PyPI - hoppr-cyclonedx-models - Versions diffs - 0.5.5__py3-none-any.whl → 0.6.1__py3-none-any.whl - Mend - Supply Chain Defender

hoppr-cyclonedx-models 0.5.5py3-none-any.whl → 0.6.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of hoppr-cyclonedx-models might be problematic. Click here for more details.

Files changed (11) hide show

hoppr_cyclonedx_models/cyclonedx_1_5.py CHANGED Viewed

@@ -1,6 +1,6 @@
 """
 --------------------------------------------------------------------------------
-SPDX-FileCopyrightText: Copyright © 2023 Lockheed Martin <open.source@lmco.com>
+SPDX-FileCopyrightText: Copyright © 2025 Lockheed Martin <open.source@lmco.com>
 SPDX-FileName: hoppr_cyclonedx_models/cyclonedx_1_5.py
 SPDX-FileType: SOURCE
 SPDX-License-Identifier: MIT
@@ -25,8 +25,8 @@ THE SOFTWARE.
 --------------------------------------------------------------------------------
 This file was generated by datamodel-codegen:
   filename:  bom-1.5.schema.json
-  timestamp: 2023-09-12T17:26:28+00:00
-  version:   0.21.5
+  timestamp: 2025-09-17T19:02:47+00:00
+  version:   0.25.7
 """
 from __future__ import annotations
@@ -103,7 +103,11 @@ class Phase(Enum):
         return next((member for member in cls if member.name in {str(value), str(value).upper()}), None)
-class Lifecycle(CycloneDXBaseModel):
+class Lifecycles(CycloneDXBaseModel):
+    """
+    The product lifecycle(s) that this BOM represents.
+    """
     class Config:
         extra = Extra.forbid
@@ -137,7 +141,11 @@ class Lifecycle(CycloneDXBaseModel):
     ]
-class Lifecycle1(CycloneDXBaseModel):
+class Lifecycles1(CycloneDXBaseModel):
+    """
+    The product lifecycle(s) that this BOM represents.
+    """
     class Config:
         extra = Extra.forbid
@@ -316,76 +324,42 @@ class LicenseType(Enum):
         return next((member for member in cls if member.name in {str(value), str(value).upper()}), None)
-class Licensing(CycloneDXBaseModel):
-    """
-    Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
-    """
+class LicenseChoice21(CycloneDXBaseModel):
     class Config:
         extra = Extra.forbid
-    altIds: Annotated[
-        Optional[List[str]],
+    expression: Annotated[
+        str,
         Field(
-            description="License identifiers that may be used to manage licenses and their lifecycle",
-            title="Alternate License Identifiers",
+            examples=["Apache-2.0 AND (MIT OR GPL-2.0-only)", "GPL-3.0-only WITH Classpath-exception-2.0"],
+            title="SPDX License Expression",
         ),
-    ] = None
-    purchaseOrder: Annotated[
+    ]
+    bom_ref: Annotated[
         Optional[str],
         Field(
+            alias="bom-ref",
             description=(
-                "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
-            ),
-            title="Purchase Order",
-        ),
-    ] = None
-    licenseTypes: Annotated[
-        Optional[List[LicenseType]],
-        Field(
-            description=(
-                "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use"
-                " of software solely for the purpose of education or research.\n* __appliance__ = A license covering"
-                " use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access"
-                " License (CAL) allows client computers to access services provided by server software.\n*"
-                " __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses"
-                " for a software application and licenses are shared among a larger number of users.\n* __core-points__"
-                " = A license where the core of a computer's processor is assigned a specific number of points.\n*"
-                " __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n*"
-                " __device__ = A license that covers a defined number of installations on computers and other types of"
-                " devices.\n* __evaluation__ = A license that grants permission to install and use software for trial"
-                " purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined"
-                " users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined"
-                " computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with"
-                " hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n*"
-                " __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a"
-                " copy of the software indefinitely.\n* __processor-points__ = A license where each installation"
-                " consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use"
-                " the software or service.\n* __user__ = A license that grants access to the software or service by a"
-                " specified number of users.\n* __other__ = Another license type.\n"
-            ),
-            title="License Type",
-        ),
-    ] = None
-    lastRenewal: Annotated[
-        Optional[datetime],
-        Field(
-            description=(
-                "The timestamp indicating when the license was last renewed. For new purchases, this is often the"
-                " purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of"
-                " when the license was last renewed."
+                "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref"
+                " MUST be unique within the BOM."
             ),
-            title="Last Renewal",
-        ),
-    ] = None
-    expiration: Annotated[
-        Optional[datetime],
-        Field(
-            description="The timestamp indicating when the current license expires (if applicable).", title="Expiration"
+            min_length=1,
+            title="BOM Reference",
         ),
     ] = None
+LicenseChoice2 = Annotated[
+    List[LicenseChoice21],
+    Field(
+        description="A tuple of exactly one SPDX License Expression.",
+        max_items=1,
+        min_items=1,
+        title="SPDX License Expression",
+    ),
+]
 class Type1(Enum):
     """
     Specifies the purpose for the patch including the resolution of defects, security issues, or new behavior or functionality.
@@ -615,11 +589,12 @@ class Dependency(CycloneDXBaseModel):
         ),
     ]
     dependsOn: Annotated[
-        Optional[List[RefLinkType]],
+        Optional[List[str]],
         Field(
             description=(
                 "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
             ),
+            min_length=1,
             title="Depends On",
         ),
     ] = None
@@ -821,39 +796,6 @@ class Callstack(CycloneDXBaseModel):
     frames: Annotated[Optional[List[Frame]], Field(title="Methods")] = None
-class ComponentEvidence(CycloneDXBaseModel):
-    """
-    Provides the ability to document evidence collected through various forms of extraction or analysis.
-    """
-    class Config:
-        extra = Extra.forbid
-    identity: Annotated[
-        Optional[Identity], Field(description="Evidence that substantiates the identity of a component.")
-    ] = None
-    occurrences: Annotated[
-        Optional[List[Occurrence]],
-        Field(
-            description="Evidence of individual instances of a component spread across multiple locations.",
-            title="Occurrences",
-        ),
-    ] = None
-    callstack: Annotated[
-        Optional[Callstack], Field(description="Evidence of the components use through the callstack.")
-    ] = None
-    licenses: Annotated[
-        Optional[List],
-        Field(
-            description=(
-                "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
-            ),
-            title="Component License(s)",
-        ),
-    ] = None
-    copyright: Annotated[Optional[List[Copyright]], Field(title="Copyright")] = None
 class AggregateType(Enum):
     COMPLETE = complete = "complete"
     INCOMPLETE = incomplete = "incomplete"
@@ -1012,19 +954,6 @@ class Advisory(CycloneDXBaseModel):
     url: Annotated[str, Field(description="Location where the advisory can be obtained.", title="URL")]
-Cwe = Annotated[
-    int,
-    Field(
-        description=(
-            "Integer representation of a Common Weaknesses Enumerations (CWE). For example 399 (of"
-            " https://cwe.mitre.org/data/definitions/399.html)"
-        ),
-        ge=1,
-        title="CWE",
-    ),
-]
 class Severity(Enum):
     """
     Textual representation of the severity of the vulnerability adopted by the analysis method. If the analysis method uses values other than what is provided, the user is expected to translate appropriately.
