CycloneDX · jkowalleck · Nov 7, 2024 · Nov 3, 2024 · Nov 6, 2024 · Nov 6, 2024
@@ -297,6 +297,8 @@ enum ExternalReferenceType {
   EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE = 40;
   // Document that complies with RFC-9116 (A File Format to Aid in Security Vulnerability Disclosure)
   EXTERNAL_REFERENCE_TYPE_RFC_9116 = 41;
+  // Reference to release notes
+  EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES = 42;
 }
 
 enum HashAlg {

@@ -34,6 +34,185 @@
           "comment": "Vendor provided documentation for the product"
         }
       ]
+    },
+    {
+      "type": "application",
+      "name": "dummy",
+      "description": "this component has all external reference types possible",
+      "externalReferences": [
+        {
+          "type": "vcs",
+          "url": "http://example.com/extref/vcs"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "http://example.com/extref/issue-tracker"
+        },
+        {
+          "type": "website",
+          "url": "http://example.com/extref/website"
+        },
+        {
+          "type": "advisories",
+          "url": "http://example.com/extref/advisories"
+        },
+        {
+          "type": "bom",
+          "url": "http://example.com/extref/bom"
+        },
+        {
+          "type": "mailing-list",
+          "url": "http://example.com/extref/mailing-list"
+        },
+        {
+          "type": "social",
+          "url": "http://example.com/extref/social"
+        },
+        {
+          "type": "chat",
+          "url": "http://example.com/extref/chat"
+        },
+        {
+          "type": "documentation",
+          "url": "http://example.com/extref/documentation"
+        },
+        {
+          "type": "support",
+          "url": "http://example.com/extref/support"
+        },
+        {
+          "type": "source-distribution",
+          "url": "http://example.com/extref/source-distribution"
+        },
+        {
+          "type": "distribution",
+          "url": "http://example.com/extref/distribution"
+        },
+        {
+          "type": "distribution-intake",
+          "url": "http://example.com/extref/distribution-intake"
+        },
+        {
+          "type": "license",
+          "url": "http://example.com/extref/license"
+        },
+        {
+          "type": "build-meta",
+          "url": "http://example.com/extref/build-meta"
+        },
+        {
+          "type": "build-system",
+          "url": "http://example.com/extref/build-system"
+        },
+        {
+          "type": "release-notes",
+          "url": "http://example.com/extref/release-notes"
+        },
+        {
+          "type": "security-contact",
+          "url": "http://example.com/extref/security-contact"
+        },
+        {
+          "type": "model-card",
+          "url": "http://example.com/extref/model-card"
+        },
+        {
+          "type": "log",
+          "url": "http://example.com/extref/log"
+        },
+        {
+          "type": "configuration",
+          "url": "http://example.com/extref/configuration"
+        },
+        {
+          "type": "evidence",
+          "url": "http://example.com/extref/evidence"
+        },
+        {
+          "type": "formulation",
+          "url": "http://example.com/extref/formulation"
+        },
+        {
+          "type": "attestation",
+          "url": "http://example.com/extref/attestation"
+        },
+        {
+          "type": "threat-model",
+          "url": "http://example.com/extref/threat-model"
+        },
+        {
+          "type": "adversary-model",
+          "url": "http://example.com/extref/adversary-model"
+        },
+        {
+          "type": "risk-assessment",
+          "url": "http://example.com/extref/risk-assessment"
+        },
+        {
+          "type": "vulnerability-assertion",
+          "url": "http://example.com/extref/vulnerability-assertion"
+        },
+        {
+          "type": "exploitability-statement",
+          "url": "http://example.com/extref/exploitability-statement"
+        },
+        {
+          "type": "pentest-report",
+          "url": "http://example.com/extref/pentest-report"
+        },
+        {
+          "type": "static-analysis-report",
+          "url": "http://example.com/extref/static-analysis-report"
+        },
+        {
+          "type": "dynamic-analysis-report",
+          "url": "http://example.com/extref/dynamic-analysis-report"
+        },
+        {
+          "type": "runtime-analysis-report",
+          "url": "http://example.com/extref/runtime-analysis-report"
+        },
+        {
+          "type": "component-analysis-report",
+          "url": "http://example.com/extref/component-analysis-report"
+        },
+        {
+          "type": "maturity-report",
+          "url": "http://example.com/extref/maturity-report"
+        },
+        {
+          "type": "certification-report",
+          "url": "http://example.com/extref/certification-report"
+        },
+        {
+          "type": "quality-metrics",
+          "url": "http://example.com/extref/quality-metrics"
+        },
+        {
+          "type": "codified-infrastructure",
+          "url": "http://example.com/extref/codified-infrastructure"
+        },
+        {
+          "type": "poam",
+          "url": "http://example.com/extref/poam"
+        },
+        {
+          "type": "electronic-signature",
+          "url": "http://example.com/extref/electronic-signature"
+        },
+        {
+          "type": "digital-signature",
+          "url": "http://example.com/extref/digital-signature"
