Add support for redaction to compositions

Signed-off-by: Steve Springett <[email protected]>
CycloneDX · Mar 23, 2024 · d329585 · d329585
1 parent a0e58b1
commit d329585
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 29 deletions.
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
@@ -652,24 +652,26 @@ enum Aggregate {
   // The relationship completeness is not specified.
   // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `not specified` is our fallback, doubling `unspecified`
   AGGREGATE_NOT_SPECIFIED = 0;
-  // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.
+  // The information is complete. No further relationships including constituent components, services, or dependencies are known to exist.
   AGGREGATE_COMPLETE = 1;
-  // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.
+  // The information is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.
   AGGREGATE_INCOMPLETE = 2;
-  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.
+  // The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
-  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.
+  // The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
-  // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.
+  // The information may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.
   AGGREGATE_UNKNOWN = 5;
-  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  // The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
   AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6;
-  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  // The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
   AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7;
-  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  // The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
   AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8;
-  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  // The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
   AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9;
+  // The information has been redacted.
+  AGGREGATE_REDACTED = 10;
 }
 
 message Composition {

diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -2237,20 +2237,22 @@
         "incomplete_third_party_only",
         "incomplete_third_party_proprietary_only",
         "incomplete_third_party_opensource_only",
+        "redacted",
         "unknown",
         "not_specified"
       ],
       "meta:enum": {
-        "complete": "The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.",
-        "incomplete": "The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.",
-        "incomplete_first_party_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.",
-        "incomplete_first_party_proprietary_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.",
-        "incomplete_first_party_opensource_only": "The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.",
-        "incomplete_third_party_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.",
-        "incomplete_third_party_proprietary_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.",
-        "incomplete_third_party_opensource_only": "The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.",
-        "unknown": "The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.",
-        "not_specified": "The relationship completeness is not specified."
+        "complete": "The information is complete. No further relationships including constituent components, services, or dependencies are known to exist.",
+        "incomplete": "The information is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.",
+        "incomplete_first_party_only": "The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented.",
+        "incomplete_first_party_proprietary_only": "The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.",
+        "incomplete_first_party_opensource_only": "The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.",
+        "incomplete_third_party_only": "The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented.",
+        "incomplete_third_party_proprietary_only": "The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.",
+        "incomplete_third_party_opensource_only": "The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.",
+        "redacted": "The information has been redacted.",
+        "unknown": "The information may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.",
+        "not_specified": "The information completeness is not specified."
       }
     },
     "property": {

diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -2646,52 +2646,57 @@ limitations under the License.
         <xs:restriction base="xs:string">
             <xs:enumeration value="complete">
                 <xs:annotation>
-                    <xs:documentation>The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.</xs:documentation>
+                    <xs:documentation>The information is complete. No further relationships including constituent components, services, or dependencies are known to exist.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Only relationships for first-party components, services, or their dependencies are represented.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_proprietary_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_first_party_opensource_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_proprietary_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_opensource_only">
                 <xs:annotation>
-                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                    <xs:documentation>The information is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="redacted">
+                <xs:annotation>
+                    <xs:documentation>The information has been redacted.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="unknown">
                 <xs:annotation>
-                    <xs:documentation>The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.</xs:documentation>
+                    <xs:documentation>The information may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="not_specified">
                 <xs:annotation>
-                    <xs:documentation>The relationship completeness is not specified.</xs:documentation>
+                    <xs:documentation>The information completeness is not specified.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
         </xs:restriction>