@@ -1256,19 +1185,6 @@ class Analysis(CycloneDXBaseModel):
     ] = None
-class Affect(CycloneDXBaseModel):
-    class Config:
-        extra = Extra.forbid
-    ref: Annotated[
-        Union[RefLinkType, BomLinkElementType],
-        Field(description="References a component or service by the objects bom-ref", title="Reference"),
-    ]
-    versions: Annotated[
-        Optional[List], Field(description="Zero or more individual versions or range of versions.", title="Versions")
-    ] = None
 class AffectedStatus(Enum):
     """
     The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.
@@ -1286,24 +1202,6 @@ class AffectedStatus(Enum):
         return next((member for member in cls if member.name in {str(value), str(value).upper()}), None)
-Version = Annotated[
-    str, Field(description="A single version of a component or service.", max_length=1024, min_length=1)
-]
-Range = Annotated[
-    str,
-    Field(
-        description=(
-            "A version range specified in Package URL Version Range syntax (vers) which is defined at"
-            " https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst"
-        ),
-        max_length=1024,
-        min_length=1,
-    ),
-]
 class Type4(Enum):
     """
     Learning types describing the learning problem or hybrid learning problem.
@@ -1340,7 +1238,7 @@ class Approach(CycloneDXBaseModel):
     ] = None
-class Dataset(CycloneDXBaseModel):
+class Datasets(CycloneDXBaseModel):
     class Config:
         extra = Extra.forbid
@@ -1677,7 +1575,7 @@ class Parameter(CycloneDXBaseModel):
     dataType: Annotated[Optional[str], Field(description="The data type of the parameter.", title="Data type")] = None
-class AlgorithmEnum(Enum):
+class Algorithm(Enum):
     """
     Signature algorithm. The currently recognized JWA [RFC7518] and RFC8037 [RFC8037] asymmetric key algorithms. Note: Unlike RFC8037 [RFC8037] JSF requires explicit Ed* algorithm names instead of "EdDSA".
     """
@@ -1807,116 +1705,523 @@ class Hash(CycloneDXBaseModel):
     ]
-class License(CycloneDXBaseModel):
+class Licensor(CycloneDXBaseModel):
+    """
+    The individual or organization that grants a license to another individual or organization
+    """
     class Config:
         extra = Extra.forbid
-    bom_ref: Annotated[
-        Optional[str],
+    organization: Annotated[
+        OrganizationalEntity,
+        Field(description="The organization that granted the license", title="Licensor (Organization)"),
+    ]
+    individual: Annotated[
+        Optional[OrganizationalContact],
         Field(
-            alias="bom-ref",
-            description=(
-                "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref"
-                " MUST be unique within the BOM."
-            ),
-            min_length=1,
-            title="BOM Reference",
+            description="The individual, not associated with an organization, that granted the license",
+            title="Licensor (Individual)",
         ),
     ] = None
-    id: Annotated[
-        Optional[spdx.LicenseID],
-        Field(description="A valid SPDX license ID", examples=["Apache-2.0"], title="License ID (SPDX)"),
+class Licensor1(CycloneDXBaseModel):
+    """
+    The individual or organization that grants a license to another individual or organization
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        Optional[OrganizationalEntity],
+        Field(description="The organization that granted the license", title="Licensor (Organization)"),
     ] = None
-    name: Annotated[
-        Optional[str],
+    individual: Annotated[
+        OrganizationalContact,
         Field(
-            description="If SPDX does not define the license used, this field may be used to provide the license name",
-            examples=["Acme Software License"],
-            title="License Name",
+            description="The individual, not associated with an organization, that granted the license",
+            title="Licensor (Individual)",
         ),
-    ] = None
-    text: Annotated[
-        Optional[Attachment],
-        Field(description="An optional way to include the textual content of a license.", title="License text"),
-    ] = None
-    url: Annotated[
-        Optional[str],
+    ]
+class Licensee(CycloneDXBaseModel):
+    """
+    The individual or organization for which a license was granted to
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        OrganizationalEntity,
+        Field(description="The organization that was granted the license", title="Licensee (Organization)"),
+    ]
+    individual: Annotated[
+        Optional[OrganizationalContact],
         Field(
-            description=(
-                "The URL to the license file. If specified, a 'license' externalReference should also be specified for"
-                " completeness"
-            ),
-            examples=["https://www.apache.org/licenses/LICENSE-2.0.txt"],
-            title="License URL",
+            description="The individual, not associated with an organization, that was granted the license",
+            title="Licensee (Individual)",
         ),
     ] = None
-    licensing: Annotated[
-        Optional[Licensing],
-        Field(
-            description=(
-                "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and"
-                " other important metadata"
-            ),
-            title="Licensing information",
-        ),
+class Licensee1(CycloneDXBaseModel):
+    """
+    The individual or organization for which a license was granted to
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        Optional[OrganizationalEntity],
+        Field(description="The organization that was granted the license", title="Licensee (Organization)"),
     ] = None
-    properties: Annotated[
-        Optional[List[Property]],
+    individual: Annotated[
+        OrganizationalContact,
         Field(
-            description=(
-                "Provides the ability to document properties in a name-value store. This provides flexibility to"
-                " include data not officially supported in the standard without having to use additional namespaces or"
-                " create extensions. Unlike key-value stores, properties support duplicate names, each potentially"
-                " having different values. Property names of interest to the general public are encouraged to be"
-                " registered in the [CycloneDX Property"
-                " Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL."
-            ),
-            title="Properties",
+            description="The individual, not associated with an organization, that was granted the license",
+            title="Licensee (Individual)",
         ),
-    ] = None
+    ]
-class Commit(CycloneDXBaseModel):
+class Purchaser(CycloneDXBaseModel):
     """
-    Specifies an individual commit
+    The individual or organization that purchased the license
     """
     class Config:
         extra = Extra.forbid
-    uid: Annotated[
-        Optional[str],
-        Field(
-            description=(
-                "A unique identifier of the commit. This may be version control specific. For example, Subversion uses"
-                " revision numbers whereas git uses commit hashes."
