CycloneDX
diff --git a/‎schema/2.0/cyclonedx-2.0-bundled.min.schema.json‎
Lines changed: 1 addition & 1 deletion b/‎schema/2.0/cyclonedx-2.0-bundled.min.schema.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎schema/2.0/cyclonedx-2.0-bundled.schema.json‎
Lines changed: 108 additions & 0 deletions b/‎schema/2.0/cyclonedx-2.0-bundled.schema.json‎
Lines changed: 108 additions & 0 deletions
@@ -75,6 +75,9 @@
     },
     "definitions": {
       "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
+    },
+    "citations": {
+      "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
     }
   },
   "$defs": {
@@ -765,6 +768,108 @@
         }
       }
     },
+    "cyclonedx-citation-2.0": {
+      "type": "null",
+      "title": "CycloneDX Citation Model",
+      "$defs": {
+        "citations": {
+          "type": "array",
+          "items": {
+            "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citation"
+          },
+          "uniqueItems": true,
+          "title": "Citations",
+          "description": "A collection of attributions indicating which entity supplied information for specific fields within the BOM."
+        },
+        "citation": {
+          "type": "object",
+          "title": "Citation",
+          "description": "Details a specific attribution of data within the BOM to a contributing entity or process.",
+          "additionalProperties": false,
+          "properties": {
+            "bom-ref": {
+              "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refType",
+              "title": "BOM Reference"
+            },
+            "pointers": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "title": "Field Reference",
+                "description": "A [JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM field to which the attribution applies."
+              },
+              "minItems": 1,
+              "title": "Field References",
+              "description": "One or more [JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901) identifying the BOM fields to which the attribution applies.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+            },
+            "expressions": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "title": "Path Expression",
+                "description": "Specifies a [JSONPath](https://datatracker.ietf.org/doc/html/rfc9535) expression used to locate a value within a BOM."
+              },
+              "minItems": 1,
+              "title": "Path Expressions",
+              "description": "One or more path expressions used to locate values within a BOM.\nExactly one of the \"pointers\" or \"expressions\" elements must be present."
+            },
+            "timestamp": {
+              "type": "string",
+              "format": "date-time",
+              "title": "Timestamp",
+              "description": "The date and time when the attribution was made or the information was supplied."
+            },
+            "attributedTo": {
+              "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+              "title": "Attributed To",
+              "description": "The `bom-ref` of an object, such as a component, service, tool, organisational entity, or person that supplied the cited information.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+            },
+            "process": {
+              "$ref": "#/$defs/cyclonedx-common-2.0/$defs/refLinkType",
+              "title": "Process Reference",
+              "description": "The `bom-ref` to a process (such as a formula, workflow, task, or step) defined in the `formulation` section that executed or generated the attributed data.\nAt least one of the \"attributedTo\" or \"process\" elements must be present."
+            },
+            "note": {
+              "type": "string",
+              "title": "Note",
+              "description": "A description or comment about the context or quality of the data attribution."
+            },
+            "signature": {
+              "$ref": "#/$defs/cyclonedx-common-2.0/$defs/signature",
+              "title": "Signature",
+              "description": "A digital signature verifying the authenticity or integrity of the attribution."
+            }
+          },
+          "required": [
+            "timestamp"
+          ],
+          "anyOf": [
+            {
+              "required": [
+                "attributedTo"
+              ]
+            },
+            {
+              "required": [
+                "process"
+              ]
+            }
+          ],
+          "oneOf": [
+            {
+              "required": [
+                "pointers"
+              ]
+            },
+            {
+              "required": [
+                "expressions"
+              ]
+            }
+          ]
+        }
+      }
+    },
     "cyclonedx-common-2.0": {
       "type": "null",
       "title": "CycloneDX Common Model",
@@ -6679,6 +6784,9 @@
         },
         "definitions": {
           "$ref": "#/$defs/cyclonedx-definition-2.0/$defs/definitions"
+        },
+        "citations": {
+          "$ref": "#/$defs/cyclonedx-citation-2.0/$defs/citations"
         }
       }
     }