2 changes: 1 addition & 1 deletion schema/2.0/cyclonedx-2.0-bundled.min.schema.json

Large diffs are not rendered by default.

2,930 changes: 2,727 additions & 203 deletions schema/2.0/cyclonedx-2.0-bundled.schema.json

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions schema/2.0/cyclonedx-api-2.0-bundled.min.schema.json

Large diffs are not rendered by default.

12,942 changes: 12,942 additions & 0 deletions schema/2.0/cyclonedx-api-2.0-bundled.schema.json

Large diffs are not rendered by default.

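--- a/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-blueprint-2.0.schema.json
@@ -58,7 +58,7 @@
 "items": {
 "$ref": "#/$defs/dataSet"
 },
-"description": "Datasets handled by the system, including placements and sensitivity"
+"description": "Datasets handled by the system, including placements and classification"
 },
 "zones": {
 "type": "array",
@@ -95,49 +95,6 @@
 },
 "description": "Assumptions made during the modeling process"
 },
-"actor": {
-"type": "object",
-"required": ["bom-ref", "name", "type"],
-"additionalProperties": false,
-"properties": {
-"bom-ref": {
-"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
-"description": "Unique identifier for the actor"
-},
-"name": {
-"type": "string",
-"description": "Name or title of the actor"
-},
-"description": {
-"type": "string",
-"description": "Narrative describing the actor's role and context"
-},
-"type": {
-"type": "string",
-"enum": ["user", "engineer", "administrator", "operator", "system", "external"],
-"description": "Classification of the actor",
-"meta:enum": {
-"user": "End user of a client application or service",
-"engineer": "Developer or platform/DevOps engineer",
-"administrator": "Administrative or privileged operator",
-"operator": "Operational staff running the system",
-"system": "Automated system actor or service account",
-"external": "Third-party or external entity"
-}
-},
-"permissions": {
-"type": "string",
-"description": "Key permissions, capabilities, or duties the actor holds"
-},
-"trustZone": {
-"$ref": "#/$defs/trustZoneRef",
-"description": "Reference to the trust zone where the actor resides"
-},
-"properties": {
-"$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
-}
-}
-},
 "visualizations": {
 "type": "array",
 "items": {
@@ -806,19 +763,26 @@
 "description": "What information is contained and why it exists"
 },
 "classification": {
-"$ref": "#/$defs/dataClassification"
+"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification"
 },
 "dataTypes": {
 "type": "array",
 "items": {
-"$ref": "#/$defs/dataObjectType"
+"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataCategory"
 },
 "description": "Categories of data stored (PII, PHI, etc.)"
 },
 "recordCount": {
 "type": "integer",
 "description": "Approximate number of records"
 },
+"dataObjects": {
+"type": "array",
+"items": {
+"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataObject"
+},
+"description": "Data objects contained in this dataset"
+},
 "owners": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/organizationalEntityOrContact"
 },
@@ -1109,17 +1073,10 @@
 "type": "string",
 "description": "Communication protocol used"
 },
-"dataFormat": {
-"type": "string",
-"description": "Format of data in the flow"
-},
-"classification": {
-"$ref": "#/$defs/dataClassification"
-},
 "dataObjects": {
 "type": "array",
 "items": {
-"$ref": "#/$defs/dataObject"
+"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataObject"
 },
 "description": "The data object(s) transported in this flow"
 },
@@ -1304,18 +1261,58 @@
 }
 }
 },
+"actor": {
+"type": "object",
+"required": ["bom-ref", "name", "type"],
+"additionalProperties": false,
+"properties": {
+"bom-ref": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
+"description": "Unique identifier for the actor"
+},
+"name": {
+"type": "string",
+"description": "Name or title of the actor"
+},
+"description": {
+"type": "string",
+"description": "Narrative describing the actor's role and context"
+},
+"type": {
+"type": "string",
+"enum": ["user", "engineer", "administrator", "operator", "system", "external"],
+"description": "Classification of the actor",
+"meta:enum": {
+"user": "End user of a client application or service",
+"engineer": "Developer or platform/DevOps engineer",
+"administrator": "Administrative or privileged operator",
+"operator": "Operational staff running the system",
+"system": "Automated system actor or service account",
+"external": "Third-party or external entity"
+}
+},
+"permissions": {
+"type": "string",
+"description": "Key permissions, capabilities, or duties the actor holds"
+},
+"trustZone": {
+"$ref": "#/$defs/trustZoneRef",
+"description": "Reference to the trust zone where the actor resides"
+},
+"properties": {
+"$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
+}
+}
+},
 "assetClassification": {
 "type": "object",
 "additionalProperties": false,
 "properties": {
 "criticality": {
 "$ref": "cyclonedx-risk-2.0.schema.json#/$defs/criticality"
 },
-"sensitivity": {
-"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
-},
-"dataClassification": {
-"$ref": "#/$defs/dataClassification"
+"classification": {
+"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataClassification"
 },
 "tier": {
 "type": "string",
@@ -1344,136 +1341,6 @@
 }
 }
 },
-"dataClassification": {
-"type": "object",
-"additionalProperties": false,
-"properties": {
-"level": {
-"type": "string",
-"enum": [
-"public",
-"internal",
-"confidential",
-"restricted"
-],
-"description": "Data sensitivity classification",
-"meta:enum": {
-"public": "Public information that can be freely shared",
-"internal": "Internal use only within the organization",
-"confidential": "Confidential information requiring protection",
-"restricted": "Highly restricted information with limited access and special protection measures"
-}
-},
-"sensitivity": {
-"$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataSensitivity"
-},
-"dataTypes": {
-"type": "array",
-"items": {
-"type": "string"
-},
-"description": "Specific types of data"
-},
-"handling": {
-"type": "string",
-"description": "Data handling requirements"
-},
-"retention": {
-"type": "string",
-"description": "Data retention requirements"
-},
-"disposal": {
-"type": "string",
-"description": "Data disposal requirements"
-},
-"regulations": {
-"type": "array",
-"items": {
-"type": "string"
-},
-"description": "Applicable regulations"
-}
-}
-},
-"dataObject": {
-"type": "object",
-"required": ["name"],
-"additionalProperties": false,
-"properties": {
-"bom-ref": {
-"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
-"description": "Unique identifier for this data object"
-},
-"name": {
-"type": "string",
-"description": "Name of the transported data object"
-},
-"description": {
-"type": "string",
-"description": "Additional details about the data contents"
-},
-"classification": {
-"$ref": "#/$defs/dataClassification",
-"description": "Inline classification details for this data object"
-},
-"classificationRef": {
-"$ref": "cyclonedx-common-2.0.schema.json#/$defs/refType",
-"description": "Reference to a shared classification definition elsewhere in the model"
-},
-"type": {
-"$ref": "#/$defs/dataObjectType",
-"description": "Type of data (PII, PHI, PCI, etc.)"
-},
-"schema": {
-"type": "string",
-"description": "Reference to a schema contract or document describing the data structure"
-},
-"format": {
-"type": "string",
-"description": "Serialization or encoding format (JSON, HL7, CSV, etc.)"
-},
-"attributes": {
-"type": "array",
-"items": {
-"type": "string"
-},
-"description": "Key attributes or fields transported"
-},
-"properties": {
-"$ref": "cyclonedx-common-2.0.schema.json#/$defs/properties"
-}
-}
-},
-"dataObjectType": {
-"type": "string",
-"enum": [
-"pii",
-"phi",
-"pci",
-"financial",
-"intellectualProperty",
-"telemetry",
-"logs",
-"credentials",
-"safety",
-"operational",
-"custom"
-],
-"description": "Common data object classifications",
-"meta:enum": {
-"pii": "Personally identifiable information",
-"phi": "Protected health information",
-"pci": "Payment card industry data",
-"financial": "Financial statements or transaction data",
-"intellectualProperty": "Intellectual property or trade secrets",
-"telemetry": "System or product telemetry data",
-"logs": "Operational or security log data",
-"credentials": "Secrets, tokens, or credentials",
-"safety": "Safety critical data or signals",
-"operational": "Operational or process data",
-"custom": "Other data types not covered by the enumerated values"
-}
-},
 "ownership": {
 "type": "object",
 "additionalProperties": false,
@@ -1532,6 +1399,9 @@
 "custom": "Custom authentication method"
 }
 },
+"accessControlType": {
+"$ref": "#/$defs/authorizationType"
+},
 "authorizationType": {
 "type": "string",
 "enum": ["none", "acl", "rbac", "abac", "mac", "dac", "pbac", "cbac", "custom"],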
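Review bot: A data flow that lists no `dataObjects` now carries no classification at all: the `@@ -1109,17 +1073,10 @@` hunk removes the flow's own `classification` and `dataFormat`, and nothing visible there makes `dataObjects` required or non-empty. Classification is the attribute a reviewer checks when a flow crosses between trust zones, so an unlabelled flow is easy to overlook in a threat model. If the removal is intended, state it where consumers will look, e.g. `"description": "The data object(s) transported in this flow; the flow's classification and format are derived from these objects"`, and consider adding `"minItems": 1` to the array. The referenced `cyclonedx-data-2.0.schema.json#/$defs/dataObject` is not shown in this section, so whether it still carries `classification` and `format`, as the removed local definition did, should be confirmed there. The flow definition starts and ends outside the hunk.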