-            ),
-            title="UID",
-        ),
-    ] = None
-    url: Annotated[
-        Optional[str],
+    organization: Annotated[
+        OrganizationalEntity,
+        Field(description="The organization that purchased the license", title="Purchaser (Organization)"),
+    ]
+    individual: Annotated[
+        Optional[OrganizationalContact],
         Field(
-            description="The URL to the commit. This URL will typically point to a commit in a version control system.",
-            title="URL",
+            description="The individual, not associated with an organization, that purchased the license",
+            title="Purchaser (Individual)",
         ),
     ] = None
-    author: Annotated[
-        Optional[IdentifiableAction],
-        Field(description="The author who created the changes in the commit", title="Author"),
-    ] = None
-    committer: Annotated[
-        Optional[IdentifiableAction],
-        Field(description="The person who committed or pushed the commit", title="Committer"),
-    ] = None
-    message: Annotated[
-        Optional[str], Field(description="The text description of the contents of the commit", title="Message")
-    ] = None
-class Patch(CycloneDXBaseModel):
+class Purchaser1(CycloneDXBaseModel):
     """
-    Specifies an individual patch
+    The individual or organization that purchased the license
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        Optional[OrganizationalEntity],
+        Field(description="The organization that purchased the license", title="Purchaser (Organization)"),
+    ] = None
+    individual: Annotated[
+        OrganizationalContact,
+        Field(
+            description="The individual, not associated with an organization, that purchased the license",
+            title="Purchaser (Individual)",
+        ),
+    ]
+class Licensing(CycloneDXBaseModel):
+    """
+    Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+    """
+    class Config:
+        extra = Extra.forbid
+    altIds: Annotated[
+        Optional[List[str]],
+        Field(
+            description="License identifiers that may be used to manage licenses and their lifecycle",
+            title="Alternate License Identifiers",
+        ),
+    ] = None
+    licensor: Annotated[
+        Optional[Union[Licensor, Licensor1]],
+        Field(
+            description="The individual or organization that grants a license to another individual or organization",
+            title="Licensor",
+        ),
+    ] = None
+    licensee: Annotated[
+        Optional[Union[Licensee, Licensee1]],
+        Field(description="The individual or organization for which a license was granted to", title="Licensee"),
+    ] = None
+    purchaser: Annotated[
+        Optional[Union[Purchaser, Purchaser1]],
+        Field(description="The individual or organization that purchased the license", title="Purchaser"),
+    ] = None
+    purchaseOrder: Annotated[
+        Optional[str],
+        Field(
+            description=(
+                "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
+            ),
+            title="Purchase Order",
+        ),
+    ] = None
+    licenseTypes: Annotated[
+        Optional[List[LicenseType]],
+        Field(
+            description=(
+                "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use"
+                " of software solely for the purpose of education or research.\n* __appliance__ = A license covering"
+                " use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access"
+                " License (CAL) allows client computers to access services provided by server software.\n*"
+                " __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses"
+                " for a software application and licenses are shared among a larger number of users.\n* __core-points__"
+                " = A license where the core of a computer's processor is assigned a specific number of points.\n*"
+                " __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n*"
+                " __device__ = A license that covers a defined number of installations on computers and other types of"
+                " devices.\n* __evaluation__ = A license that grants permission to install and use software for trial"
+                " purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined"
+                " users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined"
+                " computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with"
+                " hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n*"
+                " __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a"
+                " copy of the software indefinitely.\n* __processor-points__ = A license where each installation"
+                " consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use"
+                " the software or service.\n* __user__ = A license that grants access to the software or service by a"
+                " specified number of users.\n* __other__ = Another license type.\n"
+            ),
+            title="License Type",
+        ),
+    ] = None
+    lastRenewal: Annotated[
+        Optional[datetime],
+        Field(
+            description=(
+                "The timestamp indicating when the license was last renewed. For new purchases, this is often the"
+                " purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of"
+                " when the license was last renewed."
+            ),
+            title="Last Renewal",
+        ),
+    ] = None
+    expiration: Annotated[
+        Optional[datetime],
+        Field(
+            description="The timestamp indicating when the current license expires (if applicable).", title="Expiration"
+        ),
+    ] = None
+class License1(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    bom_ref: Annotated[
+        Optional[str],
+        Field(
+            alias="bom-ref",
+            description=(
+                "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref"
+                " MUST be unique within the BOM."
+            ),
+            min_length=1,
+            title="BOM Reference",
+        ),
+    ] = None
+    id: Annotated[
+        spdx.LicenseID, Field(description="A valid SPDX license ID", examples=["Apache-2.0"], title="License ID (SPDX)")
+    ]
+    name: Annotated[
+        Optional[str],
+        Field(
+            description="If SPDX does not define the license used, this field may be used to provide the license name",
+            examples=["Acme Software License"],
+            title="License Name",
+        ),
+    ] = None
+    text: Annotated[
+        Optional[Attachment],
+        Field(description="An optional way to include the textual content of a license.", title="License text"),
+    ] = None
+    url: Annotated[
+        Optional[str],
+        Field(
+            description=(
+                "The URL to the license file. If specified, a 'license' externalReference should also be specified for"
+                " completeness"
+            ),
+            examples=["https://www.apache.org/licenses/LICENSE-2.0.txt"],
+            title="License URL",
+        ),
+    ] = None
+    licensing: Annotated[
+        Optional[Licensing],
+        Field(
+            description=(
+                "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and"
+                " other important metadata"
+            ),
+            title="Licensing information",
+        ),
+    ] = None
+    properties: Annotated[
+        Optional[List[Property]],
+        Field(
+            description=(
+                "Provides the ability to document properties in a name-value store. This provides flexibility to"
+                " include data not officially supported in the standard without having to use additional namespaces or"
+                " create extensions. Unlike key-value stores, properties support duplicate names, each potentially"
+                " having different values. Property names of interest to the general public are encouraged to be"
+                " registered in the [CycloneDX Property"
+                " Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL."
+            ),
+            title="Properties",
+        ),
+    ] = None
+class Licensor2(Licensor):
+    """
+    The individual or organization that grants a license to another individual or organization
+    """
+class Licensor3(Licensor1):
+    """
+    The individual or organization that grants a license to another individual or organization
+    """
+class Licensee2(Licensee):
+    """
+    The individual or organization for which a license was granted to
+    """
+class Licensee3(Licensee1):
+    """
+    The individual or organization for which a license was granted to
+    """
+class Purchaser2(Purchaser):
+    """
+    The individual or organization that purchased the license
+    """
+class Purchaser3(Purchaser1):
+    """
+    The individual or organization that purchased the license
+    """
+class Licensing1(CycloneDXBaseModel):
+    """
+    Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and other important metadata
+    """
+    class Config:
+        extra = Extra.forbid
+    altIds: Annotated[
+        Optional[List[str]],
+        Field(
+            description="License identifiers that may be used to manage licenses and their lifecycle",
+            title="Alternate License Identifiers",
+        ),
+    ] = None
+    licensor: Annotated[
+        Optional[Union[Licensor2, Licensor3]],
+        Field(
+            description="The individual or organization that grants a license to another individual or organization",
+            title="Licensor",
+        ),
+    ] = None
+    licensee: Annotated[
+        Optional[Union[Licensee2, Licensee3]],
+        Field(description="The individual or organization for which a license was granted to", title="Licensee"),
+    ] = None
+    purchaser: Annotated[
+        Optional[Union[Purchaser2, Purchaser3]],
+        Field(description="The individual or organization that purchased the license", title="Purchaser"),
+    ] = None
+    purchaseOrder: Annotated[
+        Optional[str],
+        Field(
+            description=(
+                "The purchase order identifier the purchaser sent to a supplier or vendor to authorize a purchase"
+            ),
+            title="Purchase Order",
+        ),
+    ] = None
+    licenseTypes: Annotated[
+        Optional[List[LicenseType]],
+        Field(
+            description=(
+                "The type of license(s) that was granted to the licensee\n\n* __academic__ = A license that grants use"
+                " of software solely for the purpose of education or research.\n* __appliance__ = A license covering"
+                " use of software embedded in a specific piece of hardware.\n* __client-access__ = A Client Access"
+                " License (CAL) allows client computers to access services provided by server software.\n*"
+                " __concurrent-user__ = A Concurrent User license (aka floating license) limits the number of licenses"
+                " for a software application and licenses are shared among a larger number of users.\n* __core-points__"
+                " = A license where the core of a computer's processor is assigned a specific number of points.\n*"
+                " __custom-metric__ = A license for which consumption is measured by non-standard metrics.\n*"
+                " __device__ = A license that covers a defined number of installations on computers and other types of"
+                " devices.\n* __evaluation__ = A license that grants permission to install and use software for trial"
+                " purposes.\n* __named-user__ = A license that grants access to the software to one or more pre-defined"
+                " users.\n* __node-locked__ = A license that grants access to the software on one or more pre-defined"
+                " computers or devices.\n* __oem__ = An Original Equipment Manufacturer license that is delivered with"
+                " hardware, cannot be transferred to other hardware, and is valid for the life of the hardware.\n*"
+                " __perpetual__ = A license where the software is sold on a one-time basis and the licensee can use a"
+                " copy of the software indefinitely.\n* __processor-points__ = A license where each installation"
+                " consumes points per processor.\n* __subscription__ = A license where the licensee pays a fee to use"
+                " the software or service.\n* __user__ = A license that grants access to the software or service by a"
+                " specified number of users.\n* __other__ = Another license type.\n"
+            ),
+            title="License Type",
+        ),
+    ] = None
+    lastRenewal: Annotated[
+        Optional[datetime],
+        Field(
+            description=(
+                "The timestamp indicating when the license was last renewed. For new purchases, this is often the"
+                " purchase or acquisition date. For non-perpetual licenses or subscriptions, this is the timestamp of"
+                " when the license was last renewed."
