diff --git a/scanoss-settings-schema.json b/scanoss-settings-schema.json
index bbdaa40..d78632c 100644
--- a/scanoss-settings-schema.json
+++ b/scanoss-settings-schema.json
@@ -18,6 +18,11 @@
 "description": {
 "type": "string",
 "description": "Description of the project"
+ },
+ "organization": {
+ "type": "string",
+ "description": "Name of the organization responsible for this project and its BOM decisions",
+ "examples": ["SCANOSS"]
 }
 }
 },
@@ -288,6 +293,16 @@
 "comment": {
 "type": "string",
 "description": "Additional notes or comments"
+ },
+ "acknowledgement": {
+ "type": "string",
+ "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "ISO 8601 UTC timestamp recording when this BOM decision was made",
+ "examples": ["2026-03-15T10:30:00Z"]
 }
 },
 "uniqueItems": true,
@@ -298,7 +313,9 @@
 {
 "path": "src/lib/component.js",
 "purl": "pkg:npm/lodash@4.17.21",
- "comment": "Full match: path + purl"
+ "comment": "Full match: path + purl",
+ "acknowledgement": "Confirmed: lodash 4.17.21 vendored under src/lib",
+ "timestamp": "2026-03-15T10:30:00Z"
 },
 {
 "purl": "pkg:npm/vue@2.6.12",
@@ -329,6 +346,16 @@
 "comment": {
 "type": "string",
 "description": "Additional notes or comments"
+ },
+ "acknowledgement": {
+ "type": "string",
+ "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "ISO 8601 UTC timestamp recording when this BOM decision was made",
+ "examples": ["2026-03-15T10:30:00Z"]
 }
 },
 "anyOf": [
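Review bot: `organization` in the `@@ -18,6 +18,11 @@` hunk accepts the empty string and text of any length, so a settings file can pass validation while naming no responsible party; consider adding `"minLength": 1`. The value is self-declared by whoever edits the file, so if it is carried into generated SBOMs (not visible in this diff) the description should say it is an unverified label rather than an attested identity. The enclosing object starts and ends outside the hunk.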
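Review bot: `timestamp` in the `@@ -288,6 +293,16 @@` hunk relies on `"format": "date-time"`, which many JSON Schema validators treat as an annotation unless format assertion is switched on, so a malformed value may still validate; the same definition is added in the `@@ -329,6 +346,16 @@` and `@@ -378,6 +407,16 @@` hunks. The format also admits numeric offsets such as `+02:00`, so the "UTC" promised by the description is not enforced; a `pattern` requiring a trailing `Z`, for example `"pattern": "Z$"`, would close that gap. The value is typed in by whoever edits the settings file and can be set to any date, so the description would be more accurate as the declared time of the decision than as a record of when it was made.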
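Review bot: `acknowledgement` in the `@@ -329,6 +346,16 @@` hunk is unbounded free text that its own description says is propagated to SBOM output, and the schema puts no limit on it; the identical definition appears in the `@@ -288,6 +293,16 @@` and `@@ -378,6 +407,16 @@` hunks. Adding `"minLength": 1` and a cap such as `"maxLength": 1024` (value illustrative) keeps an empty or oversized statement from being copied into every generated SBOM. The description could also state that the text is emitted verbatim, so that SBOM writers and viewers know to escape it for their output format. The enclosing `properties` object continues outside the hunk.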
@@ -342,7 +369,9 @@
 {
 "path": "src/main.c",
 "purl": "pkg:npm/vue@2.6.12",
- "comment": "Full match: removes only this purl at this path"
+ "comment": "Full match: removes only this purl at this path",
+ "acknowledgement": "Reviewed and confirmed as original code, not third-party",
+ "timestamp": "2026-03-15T10:30:00Z"
 },
 {
 "purl": "pkg:npm/deprecated-pkg@1.0.0",
@@ -378,6 +407,16 @@
 "type": "string",
 "description": "Additional notes or comments"
 },
+ "acknowledgement": {
+ "type": "string",
+ "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "ISO 8601 UTC timestamp recording when this BOM decision was made",
+ "examples": ["2026-03-15T10:30:00Z"]
+ },
 "license": {
 "type": "string",
 "description": "License of the replacement component. Should be a valid SPDX license expression (e.g. `MIT`, `Apache-2.0`, `GPL-3.0-only`).",
@@ -402,7 +441,9 @@
 "purl": "pkg:npm/old-lib@1.0.0",
 "replace_with": "pkg:npm/new-lib@2.0.0",
 "license": "MIT",
- "comment": "Upgrade to newer version"
+ "comment": "Upgrade to newer version",
+ "acknowledgement": "Verified upstream project is the correct attribution",
+ "timestamp": "2026-03-15T10:30:00Z"
 }
 ]
 ]
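Review bot: The `acknowledgement` and `timestamp` definitions added in the `@@ -378,6 +407,16 @@` hunk are a third identical copy of the ones added at `@@ -288,6 +293,16 @@` and `@@ -329,6 +346,16 @@`, so any later tightening (a length cap, a stricter timestamp pattern) has to be made in three places and can drift between rule types. Consider defining both once under the schema's shared-definitions keyword (`definitions` or `$defs`, depending on the draft this schema declares, which is not visible here) and pulling them in with `$ref` from each rule type. The enclosing `properties` object starts and ends outside the hunk.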