diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 2f1aaf0d..488f5315 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -514,6 +514,8 @@ message Metadata {
repeated Lifecycles lifecycles = 9;
// The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
optional OrganizationalEntity manufacturer = 10;
+ // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
+ optional TlpClassification distribution = 11;
}
message Lifecycles {
@@ -675,6 +677,22 @@ message Swid {
optional string url = 7;
}
+// Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
+//The default classification is "CLEAR"
+enum TlpClassification {
+ // The information is not subject to any restrictions as regards the sharing.
+ // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "CLEAR" is our fallback, the default.
+ TLP_CLASSIFICATION_CLEAR = 0;
+ // The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
+ TLP_CLASSIFICATION_GREEN = 1;
+ // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
+ TLP_CLASSIFICATION_AMBER = 2;
+ // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
+ TLP_CLASSIFICATION_AMBER_AND_STRICT = 3;
+ // The information is subject to restricted distribution to individual recipients only and must not be shared.
+ TLP_CLASSIFICATION_RED = 4;
+}
+
// Specifies a tool (manual or automated).
message Tool {
// DEPRECATED - DO NOT USE - The vendor of the tool used to create the BOM.
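Review bot: The zero value `TLP_CLASSIFICATION_CLEAR` at L21 carries the least-restrictive meaning, so any reader that falls back to the enum default — after a lossy format conversion, or in a runtime that maps an unrecognized value to the default — silently downgrades a restricted BOM to "no restrictions"; the buf suppression at L20 records that the choice is deliberate, but nothing in the enum comment tells consumers how to handle that case. Because the Metadata field is `optional`, an unset distribution stays distinguishable from an explicit CLEAR, so the exposure appears limited to unknown or future values; suggest making that explicit in the enum comment, e.g. `// The default classification is "CLEAR". A reader that encounters an unrecognized value should not fall back to CLEAR; treat the data as restricted until the marking is resolved.` The existing line at L17 also lacks the space after `//` that every other comment in the hunk has.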
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index e1dd5b1d..4dad0ca0 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -712,9 +712,34 @@
"title": "Properties",
"description": "Provides the ability to document properties in a name-value store. This provides flexibility to include data not officially supported in the standard without having to use additional namespaces or create extensions. Unlike key-value stores, properties support duplicate names, each potentially having different values. Property names of interest to the general public are encouraged to be registered in the [CycloneDX Property Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy). Formal registration is optional.",
"items": {"$ref": "#/definitions/property"}
+ },
+ "distribution": {
+ "title": "Distribution",
+ "description": "The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.",
+ "$ref": "#/definitions/tlpClassification"
}
}
},
+ "tlpClassification": {
+ "title": "Traffic Light Protocol (TLP) Classification",
+ "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
+ "type" : "string",
+ "default": "CLEAR",
+ "enum": [
+ "CLEAR",
+ "GREEN",
+ "AMBER",
+ "AMBER_AND_STRICT",
+ "RED"
+ ],
+ "meta:enum": {
+ "CLEAR": "The information is not subject to any restrictions as regards the sharing.",
+ "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
+ "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
+ "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
+ "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared."
+ }
+ },
"tool": {
"type": "object",
"title": "Tool",
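Review bot: `"type" : "string"` at L54 has a space before the colon, unlike every other `"type"` key in this file (`"type": "object"` at L72); `"type": "string"` keeps the definition consistent for formatters and future diffs. Note also that `"default": "CLEAR"` at L55 is an annotation only — JSON Schema validators do not inject it — so a BOM without `distribution` validates with the property absent, and the "default classification" named in the description is a convention each consumer has to apply itself, which matches the proto field being `optional` rather than implying CLEAR on the wire.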
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index 594d2bfb..51ee9732 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -256,6 +256,12 @@ limitations under the License.
Formal registration is optional.
+
+
+ The Traffic Light Protocol (TLP) classification that controls the sharing and distribution
+ of the data that the BOM describes.
+
+
@@ -390,6 +396,52 @@ limitations under the License.
+
+
+
+ Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
+ The default classification is "CLEAR"
+
+
+
+
+
+
+ The information is not subject to any restrictions as regards the sharing.
+
+
+
+
+
+
+ The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
+
+
+
+
+
+
+ The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
+
+
+
+
+
+
+ The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
+
+
+
+
+
+
+ The information is subject to restricted distribution to individual recipients only and must not be shared.
+
+
+
+
+
+
Information about the automated or manual tool used
diff --git a/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json
new file mode 100644
index 00000000..0506bd53
--- /dev/null
+++ b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "distribution": "Unrestricted"
+ },
+ "components": []
+}
diff --git a/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml
new file mode 100644
index 00000000..89543039
--- /dev/null
+++ b/tools/src/test/resources/1.7/invalid-metadata-distribution-1.7.xml
@@ -0,0 +1,7 @@
+
+
+
+ Unrestricted
+
+
+
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
new file mode 100644
index 00000000..54411553
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "distribution": "RED"
+ },
+ "components": []
+}
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
new file mode 100644
index 00000000..e32c0456
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto
@@ -0,0 +1,9 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata {
+ distribution: TLP_CLASSIFICATION_RED
+}
diff --git a/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
new file mode 100644
index 00000000..3666b382
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml
@@ -0,0 +1,7 @@
+
+
+
+ RED
+
+
+