+            ),
+            title="Last Renewal",
+        ),
+    ] = None
+    expiration: Annotated[
+        Optional[datetime],
+        Field(
+            description="The timestamp indicating when the current license expires (if applicable).", title="Expiration"
+        ),
+    ] = None
+class License2(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    bom_ref: Annotated[
+        Optional[str],
+        Field(
+            alias="bom-ref",
+            description=(
+                "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref"
+                " MUST be unique within the BOM."
+            ),
+            min_length=1,
+            title="BOM Reference",
+        ),
+    ] = None
+    id: Annotated[
+        Optional[spdx.LicenseID],
+        Field(description="A valid SPDX license ID", examples=["Apache-2.0"], title="License ID (SPDX)"),
+    ] = None
+    name: Annotated[
+        str,
+        Field(
+            description="If SPDX does not define the license used, this field may be used to provide the license name",
+            examples=["Acme Software License"],
+            title="License Name",
+        ),
+    ]
+    text: Annotated[
+        Optional[Attachment],
+        Field(description="An optional way to include the textual content of a license.", title="License text"),
+    ] = None
+    url: Annotated[
+        Optional[str],
+        Field(
+            description=(
+                "The URL to the license file. If specified, a 'license' externalReference should also be specified for"
+                " completeness"
+            ),
+            examples=["https://www.apache.org/licenses/LICENSE-2.0.txt"],
+            title="License URL",
+        ),
+    ] = None
+    licensing: Annotated[
+        Optional[Licensing1],
+        Field(
+            description=(
+                "Licensing details describing the licensor/licensee, license type, renewal and expiration dates, and"
+                " other important metadata"
+            ),
+            title="Licensing information",
+        ),
+    ] = None
+    properties: Annotated[
+        Optional[List[Property]],
+        Field(
+            description=(
+                "Provides the ability to document properties in a name-value store. This provides flexibility to"
+                " include data not officially supported in the standard without having to use additional namespaces or"
+                " create extensions. Unlike key-value stores, properties support duplicate names, each potentially"
+                " having different values. Property names of interest to the general public are encouraged to be"
+                " registered in the [CycloneDX Property"
+                " Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is OPTIONAL."
+            ),
+            title="Properties",
+        ),
+    ] = None
+class LicenseChoice1(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    license: Annotated[Union[License1, License2], Field(title="License Object")]
+class Commit(CycloneDXBaseModel):
+    """
+    Specifies an individual commit
+    """
+    class Config:
+        extra = Extra.forbid
+    uid: Annotated[
+        Optional[str],
+        Field(
+            description=(
+                "A unique identifier of the commit. This may be version control specific. For example, Subversion uses"
+                " revision numbers whereas git uses commit hashes."
+            ),
+            title="UID",
+        ),
+    ] = None
+    url: Annotated[
+        Optional[str],
+        Field(
+            description="The URL to the commit. This URL will typically point to a commit in a version control system.",
+            title="URL",
+        ),
+    ] = None
+    author: Annotated[
+        Optional[IdentifiableAction],
+        Field(description="The author who created the changes in the commit", title="Author"),
+    ] = None
+    committer: Annotated[
+        Optional[IdentifiableAction],
+        Field(description="The person who committed or pushed the commit", title="Committer"),
+    ] = None
+    message: Annotated[
+        Optional[str], Field(description="The text description of the contents of the commit", title="Message")
+    ] = None
+class Patch(CycloneDXBaseModel):
+    """
+    Specifies an individual patch
     """
     class Config:
@@ -2050,6 +2355,39 @@ class ExternalReference(CycloneDXBaseModel):
     ] = None
+class ComponentEvidence(CycloneDXBaseModel):
+    """
+    Provides the ability to document evidence collected through various forms of extraction or analysis.
+    """
+    class Config:
+        extra = Extra.forbid
+    identity: Annotated[
+        Optional[Identity], Field(description="Evidence that substantiates the identity of a component.")
+    ] = None
+    occurrences: Annotated[
+        Optional[List[Occurrence]],
+        Field(
+            description="Evidence of individual instances of a component spread across multiple locations.",
+            title="Occurrences",
+        ),
+    ] = None
+    callstack: Annotated[
+        Optional[Callstack], Field(description="Evidence of the components use through the callstack.")
+    ] = None
+    licenses: Annotated[
+        Optional[Union[List[LicenseChoice1], LicenseChoice2]],
+        Field(
+            description=(
+                "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
+            ),
+            title="Component License(s)",
+        ),
+    ] = None
+    copyright: Annotated[Optional[List[Copyright]], Field(title="Copyright")] = None
 class Rating(CycloneDXBaseModel):
     """
     Defines the severity or risk ratings of a vulnerability.
@@ -2073,35 +2411,95 @@ class Rating(CycloneDXBaseModel):
     vector: Annotated[
         Optional[str],
         Field(
-            description="Textual representation of the metric values used to score the vulnerability", title="Vector"
+            description="Textual representation of the metric values used to score the vulnerability", title="Vector"
+        ),
+    ] = None
+    justification: Annotated[
+        Optional[str],
+        Field(description="An optional reason for rating the vulnerability as it was", title="Justification"),
+    ] = None
+class Credits(CycloneDXBaseModel):
+    """
+    Individuals or organizations credited with the discovery of the vulnerability.
+    """
+    class Config:
+        extra = Extra.forbid
+    organizations: Annotated[
+        Optional[List[OrganizationalEntity]],
+        Field(description="The organizations credited with vulnerability discovery.", title="Organizations"),
+    ] = None
+    individuals: Annotated[
+        Optional[List[OrganizationalContact]],
+        Field(
+            description=(
+                "The individuals, not associated with organizations, that are credited with vulnerability discovery."
+            ),
+            title="Individuals",
+        ),
+    ] = None
+class Versions(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    version: Annotated[
+        str, Field(description="A single version of a component or service.", max_length=1024, min_length=1)
+    ]
+    range: Annotated[
+        Optional[str],
+        Field(
+            description=(
+                "A version range specified in Package URL Version Range syntax (vers) which is defined at"
+                " https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst"
+            ),
+            max_length=1024,
+            min_length=1,
         ),
     ] = None
-    justification: Annotated[
-        Optional[str],
-        Field(description="An optional reason for rating the vulnerability as it was", title="Justification"),
-    ] = None
+    status: Annotated[
+        Optional[AffectedStatus], Field(description="The vulnerability status for the version or range of versions.")
+    ] = AffectedStatus.affected
-class Credits(CycloneDXBaseModel):
-    """
-    Individuals or organizations credited with the discovery of the vulnerability.
