cyclonedx.model

Uniform set of models to represent objects within a CycloneDX software bill-of-materials.

You can either create a cyclonedx.model.bom.Bom yourself programmatically, or generate a cyclonedx.model.bom.Bom from a cyclonedx.parser.BaseParser implementation.

Classes

DataFlow

This is our internal representation of the dataFlowType simple type within the CycloneDX standard.

DataClassification

This is our internal representation of the dataClassificationType complex type within the CycloneDX standard.

Encoding

This is our internal representation of the encoding simple type within the CycloneDX standard.

AttachedText

This is our internal representation of the attachedTextType complex type within the CycloneDX standard.

HashAlgorithm

This is our internal representation of the hashAlg simple type within the CycloneDX standard.

HashType

This is our internal representation of the hashType complex type within the CycloneDX standard.

ExternalReferenceType

Enum object that defines the permissible 'types' for an External Reference according to the CycloneDX schema.

XsUri

Helper class that allows us to perform validation on data strings that are defined as xs:anyURI

ExternalReference

This is our internal representation of an ExternalReference complex type that can be used in multiple places within a CycloneDX BOM document.

Property

This is our internal representation of propertyType complex type that can be used in multiple places within a CycloneDX BOM document.

NoteText

This is our internal representation of the Note.text complex type that can be used in multiple places within a CycloneDX BOM document.

Note

This is our internal representation of the Note complex type that can be used in multiple places within a CycloneDX BOM document.

IdentifiableAction

This is our internal representation of the identifiableActionType complex type.

Copyright

This is our internal representation of the copyrightsType complex type.

Package Contents

class cyclonedx.model.DataFlow

Bases: str, enum.Enum

This is our internal representation of the dataFlowType simple type within the CycloneDX standard.

INBOUND = 'inbound'
OUTBOUND = 'outbound'
BI_DIRECTIONAL = 'bi-directional'
UNKNOWN = 'unknown'
class cyclonedx.model.DataClassification(*, flow: DataFlow, classification: str)

This is our internal representation of the dataClassificationType complex type within the CycloneDX standard.

DataClassification might be deprecated since CycloneDX 1.5, but it is not deprecated in this library. In fact, this library will try to provide a compatibility layer if needed.

Note

See the CycloneDX Schema for dataClassificationType: https://cyclonedx.org/docs/1.6/xml/#type_dataClassificationType

property flow: DataFlow

Specifies the flow direction of the data.

Valid values are: inbound, outbound, bi-directional, and unknown.

Direction is relative to the service.

  • Inbound flow states that data enters the service

  • Outbound flow states that data leaves the service

  • Bi-directional states that data flows both ways

  • Unknown states that the direction is not known

Returns:

DataFlow

property classification: str

Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed.

Returns:

str

class cyclonedx.model.Encoding

Bases: str, enum.Enum

This is our internal representation of the encoding simple type within the CycloneDX standard.

Note

See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/#type_encoding

BASE_64 = 'base64'
class cyclonedx.model.AttachedText(*, content: str, content_type: str = DEFAULT_CONTENT_TYPE, encoding: Encoding | None = None)

This is our internal representation of the attachedTextType complex type within the CycloneDX standard.

Note

See the CycloneDX Schema for attachedTextType: https://cyclonedx.org/docs/1.6/#type_attachedTextType

DEFAULT_CONTENT_TYPE = 'text/plain'
property content_type: str

Specifies the content type of the text. Defaults to text/plain if not specified.

Returns:

str

property encoding: Encoding | None

Specifies the optional encoding the text is represented in.

Returns:

Encoding if set else None

property content: str

The attachment data.

Proactive controls such as input validation and sanitization should be employed to prevent misuse of attachment text.

Returns:

str

class cyclonedx.model.HashAlgorithm

Bases: str, enum.Enum

This is our internal representation of the hashAlg simple type within the CycloneDX standard.

Note

See the CycloneDX Schema: https://cyclonedx.org/docs/1.6/#type_hashAlg

BLAKE2B_256 = 'BLAKE2b-256'
BLAKE2B_384 = 'BLAKE2b-384'
BLAKE2B_512 = 'BLAKE2b-512'
BLAKE3 = 'BLAKE3'
MD5 = 'MD5'
SHA_1 = 'SHA-1'
SHA_256 = 'SHA-256'
SHA_384 = 'SHA-384'
SHA_512 = 'SHA-512'
SHA3_256 = 'SHA3-256'
SHA3_384 = 'SHA3-384'
SHA3_512 = 'SHA3-512'
class cyclonedx.model.HashType(*, alg: HashAlgorithm, content: str)

This is our internal representation of the hashType complex type within the CycloneDX standard.

Note

See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.6/#type_hashType

static from_hashlib_alg(hashlib_alg: str, content: str) -> HashType

Attempts to convert a hashlib algorithm name to our internal model classes.

Args:
hashlib_alg:

Hash algorithm, named as hashlib names it. Example: sha256.

content:

Hash value.

Raises:

UnknownHashTypeException if the hash algorithm cannot be determined.

Returns:

An instance of HashType.

static from_composite_str(composite_hash: str) -> HashType

Attempts to convert a string which includes both the hash algorithm and the hash value, and to represent it using our internal model classes.

Args:
composite_hash:

Composite Hash string of the format HASH_ALGORITHM:HASH_VALUE. Example: sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b.

Valid case insensitive prefixes are: md5, sha1, sha256, sha384, sha512, blake2b256, blake2b384, blake2b512, blake2256, blake2384, blake2512, sha3-256, sha3-384, sha3-512, blake3.

Raises:

UnknownHashTypeException if the type of hash cannot be determined.

Returns:

An instance of HashType.
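The composite-hash contract documented above, as an added example that is not the library's own code: it reimplements the HASH_ALGORITHM:HASH_VALUE parsing (case-insensitive prefixes from the list above, UnknownHashTypeException when the type cannot be determined) over hashlib, and then uses the parsed values to verify an artifact's bytes against the hashes an SBOM declares for it. Two things are this example's own additions: a digest-length check against the named algorithm, and skipping BLAKE3 at verification time because hashlib has no implementation of it.

```python
import hashlib
import hmac
from dataclasses import dataclass
from functools import partial

class UnknownHashTypeException(Exception): pass  # named as on the page

@dataclass(frozen=True)
class HashType:
    alg: str      # hashAlg value as listed on this page, e.g. 'SHA-256'
    content: str  # lowercase hex digest

# case-insensitive prefix -> (hashAlg value, hashlib constructor, or None where hashlib lacks it)
_ALGS = {
    'md5': ('MD5', hashlib.md5), 'sha1': ('SHA-1', hashlib.sha1),
    'sha256': ('SHA-256', hashlib.sha256), 'sha384': ('SHA-384', hashlib.sha384),
    'sha512': ('SHA-512', hashlib.sha512), 'sha3-256': ('SHA3-256', hashlib.sha3_256),
    'sha3-384': ('SHA3-384', hashlib.sha3_384), 'sha3-512': ('SHA3-512', hashlib.sha3_512),
    'blake2b256': ('BLAKE2b-256', partial(hashlib.blake2b, digest_size=32)),
    'blake2b384': ('BLAKE2b-384', partial(hashlib.blake2b, digest_size=48)),
    'blake2b512': ('BLAKE2b-512', partial(hashlib.blake2b, digest_size=64)),
    'blake3': ('BLAKE3', None),
}
for _n in ('256', '384', '512'):  # the documented blake2NNN spellings alias the blake2bNNN ones
    _ALGS['blake2' + _n] = _ALGS['blake2b' + _n]

def from_composite_str(composite_hash: str) -> HashType:
    """Parse 'HASH_ALGORITHM:HASH_VALUE' as documented for HashType.from_composite_str."""
    prefix, sep, value = composite_hash.partition(':')
    if not sep or prefix.lower() not in _ALGS:
        raise UnknownHashTypeException(f'cannot determine hash type of {composite_hash!r}')
    name, ctor = _ALGS[prefix.lower()]
    try:
        digest = bytes.fromhex(value)
    except ValueError:
        raise UnknownHashTypeException(f'hash value is not hex in {composite_hash!r}') from None
    # Added check: a digest whose length does not fit the algorithm is truncated or mislabelled.
    if ctor is not None and len(digest) != ctor().digest_size:
        raise UnknownHashTypeException(f'{len(digest)}-byte digest does not fit {name}')
    return HashType(name, digest.hex())

def verify_artifact(data: bytes, composite_hashes: list) -> dict:
    """Recompute every hashlib-supported declared hash over data and compare in constant time."""
    results = {}
    for composite in composite_hashes:
        declared = from_composite_str(composite)
        ctor = _ALGS[composite.partition(':')[0].lower()][1]
        if ctor is not None:  # BLAKE3 parses but cannot be recomputed with hashlib
            results[declared.alg] = hmac.compare_digest(ctor(data).hexdigest(), declared.content)
    return results
```

A mismatch in the returned dictionary means the bytes you fetched are not the bytes the SBOM describes, which is the signal a supply-chain check is looking for.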

property alg: HashAlgorithm

Specifies the algorithm used to create the hash.

Returns:

HashAlgorithm

property content: str

Hash value content.

Returns:

str

class cyclonedx.model.ExternalReferenceType

Bases: str, enum.Enum

Enum object that defines the permissible ‘types’ for an External Reference according to the CycloneDX schema.

Note

See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_externalReferenceType

ADVERSARY_MODEL = 'adversary-model'
ADVISORIES = 'advisories'
ATTESTATION = 'attestation'
BOM = 'bom'
BUILD_META = 'build-meta'
BUILD_SYSTEM = 'build-system'
CERTIFICATION_REPORT = 'certification-report'
CHAT = 'chat'
CODIFIED_INFRASTRUCTURE = 'codified-infrastructure'
COMPONENT_ANALYSIS_REPORT = 'component-analysis-report'
CONFIGURATION = 'configuration'
DIGITAL_SIGNATURE = 'digital-signature'
DISTRIBUTION = 'distribution'
DISTRIBUTION_INTAKE = 'distribution-intake'
DOCUMENTATION = 'documentation'
DYNAMIC_ANALYSIS_REPORT = 'dynamic-analysis-report'
ELECTRONIC_SIGNATURE = 'electronic-signature'
EVIDENCE = 'evidence'
EXPLOITABILITY_STATEMENT = 'exploitability-statement'
FORMULATION = 'formulation'
ISSUE_TRACKER = 'issue-tracker'
LICENSE = 'license'
LOG = 'log'
MAILING_LIST = 'mailing-list'
MATURITY_REPORT = 'maturity-report'
MODEL_CARD = 'model-card'
PENTEST_REPORT = 'pentest-report'
POAM = 'poam'
QUALITY_METRICS = 'quality-metrics'
RELEASE_NOTES = 'release-notes'
RFC_9166 = 'rfc-9116'
RISK_ASSESSMENT = 'risk-assessment'
RUNTIME_ANALYSIS_REPORT = 'runtime-analysis-report'
SECURITY_CONTACT = 'security-contact'
STATIC_ANALYSIS_REPORT = 'static-analysis-report'
SOCIAL = 'social'
SOURCE_DISTRIBUTION = 'source-distribution'
SCM = 'vcs'
SUPPORT = 'support'
THREAT_MODEL = 'threat-model'
VCS = 'vcs'
VULNERABILITY_ASSERTION = 'vulnerability-assertion'
WEBSITE = 'website'
OTHER = 'other'
class cyclonedx.model.XsUri(uri: str)

Bases: py_serializable.helpers.BaseHelper

Helper class that allows us to perform validation on data strings that are defined as xs:anyURI in CycloneDX schema.

Developers can just use this via str(XsUri('https://www.google.com')).

Note

See the XSD definition for xsd:anyURI: http://www.datypic.com/sc/xsd/t-xsd_anyURI.html

See the JSON Schema definition for iri-reference: https://tools.ietf.org/html/rfc3987

property uri: str
classmethod serialize(o: Any) -> str

General-purpose serializer.

classmethod deserialize(o: Any) -> XsUri

General-purpose deserializer.

Generate a BOM-Link URI.

Args:

serial_number:

The unique serial number of the BOM.

version:

The version of the BOM. The default version is 1.

bom_ref:

The unique identifier of the component, service, or vulnerability within the BOM.

Returns:

XsUri: Instance of XsUri with the generated BOM-Link URI.

Check if the URI is a BOM-Link.

Returns:

bool
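The BOM-Link generation and check described above, as an added example rather than the library's code: the grammar (urn:cdx:<serial UUID>/<version>[#<bom-ref>]) is taken from the CycloneDX schema, not from this page, and accepting a urn:uuid:-prefixed serial number and percent-encoding the bom-ref are this example's own choices.

```python
import re
import uuid
from typing import Optional
from urllib.parse import quote, unquote

# BOM-Link grammar (taken from the CycloneDX schema, not from this page):
#   urn:cdx:<BOM serial number as a bare UUID>/<BOM version>[#<bom-ref, percent-encoded>]
_BOM_LINK_RE = re.compile(
    r'^urn:cdx:(?P<serial>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'
    r'/(?P<version>[1-9][0-9]*)(?:#(?P<ref>.+))?$')

def make_bom_link(serial_number: str, version: int = 1, bom_ref: Optional[str] = None) -> str:
    """Build a BOM-Link; serial_number may be a bare UUID or the urn:uuid: form used in a BOM."""
    serial = serial_number.lower().removeprefix('urn:uuid:')
    uuid.UUID(serial)  # raises ValueError unless the serial number is a well-formed UUID
    if version < 1:
        raise ValueError('BOM version must be a positive integer')
    link = f'urn:cdx:{serial}/{version}'
    if bom_ref:
        # encode everything, so a bom-ref containing '/' or '#' cannot alter how the link is parsed
        link += '#' + quote(bom_ref, safe='')
    return link

def is_bom_link(uri: str) -> bool:
    """True if uri matches the BOM-Link grammar."""
    return _BOM_LINK_RE.match(uri) is not None

def parse_bom_link(uri: str) -> dict:
    """Split a BOM-Link into serial_number, version and decoded bom_ref; ValueError otherwise."""
    m = _BOM_LINK_RE.match(uri)
    if m is None:
        raise ValueError(f'not a BOM-Link: {uri!r}')
    ref = m.group('ref')
    return {'serial_number': m.group('serial').lower(), 'version': int(m.group('version')),
            'bom_ref': unquote(ref) if ref is not None else None}
```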

classmethod json_normalize(o: Any, *, view: Type[py_serializable.ViewType] | None, prop_info: py_serializable.ObjectMetadataLibrary.SerializableProperty, ctx: Type[Any], **kwargs: Any) -> Any | None

JSON-specific normalizer.

classmethod json_serialize(o: Any) -> str | Any

JSON-specific serializer.

classmethod json_denormalize(o: Any, *, prop_info: py_serializable.ObjectMetadataLibrary.SerializableProperty, ctx: Type[Any], **kwargs: Any) -> Any

JSON-specific denormalizer.

Parameters:
  • tCls – the class to denormalize to

  • pCls – the parent class, as context

classmethod json_deserialize(o: Any) -> Any

JSON-specific deserializer.

classmethod xml_normalize(o: Any, *, element_name: str, view: Type[py_serializable.ViewType] | None, xmlns: str | None, prop_info: py_serializable.ObjectMetadataLibrary.SerializableProperty, ctx: Type[Any], **kwargs: Any) -> xml.etree.ElementTree.Element | Any | None

XML-specific normalizer.

classmethod xml_serialize(o: Any) -> str | Any

XML-specific serializer.

classmethod xml_denormalize(o: xml.etree.ElementTree.Element, *, default_ns: str | None, prop_info: py_serializable.ObjectMetadataLibrary.SerializableProperty, ctx: Type[Any], **kwargs: Any) -> Any

XML-specific denormalizer.

classmethod xml_deserialize(o: str | Any) -> Any

XML-specific deserializer.

class cyclonedx.model.ExternalReference(*, type: ExternalReferenceType, url: XsUri, comment: str | None = None, hashes: Iterable[HashType] | None = None)

This is our internal representation of an ExternalReference complex type that can be used in multiple places within a CycloneDX BOM document.

Note

See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/#type_externalReference

property url: XsUri

The URL to the external reference.

Returns:

XsUri

property comment: str | None

An optional comment describing the external reference.

Returns:

str if set else None

property type: ExternalReferenceType

Specifies the type of external reference.

There are built-in types to describe common references. If a type does not exist for the reference being referred to, use the “other” type.

Returns:

ExternalReferenceType

property hashes: SortedSet[HashType]

The hashes of the external reference (if applicable).

Returns:

Set of HashType

class cyclonedx.model.Property(*, name: str, value: str | None = None)

This is our internal representation of propertyType complex type that can be used in multiple places within a CycloneDX BOM document.

Note

See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_propertyType

Specifies an individual property with a name and value.

property name: str

The name of the property.

Duplicate names are allowed, each potentially having a different value.

Returns:

str

property value: str | None

Value of this Property.

Returns:

str

class cyclonedx.model.NoteText(*, content: str, content_type: str | None = None, encoding: Encoding | None = None)

This is our internal representation of the Note.text complex type that can be used in multiple places within a CycloneDX BOM document.

Note

See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_releaseNotesType

DEFAULT_CONTENT_TYPE: str = 'text/plain'
property content: str

Get the text content of this Note.

Returns:

str note content

property content_type: str | None

Get the content-type of this Note.

Defaults to ‘text/plain’ if one was not explicitly specified.

Returns:

str content-type

property encoding: Encoding | None

Get the encoding method used for the note’s content.

Returns:

Encoding if set else None

class cyclonedx.model.Note(*, text: NoteText, locale: str | None = None)

This is our internal representation of the Note complex type that can be used in multiple places within a CycloneDX BOM document.

Note

See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.6/xml/#type_releaseNotesType

@todo: Replace NoteText with AttachedText?

property text: NoteText

Specifies the full content of the release note.

Returns:

NoteText

property locale: str | None

Get the ISO locale of this Note.

The ISO-639 (or higher) language code and optional ISO-3166 (or higher) country code.

Examples include: “en”, “en-US”, “fr” and “fr-CA”.

Returns:

str locale if set else None

class cyclonedx.model.IdentifiableAction(*, timestamp: datetime.datetime | None = None, name: str | None = None, email: str | None = None)

This is our internal representation of the identifiableActionType complex type.

property timestamp: datetime.datetime | None

The timestamp in which the action occurred.

Returns:

datetime if set else None

property name: str | None

The name of the individual who performed the action.

Returns:

str if set else None

property email: str | None

The email address of the individual who performed the action.

Returns:

str if set else None

class cyclonedx.model.Copyright(*, text: str)

This is our internal representation of the copyrightsType complex type.

Note

See the CycloneDX specification: https://cyclonedx.org/docs/1.6/xml/#type_copyrightsType

property text: str

Copyright statement.

Returns:

str if set else None