diff --git a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json index 2b01b3fd..6543af3b 100644 --- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json @@ -46,6 +46,20 @@ }, "description": "The assets (components, services, data, actors) included in the model" }, + "dataStores": { + "type": "array", + "items": { + "$ref": "#/$defs/dataStore" + }, + "description": "Structured description of data stores used in the model" + }, + "dataSets": { + "type": "array", + "items": { + "$ref": "#/$defs/dataSet" + }, + "description": "Datasets handled by the system, including placements and sensitivity" + }, "zones": { "type": "array", "items": { @@ -67,6 +81,13 @@ }, "description": "Data, control, or process flows between assets" }, + "actors": { + "type": "array", + "items": { + "$ref": "#/$defs/actor" + }, + "description": "Human or system actors involved in the model, distinct from assets" + }, "assumptions": { "type": "array", "items": { 
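Review bot: The new root `dataStores` and `dataSets` arrays coexist with an asset type enum that still carries `dataStore` and `data` (the -535 hunk of this same file keeps both values), so a database can now be modelled either as an asset or as a `dataStores` entry and nothing says which one zones, flows and threats should reference. A sentence in each array's description fixing the relationship would remove the ambiguity, e.g. `"description": "Structured description of data stores used in the model; an asset of type dataStore should reference its entry by bom-ref"`. Both arrays would also benefit from `"uniqueItems": true`, since duplicate entries make bom-ref resolution ambiguous.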
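Review bot: `actors` is described as "distinct from assets", yet the asset type enum retains `"actor": "User, system, or external entity"` and the threat schema's new `abuseCase.abuser` points at a threat actor, so three notions of actor now coexist without a stated relationship. Consumers doing least-privilege or trust-boundary analysis need to know whether an `actors` entry and an asset of type `actor` can describe the same principal, and which one a flow's source should reference. Suggest stating this in the description, e.g. `"description": "Human or system actors involved in the model; use these entries (not assets of type actor) as flow endpoints and abuse-case abusers"`, and adding `"uniqueItems": true`.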
@@ -74,6 +95,49 @@ }, "description": "Assumptions made during the modeling process" }, + "actor": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for the actor" + }, + "name": { + "type": "string", + "description": "Name or title of the actor" + }, + "description": { + "type": "string", + "description": "Narrative describing the actor's role and context" + }, + "type": { + "type": "string", + "enum": ["user", "engineer", "administrator", "operator", "system", "external"], + "description": "Classification of the actor", + "meta:enum": { + "user": "End user of a client application or service", + "engineer": "Developer or platform/DevOps engineer", + "administrator": "Administrative or privileged operator", + "operator": "Operational staff running the system", + "system": "Automated system actor or service account", + "external": "Third-party or external entity" + } + }, + "permissions": { + "type": "string", + "description": "Key permissions, capabilities, or duties the actor holds" + }, + "trustZone": { + "$ref": "#/$defs/trustZoneRef", + "description": "Reference to the trust zone where the actor resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "visualizations": { "type": "array", "items": { @@ -321,6 +385,7 @@ "compliance", "risk", "stakeholder", + "design-review", "custom" ], "meta:enum": { @@ -535,7 +600,7 @@ "component": "Software component or application", "service": "Service or microservice", "dataStore": "Database, file system, or data repository", - "data": "Data asset or dataset", + "data": "Dataset", "actor": "User, system, or external entity", "process": "Business or system process", "infrastructure": "Infrastructure component", 
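Review bot: The `actor` definition is inserted between the `assumptions` and `visualizations` entries, which are siblings in the root `properties` map, not in `$defs`, so `#/$defs/actor` (used by the new `actors` array) will not resolve and `actor` becomes an accepted top-level key of the model object. Unless this region of the file is in fact inside `$defs` (the context lines and the old line number, 74, suggest otherwise), the block should move next to the other definitions such as `dataStore`. The `permissions` field is also a single free-text string; since it is the only place the model records what an actor is allowed to do, an array of strings (`"type": "array", "items": { "type": "string" }`) would make it possible to compare actors' privileges mechanically.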
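Review bot: `design-review` is added to the enum but this hunk shows no matching `meta:enum` entry, and none appears elsewhere in the diff, so the value is undocumented while every other value in the list has a description. If it is not added in an unseen hunk, add `"design-review": "Security or architecture design review of the modelled system"` alongside the existing entries.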
@@ -616,8 +681,8 @@ "description": "Authentication methods supported/required" }, "authorization": { - "$ref": "#/$defs/authorizationType", - "description": "Authorization model used" + "$ref": "#/$defs/accessControlType", + "description": "Access control model used" }, "encryption": { "$ref": "#/$defs/encryptionType" 
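Review bot: The `authorization` property now references `#/$defs/accessControlType`, but no hunk in this diff defines `accessControlType`, and the same reference is introduced in `dataStore`, `dataSet` and the boundary hunk; if the definition does not already exist in the file, all of these `$ref`s dangle and validation fails. Conversely, `authorizationType` is no longer referenced by any visible hunk and may be left orphaned. The property is still named `authorization` while its description says "Access control model used"; either keep the name and description aligned or note that the key is retained for compatibility.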
@@ -636,6 +701,169 @@ } } }, + "dataStore": { + "type": "object", + "required": ["bom-ref", "name", "type"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the data store" + }, + "description": { + "type": "string", + "description": "Purpose and contents of the store" + }, + "type": { + "type": "string", + "enum": [ + "sql", + "keyValue", + "document", + "object", + "graph", + "timeSeries", + "file", + "blob", + "cache", + "custom" + ], + "meta:enum": { + "sql": "Relational database", + "keyValue": "Key-value store", + "document": "Document database (e.g., MongoDB)", + "object": "Object storage", + "graph": "Graph database", + "timeSeries": "Time-series database", + "file": "File system or NAS", + "blob": "Binary/blob storage", + "cache": "Caching tier", + "custom": "Other or mixed storage technology" + } + }, + "vendor": { + "type": "string" + }, + "product": { + "type": "string" + }, + "version": { + "type": "string" + }, + "environment": { + "type": "string", + "description": "Deployment environment (prod, test, etc.)" + }, + "trustZone": { + "$ref": "#/$defs/trustZoneRef" + }, + "location": { + "type": "string", + "description": "Physical or logical hosting location" + }, + "technologies": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Supporting technologies or services" + }, + "dataSets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to data sets stored here" + }, + "accessControl": { + "$ref": "#/$defs/accessControlType" + }, + "encryption": { + "$ref": "#/$defs/encryptionType" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataSet": { + "type": "object", + "required": ["bom-ref", "name", "description"], + "additionalProperties": false, + "properties": { + 
"bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the dataset" + }, + "description": { + "type": "string", + "description": "What information is contained and why it exists" + }, + "classification": { + "$ref": "#/$defs/dataClassification" + }, + "dataTypes": { + "type": "array", + "items": { + "$ref": "#/$defs/dataObjectType" + }, + "description": "Categories of data stored (PII, PHI, etc.)" + }, + "recordCount": { + "type": "integer", + "description": "Approximate number of records" + }, + "owners": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact" + }, + "regulations": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Applicable regulations or contracts" + }, + "accessControl": { + "$ref": "#/$defs/accessControlType" + }, + "placements": { + "type": "array", + "items": { + "type": "object", + "required": ["dataStore"], + "additionalProperties": false, + "properties": { + "dataStore": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to the store holding this dataset" + }, + "encrypted": { + "type": "boolean", + "description": "Whether the dataset is encrypted at this location" + }, + "retention": { + "type": "string", + "description": "Retention policy for this placement" + }, + "replicated": { + "type": "boolean", + "description": "Indicates if this placement is a replica" + } + } + }, + "description": "Where the dataset resides" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, "interface": { "type": "object", "required": ["name", "type"], 
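Review bot: `placements[].encrypted` is a bare boolean while every other encryption statement in this schema (`dataStore.encryption`, flow `encryption`) uses `#/$defs/encryptionType`, so a placement can assert encryption that contradicts the referenced store's detail and carries no at-rest/in-transit or key-management information; suggest `"encrypted": { "$ref": "#/$defs/encryptionType" }` or a description stating that the store's `encryption` is authoritative. The store-to-dataset link is expressed from both ends (`dataStore.dataSets` and `dataSet.placements[].dataStore`) with nothing requiring them to agree, so one direction should be documented as authoritative. `recordCount` should also carry `"minimum": 0`, and `dataSet` requires `description` while `dataStore` does not, which looks unintentional for two definitions added together.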
@@ -787,8 +1015,8 @@ "description": "Authentication required to cross this boundary" }, "authorization": { - "$ref": "#/$defs/authorizationType", - "description": "Authorization model at this boundary" + "$ref": "#/$defs/accessControlType", + "description": "Access control model at this boundary" }, "dataValidation": { "type": "boolean", @@ -888,6 +1116,13 @@ "classification": { "$ref": "#/$defs/dataClassification" }, + "dataObjects": { + "type": "array", + "items": { + "$ref": "#/$defs/dataObject" + }, + "description": "The data object(s) transported in this flow" + }, "authentication": { "type": "array", "items": { @@ -897,6 +1132,11 @@ "encryption": { "$ref": "#/$defs/encryptionType" }, + "sequence": { + "type": "integer", + "minimum": 0, + "description": "Ordering hint so flows can be assembled into sequence diagrams" + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } @@ -914,10 +1154,10 @@ "type": "string", "description": "The assumption being made" }, - "category": { + "topic": { "type": "string", "enum": ["technical", "business", "operational", "security", "compliance", "performance", "availability"], - "description": "Category of the assumption" + "description": "Topic of the assumption" }, "relatedAssets": { "type": "array", @@ -1108,6 +1348,16 @@ "type": "object", "additionalProperties": false, "properties": { + "level": { + "type": "string", + "enum": ["public", "internal", "confidential", "restricted"], + "description": "Data sensitivity classification", + "meta:enum": { + "public": "Public information that can be freely shared", + "internal": "Internal use only within the organization", + "confidential": "Confidential information requiring protection", + "restricted": "Highly restricted information with limited access and special protection measures" + } "sensitivity": { "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity" }, 
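Review bot: The added `level` object in the `dataClassification` hunk is never closed: the hunk adds ten lines but only one closing brace (for `meta:enum`), after which the next line is the unchanged context `"sensitivity": {`, so the schema file is no longer valid JSON. The `meta:enum` closing `}` needs to be followed by `},` to close `level` before `"sensitivity"`. Once fixed, `level` (public/internal/confidential/restricted) overlaps with the existing `sensitivity` reference from the data schema; a sentence in the description saying which field drives access decisions when both are present would help consumers.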
@@ -1139,6 +1389,85 @@ } } }, + "dataObject": { + "type": "object", + "required": ["name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this data object" + }, + "name": { + "type": "string", + "description": "Name of the transported data object" + }, + "description": { + "type": "string", + "description": "Additional details about the data contents" + }, + "classification": { + "$ref": "#/$defs/dataClassification", + "description": "Inline classification details for this data object" + }, + "classificationRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to a shared classification definition elsewhere in the model" + }, + "type": { + "$ref": "#/$defs/dataObjectType", + "description": "Type of data (PII, PHI, PCI, etc.)" + }, + "schema": { + "type": "string", + "description": "Reference to a schema contract or document describing the data structure" + }, + "format": { + "type": "string", + "description": "Serialization or encoding format (JSON, HL7, CSV, etc.)" + }, + "attributes": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Key attributes or fields transported" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "dataObjectType": { + "type": "string", + "enum": [ + "pii", + "phi", + "pci", + "financial", + "intellectualProperty", + "telemetry", + "logs", + "credentials", + "safety", + "operational", + "custom" + ], + "description": "Common data object classifications", + "meta:enum": { + "pii": "Personally identifiable information", + "phi": "Protected health information", + "pci": "Payment card industry data", + "financial": "Financial statements or transaction data", + "intellectualProperty": "Intellectual property or trade secrets", + "telemetry": "System or product telemetry data", + "logs": "Operational or 
security log data", + "credentials": "Secrets, tokens, or credentials", + "safety": "Safety critical data or signals", + "operational": "Operational or process data", + "custom": "Other data types not covered by the enumerated values" + } + }, "ownership": { "type": "object", "additionalProperties": false, @@ -1230,6 +1559,10 @@ "description": "Whether data is encrypted during processing" } } + }, + "trustZoneRef": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference to a zone entry whose type is 'trust'" } } -} \ No newline at end of file +} diff --git a/schema/2.0/model/cyclonedx-risk-2.0.schema.json b/schema/2.0/model/cyclonedx-risk-2.0.schema.json index abf35b5c..a2bd70b0 100644 --- a/schema/2.0/model/cyclonedx-risk-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-risk-2.0.schema.json @@ -23,6 +23,13 @@ }, "description": "Risk scenarios identified" }, + "risks": { + "type": "array", + "items": { + "$ref": "#/$defs/risk" + }, + "description": "Documented risks derived from scenarios" + }, "mitigations": { "type": "array", "items": { @@ -151,7 +158,7 @@ "type": "string", "enum": ["threat", "vulnerability", "weakness", "risk", "incident", "opportunity", "hazard"], "meta:enum": { - "threat": "Security threat scenario", + "threat": "Threat scenario", "vulnerability": "Exploitable vulnerability", "weakness": "System or design weakness", "risk": "General risk scenario", @@ -163,10 +170,6 @@ "domain": { "$ref": "#/$defs/riskDomain" }, - "category": { - "type": "string", - "description": "Category or classification of the scenario" - }, "likelihood": { "$ref": "#/$defs/likelihood" }, 
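Review bot: `dataObject` allows both an inline `classification` and a `classificationRef` with no rule preventing both from being set, so a flow can carry two conflicting sensitivity statements; add `"not": { "required": ["classification", "classificationRef"] }` to the definition so at most one is present. `classificationRef` is described as pointing at "a shared classification definition elsewhere in the model", but this diff adds no root collection of classification definitions, so unless one already exists the reference has no target. `attributes` as free strings is fine for review, but for `credentials`-typed objects a note that values must never be recorded here (only field names) would be worth adding to its description.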
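Review bot: `trustZoneRef` promises a "zone entry whose type is 'trust'" but is just a `refType` alias, so the schema cannot enforce the zone's type and a reference to a network or physical zone will validate. The description should say so explicitly, e.g. `"description": "Reference to a zone entry; consumers must verify the referenced zone has type 'trust', which this schema cannot enforce"`, so tooling that derives trust-boundary crossings knows it has to check.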
@@ -203,6 +206,118 @@ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" } }, + "compliance": { + "type": "array", + "items": { + "type": "object", + "required": ["framework", "controlId"], + "additionalProperties": false, + "properties": { + "framework": { + "type": "string", + "description": "Name of the compliance program or framework" + }, + "controlId": { + "type": "string", + "description": "Identifier of the control within the framework" + }, + "reference": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference", + "description": "Link or citation to the requirement or control documentation" + }, + "description": { + "type": "string", + "description": "Optional notes describing the mapping" + } + } + }, + "description": "Compliance frameworks and control references this mitigation supports" + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "risk": { + "type": "object", + "required": ["bom-ref", "name", "statement"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name or identifier for the risk" + }, + "statement": { + "type": "string", + "description": "Structured risk statement describing source, event, and impact" + }, + "description": { + "type": "string", + "description": "Additional narrative about the risk" + }, + "domains": { + "type": "array", + "items": { + "$ref": "#/$defs/riskDomain" + }, + "description": "Risk domains impacted" + }, + "scenarios": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References to scenarios this risk addresses" + }, + "likelihood": { + "$ref": "#/$defs/likelihood" + }, + "impact": { + "$ref": "#/$defs/impact" + }, + "riskScore": { + "$ref": "#/$defs/riskScore" + }, + "riskAttributes": { + "type": "array", + "items": { + 
"$ref": "#/$defs/riskAttribute" + } + }, + "responses": { + "type": "array", + "items": { + "$ref": "#/$defs/riskResponse" + }, + "description": "Risk responses or mitigation plans applied to this risk" + }, + "relatedThreats": { + "type": "array", + "items": { + "$ref": "cyclonedx-threat-2.0.schema.json#/$defs/threatScenario" + }, + "description": "Related threat scenarios informing this risk" + }, + "status": { + "type": "string", + "enum": ["identified", "assessed", "mitigated", "accepted", "transferred", "retired"], + "meta:enum": { + "identified": "Risk has been identified but not yet evaluated", + "assessed": "Risk has been assessed and prioritized", + "mitigated": "Mitigations are in place reducing this risk", + "accepted": "Risk has been formally accepted", + "transferred": "Risk has been transferred to another party", + "retired": "Risk no longer applies" + } + }, + "owner": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact", + "description": "Owner or accountable party for this risk" + }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" } @@ -218,18 +333,17 @@ "enum": ["veryLow", "low", "medium", "high", "veryHigh", "certain"], "description": "Likelihood level", "meta:enum": { - "veryLow": "Very unlikely to occur (< 10%)", - "low": "Unlikely to occur (10-30%)", - "medium": "Possible to occur (30-60%)", - "high": "Likely to occur (60-90%)", - "veryHigh": "Very likely to occur (> 90%)", - "certain": "Will certainly occur (100%)" + "rare": "Very unlikely to occur (< 10%)", + "unlikely": "Unlikely to occur (10-30%)", + "possible": "Possible to occur (30-60%)", + "likely": "Likely to occur (60-90%)", + "almostCertain": "Very likely to occur (> 90%)" } }, "score": { "type": "number", "minimum": 0, - "maximum": 10, + "maximum": 5, "description": "Numeric likelihood score" }, "probability": { 
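Review bot: `risk.relatedThreats` embeds whole `threatScenario` objects from the threat schema while the sibling `scenarios` array uses bom-refs, so threat data is duplicated inside the risk document and can drift from the canonical entry; `"items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }` would keep it consistent with `scenarios`. It also makes the risk schema depend on the threat schema, which is presumably why the attack-pattern `severity` reference back to the risk schema was removed in a later hunk; if that cross-schema dependency is intended it should be documented. `status` has no `accepted` pairing with `owner` being required, so a risk can be marked `accepted` with no accountable party recorded; consider noting that `owner` is expected when status is `accepted` or `transferred`.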
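Review bot: The `meta:enum` keys of `likelihood.level` are renamed to `rare`/`unlikely`/`possible`/`likely`/`almostCertain`, but the `enum` itself (an unchanged context line) still lists `veryLow`, `low`, `medium`, `high`, `veryHigh`, `certain`, so the descriptions no longer document any valid value and `certain` has lost its entry. Either update the enum to `"enum": ["rare", "unlikely", "possible", "likely", "almostCertain"]` or restore the original keys. The `score` maximum drops from 10 to 5 without a description of the scale, so documents written against the previous range will fail validation with no hint why.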
@@ -238,6 +352,13 @@ "maximum": 1, "description": "Probability as a decimal (0-1)" }, + "factors": { + "type": "array", + "items": { + "$ref": "#/$defs/likelihoodFactor" + }, + "description": "Factors considered when determining the likelihood level" + }, "rationale": { "type": "string", "description": "Justification for the likelihood rating" @@ -251,14 +372,13 @@ "properties": { "level": { "type": "string", - "enum": ["negligible", "low", "moderate", "high", "severe", "catastrophic"], + "enum": ["negligible", "low", "moderate", "major", "catastrophic"], "description": "Impact severity level", "meta:enum": { "negligible": "Minimal impact with no significant consequences", "low": "Minor impact with limited consequences", "moderate": "Moderate impact affecting some operations", - "high": "Significant impact with serious consequences", - "severe": "Severe impact with critical consequences", + "major": "Significant impact with serious consequences", "catastrophic": "Catastrophic impact with existential consequences" } }, @@ -367,7 +487,7 @@ }, "score": { "type": "number", - "minimum": 0, + "minimum": 1, "description": "Numeric risk score" }, "vector": { 
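Review bot: `factors` references `#/$defs/likelihoodFactor`, which no hunk in this diff defines; if it does not already exist in the file the reference dangles. The description also does not say how factors relate to `level` or `score`, so a one-line note such as `"description": "Factors considered when determining the likelihood level; informational, they do not override level or score"` would avoid consumers treating them as an alternative rating.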
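Review bot: Raising `riskScore.score` minimum to 1 makes a computed score of 0 invalid, yet `likelihood.score` keeps `"minimum": 0`, so any likelihood x impact style calculation that starts from a zero likelihood can no longer be recorded, and there is still no `maximum` to anchor the scale. Either keep `"minimum": 0` or document the intended range in the description (e.g. `"description": "Numeric risk score on a 1-25 scale (likelihood 1-5 x impact 1-5)"`) if the change reflects a defined matrix.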
@@ -380,46 +500,39 @@ } } }, - "mitigation": { + "riskResponse": { "type": "object", - "required": ["bom-ref", "name", "type"], + "required": ["bom-ref", "mitigations", "mitigationPlan"], "additionalProperties": false, "properties": { "bom-ref": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "name": { - "type": "string", - "description": "Name of the mitigation" + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/$defs/mitigation" + }, + "description": "Mitigations applied to this risk response" }, - "description": { - "type": "string", - "description": "Description of what the mitigation does" + "mitigationPlan": { + "$ref": "#/$defs/mitigationPlan" + } + } + }, + "mitigation": { + "type": "object", + "required": ["bom-ref", "reference"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Unique identifier for this mitigation entry so it can be referenced by a plan" }, - "type": { - "type": "string", - "enum": [ - "avoid", - "reduce", - "transfer", - "accept", - "control", - "countermeasure", - "safeguard", - "practice", - "procedure" - ], - "meta:enum": { - "avoid": "Avoid the risk entirely", - "reduce": "Reduce likelihood or impact", - "transfer": "Transfer risk to another party", - "accept": "Accept the risk", - "control": "Preventive or detective control", - "countermeasure": "Reactive measure to counter risks", - "safeguard": "Protective measure", - "practice": "Risk management practice", - "procedure": "Documented procedure" - } + "reference": { + "description": "Reference to a mitigation/control implementing the response.", + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, "strategy": { "type": "string", 
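Review bot: `riskResponse` requires both `mitigations` (inline `mitigation` objects) and a `mitigationPlan`, which in turn requires its own `mitigations` array of bom-refs, so the same selection is expressed twice and nothing ties the plan's refs to the inline entries. The slimmed `mitigation` now has only `bom-ref` and `reference`, and the description "Reference to a mitigation/control implementing the response" does not say what kind of entry it must point at (an asset, a top-level `mitigations` entry, or something external); please state the target in the description. If the document-level `mitigations` array still resolves to this definition, it has lost `name` and `description`, so a standalone control can no longer be described; that may be intended but should be called out, and the hunk continues past this line.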
@@ -431,6 +544,21 @@ "recover": "Recovers from the impact" } }, + "type": { + "type": "string", + "enum": [ + "control", + "countermeasure", + "procedure", + "removal" + ], + "meta:enum": { + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "procedure": "Documented procedure", + "removal": "Removing a risky component or asset" + } + }, "status": { "type": "string", "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], 
@@ -465,14 +593,75 @@ "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "description": "References to scenarios this mitigation addresses" + "description": "References to scenarios this plan addresses" }, "implementedBy": { "type": "array", "items": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "description": "References to assets that implement this mitigation" + "description": "References to assets that implement this plan" + }, + "externalReferences": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/externalReference" + } + }, + "properties": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + } + } + }, + "mitigationPlan": { + "type": "object", + "required": ["name", "type", "status", "mitigations"], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "description": "Name of the mitigation plan" + }, + "description": { + "type": "string", + "description": "Description of what the plan covers" + }, + "type": { + "type": "string", + "enum": [ + "avoid", + "reduce", + "transfer", + "accept", + "control", + "countermeasure", + "safeguard", + "practice", + "procedure" + ], + "meta:enum": { + "avoid": "Avoid the risk entirely", + "reduce": "Reduce likelihood or impact", + "transfer": "Transfer risk to another party", + "accept": "Accept the risk", + "control": "Protective, preventive or detective control", + "countermeasure": "Reactive measure to counter risks", + "safeguard": "Safeguards mitigating adverse events", + "practice": "Operational or governance practice", + "procedure": "Documented procedure" + } + }, + "status": { + "type": "string", + "enum": ["proposed", "approved", "planned", "inProgress", "implemented", "verified"], + "meta:enum": { + "proposed": "Mitigation has been proposed", + "approved": "Mitigation has been approved", + "planned": "Implementation is planned", + "inProgress": "Implementation is in progress", + 
"implemented": "Mitigation has been implemented", + "verified": "Effectiveness has been verified" + } }, "externalReferences": { "type": "array", @@ -482,6 +671,14 @@ }, "properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" + }, + "mitigations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "List of mitigation bom-refs chosen for this plan" } } }, @@ -492,8 +689,8 @@ "percentage": { "type": "number", "minimum": 0, - "maximum": 100, - "description": "Effectiveness as percentage" + "maximum": 1, + "description": "Effectiveness as decimal" }, "rating": { "type": "string", @@ -539,16 +736,32 @@ "type": "string", "description": "Executive summary of the assessment" }, - "findings": { + "risks": { "type": "array", "items": { - "$ref": "#/$defs/finding" + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" }, - "description": "Specific findings from the assessment" + "description": "References to risk entries evaluated in this assessment" }, "overallRisk": { - "$ref": "#/$defs/riskScore", - "description": "Overall risk score/level" + "type": "object", + "required": ["method", "score"], + "additionalProperties": false, + "properties": { + "method": { + "type": "string", + "enum": ["sum", "average", "custom"], + "description": "Aggregation method used to derive the overall risk" + }, + "score": { + "$ref": "#/$defs/riskScore" + }, + "description": { + "type": "string", + "description": "Optional explanation for custom aggregation approaches" + } + }, + "description": "Aggregated risk result for this assessment" }, "recommendations": { "type": "array", 
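Review bot: The `addresses` and `implementedBy` descriptions now say "this plan", but these properties still belong to the `mitigation` definition (the new `mitigationPlan` object is opened only after `mitigation` closes), so the text describes the wrong entity. Either restore "this mitigation" in both descriptions or, if the intent was to move these fields, add them to `mitigationPlan` instead. `mitigationPlan.status` likewise reuses `meta:enum` text that begins "Mitigation has been ..." for a plan; this hunk starts on the previous line.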
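Review bot: `effectiveness.percentage` now has `"maximum": 1` and the description "Effectiveness as decimal", but the key is still named `percentage`, so a producer writing `85` (as the previous range allowed) will fail validation and one writing `0.85` under a key called percentage is misleading. Either keep `"maximum": 100` with the percentage name, or rename the key (e.g. `"fraction"`) alongside the range change so the unit is in the key.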
@@ -567,55 +780,6 @@ } } }, - "finding": { - "type": "object", - "required": ["title", "severity"], - "additionalProperties": false, - "properties": { - "bom-ref": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "title": { - "type": "string", - "description": "Title of the finding" - }, - "description": { - "type": "string", - "description": "Detailed description of the finding" - }, - "severity": { - "$ref": "#/$defs/severity" - }, - "relatedScenarios": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "Scenarios related to this finding" - }, - "relatedAssets": { - "type": "array", - "items": { - "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" - }, - "description": "Assets affected by this finding" - }, - "remediation": { - "type": "string", - "description": "Recommended remediation" - }, - "status": { - "type": "string", - "enum": ["open", "inProgress", "resolved", "accepted"], - "meta:enum": { - "open": "Finding is open and unaddressed", - "inProgress": "Remediation is in progress", - "resolved": "Finding has been resolved", - "accepted": "Risk has been accepted" - } - } - } - }, "priority": { "type": "string", "enum": ["none", "low", "medium", "high", "critical"], diff --git a/schema/2.0/model/cyclonedx-threat-2.0.schema.json b/schema/2.0/model/cyclonedx-threat-2.0.schema.json index 95270ec1..4bf44932 100644 --- a/schema/2.0/model/cyclonedx-threat-2.0.schema.json +++ b/schema/2.0/model/cyclonedx-threat-2.0.schema.json @@ -26,6 +26,13 @@ "attackPattern": { "$ref": "#/$defs/attackPatternReference" }, + "abuseCases": { + "type": "array", + "items": { + "$ref": "#/$defs/abuseCase" + }, + "description": "Abuse or misuse cases that illustrate how this threat can be exercised" + }, "weakness": { "$ref": "#/$defs/weaknessReference" }, 
@@ -174,11 +181,6 @@ }, "description": "Primary motivations" }, - "capability": { - "type": "string", - "enum": ["minimal", "limited", "moderate", "significant", "advanced"], - "description": "Overall capability level" - }, "intent": { "type": "string", "enum": ["accidental", "opportunistic", "targeted", "persistent"], @@ -219,7 +221,10 @@ }, "complexity": { "type": "string", - "enum": ["low", "high"], + "enum": [ + "low", + "high" + ], "description": "Attack complexity" }, "privileges": { @@ -239,6 +244,42 @@ } } }, + "abuseCase": { + "type": "object", + "required": ["bom-ref", "name"], + "additionalProperties": false, + "properties": { + "bom-ref": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "name": { + "type": "string", + "description": "Name of the abuse case" + }, + "description": { + "type": "string", + "description": "Narrative describing how the system can be misused or abused" + }, + "abuser": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType", + "description": "Reference (bom-ref) to a threat actor involved in the abuse case" + }, + "targets": { + "type": "array", + "items": { + "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType" + }, + "description": "References (bom-refs) to assets or flows targeted in this abuse case" + }, + "steps": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Ordered steps the abuser follows" + } + } + }, "attackPattern": { "type": "object", "required": ["bom-ref", "name"], @@ -259,14 +300,6 @@ "type": "string", "description": "Description of the attack pattern" }, - "severity": { - "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/severity" - }, - "likelihood": { - "type": "string", - "enum": ["low", "medium", "high"], - "description": "Likelihood of this pattern being used" - }, "prerequisites": { "type": "array", "items": { @@ -768,4 +801,4 @@ } } } -} \ No newline at end of file +}
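Review bot: `abuseCase` is the only new definition in this diff with `additionalProperties: false` that offers no `properties` extension point, so tools cannot attach their own metadata to an abuse case the way they can to `actor`, `dataStore`, `dataSet`, `dataObject` and `risk`; add `"properties": { "$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties" }` for consistency. `abuser` is documented as a reference to a threat actor, but the blueprint schema now has its own `actors` collection; the description should say whether a blueprint actor (e.g. an insider) is also a valid target of this reference. `steps` as plain strings cannot reference the flows or assets in `targets`, so ordered steps lose the link to the model elements they exercise.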