-    """
+class Versions1(CycloneDXBaseModel):
     class Config:
         extra = Extra.forbid
-    organizations: Annotated[
-        Optional[List[OrganizationalEntity]],
-        Field(description="The organizations credited with vulnerability discovery.", title="Organizations"),
+    version: Annotated[
+        Optional[str], Field(description="A single version of a component or service.", max_length=1024, min_length=1)
     ] = None
-    individuals: Annotated[
-        Optional[List[OrganizationalContact]],
+    range: Annotated[
+        str,
         Field(
             description=(
-                "The individuals, not associated with organizations, that are credited with vulnerability discovery."
+                "A version range specified in Package URL Version Range syntax (vers) which is defined at"
+                " https://github.com/package-url/purl-spec/VERSION-RANGE-SPEC.rst"
             ),
-            title="Individuals",
+            max_length=1024,
+            min_length=1,
         ),
+    ]
+    status: Annotated[
+        Optional[AffectedStatus], Field(description="The vulnerability status for the version or range of versions.")
+    ] = AffectedStatus.affected
+class Affect(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    ref: Annotated[
+        Union[RefLinkType, BomLinkElementType],
+        Field(description="References a component or service by the objects bom-ref", title="Reference"),
+    ]
+    versions: Annotated[
+        Optional[List[Union[Versions, Versions1]]],
+        Field(description="Zero or more individual versions or range of versions.", title="Versions"),
     ] = None
@@ -2155,14 +2553,22 @@ class Considerations(CycloneDXBaseModel):
     ] = None
-class DataGovernanceResponsibleParty(CycloneDXBaseModel):
+class DataGovernanceResponsibleParty1(CycloneDXBaseModel):
     class Config:
         extra = Extra.forbid
-    organization: Annotated[Optional[OrganizationalEntity], Field(title="Organization")] = None
+    organization: Annotated[OrganizationalEntity, Field(title="Organization")]
     contact: Annotated[Optional[OrganizationalContact], Field(title="Individual")] = None
+class DataGovernanceResponsibleParty2(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[Optional[OrganizationalEntity], Field(title="Organization")] = None
+    contact: Annotated[OrganizationalContact, Field(title="Individual")]
 class GraphicsCollection(CycloneDXBaseModel):
     """
     A collection of graphics that represent various measurements.
@@ -2192,7 +2598,7 @@ class Step(CycloneDXBaseModel):
     properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
-class ResourceReferenceChoice(CycloneDXBaseModel):
+class ResourceReferenceChoice1(CycloneDXBaseModel):
     """
     A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.
     """
@@ -2201,20 +2607,38 @@ class ResourceReferenceChoice(CycloneDXBaseModel):
         extra = Extra.forbid
     ref: Annotated[
-        Optional[Union[RefLinkType, BomLinkElementType]],
+        Union[RefLinkType, BomLinkElementType],
         Field(description="References an object by its bom-ref attribute", title="BOM Reference"),
-    ] = None
+    ]
     externalReference: Annotated[
         Optional[ExternalReference],
         Field(description="Reference to an externally accessible resource.", title="External reference"),
     ] = None
+class ResourceReferenceChoice2(CycloneDXBaseModel):
+    """
+    A reference to a locally defined resource (e.g., a bom-ref) or an externally accessible resource.
+    """
+    class Config:
+        extra = Extra.forbid
+    ref: Annotated[
+        Optional[Union[RefLinkType, BomLinkElementType]],
+        Field(description="References an object by its bom-ref attribute", title="BOM Reference"),
+    ] = None
+    externalReference: Annotated[
+        ExternalReference,
+        Field(description="Reference to an externally accessible resource.", title="External reference"),
+    ]
 class Signer(CycloneDXBaseModel):
     class Config:
         extra = Extra.forbid
-    algorithm: Union[AlgorithmEnum, AnyUrl]
+    algorithm: Union[Algorithm, AnyUrl]
     keyId: Annotated[
         Optional[str],
         Field(description="Optional. Application specific string identifying the signature key.", title="Key ID"),
@@ -2311,21 +2735,21 @@ class DataGovernance(CycloneDXBaseModel):
         extra = Extra.forbid
     custodians: Annotated[
-        Optional[List[DataGovernanceResponsibleParty]],
+        Optional[List[Union[DataGovernanceResponsibleParty1, DataGovernanceResponsibleParty2]]],
         Field(
             description="Data custodians are responsible for the safe custody, transport, and storage of data.",
             title="Data Custodians",
         ),
     ] = None
     stewards: Annotated[
-        Optional[List[DataGovernanceResponsibleParty]],
+        Optional[List[Union[DataGovernanceResponsibleParty1, DataGovernanceResponsibleParty2]]],
         Field(
             description="Data stewards are responsible for data content, context, and associated business rules.",
             title="Data Stewards",
         ),
     ] = None
     owners: Annotated[
-        Optional[List[DataGovernanceResponsibleParty]],
+        Optional[List[Union[DataGovernanceResponsibleParty1, DataGovernanceResponsibleParty2]]],
         Field(description="Data owners are concerned with risk and appropriate access to data.", title="Data Owners"),
     ] = None
@@ -2372,7 +2796,7 @@ class Workspace(CycloneDXBaseModel):
         Optional[str], Field(description="A description of the resource instance.", title="Description")
     ] = None
     resourceReferences: Annotated[
-        Optional[List[ResourceReferenceChoice]],
+        Optional[List[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]]],
         Field(
             description="References to component or service resources that are used to realize the resource instance.",
             title="Resource references",
@@ -2412,46 +2836,229 @@ class Workspace(CycloneDXBaseModel):
             title="Volume request",
         ),
     ] = None
-    volume: Annotated[
-        Optional[Volume],
+    volume: Annotated[
+        Optional[Volume],
+        Field(
+            description="Information about the actual volume instance allocated to the workspace.",
+            examples=["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],
+            title="Volume",
+        ),
+    ] = None
+    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
+class Event(CycloneDXBaseModel):
+    """
+    Represents something that happened that may trigger a response.
+    """
+    class Config:
+        extra = Extra.forbid
+    uid: Annotated[
+        Optional[str], Field(description="The unique identifier of the event.", title="Unique Identifier (UID)")
+    ] = None
+    description: Annotated[Optional[str], Field(description="A description of the event.", title="Description")] = None
+    timeReceived: Annotated[
+        Optional[datetime],
+        Field(description="The date and time (timestamp) when the event was received.", title="Time Received"),
+    ] = None
+    data: Annotated[Optional[Attachment], Field(description="Encoding of the raw event data.", title="Data")] = None
+    source: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(description="References the component or service that was the source of the event", title="Source"),
+    ] = None
+    target: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(description="References the component or service that was the target of the event", title="Target"),
+    ] = None
+    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
+class InputType1(CycloneDXBaseModel):
+    """
+    Type that represents various input data types and formats.
+    """
+    class Config:
+        extra = Extra.forbid
+    source: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A references to the component or service that provided the input to the task (e.g., reference to a"
+                " service with data flow value of `inbound`)"
+            ),
+            examples=["source code repository", "database"],
+            title="Source",
+        ),
+    ] = None
+    target: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A reference to the component or service that received or stored the input if not the task itself"
+                " (e.g., a local, named storage workspace)"
+            ),
+            examples=["workspace", "directory"],
+            title="Target",
+        ),
+    ] = None
+    resource: Annotated[
+        Union[ResourceReferenceChoice1, ResourceReferenceChoice2],
+        Field(
+            description=(
+                "A reference to an independent resource provided as an input to a task by the workflow runtime."
