diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json index b7d540e0..e5c085d7 100644 --- a/schema/2.0/model/cyclonedx-component-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json @@ -264,6 +264,9 @@ "$ref": "cyclonedx-cryptography-2.0.schema.json#/$defs/cryptoProperties", "title": "Cryptographic Properties" }, + "agility": { + "$ref": "#/$defs/agility" + }, "tags": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags", "title": "Tags" @@ -733,6 +736,67 @@ "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataGovernance" } } + }, + "agility": { + "type": "object", + "title": "Agility", + "description": "Properties describing how this component's configuration was determined and how a change to it can be applied. These properties support change management and, for cryptographic assets, cryptographic-agility.", + "additionalProperties": false, + "properties": { + "configurationSource": { + "type": "string", + "title": "Configuration Source", + "description": "Describes how this component's configuration was determined, ordered from least to most agile.", + "enum": [ + "hardcoded", + "product-default", + "administrator-configured", + "policy-managed", + "negotiated", + "other", + "unknown" + ], + "meta:enum": { + "hardcoded": "The configuration is fixed in code or firmware and is not intended to be changed.", + "product-default": "The configuration is inherited from product or vendor defaults and can typically be overridden.", + "administrator-configured": "The configuration is explicitly set by an administrator through external configuration.", + "policy-managed": "The configuration is determined by a policy or governance engine.", + "negotiated": "The configuration is agreed at runtime with a peer, such as during a protocol handshake.", + "other": "Another configuration source applies.", + "unknown": "The configuration source is not known." + } + }, + "configurationRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType", + "title": "Configuration Reference", + "description": "The bom-ref of the configuration that determines this component's configuration. Typically points to a component of type 'data' whose data type is 'configuration'." + }, + "changeMechanism": { + "type": "string", + "title": "Change Mechanism", + "description": "Describes how a change to this component's configuration is applied, ordered from least to most agile.", + "enum": [ + "not-possible", + "hardware-replacement", + "firmware-update", + "software-update", + "restart-required", + "runtime-config", + "other", + "unknown" + ], + "meta:enum": { + "not-possible": "The configuration cannot be changed through any supported means.", + "hardware-replacement": "The change requires replacing or adding hardware.", + "firmware-update": "The change requires a firmware update.", + "software-update": "The change requires a software or package update.", + "restart-required": "The change can be applied through configuration but requires restarting software or service processes.", + "runtime-config": "The change can be applied at runtime without a restart.", + "other": "Another change mechanism applies.", + "unknown": "The change mechanism is not known." + } + } + } } } } diff --git a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json index 4792c4ed..1a824c5a 100644 --- a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json @@ -521,6 +521,11 @@ "title": "Destruction Date", "description": "The date and time (timestamp) when the certificate was destroyed." }, + "renewal": { + "$ref": "#/$defs/lifecycleControl", + "title": "Certificate Renewal", + "description": "How this certificate is renewed or re-enrolled." + }, "certificateExtensions": { "type": "array", "title": "Certificate Extensions", @@ -673,6 +678,11 @@ "destroyed" ] }, + "rotation": { + "$ref": "#/$defs/lifecycleControl", + "title": "Key Rotation", + "description": "How this cryptographic material is rotated under the same algorithm." + }, "creationDate": { "type": "string", "format": "date-time", @@ -1088,6 +1098,50 @@ "unknown": "The cryptographic function is not known." } }, + "lifecycleControl": { + "type": "object", + "title": "Lifecycle Control", + "description": "How a cryptographic lifecycle operation, such as key rotation or certificate renewal, is performed.", + "additionalProperties": false, + "properties": { + "automation": { + "type": "string", + "title": "Automation", + "description": "The degree of automation with which the operation is performed, ordered from least to most agile.", + "enum": [ + "not-supported", + "manual", + "on-demand", + "automatic", + "other", + "unknown" + ], + "meta:enum": { + "not-supported": "The operation is not supported.", + "manual": "The operation is initiated and executed manually.", + "on-demand": "The operation can be triggered on demand, for example through an API call.", + "automatic": "The operation is performed automatically based on policy or schedule.", + "other": "Another mechanism applies.", + "unknown": "The mechanism is not known." + } + }, + "mechanism": { + "type": "string", + "title": "Lifecycle Mechanism", + "description": "The protocol, system, or interface used to perform the operation, such as the ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894), CMP (RFC 4210), or CMC (RFC 5272) certificate protocols, or KMIP, PKCS#11, and cloud key-management services for key rotation.", + "examples": [ + "ACME", + "EST", + "SCEP", + "CMP", + "CMC", + "KMIP", + "PKCS#11", + "HashiCorp Vault Transit" + ] + } + } + }, "relatedCryptographicAssets": { "type": "array", "title": "Related Cryptographic Assets",