CBOM 2.0 features

[bhess]

Implement the following features for CBOM v2.0 as described in #738

• Change implementationPlatform to array to support multiple platforms
• Add keyUsage property to cryptoProperties and relatedCryptoMaterialProperties
  (open string array with examples: CIPHER, SIGN, VERIFY, WRAP, UNWRAP, etc.)
• Add secProperties to algorithmProperties for security properties
  (open string array with examples: IND-CPA, IND-CCA, SUF-CMA, EUF-CMA, etc.)
• Extend evidence/occurrences with system metadata: accountInfo, systemOwner
• Extend evidence/occurrences with process metadata: startTime, endTime, usageCount
• Change securedBy.algorithmRef to array of refs to support linking multiple
  securing assets (algorithms, hardware, keys, etc.)

Fixes #738

Adds support for pss in cryptoProperties.algorithmProperties.padding
Fixes #747

Adds support for key agreement or exchange in cryptoProperties.algorithmProperties.cryptoFunctions
Fixes #748

Adds support for additional cipher modes in cryptoProperties.algorithmProperties.mode
Fixes #749

[stevespringett]

Lets flush out this description a bit more and not assume the target audience is well-versed in PQC readiness.

[bhess]

Updated it with an improved description.

[stevespringett]

Same as above

[bhess]

Consolidated the two description fields to a single one.

[Copilot]

Pull request overview

This PR implements CBOM v2.0 features for improved cryptographic asset modeling. The changes extend the CycloneDX schema to support multiple implementation platforms, key usage specifications, security properties for algorithms, extended evidence metadata, additional cipher modes and padding schemes, key agreement functions, and multiple securing asset references.

Changes:

• Changed implementationPlatform from single string to array to support multiple platforms
• Added keyUsage property to cryptographic and related crypto material properties for usage specifications (CIPHER, SIGN, VERIFY, WRAP, UNWRAP, etc.)
• Added secProperties to algorithm properties for formal security guarantees (IND-CPA, IND-CCA, SUF-CMA, EUF-CMA, etc.)
• Extended evidence/occurrences with system metadata (accountInfo, systemOwner) and process metadata (startTime, endTime, usageCount)
• Changed securedBy.algorithmRef from single reference to array supporting multiple securing assets
• Added support for PSS padding, keyagree crypto function, and additional cipher modes (siv, gcm-siv, ocb, eax, kw, kwp, cts, xts)

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
schema/2.0/model/cyclonedx-cryptography-2.0.schema.json	Core schema changes for CBOM 2.0 features including platform arrays, keyUsage, secProperties, and algorithmRef arrays
schema/2.0/model/cyclonedx-component-2.0.schema.json	Added system and process metadata fields to evidence/occurrences
schema/2.0/cyclonedx-2.0-bundled.schema.json	Bundled schema reflecting all CBOM 2.0 changes
schema/2.0/cyclonedx-2.0-bundled.min.schema.json	Minified bundled schema with all changes

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[stevespringett]

Double check to ensure that we're not missing any meta:enum properties for the new enums added.

[stevespringett]

Investigate syncing with related crypto material usage and making this an enum.