+            ),
+            examples=[
+                "reference to a configuration file in a repository (i.e., a bom-ref)",
+                "reference to a scanning service used in a task (i.e., a bom-ref)",
+            ],
+            title="Resource",
+        ),
+    ]
+    parameters: Annotated[
+        Optional[List[Parameter]],
+        Field(
+            description="Inputs that have the form of parameters with names and values.",
+            title="Parameters",
+        ),
+    ] = None
+    environmentVars: Annotated[
+        Optional[List[Union[Property, str]]],
+        Field(
+            description="Inputs that have the form of parameters with names and values.",
+            title="Environment variables",
+        ),
+    ] = None
+    data: Annotated[Optional[Attachment], Field(description="Inputs that have the form of data.", title="Data")] = None
+    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
+class InputType2(CycloneDXBaseModel):
+    """
+    Type that represents various input data types and formats.
+    """
+    class Config:
+        extra = Extra.forbid
+    source: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A references to the component or service that provided the input to the task (e.g., reference to a"
+                " service with data flow value of `inbound`)"
+            ),
+            examples=["source code repository", "database"],
+            title="Source",
+        ),
+    ] = None
+    target: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A reference to the component or service that received or stored the input if not the task itself"
+                " (e.g., a local, named storage workspace)"
+            ),
+            examples=["workspace", "directory"],
+            title="Target",
+        ),
+    ] = None
+    resource: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A reference to an independent resource provided as an input to a task by the workflow runtime."
+            ),
+            examples=[
+                "reference to a configuration file in a repository (i.e., a bom-ref)",
+                "reference to a scanning service used in a task (i.e., a bom-ref)",
+            ],
+            title="Resource",
+        ),
+    ] = None
+    parameters: Annotated[
+        List[Parameter],
+        Field(
+            description="Inputs that have the form of parameters with names and values.",
+            title="Parameters",
+        ),
+    ]
+    environmentVars: Annotated[
+        Optional[List[Union[Property, str]]],
+        Field(
+            description="Inputs that have the form of parameters with names and values.",
+            title="Environment variables",
+        ),
+    ] = None
+    data: Annotated[Optional[Attachment], Field(description="Inputs that have the form of data.", title="Data")] = None
+    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
+class InputType3(CycloneDXBaseModel):
+    """
+    Type that represents various input data types and formats.
+    """
+    class Config:
+        extra = Extra.forbid
+    source: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A references to the component or service that provided the input to the task (e.g., reference to a"
+                " service with data flow value of `inbound`)"
+            ),
+            examples=["source code repository", "database"],
+            title="Source",
+        ),
+    ] = None
+    target: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A reference to the component or service that received or stored the input if not the task itself"
+                " (e.g., a local, named storage workspace)"
+            ),
+            examples=["workspace", "directory"],
+            title="Target",
+        ),
+    ] = None
+    resource: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "A reference to an independent resource provided as an input to a task by the workflow runtime."
+            ),
+            examples=[
+                "reference to a configuration file in a repository (i.e., a bom-ref)",
+                "reference to a scanning service used in a task (i.e., a bom-ref)",
+            ],
+            title="Resource",
+        ),
+    ] = None
+    parameters: Annotated[
+        Optional[List[Parameter]],
+        Field(
+            description="Inputs that have the form of parameters with names and values.",
+            title="Parameters",
+        ),
+    ] = None
+    environmentVars: Annotated[
+        List[Union[Property, str]],
         Field(
-            description="Information about the actual volume instance allocated to the workspace.",
-            examples=["see https://kubernetes.io/docs/concepts/storage/persistent-volumes/"],
-            title="Volume",
+            description="Inputs that have the form of parameters with names and values.",
+            title="Environment variables",
         ),
-    ] = None
-    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
-class Event(CycloneDXBaseModel):
-    """
-    Represents something that happened that may trigger a response.
-    """
-    class Config:
-        extra = Extra.forbid
-    uid: Annotated[
-        Optional[str], Field(description="The unique identifier of the event.", title="Unique Identifier (UID)")
-    ] = None
-    description: Annotated[Optional[str], Field(description="A description of the event.", title="Description")] = None
-    timeReceived: Annotated[
-        Optional[datetime],
-        Field(description="The date and time (timestamp) when the event was received.", title="Time Received"),
-    ] = None
-    data: Annotated[Optional[Attachment], Field(description="Encoding of the raw event data.", title="Data")] = None
-    source: Annotated[
-        Optional[ResourceReferenceChoice],
-        Field(description="References the component or service that was the source of the event", title="Source"),
-    ] = None
-    target: Annotated[
-        Optional[ResourceReferenceChoice],
-        Field(description="References the component or service that was the target of the event", title="Target"),
-    ] = None
+    ]
+    data: Annotated[Optional[Attachment], Field(description="Inputs that have the form of data.", title="Data")] = None
     properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
-class InputType(CycloneDXBaseModel):
+class InputType4(CycloneDXBaseModel):
     """
     Type that represents various input data types and formats.
     """
@@ -2460,7 +3067,7 @@ class InputType(CycloneDXBaseModel):
         extra = Extra.forbid
     source: Annotated[
-        Optional[ResourceReferenceChoice],
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
         Field(
             description=(
                 "A references to the component or service that provided the input to the task (e.g., reference to a"
@@ -2471,7 +3078,7 @@ class InputType(CycloneDXBaseModel):
         ),
     ] = None
     target: Annotated[
-        Optional[ResourceReferenceChoice],
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
         Field(
             description=(
                 "A reference to the component or service that received or stored the input if not the task itself"
@@ -2482,7 +3089,7 @@ class InputType(CycloneDXBaseModel):
         ),
     ] = None
     resource: Annotated[
-        Optional[ResourceReferenceChoice],
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
         Field(
             description=(
                 "A reference to an independent resource provided as an input to a task by the workflow runtime."
