Merge remote-tracking branch 'refs/remotes/origin/1.7-dev' into 1.7-dev

# Conflicts:
#	schema/bom-1.7.proto
#	schema/bom-1.7.schema.json
#	schema/bom-1.7.xsd

Author: anthonyharrison

schema/bom-1.7.proto

@@ -514,8 +514,8 @@ message Metadata {
   repeated Lifecycles lifecycles = 9;
   // The organization that created the BOM. Manufacturer is common in BOMs created through automated processes. BOMs created through manual means may have '.authors' instead.
   optional OrganizationalEntity manufacturer = 10;
-  // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the data that the BOM describes.
-  optional Tlp distribution = 11;
+  // The Traffic Light Protocol (TLP) classification that controls the sharing and distribution of the component that the BOM describes.
+  optional TlpClassification distribution = 11;
 }
 
 message Lifecycles {
@@ -677,18 +677,20 @@ message Swid {
   optional string url = 7;
 }
 
-// The Traffic Light Protocol (TLP) classification for the data that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information. The default classification is `TLP_CLEAR`
-enum Tlp {
-  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- `TLP_CLEAR` is our fallback, the default.
-  TLP_CLEAR = 0;
-  // Limited distribution but can be shared within a community.
-  TLP_GREEN = 1;
-  // Limited distribution but can be shared within an organization and with clients
-  TLP_AMBER = 2;
-  // Limited distribution but can be shared within an organization.
-  TLP_AMBER_AND_STRICT = 3;
-  // Restricted distribution to individual recipients and must not be shared.
-  TLP_RED = 4;
+// Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
+//The default classification is "CLEAR"
+enum TlpClassification {
+  // The information is not subject to any restrictions as regards the sharing.
+  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX -- "CLEAR" is our fallback, the default.
+  TLP_CLASSIFICATION_CLEAR = 0;
+  // The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
+  TLP_CLASSIFICATION_GREEN = 1;
+  // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
+  TLP_CLASSIFICATION_AMBER = 2;
+  // The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
+  TLP_CLASSIFICATION_AMBER_AND_STRICT = 3;
+  // The information is subject to restricted distribution to individual recipients only and must not be shared.
+  TLP_CLASSIFICATION_RED = 4;
 }
 
 // Specifies a tool (manual or automated).

schema/bom-1.7.schema.json

@@ -721,23 +721,23 @@
       }
     },
     "tlpClassification": {
+      "title": "Traffic Light Protocol (TLP) Classification",
+      "description": "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is \"CLEAR\"",
       "type" : "string",
       "default": "CLEAR",
-      "title": "Traffic Light Protocol (TLP) Classification",
-      "description": "The Traffic Light Protocol (TLP) classification for the data that the BOM describes. TLP is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information. The default classification is CLEAR",
       "enum": [
+        "CLEAR",
+        "GREEN",
         "AMBER",
         "AMBER_AND_STRICT",
-        "GREEN",
-        "RED",
-        "CLEAR"
+        "RED"
       ],
       "meta:enum": {
-        "AMBER": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization and with clients.",
-        "AMBER_AND_STRICT": "The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know basis within their organization.",
-        "GREEN": "The BOM is subject to limited disclosure, and recipients can share the BOM within their community but not via publicly accessible channels.",
-        "RED": "The BOM is subject to restricted distribution to individual recipients only and must not be shared.",
-        "CLEAR": "The BOM is not subject to any restrictions as regards the sharing of the information within the BOM."
+        "CLEAR": "The information is not subject to any restrictions as regards the sharing.",
+        "GREEN": "The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.",
+        "AMBER": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.",
+        "AMBER_AND_STRICT": "The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.",
+        "RED": "The information is subject to restricted distribution to individual recipients only and must not be shared."
       }
     },
     "tool": {

schema/bom-1.7.xsd

@@ -256,7 +256,7 @@ limitations under the License.
                         Formal registration is optional.</xs:documentation>
                 </xs:annotation>
             </xs:element>
-            <xs:element name="distribution" type="bom:tlpType" minOccurs="0" maxOccurs="1">
+            <xs:element name="distribution" type="bom:tlpClassificationType" default="CLEAR" minOccurs="0" maxOccurs="1">
                 <xs:annotation>
                     <xs:documentation>The Traffic Light Protocol (TLP) classification that controls the sharing and distribution
                         of the data that the BOM describes.</xs:documentation>
@@ -396,51 +396,46 @@ limitations under the License.
         </xs:anyAttribute>
     </xs:complexType>
 
-    <xs:simpleType name="tlpType" default="CLEAR">
+    <xs:simpleType name="tlpClassificationType">
         <xs:annotation>
             <xs:documentation xml:lang="en">
-                The Traffic Light Protocol (TLP) classification for the data that the BOM describes. TLP is a classification
-                system for identifying the potential risk associated with artefact, including whether it is subject to certain
-                types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
-                The default classification is CLEAR.
+                Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to https://www.first.org/tlp/ for further information.
+                The default classification is "CLEAR"
             </xs:documentation>
         </xs:annotation>
         <xs:restriction base="xs:string">
             <xs:enumeration value="CLEAR">
                 <xs:annotation>
                     <xs:documentation>
-                        The BOM is not subject to any restrictions as regards the sharing of the information within the BOM.
+                        The information is not subject to any restrictions as regards the sharing.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="GREEN">
                 <xs:annotation>
                     <xs:documentation>
-                        The BOM is subject to limited disclosure, and recipients can share the BOM within their community
-                        but not via publicly accessible channels.
+                        The information is subject to limited disclosure, and recipients can share it within their community but not via publicly accessible channels.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="AMBER">
                 <xs:annotation>
                     <xs:documentation>
-                        The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know
-                        basis within their organization and with clients.
+                        The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization and with clients.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="AMBER_AND_STRICT">
                 <xs:annotation>
                     <xs:documentation>
-                        The BOM is subject to limited disclosure, and recipients can only share the BOM on a need-to-know
-                        basis within their organization.
+                        The information is subject to limited disclosure, and recipients can only share it on a need-to-know basis within their organization.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="RED">
                 <xs:annotation>
                     <xs:documentation>
-                        The BOM is subject to restricted distribution to individual recipients only and must not be shared.
+                        The information is subject to restricted distribution to individual recipients only and must not be shared.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>

tools/src/test/resources/1.7/valid-metadata-distribution-1.7.json

@@ -5,7 +5,7 @@
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "distribution": "CLEAR"
+    "distribution": "RED"
   },
   "components": []
 }

tools/src/test/resources/1.7/valid-metadata-distribution-1.7.textproto

@@ -5,5 +5,5 @@ spec_version: "1.7"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
 metadata {
-  distribution: CLEAR
+  distribution: TLP_CLASSIFICATION_RED
 }

tools/src/test/resources/1.7/valid-metadata-distribution-1.7.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
     <metadata>
-        <distribution>CLEAR</distribution>
+        <distribution>RED</distribution>
     </metadata>
     <components />
 </bom>