Description
While reviewing the `cyclonedx-threat-2.0.schema.json` in the `2.0-dev-threatmodeling` branch, I noticed the following definition inside `$defs.threatScenario`:

```json
"threatActor": {
  "$ref": "#/$defs/threatActorProfile"
}
```

However, the schema also defines a full `threatActor` object separately, which includes identity properties (`bom-ref`, `name`, `type`) and an embedded profile.
This appears to introduce a potential ambiguity in the intended semantics:
- Is `threatScenario.threatActor` meant to reference a defined `threatActor` entity?
- Or is the intent that a scenario only captures an assumed actor profile (without identity and `bom-ref` linkage)?
The current naming suggests a full actor, while the referenced type represents only a profile.
Depending on the intended modeling approach, alignment between naming and referenced type may be beneficial.
Before proposing any changes, I wanted to confirm the intended direction with the working group.
Happy to submit a PR aligned with the agreed semantics.
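As an added illustration (not part of the issue, and not code from the CycloneDX project), the check below walks a miniature, constructed stand-in for the two definitions the issue contrasts and reports every property whose name matches one `$defs` entry while its `$ref` points at a different one, noting whether the referenced type carries a `bom-ref` identity. The property lists in `SCHEMA` are assumptions for the example, not the real schema's contents.

```python
"""Flag $ref targets whose definition name differs from the property name,
and whether the target carries identity properties such as bom-ref."""

# Constructed miniature of the definitions discussed in the issue (assumption:
# the real cyclonedx-threat-2.0 schema has more properties than shown here).
SCHEMA = {
    "$defs": {
        "threatActorProfile": {
            "type": "object",
            "properties": {
                "motivation": {"type": "string"},
                "capability": {"type": "string"},
            },
        },
        "threatActor": {
            "type": "object",
            "properties": {
                "bom-ref": {"type": "string"},
                "name": {"type": "string"},
                "type": {"type": "string"},
                "profile": {"$ref": "#/$defs/threatActorProfile"},
            },
        },
        "threatScenario": {
            "type": "object",
            "properties": {
                "name": {"type": "string"},
                # The definition the issue questions: named like an actor,
                # but referencing only the profile type.
                "threatActor": {"$ref": "#/$defs/threatActorProfile"},
            },
        },
    }
}


def resolve_ref(schema, ref):
    """Follow a local JSON Pointer reference such as '#/$defs/threatActor'."""
    node = schema
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def find_ref_mismatches(schema, identity_keys=("bom-ref",)):
    """Return (path, referenced definition, carries_identity) for each property
    named after a $defs entry whose $ref resolves to a different $defs entry."""
    defs = schema["$defs"]
    mismatches = []
    for def_name, definition in defs.items():
        for prop, sub in definition.get("properties", {}).items():
            ref = sub.get("$ref")
            if not ref or prop not in defs:
                continue  # not a reference, or not named after a definition
            target = ref.rsplit("/", 1)[-1]
            if target != prop:
                target_props = resolve_ref(schema, ref).get("properties", {})
                has_identity = any(k in target_props for k in identity_keys)
                path = f"$defs/{def_name}/properties/{prop}"
                mismatches.append((path, target, has_identity))
    return mismatches
```

Running `find_ref_mismatches(SCHEMA)` reports the `threatScenario.threatActor` reference and that the referenced `threatActorProfile` carries no `bom-ref`, which is the linkage gap the second interpretation implies.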