@@ -2508,24 +3115,66 @@ class InputType(CycloneDXBaseModel):
             title="Environment variables",
         ),
     ] = None
-    data: Annotated[Optional[Attachment], Field(description="Inputs that have the form of data.", title="Data")] = None
+    data: Annotated[Attachment, Field(description="Inputs that have the form of data.", title="Data")]
+    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
+class OutputType1(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    type: Annotated[Optional[Type7], Field(description="Describes the type of data output.", title="Type")] = None
+    source: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description="Component or service that generated or provided the output from the task (e.g., a build tool)",
+            title="Source",
+        ),
+    ] = None
+    target: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "Component or service that received the output from the task (e.g., reference to an artifactory service"
+                " with data flow value of `outbound`)"
+            ),
+            examples=["a log file described as an `externalReference` within its target domain."],
+            title="Target",
+        ),
+    ] = None
+    resource: Annotated[
+        Union[ResourceReferenceChoice1, ResourceReferenceChoice2],
+        Field(
+            description="A reference to an independent resource generated as output by the task.",
+            examples=["configuration file", "source code", "scanning service"],
+            title="Resource",
+        ),
+    ]
+    data: Annotated[Optional[Attachment], Field(description="Outputs that have the form of data.", title="Data")] = None
+    environmentVars: Annotated[
+        Optional[List[Union[Property, str]]],
+        Field(
+            description="Outputs that have the form of environment variables.",
+            title="Environment variables",
+        ),
+    ] = None
     properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
-class OutputType(CycloneDXBaseModel):
+class OutputType2(CycloneDXBaseModel):
     class Config:
         extra = Extra.forbid
     type: Annotated[Optional[Type7], Field(description="Describes the type of data output.", title="Type")] = None
     source: Annotated[
-        Optional[ResourceReferenceChoice],
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
         Field(
             description="Component or service that generated or provided the output from the task (e.g., a build tool)",
             title="Source",
         ),
     ] = None
     target: Annotated[
-        Optional[ResourceReferenceChoice],
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
         Field(
             description=(
                 "Component or service that received the output from the task (e.g., reference to an artifactory service"
@@ -2536,7 +3185,7 @@ class OutputType(CycloneDXBaseModel):
         ),
     ] = None
     resource: Annotated[
-        Optional[ResourceReferenceChoice],
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
         Field(
             description="A reference to an independent resource generated as output by the task.",
             examples=["configuration file", "source code", "scanning service"],
@@ -2544,6 +3193,48 @@ class OutputType(CycloneDXBaseModel):
         ),
     ] = None
     data: Annotated[Optional[Attachment], Field(description="Outputs that have the form of data.", title="Data")] = None
+    environmentVars: Annotated[
+        List[Union[Property, str]],
+        Field(
+            description="Outputs that have the form of environment variables.",
+            title="Environment variables",
+        ),
+    ]
+    properties: Annotated[Optional[List[Property]], Field(title="Properties")] = None
+class OutputType3(CycloneDXBaseModel):
+    class Config:
+        extra = Extra.forbid
+    type: Annotated[Optional[Type7], Field(description="Describes the type of data output.", title="Type")] = None
+    source: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description="Component or service that generated or provided the output from the task (e.g., a build tool)",
+            title="Source",
+        ),
+    ] = None
+    target: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description=(
+                "Component or service that received the output from the task (e.g., reference to an artifactory service"
+                " with data flow value of `outbound`)"
+            ),
+            examples=["a log file described as an `externalReference` within its target domain."],
+            title="Target",
+        ),
+    ] = None
+    resource: Annotated[
+        Optional[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]],
+        Field(
+            description="A reference to an independent resource generated as output by the task.",
+            examples=["configuration file", "source code", "scanning service"],
+            title="Resource",
+        ),
+    ] = None
+    data: Annotated[Attachment, Field(description="Outputs that have the form of data.", title="Data")]
     environmentVars: Annotated[
         Optional[List[Union[Property, str]]],
         Field(
@@ -2720,7 +3411,7 @@ class Trigger(CycloneDXBaseModel):
         Optional[str], Field(description="A description of the resource instance.", title="Description")
     ] = None
     resourceReferences: Annotated[
-        Optional[List[ResourceReferenceChoice]],
+        Optional[List[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]]],
         Field(
             description="References to component or service resources that are used to realize the resource instance.",
             title="Resource references",
@@ -2739,7 +3430,7 @@ class Trigger(CycloneDXBaseModel):
         Field(description="The date and time (timestamp) when the trigger was activated.", title="Time activated"),
     ] = None
     inputs: Annotated[
-        Optional[List[InputType]],
+        Optional[List[Union[InputType1, InputType2, InputType3, InputType4]]],
         Field(
             description="Represents resources and data brought into a task at runtime by executor or task commands",
             examples=["a `configuration` file which was declared as a local `component` or `externalReference`"],
@@ -2747,7 +3438,7 @@ class Trigger(CycloneDXBaseModel):
         ),
     ] = None
     outputs: Annotated[
-        Optional[List[OutputType]],
+        Optional[List[Union[OutputType1, OutputType2, OutputType3]]],
         Field(
             description="Represents resources and data output from a task at runtime by executor or task commands",
             examples=["a log file or metrics data produced by the task"],
@@ -2848,7 +3539,7 @@ class Service(CycloneDXBaseModel):
         ),
     ] = None
     licenses: Annotated[
-        Optional[List],
+        Optional[Union[List[LicenseChoice1], LicenseChoice2]],
         Field(
             description=(
                 "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
@@ -2994,52 +3685,6 @@ class Compositions(CycloneDXBaseModel):
     ] = None
-class Annotations(CycloneDXBaseModel):
-    """
-    A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.
-    """
-    class Config:
-        extra = Extra.forbid
-    bom_ref: Annotated[
-        Optional[str],
-        Field(
-            alias="bom-ref",
-            description=(
-                "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every"
-                " bom-ref MUST be unique within the BOM."
-            ),
-            min_length=1,
-            title="BOM Reference",
-        ),
-    ] = None
-    subjects: Annotated[
-        List[Union[RefLinkType, BomLinkElementType]],
-        Field(
-            description=(
-                "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any"
-                " object type supporting bom-refs."
-            ),
-            title="BOM References",
-        ),
-    ]
-    timestamp: Annotated[
-        datetime, Field(description="The date and time (timestamp) when the annotation was created.", title="Timestamp")
-    ]
-    text: Annotated[str, Field(description="The textual content of the annotation.", title="Text")]
-    signature: Annotated[
-        Optional[Union[Signature1, Signature2, Signer]],
-        Field(
-            description=(
-                "Enveloped signature in [JSON Signature Format"
-                " (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
-            ),
-            title="Signature",
-        ),
-    ] = None
 class ModelParameters(CycloneDXBaseModel):
     """
     Hyper-parameters for construction of the model.
@@ -3080,7 +3725,7 @@ class ModelParameters(CycloneDXBaseModel):
         ),
     ] = None
     datasets: Annotated[
-        Optional[List[Union[ComponentData, Dataset]]],
+        Optional[List[Union[ComponentData, Datasets]]],
         Field(description="The datasets used to train and evaluate the model.", title="Datasets"),
     ] = None
     inputs: Annotated[
@@ -3178,7 +3823,7 @@ class Task(CycloneDXBaseModel):
         Optional[str], Field(description="A description of the resource instance.", title="Description")
     ] = None
     resourceReferences: Annotated[
-        Optional[List[ResourceReferenceChoice]],
+        Optional[List[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]]],
         Field(
             description="References to component or service resources that are used to realize the resource instance.",
             title="Resource references",
@@ -3201,7 +3846,7 @@ class Task(CycloneDXBaseModel):
         ),
     ] = None
     inputs: Annotated[
-        Optional[List[InputType]],
+        Optional[List[Union[InputType1, InputType2, InputType3, InputType4]]],
         Field(
             description="Represents resources and data brought into a task at runtime by executor or task commands",
             examples=["a `configuration` file which was declared as a local `component` or `externalReference`"],
@@ -3209,7 +3854,7 @@ class Task(CycloneDXBaseModel):
         ),
     ] = None
     outputs: Annotated[
-        Optional[List[OutputType]],
+        Optional[List[Union[OutputType1, OutputType2, OutputType3]]],
         Field(
             description="Represents resources and data output from a task at runtime by executor or task commands",
             examples=["a log file or metrics data produced by the task"],
@@ -3272,7 +3917,7 @@ class Workflow(CycloneDXBaseModel):
         Optional[str], Field(description="A description of the resource instance.", title="Description")
     ] = None
     resourceReferences: Annotated[
-        Optional[List[ResourceReferenceChoice]],
+        Optional[List[Union[ResourceReferenceChoice1, ResourceReferenceChoice2]]],
         Field(
             description="References to component or service resources that are used to realize the resource instance.",
             title="Resource references",
@@ -3309,7 +3954,7 @@ class Workflow(CycloneDXBaseModel):
         ),
     ] = None
     inputs: Annotated[
-        Optional[List[InputType]],
+        Optional[List[Union[InputType1, InputType2, InputType3, InputType4]]],
         Field(
             description="Represents resources and data brought into a task at runtime by executor or task commands",
             examples=["a `configuration` file which was declared as a local `component` or `externalReference`"],
@@ -3317,7 +3962,7 @@ class Workflow(CycloneDXBaseModel):
         ),
     ] = None
     outputs: Annotated[
-        Optional[List[OutputType]],
+        Optional[List[Union[OutputType1, OutputType2, OutputType3]]],
         Field(
             description="Represents resources and data output from a task at runtime by executor or task commands",
             examples=["a log file or metrics data produced by the task"],
@@ -3503,7 +4148,7 @@ class CyclonedxSoftwareBillOfMaterialsStandard(CycloneDXBaseModel):
     ] = None
-class ToolModel(CycloneDXBaseModel):
+class Tools(CycloneDXBaseModel):
     """
     The tool(s) used in the creation of the BOM.