+        },
+        {
+          "type": "rfc-9116",
+          "url": "http://example.com/extref/rfc-9116"
+        },
+        {
+          "type": "other",
+          "url": "http://example.com/extref/other"
+        }
+      ]
     }
   ]
 }
@@ -30,3 +30,180 @@ components {
     comment: "Vendor provided documentation for the product"
   }
 }
+components {
+  type: CLASSIFICATION_APPLICATION
+  name: "dummy"
+  description: "this component has all external reference types possible"
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_VCS
+    url: "http://example.com/extref/vcs"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_ISSUE_TRACKER
+    url: "http://example.com/extref/issue-tracker"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_WEBSITE
+    url: "http://example.com/extref/website"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_ADVISORIES
+    url: "http://example.com/extref/advisories"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_BOM
+    url: "http://example.com/extref/bom"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_MAILING_LIST
+    url: "http://example.com/extref/mailing-list"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_SOCIAL
+    url: "http://example.com/extref/social"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_CHAT
+    url: "http://example.com/extref/chat"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_DOCUMENTATION
+    url: "http://example.com/extref/documentation"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_SUPPORT
+    url: "http://example.com/extref/support"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_SOURCE_DISTRIBUTION
+    url: "http://example.com/extref/source-distribution"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION
+    url: "http://example.com/extref/distribution"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_DISTRIBUTION_INTAKE
+    url: "http://example.com/extref/distribution-intake"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_LICENSE
+    url: "http://example.com/extref/license"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_BUILD_META
+    url: "http://example.com/extref/build-meta"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_BUILD_SYSTEM
+    url: "http://example.com/extref/build-system"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_RELEASE_NOTES
+    url: "http://example.com/extref/release-notes"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_SECURITY_CONTACT
+    url: "http://example.com/extref/security-contact"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_MODEL_CARD
+    url: "http://example.com/extref/model-card"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_LOG
+    url: "http://example.com/extref/log"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_CONFIGURATION
+    url: "http://example.com/extref/configuration"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_EVIDENCE
+    url: "http://example.com/extref/evidence"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_FORMULATION
+    url: "http://example.com/extref/formulation"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_ATTESTATION
+    url: "http://example.com/extref/attestation"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_THREAT_MODEL
+    url: "http://example.com/extref/threat-model"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_ADVERSARY_MODEL
+    url: "http://example.com/extref/adversary-model"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_RISK_ASSESSMENT
+    url: "http://example.com/extref/risk-assessment"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_VULNERABILITY_ASSERTION
+    url: "http://example.com/extref/vulnerability-assertion"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_EXPLOITABILITY_STATEMENT
+    url: "http://example.com/extref/exploitability-statement"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_PENTEST_REPORT
+    url: "http://example.com/extref/pentest-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_STATIC_ANALYSIS_REPORT
+    url: "http://example.com/extref/static-analysis-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_DYNAMIC_ANALYSIS_REPORT
+    url: "http://example.com/extref/dynamic-analysis-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_RUNTIME_ANALYSIS_REPORT
+    url: "http://example.com/extref/runtime-analysis-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_COMPONENT_ANALYSIS_REPORT
+    url: "http://example.com/extref/component-analysis-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_MATURITY_REPORT
+    url: "http://example.com/extref/maturity-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_CERTIFICATION_REPORT
+    url: "http://example.com/extref/certification-report"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_QUALITY_METRICS
+    url: "http://example.com/extref/quality-metrics"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_CODIFIED_INFRASTRUCTURE
+    url: "http://example.com/extref/codified-infrastructure"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_POAM
+    url: "http://example.com/extref/poam"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_ELECTRONIC_SIGNATURE
+    url: "http://example.com/extref/electronic-signature"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_DIGITAL_SIGNATURE
+    url: "http://example.com/extref/digital-signature"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_RFC_9116
+    url: "http://example.com/extref/rfc-9116"
+  }
+  external_references {
+    type: EXTERNAL_REFERENCE_TYPE_OTHER
+    url: "http://example.com/extref/other"
+  }  
+}