1,235 changes: 1,235 additions & 0 deletions schema/2.0/model/cyclonedx-blueprint-2.0.schema.json


87 changes: 81 additions & 6 deletions schema/2.0/model/cyclonedx-common-2.0.schema.json
Expand Up @@ -392,6 +392,12 @@
}
}
},
"organizationalEntityOrContact": {
"oneOf": [
{ "$ref": "#/$defs/organizationalEntity" },
{ "$ref": "#/$defs/organizationalContact" }
]
},
"properties": {
"type": "array",
"title": "Properties",
Expand Down Expand Up @@ -458,12 +464,81 @@
"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$",
"description": "An RFC 3339-compliant UTC timestamp using Zulu time (i.e., ending with 'Z'). The format must be 'YYYY-MM-DDTHH:MM:SSZ' or include optional fractional seconds, e.g., 'YYYY-MM-DDTHH:MM:SS.sssZ'. Offsets such as '+00:00' are not allowed."
},






"ordinalVersion": {
"title": "Ordinal Version",
"description": "An ordinal version is a dot-delimited, purely numeric identifier where each segment represents an ordered level in the hierarchy. The segments have no prescribed meaning beyond numeric ordering, allowing straightforward comparison and sorting.",
"type": "string",
"pattern": "^\\d+(\\.\\d+)*$",
"examples": [
"1",
"1.2",
"1.2.3",
"2025.09.02",
"10.4.7.3"
]
},
"lifecycle": {
"type": "object",
"title": "Lifecycle",
"description": "The product lifecycle(s) that this BOM represents.",
"oneOf": [
{
"title": "Pre-Defined Phase",
"required": ["phase"],
"additionalProperties": false,
"properties": {
"phase": {
"type": "string",
"title": "Phase",
"description": "A pre-defined phase in the product lifecycle.",
"enum": [
"design",
"pre-build",
"build",
"post-build",
"operations",
"discovery",
"decommission"
],
"meta:enum": {
"design": "BOM produced early in the development lifecycle containing an inventory of components and services that are proposed or planned to be used. The inventory may need to be procured, retrieved, or resourced prior to use.",
"pre-build": "BOM consisting of information obtained prior to a build process and may contain source files and development artifacts and manifests. The inventory may need to be resolved and retrieved prior to use.",
"build": "BOM consisting of information obtained during a build process where component inventory is available for use. The precise versions of resolved components are usually available at this time as well as the provenance of where the components were retrieved from.",
"post-build": "BOM consisting of information obtained after a build process has completed and the resulting components(s) are available for further analysis. Built components may exist as the result of a CI/CD process, may have been installed or deployed to a system or device, and may need to be retrieved or extracted from the system or device.",
"operations": "BOM produced that represents inventory that is running and operational. This may include staging or production environments and will generally encompass multiple SBOMs describing the applications and operating system, along with HBOMs describing the hardware that makes up the system. Operations Bill of Materials (OBOM) can provide full-stack inventory of runtime environments, configurations, and additional dependencies.",
"discovery": "BOM consisting of information observed through network discovery providing point-in-time enumeration of embedded, on-premise, and cloud-native services such as server applications, connected devices, microservices, and serverless functions.",
"decommission": "BOM containing inventory that will be, or has been retired from operations."
}
}
}
},
{
"title": "Custom Phase",
"required": ["name"],
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Name",
"description": "The name of the lifecycle phase"
},
"description": {
"type": "string",
"title": "Description",
"description": "The description of the lifecycle phase"
}
}
}
]
},
"lifecycles": {
"type": "array",
"title": "Lifecycles",
"description": "Lifecycles communicate the stage(s) in which data was captured. Different types of data may be available at various phases of a lifecycle, such as the Software Development Lifecycle (SDLC), IT Asset Management (ITAM), and Software Asset Management (SAM). Thus, a BOM may include data specific to or only obtainable in a given lifecycle.",
"items": {
"$ref": "#/$defs/lifecycle"
}
},
"commit": {
"type": "object",
"title": "Commit",
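Review bot: The `ordinalVersion` definition promises "straightforward comparison and sorting", but the pattern `^\d+(\.\d+)*$` puts no bound on segment length and admits leading zeros (the example `2025.09.02` has one), so a consumer that compares segments lexically, or parses them into fixed-width integers, will order versions differently from one that does not. State the rule in the description, e.g. append `Segments are compared left to right as arbitrary-precision integers; leading zeros are not significant.`, and consider a `maxLength` so that a validator rejects pathological inputs before a comparator sees them. The `lifecycle` description, "The product lifecycle(s) that this BOM represents.", is the wording for the `lifecycles` array, whereas this object is a single phase; `"description": "A single phase of the product lifecycle that this BOM represents."` reads correctly for both the pre-defined and the custom branch. In the Custom Phase branch, `name` is required but may be the empty string; `"minLength": 1` would match the intent.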
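--- /dev/null
+++ b/schema/2.0/model/cyclonedx-requirement-2.0.schema.json
@@ -0,0 +1,281 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "http://localhost:8080/schema/2.0/cyclonedx-requirement-2.0.schema.json",
+"type": "object",
+"title": "CycloneDX Transparency Expression Language: Engineering Requirement",
+"$comment": "CycloneDX JSON schema is published under the terms of the Apache License 2.0.",
+"additionalProperties": false,
+"$defs": {
+"requirement": {
+"type": "object",
+"title": "Requirement",
+"description": "A requirement represents a specific need, constraint, or capability that must be met.",
+"additionalProperties": false,
+"properties": {
+"bom-ref": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType"
+},
+"id": {
+"type": "string",
+"title": "Identifier",
+"description": "A unique identifier for the requirement, often used in requirement management systems (e.g., REQ-001)."
+},
+"name": {
+"type": "string",
+"title": "Name",
+"description": "A short name or title for the requirement."
+},
+"description": {
+"type": "string",
+"title": "Description",
+"description": "A detailed description of the requirement."
+},
+"type": {
+"type": "array",
+"title": "Requirement Types",
+"description": "The categories or classifications applicable to the requirement.",
+"items": {
+"$ref": "#/$defs/requirementType"
+},
+"uniqueItems": true
+},
+"priority": {
+"type": "string",
+"title": "Priority",
+"description": "The priority level of the requirement.",
+"enum": [
+"critical",
+"high",
+"medium",
+"low"
+]
+},
+"status": {
+"$ref": "#/$defs/requirementStatus"
+},
+"version": {
+"type": "string",
+"title": "Version",
+"description": "The version of the requirement."
+},
+"stakeholders": {
+"type": "array",
+"title": "Stakeholders",
+"description": "The individuals or groups who have an interest in the requirement.",
+"items": {
+"type": "string"
+}
+},
+"acceptanceCriteria": {
+"type": "array",
+"title": "Acceptance Criteria",
+"description": "Criteria that must be met for the requirement to be considered satisfied.",
+"items": {
+"$ref": "#/$defs/acceptanceCriterion"
+}
+},
+"dependencies": {
+"type": "array",
+"title": "Dependencies",
+"description": "Other requirements that this requirement depends on.",
+"items": {
+"$ref": "#/$defs/dependency"
+}
+},
+"parent": {
+"type": "string",
+"title": "Parent BOM Reference",
+"description": "The optional `bom-ref` to a parent requirement. This establishes a hierarchy of requirements."
+},
+"rationale": {
+"type": "string",
+"title": "Rationale",
+"description": "The reasoning or justification for the requirement."
+},
+"fitCriterion": {
+"type": "string",
+"title": "Fit Criterion",
+"description": "A measurable test that the solution must pass to be acceptable to the stakeholders."
+},
+"effort": {
+"type": "string",
+"title": "Effort Estimation",
+"description": "An estimation of the effort required to implement the requirement."
+},
+"risk": {
+"type": "string",
+"title": "Risk",
+"description": "The risk level associated with implementing or not implementing the requirement.",
+"enum": [
+"critical",
+"high",
+"medium",
+"low"
+]
+},
+"attachments": {
+"type": "array",
+"title": "Attachments",
+"description": "Files or documents attached to the requirement.",
+"items": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/attachment"
+}
+},
+"properties": {
+"type": "array",
+"title": "Properties",
+"description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard.",
+"items": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/property"
+}
+},
+"externalReferences": {
+"type": "array",
+"title": "External References",
+"description": "External references provide a way to document systems, sites, and information that may be relevant to the requirement.",
+"items": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference"
+}
+}
+}
+},
+"requirementType": {
+"type": "string",
+"title": "Requirement Type",
+"description": "The category or classification applicable to the requirement.",
+"enum": [
+"accessibility",
+"auditability",
+"availability",
+"business",
+"compatibility",
+"compliance",
+"deployment",
+"functional",
+"interoperability",
+"localization",
+"maintainability",
+"non-functional",
+"other",
+"performance",
+"portability",
+"privacy",
+"regulatory",
+"reliability",
+"scalability",
+"security",
+"system",
+"testability",
+"usability",
+"user"
+],
+"meta:enum": {
+"accessibility": "Requirements ensuring inclusive access for people with disabilities or impairments.",
+"auditability": "Requirements defining the capability of a system to record activities for review and compliance purposes.",
+"availability": "Requirements describing the uptime and operational availability of systems or services.",
+"business": "Requirements derived from organizational goals, strategies, or business processes.",
+"compatibility": "Requirements ensuring the software or system functions correctly with other systems or legacy components.",
+"compliance": "Requirements ensuring adherence to internal policies, industry standards, or external agreements beyond regulatory mandates.",
+"deployment": "Requirements related to deploying, configuring, and operating the system in production environments.",
+"functional": "Requirements specifying the fundamental behaviors and capabilities of the system or application.",
+"interoperability": "Requirements addressing the ability of the system to interact seamlessly with external systems or products.",
+"localization": "Requirements specifying adaptations for specific languages, cultures, or regional needs.",
+"maintainability": "Requirements aimed at ensuring the ease of performing maintenance, enhancements, or repairs.",
+"non-functional": "Requirements that define constraints or qualities such as performance, usability, reliability, etc., rather than specific functionality.",
+"other": "Requirements that do not clearly fit into other specified categories.",
+"performance": "Requirements specifying response times, throughput, or other efficiency-related aspects.",
+"portability": "Requirements enabling the system or components to be transferred easily across various environments or platforms.",
+"privacy": "Requirements specifically addressing the handling and protection of personal and sensitive data.",
+"regulatory": "Requirements necessary for legal compliance, dictated by laws, regulations, or standards.",
+"reliability": "Requirements ensuring the system consistently performs under specified conditions and duration.",
+"scalability": "Requirements focused on the ability of the system to grow and manage increased demand effectively.",
+"security": "Requirements intended to protect systems, data, and users from malicious actions or threats.",
+"system": "Technical requirements defining infrastructure, architecture, or underlying technologies.",
+"testability": "Requirements ensuring the system can be effectively validated and tested.",
+"usability": "Requirements addressing the ease of use, intuitiveness, and overall user experience.",
+"user": "Requirements captured directly from user needs, tasks, and expectations."
+}
+},
+"requirementStatus": {
+"type": "string",
+"title": "Status",
+"description": "The current status of the requirement in the development lifecycle.",
+"enum": [
+"draft",
+"proposed",
+"approved",
+"implemented",
+"verified",
+"deferred",
+"rejected",
+"replaced",
+"obsolete"
+]
+},
+"acceptanceCriterion": {
+"type": "object",
+"title": "Acceptance Criterion",
+"description": "A specific condition that must be met for the requirement to be considered satisfied.",
+"additionalProperties": false,
+"properties": {
+"id": {
+"type": "string",
+"title": "Identifier",
+"description": "A unique identifier for the acceptance criterion."
+},
+"description": {
+"type": "string",
+"title": "Description",
+"description": "A description of the acceptance criterion."
+},
+"status": {
+"type": "string",
+"title": "Status",
+"description": "The current status of the acceptance criterion.",
+"enum": [
+"pending",
+"passed",
+"failed"
+]
+}
+}
+},
+"dependency": {
+"type": "object",
+"title": "Dependency",
+"description": "A dependency on another requirement.",
+"additionalProperties": false,
+"properties": {
+"ref": {
+"oneOf": [
+{
+"title": "Ref",
+"$ref": "#/definitions/refLinkType"
+},
+{
+"title": "BOM-Link Element",
+"$ref": "#/definitions/bomLinkElementType"
+}
+]
+},
+"type": {
+"type": "string",
+"title": "Dependency Type",
+"description": "The type of dependency relationship.",
+"enum": [
+"requires",
+"conflicts-with",
+"enhances",
+"implements",
+"other"
+]
+},
+"description": {
+"type": "string",
+"title": "Description",
+"description": "A description of the dependency relationship."
+}
+}
+}
+}
+}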
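Review bot: The `ref` property of `dependency` references `#/definitions/refLinkType` and `#/definitions/bomLinkElementType`, but this file declares a draft 2020-12 `$defs` block and contains neither definition, so a validator will fail with an unresolvable reference the first time a dependency carries a `ref`. Every other cross-type reference in the file targets `cyclonedx-common-2.0.schema.json#/$defs/...` (e.g. `bom-ref` → `refType`), so these presumably should read `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType"` and `"$ref": "cyclonedx-common-2.0.schema.json#/$defs/bomLinkElementType"`, provided the common schema defines those types; if it does not, they need to be added there or `ref` reduced to `refType`. Relatedly, `parent` is documented as a `bom-ref` to another requirement but is typed as a bare string, so the hierarchy link is never validated as a reference; pointing it at the same ref type as `dependency.ref` closes that gap. `stakeholders` is an array of free-form strings even though this same PR adds `organizationalEntityOrContact` to the common schema, which would be the consistent item type. The `$id` is a `localhost:8080` URL, and the relative cross-file `$ref`s resolve against it, so it must match the URI the common schema is actually served under before the schemas can be validated together.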