diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index 975197f7..b9a629ca 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -297,6 +297,8 @@ enum ExternalReferenceType {
EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
// Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
+ // Reference to release notes
+ EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42;
}
enum HashAlg {
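Review bot: The comment on `EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42` is terser than its neighbours and does not say how the reference differs from the component's inline `releaseNotes` data, which the valid-release-notes fixtures in this commit set on the same component. If the intent is a pointer to notes published outside the BOM, a comment such as `// Reference to release notes published outside the BOM; inline notes belong in the component's releaseNotes` would make that explicit. Appending the value with a fresh number keeps the wire format compatible, but readers generated from the earlier enum will see 42 as an unknown value, so it would help to mention that in the changelog. The enum body starts outside this hunk, so the rest of the numbering cannot be checked from here.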
diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.json b/tools/src/test/resources/1.6/valid-external-reference-1.6.json
index 80d87d42..f5e24561 100644
--- a/tools/src/test/resources/1.6/valid-external-reference-1.6.json
+++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.json
@@ -34,6 +34,185 @@
"comment": "Vendor provided documentation for the product"
}
]
+ },
+ {
+ "type": "application",
+ "name": "dummy",
+ "description": "this component has all external reference types possible",
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "http://example.com/extref/vcs"
+ },
+ {
+ "type": "issue-tracker",
+ "url": "http://example.com/extref/issue-tracker"
+ },
+ {
+ "type": "website",
+ "url": "http://example.com/extref/website"
+ },
+ {
+ "type": "advisories",
+ "url": "http://example.com/extref/advisories"
+ },
+ {
+ "type": "bom",
+ "url": "http://example.com/extref/bom"
+ },
+ {
+ "type": "mailing-list",
+ "url": "http://example.com/extref/mailing-list"
+ },
+ {
+ "type": "social",
+ "url": "http://example.com/extref/social"
+ },
+ {
+ "type": "chat",
+ "url": "http://example.com/extref/chat"
+ },
+ {
+ "type": "documentation",
+ "url": "http://example.com/extref/documentation"
+ },
+ {
+ "type": "support",
+ "url": "http://example.com/extref/support"
+ },
+ {
+ "type": "source-distribution",
+ "url": "http://example.com/extref/source-distribution"
+ },
+ {
+ "type": "distribution",
+ "url": "http://example.com/extref/distribution"
+ },
+ {
+ "type": "distribution-intake",
+ "url": "http://example.com/extref/distribution-intake"
+ },
+ {
+ "type": "license",
+ "url": "http://example.com/extref/license"
+ },
+ {
+ "type": "build-meta",
+ "url": "http://example.com/extref/build-meta"
+ },
+ {
+ "type": "build-system",
+ "url": "http://example.com/extref/build-system"
+ },
+ {
+ "type": "release-notes",
+ "url": "http://example.com/extref/release-notes"
+ },
+ {
+ "type": "security-contact",
+ "url": "http://example.com/extref/security-contact"
+ },
+ {
+ "type": "model-card",
+ "url": "http://example.com/extref/model-card"
+ },
+ {
+ "type": "log",
+ "url": "http://example.com/extref/log"
+ },
+ {
+ "type": "configuration",
+ "url": "http://example.com/extref/configuration"
+ },
+ {
+ "type": "evidence",
+ "url": "http://example.com/extref/evidence"
+ },
+ {
+ "type": "formulation",
+ "url": "http://example.com/extref/formulation"
+ },
+ {
+ "type": "attestation",
+ "url": "http://example.com/extref/attestation"
+ },
+ {
+ "type": "threat-model",
+ "url": "http://example.com/extref/threat-model"
+ },
+ {
+ "type": "adversary-model",
+ "url": "http://example.com/extref/adversary-model"
+ },
+ {
+ "type": "risk-assessment",
+ "url": "http://example.com/extref/risk-assessment"
+ },
+ {
+ "type": "vulnerability-assertion",
+ "url": "http://example.com/extref/vulnerability-assertion"
+ },
+ {
+ "type": "exploitability-statement",
+ "url": "http://example.com/extref/exploitability-statement"
+ },
+ {
+ "type": "pentest-report",
+ "url": "http://example.com/extref/pentest-report"
+ },
+ {
+ "type": "static-analysis-report",
+ "url": "http://example.com/extref/static-analysis-report"
+ },
+ {
+ "type": "dynamic-analysis-report",
+ "url": "http://example.com/extref/dynamic-analysis-report"
+ },
+ {
+ "type": "runtime-analysis-report",
+ "url": "http://example.com/extref/runtime-analysis-report"
+ },
+ {
+ "type": "component-analysis-report",
+ "url": "http://example.com/extref/component-analysis-report"
+ },
+ {
+ "type": "maturity-report",
+ "url": "http://example.com/extref/maturity-report"
+ },
+ {
+ "type": "certification-report",
+ "url": "http://example.com/extref/certification-report"
+ },
+ {
+ "type": "quality-metrics",
+ "url": "http://example.com/extref/quality-metrics"
+ },
+ {
+ "type": "codified-infrastructure",
+ "url": "http://example.com/extref/codified-infrastructure"
+ },
+ {
+ "type": "poam",
+ "url": "http://example.com/extref/poam"
+ },
+ {
+ "type": "electronic-signature",
+ "url": "http://example.com/extref/electronic-signature"
+ },
+ {
+ "type": "digital-signature",
+ "url": "http://example.com/extref/digital-signature"
+ },
+ {
+ "type": "rfc-9116",
+ "url": "http://example.com/extref/rfc-9116"
+ },
+ {
+ "type": "other",
+ "url": "http://example.com/extref/other"
+ }
+ ]
}
]
}
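Review bot: The `dummy` component's description claims it carries "all external reference types possible", but the list is maintained by hand, so it will silently drift the next time the schema enum gains a value. The same applies to the matching textproto and XML fixtures later in this commit. A test that reads the `type` enum from the schema and asserts that each value appears in the fixture would turn that description into a checked property. Separately, these entries use `http://` while the new release-notes fixture uses `https://`. Since fixtures are often copied as examples, and several of these types point at security artefacts (`pentest-report`, `threat-model`, `security-contact`), `https://example.com/extref/...` would be the better default.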
diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto b/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto
index 0428a8e9..9a8c3df2 100644
--- a/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto
+++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.textproto
@@ -30,3 +30,180 @@ components {
comment: "Vendor provided documentation for the product"
}
}
+components {
+ type: CLASSIFICATION_APPLICATION
+ name: "dummy"
+ description: "this component has all external reference types possible"
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_VCS
+ url: "http://example.com/extref/vcs"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER
+ url: "http://example.com/extref/issue-tracker"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_WEBSITE
+ url: "http://example.com/extref/website"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_ADVISORIES
+ url: "http://example.com/extref/advisories"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_BOM
+ url: "http://example.com/extref/bom"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_MAILING_LIST
+ url: "http://example.com/extref/mailing-list"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_SOCIAL
+ url: "http://example.com/extref/social"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_CHAT
+ url: "http://example.com/extref/chat"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION
+ url: "http://example.com/extref/documentation"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_SUPPORT
+ url: "http://example.com/extref/support"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION
+ url: "http://example.com/extref/source-distribution"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION
+ url: "http://example.com/extref/distribution"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE
+ url: "http://example.com/extref/distribution-intake"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_LICENSE
+ url: "http://example.com/extref/license"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_BUILD_META
+ url: "http://example.com/extref/build-meta"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM
+ url: "http://example.com/extref/build-system"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES
+ url: "http://example.com/extref/release-notes"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT
+ url: "http://example.com/extref/security-contact"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_MODEL_CARD
+ url: "http://example.com/extref/model-card"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_LOG
+ url: "http://example.com/extref/log"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_CONFIGURATION
+ url: "http://example.com/extref/configuration"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_EVIDENCE
+ url: "http://example.com/extref/evidence"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_FORMULATION
+ url: "http://example.com/extref/formulation"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_ATTESTATION
+ url: "http://example.com/extref/attestation"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_THREAT_MODEL
+ url: "http://example.com/extref/threat-model"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL
+ url: "http://example.com/extref/adversary-model"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT
+ url: "http://example.com/extref/risk-assessment"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION
+ url: "http://example.com/extref/vulnerability-assertion"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT
+ url: "http://example.com/extref/exploitability-statement"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT
+ url: "http://example.com/extref/pentest-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT
+ url: "http://example.com/extref/static-analysis-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT
+ url: "http://example.com/extref/dynamic-analysis-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT
+ url: "http://example.com/extref/runtime-analysis-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT
+ url: "http://example.com/extref/component-analysis-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT
+ url: "http://example.com/extref/maturity-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT
+ url: "http://example.com/extref/certification-report"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS
+ url: "http://example.com/extref/quality-metrics"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE
+ url: "http://example.com/extref/codified-infrastructure"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_POAM
+ url: "http://example.com/extref/poam"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE
+ url: "http://example.com/extref/electronic-signature"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE
+ url: "http://example.com/extref/digital-signature"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_RFC_9116
+ url: "http://example.com/extref/rfc-9116"
+ }
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_OTHER
+ url: "http://example.com/extref/other"
+ }
+}
diff --git a/tools/src/test/resources/1.6/valid-external-reference-1.6.xml b/tools/src/test/resources/1.6/valid-external-reference-1.6.xml
index 21810f3c..f30782f7 100644
--- a/tools/src/test/resources/1.6/valid-external-reference-1.6.xml
+++ b/tools/src/test/resources/1.6/valid-external-reference-1.6.xml
@@ -23,5 +23,54 @@
+
+ dummy
+ this component has all external reference types possible
+
+ http://example.com/extref/vcs
+ http://example.com/extref/issue-tracker
+ http://example.com/extref/website
+ http://example.com/extref/advisories
+ http://example.com/extref/bom
+ http://example.com/extref/mailing-list
+ http://example.com/extref/social
+ http://example.com/extref/chat
+ http://example.com/extref/documentation
+ http://example.com/extref/support
+ http://example.com/extref/source-distribution
+ http://example.com/extref/distribution
+ http://example.com/extref/distribution-intake
+ http://example.com/extref/license
+ http://example.com/extref/build-meta
+ http://example.com/extref/build-system
+ http://example.com/extref/release-notes
+ http://example.com/extref/security-contact
+ http://example.com/extref/model-card
+ http://example.com/extref/log
+ http://example.com/extref/configuration
+ http://example.com/extref/evidence
+ http://example.com/extref/formulation
+ http://example.com/extref/attestation
+ http://example.com/extref/threat-model
+ http://example.com/extref/adversary-model
+ http://example.com/extref/risk-assessment
+ http://example.com/extref/vulnerability-assertion
+ http://example.com/extref/exploitability-statement
+ http://example.com/extref/pentest-report
+ http://example.com/extref/static-analysis-report
+ http://example.com/extref/dynamic-analysis-report
+ http://example.com/extref/runtime-analysis-report
+ http://example.com/extref/component-analysis-report
+ http://example.com/extref/maturity-report
+ http://example.com/extref/certification-report
+ http://example.com/extref/quality-metrics
+ http://example.com/extref/codified-infrastructure
+ http://example.com/extref/poam
+ http://example.com/extref/electronic-signature
+ http://example.com/extref/digital-signature
+ http://example.com/extref/rfc-9116
+ http://example.com/extref/other
+
+
diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.json b/tools/src/test/resources/1.6/valid-release-notes-1.6.json
index 48b1215a..46c5a7c3 100644
--- a/tools/src/test/resources/1.6/valid-release-notes-1.6.json
+++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.json
@@ -9,6 +9,12 @@
"type": "library",
"name": "acme-example",
"version": "1.0.0",
+ "externalReferences": [
+ {
+ "type": "release-notes",
+ "url": "https://example.com/releases/1.0.0"
+ }
+ ],
"releaseNotes": {
"type": "major",
"title": "My new release",
diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto b/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto
index 2336c299..e39791f9 100644
--- a/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto
+++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.textproto
@@ -8,6 +8,10 @@ components {
type: CLASSIFICATION_LIBRARY
name: "acme-example"
version: "1.0.0"
+ external_references {
+ type: EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES
+ url: "https://example.com/releases/1.0.0"
+ }
releaseNotes: {
type: "major"
title: "My new release"
diff --git a/tools/src/test/resources/1.6/valid-release-notes-1.6.xml b/tools/src/test/resources/1.6/valid-release-notes-1.6.xml
index f7ce16b0..b25986bc 100644
--- a/tools/src/test/resources/1.6/valid-release-notes-1.6.xml
+++ b/tools/src/test/resources/1.6/valid-release-notes-1.6.xml
@@ -4,6 +4,11 @@
acme-example
1.0.0
+
+
+ https://example.com/releases/1.0.0
+
+
major
My new release