CycloneDX · stevespringett · Jan 26, 2024 · Jan 26, 2024 · prabhu · Jan 26, 2024
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
@@ -171,16 +171,12 @@ enum DataFlowDirection {
 }
 
 message Dependency {
-  enum DependencyType {
-    DEPENDENCY_TYPE_IMPLEMENTS = 0;
-    DEPENDENCY_TYPE_USES = 1;
-  }
   // References a component or service by the its bom-ref attribute
   string ref = 1;
   // The bom-ref identifiers of the components or services that are dependencies of this dependency object.
   repeated Dependency dependencies = 2;
-  // Defines and characterizes the type of dependency
-  optional DependencyType type = 3;
+  // The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.
+  repeated string provides = 3;
 }
 
 message Diff {

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -1766,11 +1766,14 @@
           "title": "Depends On",
           "description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
         },
-        "type": {
-          "type": "string",
-          "title": "Dependency Type",
-          "description": "Defines and characterizes the type of dependency",
-          "$ref": "#/definitions/dependencyType"
+        "provides": {
+          "type": "array",
+          "uniqueItems": true,
+          "items": {
+            "$ref": "#/definitions/refLinkType"
+          },
+          "title": "Provides",
+          "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."
         }
       }
     },
@@ -4601,20 +4604,6 @@
       "title": "Signature",
       "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
     },
-    "dependencyType": {
-      "type": "string",
-      "title": "Dependency Type",
-      "enum": [
-        "implements",
-        "uses"
-      ],
-      "meta:enum": {
-        "implements": "Refers to a component or service that fulfills the requirements of a given specification or standard. For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.",
-        "uses": "Refers to a component or service that relies on another component or service, either explicitly via function calls or via configuration at run time."
-      },
-      "default": "uses",
-      "description": "An optional field that describes the type of dependency."
-    },
     "cryptoProperties": {
       "type": "object",
       "title": "Cryptographic Properties",

diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -1851,18 +1851,32 @@ limitations under the License.
 
     <xs:complexType name="dependencyType">
         <xs:sequence minOccurs="0" maxOccurs="unbounded">
-            <xs:element name="dependency" type="bom:dependencyType"/>
+            <xs:element name="dependency" type="bom:dependencyType" minOccurs="0">
+                <xs:annotation>
+                    <xs:documentation>The component or service that is a dependency of this dependency object.</xs:documentation>
+                </xs:annotation>
+            </xs:element>
+            <xs:element name="provides" minOccurs="0">
+                <xs:annotation>
+                    <xs:documentation>
+                        The component or service that define a given specification or standard, which is provided or implemented by this dependency object.
+                        For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.
+                    </xs:documentation>
+                </xs:annotation>
+                <xs:complexType>
+                    <xs:attribute name="ref" type="bom:refLinkType" use="required">
+                        <xs:annotation>
+                            <xs:documentation>References a component or service by its bom-ref attribute</xs:documentation>
+                        </xs:annotation>
+                    </xs:attribute>
+                </xs:complexType>
+            </xs:element>
         </xs:sequence>
         <xs:attribute name="ref" type="bom:refLinkType" use="required">
             <xs:annotation>
                 <xs:documentation>References a component or service by its bom-ref attribute</xs:documentation>
             </xs:annotation>
         </xs:attribute>
-        <xs:attribute name="type" type="bom:dependencyUsageType" default="uses" use="optional">
-            <xs:annotation>
-                <xs:documentation>An optional field that describes the type of dependency.</xs:documentation>
-            </xs:annotation>
-        </xs:attribute>
         <xs:anyAttribute namespace="##other" processContents="lax">
             <xs:annotation>
                 <xs:documentation>User-defined attributes may be used on this element as long as they
@@ -1871,28 +1885,6 @@ limitations under the License.
         </xs:anyAttribute>
     </xs:complexType>
 
