Proposed 2.0 schema for AI/ML BOM

.github/dependabot.yml

@@ -6,6 +6,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -16,6 +18,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -26,6 +30,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -36,6 +42,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -46,6 +54,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -56,6 +66,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15

.github/workflows/build_docs.yml

@@ -21,10 +21,12 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up JDK
       # see https://github.com/actions/setup-java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         java-version: '21'
         distribution: 'zulu'
@@ -33,7 +35,7 @@ jobs:
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: XML-Schema-documentation
         path: docgen/xml/docs
@@ -46,18 +48,20 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Setup Python Environment
       # see https://github.com/actions/setup-python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
         architecture: 'x64'
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: JSON-Schema-documentation
         path: docgen/json/docs
@@ -70,12 +74,14 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: PROTO-Schema-documentation
         path: docgen/proto/docs

.github/workflows/bundle_2.0_schemas.yml

@@ -7,7 +7,7 @@ on:
       - 2.0-dev-threatmodeling
     paths:
       - 'schema/2.0/**/*.schema.json'
-      - 'tools/src/main/js/bundler/bundle-schemas.js'
+      - 'tools/src/main/js/bundle-schemas.js'
   workflow_dispatch:  # Allows manual trigger
 
 jobs:
@@ -19,39 +19,44 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '20'
 
       - name: Install dependencies
-        working-directory: tools/src/main/js/bundler
+        working-directory: tools/src/main/js
         run: npm install
 
       - name: Bundle schemas
-        working-directory: tools/src/main/js/bundler
+        working-directory: tools/src/main/js
         run: |
           node bundle-schemas.js \
-            ../../../../../schema/2.0/model \
-            ../../../../../schema/2.0/cyclonedx-2.0.schema.json
+            ../../../../schema/2.0/model \
+            ../../../../schema/2.0/cyclonedx-2.0.schema.json
 
       - name: Check for changes and commit
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           BUNDLED_FILE="schema/2.0/cyclonedx-2.0-bundled.schema.json"
-          MINIFIED_FILE="schema/2.0/cyclonedx-2.0-bundled.min.schema.json"
 
-          # Add both files (works for both new and modified files)
-          git add "$BUNDLED_FILE" "$MINIFIED_FILE"
+          # Add the file (works for both new and modified files)
+          git add "$BUNDLED_FILE"
 
           # Check if there are staged changes
           if git diff --staged --quiet; then
-            echo "No changes to bundled schemas"
+            echo "No changes to bundled schema"
           else
             echo "Committing bundled schema changes"
             git config --local user.email "github-actions[bot]@users.noreply.github.com"
             git config --local user.name "github-actions[bot]"
-            git commit -m "chore: update bundled schemas [skip ci]"
-            git push
+            git commit -m "chore: update bundled schema [skip ci]"
+            git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
           fi

.github/workflows/generate_algorithm_families.yml

@@ -17,13 +17,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.x'
 

.github/workflows/test_java.yml

@@ -23,10 +23,12 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up JDK
       # see https://github.com/actions/setup-java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         java-version: '8'
         distribution: 'zulu'

.github/workflows/test_js.yml

@@ -26,10 +26,12 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '24.x'
           package-manager-cache: false

.github/workflows/test_php.yml

@@ -26,10 +26,12 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup PHP
         # see https://github.com/shivammathur/setup-php
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
         with:
           php-version: "8.4"
           tools: composer:v2

.github/workflows/test_proto.yml

@@ -26,6 +26,8 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Run test
         run: ./test.sh

.github/workflows/update_spdx_licenses.yml

@@ -23,12 +23,13 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           ref: ${{ github.ref_name }}
+          persist-credentials: false
       - name: Set up JDK
         # see https://github.com/actions/setup-java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           java-version: '21'
           distribution: 'zulu'
@@ -54,7 +55,7 @@ jobs:
       - name: Artifact changes
         if: ${{ steps.diff.outputs.changed == 'true' }}
         # https://github.com/actions/upload-artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           retention-days: 1
           name: schema-spdx
@@ -74,9 +75,10 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           ref: ${{ github.ref_name }}
+          persist-credentials: false
       - name: Switch branch
         id: branch
         run: |
@@ -93,11 +95,13 @@ jobs:
           fi
       - name: Fetch changes
         # https://github.com/actions/download-artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: schema-spdx
           path: schema
       - name: Commit and push
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -eux
           if git diff --quiet -- 'schema/spdx.*'
@@ -109,7 +113,7 @@ jobs:
           git config user.email 'spdx-license-bumper@bot.local'
           git add -A schema
           git commit -s -m "feat: bump SPDX licenses $SB_VERSION"
-          git push origin "$SB_BRANCH"
+          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$SB_BRANCH"
       - name: Pull request
         if: ${{ steps.branch.outputs.existed == 'false' }}
         run: >

.github/workflows/zizmor.yml

@@ -0,0 +1,42 @@
+name: Zizmor
+
+on:
+  push:
+    branches: ['master', 'main']
+  pull_request:
+    branches: ['**']
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 6'
+
+permissions: {}
+
+concurrency:
+  group: '${{ github.workflow }}-${{ github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor 🌈
+        # see https://github.com/zizmorcore/zizmor-action
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
+          # uploading a SARIF report to GitHub's Security tab.
+          # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+          # both of which are unnecessary here and would violate the least-privilege policy.
+          # The two modes are mutually exclusive: advanced-security must be false for
+          # annotations to take effect.
+          advanced-security: false
+          annotations: true

.gitignore

@@ -1,3 +1,11 @@
+# Filesystem
+**/.DS_Store
+
+# Tooling
 .idea/
 .vscode/
 tools/target/
+.bob
+
+# UML diagrams
+**/.uml/