        prop :time_start, :date_time
+        # Time end - The date and time (timestamp) when the task ended.
+        prop :time_end, :date_time
+        # Workspaces - A set of named filesystem or data resource shareable by workflow tasks.
+        prop :workspaces, :array, items: Workspace, unique: true
+        # Runtime topology - A graph of the component runtime topology for task's instance.
+        prop :runtime_topology, :array, items: Dependency, unique: true
+        # Properties - Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.
+        prop :properties, :array, items: Property
+      end
+    end
+  end
+end