-    <xs:simpleType name="dependencyUsageType">
-        <xs:restriction base="xs:string">
-            <xs:enumeration value="implements">
-                <xs:annotation>
-                    <xs:documentation>
-                        Refers to a component or service that fulfills the requirements of a given specification or
-                        standard. For example, a cryptographic library which implements a cryptographic algorithm.
-                        A component which implements another component does not imply that the implementation is in use.
-                    </xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-            <xs:enumeration value="uses">
-                <xs:annotation>
-                    <xs:documentation>
-                        Refers to a component or service that relies on another component or service, either explicitly
-                        via function calls or via configuration at run time.
-                    </xs:documentation>
-                </xs:annotation>
-            </xs:enumeration>
-        </xs:restriction>
-    </xs:simpleType>
-
     <xs:complexType name="dependenciesType">
         <xs:sequence minOccurs="0" maxOccurs="unbounded">
             <xs:element name="dependency" type="bom:dependencyType">

diff --git a/...resources/1.6/valid-cryptography-1.6.json → ...alid-cryptography-implementation-1.6.json b/...resources/1.6/valid-cryptography-1.6.json → ...alid-cryptography-implementation-1.6.json
@@ -37,18 +37,23 @@
       "bom-ref": "crypto-library",
       "name": "Crypto library",
       "version": "1.0.0"
+    },
+    {
+      "type": "library",
+      "bom-ref": "some-library",
+      "name": "Some library",
+      "version": "1.0.0"
     }
   ],
   "dependencies": [
     {
       "ref": "acme-application",
-      "type": "uses",
       "dependsOn": ["crypto-library"]
     },
     {
       "ref": "crypto-library",
-      "type": "implements",
-      "dependsOn": ["aes128gcm"]
+      "provides": ["aes128gcm"],
+      "dependsOn": ["some-library"]
     }
   ]
 }
diff --git a/...rces/1.6/valid-cryptography-1.6.textproto → ...cryptography-implementation-1.6.textproto b/...rces/1.6/valid-cryptography-1.6.textproto → ...cryptography-implementation-1.6.textproto
@@ -1,3 +1,6 @@
+# proto-file: schema/bom-1.6.proto
+# proto-message: 
+
 spec_version: "1.6"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
@@ -40,21 +43,26 @@ components: [
     bom_ref: "crypto-library"
     name: "Crypto library"
     version: "1.0.0"
+  },
+  {
+    type: CLASSIFICATION_LIBRARY
+    bom_ref: "some-library"
+    name: "Some library"
+    version: "1.0.0"
   }
 ],
 dependencies: [
   {
     ref: "acme-application"
-    type: DEPENDENCY_TYPE_USES
     dependencies {
       ref: "crypto-library"
     }
   },
   {
     ref: "crypto-library"
-    type: DEPENDENCY_TYPE_IMPLEMENTS
+    provides: [ "aes128gcm" ]
     dependencies {
-      ref: "aes128gcm"
+      ref: "some-library"
     }
   }
 ]
diff --git a/.../resources/1.6/valid-cryptography-1.6.xml → ...valid-cryptography-implementation-1.6.xml b/.../resources/1.6/valid-cryptography-1.6.xml → ...valid-cryptography-implementation-1.6.xml
@@ -34,13 +34,18 @@
             <name>Crypto Library</name>
             <version>1.0.0</version>
         </component>
+        <component type="library" bom-ref="some-library">
+            <name>Some Library</name>
+            <version>1.0.0</version>
+        </component>
     </components>
     <dependencies>
-        <dependency ref="acme-application" type="uses">
+        <dependency ref="acme-application">
             <dependency ref="crypto-library"/>
         </dependency>
-        <dependency ref="crypto-library" type="implements">
-            <dependency ref="aes128gcm"/>
+        <dependency ref="crypto-library">
+            <provides ref="aes128gcm"/>
+            <dependency ref="some-library"/>
         </dependency>
     </dependencies>
 </bom>