     """
@@ -3539,9 +4184,9 @@ class Metadata(CycloneDXBaseModel):
         Field(description="The date and time (timestamp) when the BOM was created.", title="Timestamp"),
     ] = None
     lifecycles: Annotated[
-        Optional[List[Union[Lifecycle, Lifecycle1]]], Field(description="", title="Lifecycles")
+        Optional[List[Union[Lifecycles, Lifecycles1]]], Field(description="", title="Lifecycles")
     ] = None
-    tools: Optional[Union[ToolModel, List[Tool]]] = None
+    tools: Optional[Union[Tools, List[Tool]]] = None
     authors: Annotated[
         Optional[List[OrganizationalContact]],
         Field(
@@ -3572,7 +4217,7 @@ class Metadata(CycloneDXBaseModel):
         ),
     ] = None
     licenses: Annotated[
-        Optional[List],
+        Optional[Union[List[LicenseChoice1], LicenseChoice2]],
         Field(
             description=(
                 "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
@@ -3816,7 +4461,7 @@ class Component(CycloneDXBaseModel):
     ] = Scope.required
     hashes: Annotated[Optional[List[Hash]], Field(title="Component Hashes")] = None
     licenses: Annotated[
-        Optional[List],
+        Optional[Union[List[LicenseChoice1], LicenseChoice2]],
         Field(
             description=(
                 "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
@@ -3964,7 +4609,7 @@ class Component(CycloneDXBaseModel):
     ] = None
-class Tool1(CycloneDXBaseModel):
+class Tools1(CycloneDXBaseModel):
     """
     The tool(s) used to identify, confirm, or score the vulnerability.
     """
@@ -4038,13 +4683,14 @@ class Vulnerability(CycloneDXBaseModel):
         Optional[List[Rating]], Field(description="List of vulnerability ratings", title="Ratings")
     ] = None
     cwes: Annotated[
-        Optional[List[Cwe]],
+        Optional[List[int]],
         Field(
             description=(
                 "List of Common Weaknesses Enumerations (CWEs) codes that describes this vulnerability. For example 399"
                 " (of https://cwe.mitre.org/data/definitions/399.html)"
             ),
             examples=[399],
+            ge=1,
             title="CWEs",
         ),
     ] = None
@@ -4123,7 +4769,7 @@ class Vulnerability(CycloneDXBaseModel):
             title="Credits",
         ),
     ] = None
-    tools: Optional[Union[Tool1, List[Tool]]] = None
+    tools: Optional[Union[Tools1, List[Tool]]] = None
     analysis: Annotated[
         Optional[Analysis],
         Field(
@@ -4153,6 +4799,135 @@ class Vulnerability(CycloneDXBaseModel):
     ] = None
+class Annotator(CycloneDXBaseModel):
+    """
+    The organization, person, component, or service which created the textual content of the annotation.
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[OrganizationalEntity, Field(description="The organization that created the annotation")]
+    individual: Annotated[
+        Optional[OrganizationalContact], Field(description="The person that created the annotation")
+    ] = None
+    component: Annotated[
+        Optional[Component], Field(description="The tool or component that created the annotation")
+    ] = None
+    service: Annotated[Optional[Service], Field(description="The service that created the annotation")] = None
+class Annotator1(CycloneDXBaseModel):
+    """
+    The organization, person, component, or service which created the textual content of the annotation.
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        Optional[OrganizationalEntity], Field(description="The organization that created the annotation")
+    ] = None
+    individual: Annotated[OrganizationalContact, Field(description="The person that created the annotation")]
+    component: Annotated[
+        Optional[Component], Field(description="The tool or component that created the annotation")
+    ] = None
+    service: Annotated[Optional[Service], Field(description="The service that created the annotation")] = None
+class Annotator2(CycloneDXBaseModel):
+    """
+    The organization, person, component, or service which created the textual content of the annotation.
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        Optional[OrganizationalEntity], Field(description="The organization that created the annotation")
+    ] = None
+    individual: Annotated[
+        Optional[OrganizationalContact], Field(description="The person that created the annotation")
+    ] = None
+    component: Annotated[Component, Field(description="The tool or component that created the annotation")]
+    service: Annotated[Optional[Service], Field(description="The service that created the annotation")] = None
+class Annotator3(CycloneDXBaseModel):
+    """
+    The organization, person, component, or service which created the textual content of the annotation.
+    """
+    class Config:
+        extra = Extra.forbid
+    organization: Annotated[
+        Optional[OrganizationalEntity], Field(description="The organization that created the annotation")
+    ] = None
+    individual: Annotated[
+        Optional[OrganizationalContact], Field(description="The person that created the annotation")
+    ] = None
+    component: Annotated[
+        Optional[Component], Field(description="The tool or component that created the annotation")
+    ] = None
+    service: Annotated[Service, Field(description="The service that created the annotation")]
+class Annotations(CycloneDXBaseModel):
+    """
+    A comment, note, explanation, or similar textual content which provides additional context to the object(s) being annotated.
+    """
+    class Config:
+        extra = Extra.forbid
+    bom_ref: Annotated[
+        Optional[str],
+        Field(
+            alias="bom-ref",
+            description=(
+                "An optional identifier which can be used to reference the annotation elsewhere in the BOM. Every"
+                " bom-ref MUST be unique within the BOM."
+            ),
+            min_length=1,
+            title="BOM Reference",
+        ),
+    ] = None
+    subjects: Annotated[
+        List[Union[RefLinkType, BomLinkElementType]],
+        Field(
+            description=(
+                "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any"
+                " object type supporting bom-refs."
+            ),
+            title="BOM References",
+        ),
+    ]
+    annotator: Annotated[
+        Union[Annotator, Annotator1, Annotator2, Annotator3],
+        Field(
+            description=(
+                "The organization, person, component, or service which created the textual content of the annotation."
+            ),
+            title="Annotator",
+        ),
+    ]
+    timestamp: Annotated[
+        datetime, Field(description="The date and time (timestamp) when the annotation was created.", title="Timestamp")
+    ]
+    text: Annotated[str, Field(description="The textual content of the annotation.", title="Text")]
+    signature: Annotated[
+        Optional[Union[Signature1, Signature2, Signer]],
+        Field(
+            description=(
+                "Enveloped signature in [JSON Signature Format"
+                " (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+            ),
+            title="Signature",
+        ),
+    ] = None
 class Formula(CycloneDXBaseModel):
     """
     Describes workflows and resources that captures rules and other aspects of how the associated BOM component or service was formed.
@@ -4206,6 +4981,6 @@ class Formula(CycloneDXBaseModel):
 Service.update_forward_refs()
 CyclonedxSoftwareBillOfMaterialsStandard.update_forward_refs()
-ToolModel.update_forward_refs()
+Tools.update_forward_refs()
 Metadata.update_forward_refs()
 Pedigree.update_forward_refs()